Top Security Threats for .NET Developers
1. Top Security Threats for .NET developers
Mikhail Shcherbakov
Product Manager at Cezurity
10th .NET Developers Conference
April 19, 2015
dotnetconf.ru
2. About me
Product Manager at Cezurity
One of the core developers of the source code analyzer PT Application Inspector
Former Team Lead at Acronis, Luxoft, Boeing, SPC KRUG
7. Glossary
Threat - a potential violation of security (ISO 7498-2).
Impact - consequences for an organization or environment when an attack is realized, or weakness is present.
Attack - a well-defined set of actions that, if successful, would result in either damage to an asset, or undesirable operation.
8. Glossary
Weakness - a type of mistake in software that, in proper conditions, could contribute to the introduction of vulnerabilities within that software.
Vulnerability - an occurrence of a weakness (or multiple weaknesses) within software, in which the weakness can be used by a party to cause the software to modify or access unintended data, interrupt proper execution, or perform incorrect actions that were not specifically granted to the party who uses the weakness.
27. CSRF
ASP.NET MVC
<%= Html.AntiForgeryToken() %>
<input name="__RequestVerificationToken" type="hidden" …
ASP.NET Web Forms
__VIEWSTATE, __EVENTVALIDATION
http://www.jardinesoftware.com/Documents/ASP_Net_Web_Forms_CSRF_Workflow.pdf
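The slide shows only the view side of the MVC token; the hidden field protects nothing unless the server validates it on every state-changing request. The following is an added example, not code from the talk: the controller, model and header name `X-Request-Verification-Token` are hypothetical, and it assumes a `System.Web.Helpers` version that has the two-argument `AntiForgery.Validate` overload.

```csharp
using System;
using System.Web.Helpers;
using System.Web.Mvc;

// Hypothetical model for illustration.
public class TransferModel
{
    public string ToAccount { get; set; }
    public decimal Amount { get; set; }
}

public class AccountController : Controller
{
    // Form post: the view emits Html.AntiForgeryToken(); this attribute
    // checks the hidden __RequestVerificationToken field against the
    // anti-forgery cookie and rejects the request on mismatch.
    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult Transfer(TransferModel model)
    {
        // ... perform the state change only after validation passed ...
        return RedirectToAction("Index");
    }

    // AJAX/JSON post: there is no form field, so the client copies the
    // token into a request header and a custom filter validates it.
    [HttpPost]
    [ValidateHeaderAntiForgeryToken]
    public ActionResult TransferJson(TransferModel model)
    {
        return Json(new { ok = true });
    }
}

// Hypothetical filter: validates the token sent in a header (assumed name).
[AttributeUsage(AttributeTargets.Method | AttributeTargets.Class)]
public sealed class ValidateHeaderAntiForgeryTokenAttribute
    : FilterAttribute, IAuthorizationFilter
{
    public void OnAuthorization(AuthorizationContext filterContext)
    {
        if (filterContext == null) throw new ArgumentNullException("filterContext");
        var request = filterContext.HttpContext.Request;
        var cookie = request.Cookies[AntiForgeryConfig.CookieName];
        var headerToken = request.Headers["X-Request-Verification-Token"];
        // Throws HttpAntiForgeryException when either token is missing or they do not match.
        AntiForgery.Validate(cookie != null ? cookie.Value : null, headerToken);
    }
}
```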
34. Security Misconfiguration
Application Misconfiguration
Server Misconfiguration
Information Exposure Through an Error Message
Information Leakage
Directory Indexing
Insecure Indexing
Using Components with Known Vulnerabilities
35. Summary
OWASP Top Ten Project (2010/2013) http://bit.ly/1OffewO
OWASP .NET Project http://bit.ly/1cz62Sv
Vladimir Kochetkov Blog http://bit.ly/1DecXWI
Troy Hunt Blog www.troyhunt.com
OWASP Developer Guide http://bit.ly/1JcQLoh
CWE/SANS Top 25 Most Dangerous Software Errors (2011) http://bit.ly/1bjDTOH
36. Thank you for your attention!
Mikhail Shcherbakov
ms@cezurity.com
linkedin.com/in/mikhailshcherbakov
github.com/yuske
@yu5k3
Product Manager at Cezurity