OWASP Top Ten
Quickstart Your Security Awareness
Allon Mureinik
Senior Manager, Seeker Node.js and .NET Agents
Synopsys, Inc.
allon.mureinik@synopsys.com
@mureinik
https://www.linkedin.com/in/mureinik/
© 2020 Synopsys, Inc. OWASP Top Ten – Quickstart Your Security Awareness (Allon Mureinik, DevConf.US 2020, cc-by-sa-4.0)
Setting Expectations
http://montypython.com/
Security is everyone's responsibility
https://thenounproject.com/term/security/957678
But it starts with the developer
https://thenounproject.com/term/developer/94089
OWASP
https://owasp.org/
OWASP Top Ten
https://owasp.org/www-project-top-ten/
1. Injection
2. Broken Authentication
3. Sensitive Data Exposure
4. XML External Entities (XXE)
5. Broken Access Control
6. Security Misconfiguration
7. Cross-Site Scripting (XSS)
8. Insecure Deserialization
9. Using Components with Known Vulnerabilities
10. Insufficient Logging and Monitoring
A1:2017 Injection
https://thenounproject.com/term/injection/1827356
SQL Injection
https://xkcd.com/327/
Log Injection
// Express app and body parser assumed by the snippets (the slides do not show
// them); req.body is only populated once a body parser is mounted.
const express = require('express');
const app = express();
app.use(express.urlencoded({ extended: false }));

app.post('/logi', function(req, res) {
  // We trust our users, every login will be successful!
  const username = req.body.username;
  // Enterprise-grade logging FTW! (the raw username, newlines and all, is
  // concatenated straight into the log record)
  console.log(username + ' logged in.');
  res.end('Logged in with the honor system');
});
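The slide's concatenated log line beside two hardened formatters, plus a toy log reader that shows why the difference matters. This is an added example, not the slide's code or the demo repository's: it uses plain functions instead of Express so it runs on a stock Node.js, and the forged username is constructed here.

```javascript
// Added example, not the slide's code: the slide's concatenated log line
// beside two hardened formatters, and a toy log reader that shows why the
// difference matters. Plain functions only, so it runs on a stock Node.js.

// The slide's pattern: untrusted input glued straight into a log record.
function logLineUnsafe(username) {
  return username + ' logged in.';
}

// Hardening 1: quote the field and escape backslashes, quotes, CR, LF and
// every other C0/DEL control character. This also covers ESC, so ANSI
// sequences cannot restyle a terminal that tails the log.
function quoteForLog(value) {
  return '"' + String(value)
    .replace(/\\/g, '\\\\')
    .replace(/"/g, '\\"')
    .replace(/[\u0000-\u001f\u007f]/g, (c) =>
      '\\x' + c.charCodeAt(0).toString(16).padStart(2, '0')) + '"';
}

function logLineSafe(username) {
  return 'event=login user=' + quoteForLog(username);
}

// Hardening 2: structured logging. JSON.stringify escapes control characters
// itself, so one record is always exactly one line and a log pipeline gets
// the original value back without guessing where the field ends.
function logRecordJson(username) {
  return JSON.stringify({ event: 'login', user: String(username) });
}

// Toy log reader: one record per line, the way grep, a log shipper or a
// SIEM sees it. Returns the users that appear to have logged in.
function usersFromUnsafeLog(text) {
  const suffix = ' logged in.';
  return text.split('\n')
    .filter((line) => line.endsWith(suffix))
    .map((line) => line.slice(0, -suffix.length));
}

function usersFromJsonLog(text) {
  return text.split('\n').filter(Boolean).map((line) => JSON.parse(line).user);
}

// Constructed attacker input: a newline followed by a complete forged record.
// Over HTTP the newline travels URL-encoded, e.g.
//   username=mallory%20logged%20in.%0Aadmin
const FORGED_USERNAME = 'mallory logged in.\nadmin';

// Stand-alone demonstration of the three formatters on the forged input.
function demo() {
  return {
    unsafeUsers: usersFromUnsafeLog(logLineUnsafe(FORGED_USERNAME)), // ['mallory', 'admin']
    safeLine: logLineSafe(FORGED_USERNAME),                          // one line, \n escaped
    jsonUsers: usersFromJsonLog(logRecordJson(FORGED_USERNAME)),     // [FORGED_USERNAME]
  };
}
```

With the slide's formatter the reader sees two logins, one of them as `admin`, which is exactly what an attacker wants an incident responder to believe. The quoted form is essentially JSON string escaping done by hand, which is why emitting JSON records (or using a logging library that does so) is the better default: the value survives round-tripping and the record boundary is never under user control.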
Log Injection - demo
A4:2017 XML External Entities (XXE)
https://thenounproject.com/term/xml/3123782
XXE Injection
const bodyParser = require('body-parser');
const libxmljs = require('libxmljs');

// Every request body, whatever its Content-Type, is handed to the XML parser
app.use(bodyParser.text({type: '*/*'}));
app.post('/xxe', function(req, res) {
  // noent: true substitutes entities, including SYSTEM entities that point
  // at local files or internal URLs
  const parsed = libxmljs.parseXml(req.body, {noent: true});
  const name = parsed.get('//name').text();
  res.end('Name is: ' + name);
});
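What `noent: true` actually does with an attacker-supplied DOCTYPE, modelled in a few dozen lines beside the two checks that close the hole. This is an added example, not the slide's code: libxmljs is not used, a toy entity expander stands in for the parser, an in-memory table stands in for the file system, and the payload is constructed here, so it runs offline.

```javascript
// Added example, not the slide's code: a toy model of DTD entity expansion
// showing what `noent: true` does with an attacker-supplied DOCTYPE, next
// to the two checks that close the hole. libxmljs is not used; an in-memory
// table stands in for the file system so this runs offline.

// Constructed "files" the toy resolver can read.
const FAKE_FS = {
  'file:///etc/passwd': 'root:x:0:0:root:/root:/bin/bash',
};

// Constructed attacker payload: the classic XXE file-read probe.
const XXE_PAYLOAD =
  '<?xml version="1.0"?>\n' +
  '<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>\n' +
  '<root><name>&xxe;</name></root>';

// What a legitimate client sends.
const BENIGN_PAYLOAD = '<root><name>DevConf</name></root>';

// Collect <!ENTITY n "literal"> and <!ENTITY n SYSTEM "uri"> declarations
// from the internal subset. Real parsers handle far more (PUBLIC ids,
// parameter entities, external DTDs); this is enough to show the mechanism.
function parseEntities(xml) {
  const entities = new Map();
  const subset = /<!DOCTYPE[^\[>]*\[([\s\S]*?)\]\s*>/.exec(xml);
  if (!subset) return entities;
  const decl = /<!ENTITY\s+(\w+)\s+(?:SYSTEM\s+"([^"]*)"|"([^"]*)")\s*>/g;
  let m;
  while ((m = decl.exec(subset[1])) !== null) {
    entities.set(m[1], m[2] !== undefined ? { system: m[2] } : { value: m[3] });
  }
  return entities;
}

// Substitute &name; references. With noent false the reference is left in
// place, which is why the hardened handler never turns it on.
function expandEntities(xml, noent, resolve) {
  if (!noent) return xml;
  const entities = parseEntities(xml);
  return xml.replace(/&(\w+);/g, (ref, name) => {
    const ent = entities.get(name);
    if (!ent) return ref; // predefined refs such as &amp; stay as they are
    return ent.system !== undefined ? resolve(ent.system) : ent.value;
  });
}

function hasDoctype(xml) {
  return /<!DOCTYPE/i.test(xml);
}

// Stand-in for parsed.get('//name').text().
function nameText(xml) {
  const m = /<name>([\s\S]*?)<\/name>/.exec(xml);
  return m ? m[1] : null;
}

// The slide's handler, modelled: entity substitution on, resolver that
// reads whatever URI the document names.
function handleXxeUnsafe(body) {
  const expanded = expandEntities(body, true, (uri) => FAKE_FS[uri] || '');
  return { status: 200, body: 'Name is: ' + nameText(expanded) };
}

// Hardened handler: refuse documents that carry a DTD at all, and keep
// entity substitution off so a declaration that slipped past is inert.
function handleXxeSafe(body) {
  if (hasDoctype(body)) {
    return { status: 400, body: 'DTDs are not accepted' };
  }
  const parsed = expandEntities(body, false, () => {
    throw new Error('external entity resolution is disabled');
  });
  return { status: 200, body: 'Name is: ' + nameText(parsed) };
}
```

With libxmljs the equivalent fix is simply not to pass `noent: true` (it defaults to off). Rejecting any `<!DOCTYPE` before the parser sees the document is the stronger control, because it removes the whole DTD attack surface (external entities, parameter entities, recursive expansion) rather than one option, and it costs nothing for an API that never needed DTDs. Two smaller points from the slide's code are worth fixing at the same time: `bodyParser.text({type: '*/*'})` parses any body as XML, so restrict it to `application/xml`, and `parsed.get('//name')` returns null when the element is missing, so check it before calling `.text()`.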
XXE Injection - demo
A7:2017 Cross-Site Scripting (XSS)
https://thenounproject.com/term/html/101165
Stored XSS
// `db` is an open sqlite3 Database with a comments(comment, ts) table
// (assumed; the slides do not show it being opened)
app.get('/xss', function (req, res) {
  db.all('SELECT comment FROM comments ORDER BY ts DESC', [], function(err, rows) {
    if (err) {
      return res.status(500).end(err.message);
    }
    // Stored comments are joined into the markup with no HTML encoding
    const comments = rows.map(r => r.comment).join('<br/>');
    const body =
      `<html lang="en">
      <body>
      How is DevConf.US so far?<br/>
      <form action="/xss" method="post">
      <input name="comment" type="text">&nbsp;<input type="submit">
      </form>
      <br/>
      Here's what others are saying:<br/>
      ${comments}
      </body>
      </html>`;
    res.send(body);
  });
});
Stored XSS (cont.)
app.post('/xss', function (req, res) {
  // Parameterised insert: no SQL injection here, the comment is stored
  // verbatim. The flaw is on output, where it is rendered without encoding.
  db.run('INSERT INTO comments(comment) VALUES (?)',
    [req.body.comment],
    function (err) {
      if (err) {
        console.log(err.message);
        return res.status(500).end();
      }
      // Redirect only once the row is in, so the following GET sees it
      res.writeHead(302, {
        'Location': 'xss'
      });
      res.end();
    });
});
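The slide's render function beside a hardened version of it. This is an added example, not the slides' code: an in-memory array stands in for the sqlite `comments` table, plain functions stand in for the Express handlers, and the attacker comment is constructed here, so it runs on a stock Node.js with no database.

```javascript
// Added example, not the slides' code: the stored-XSS render from the slide
// next to a hardened version. An in-memory array stands in for the sqlite
// `comments` table and plain functions stand in for Express handlers, so
// this runs on a stock Node.js with no database.

// Same markup as the slide, with the comment area as the only variable part.
function page(commentsHtml) {
  return `<html lang="en">
<body>
How is DevConf.US so far?<br/>
<form action="/xss" method="post">
<input name="comment" type="text">&nbsp;<input type="submit">
</form>
<br/>
Here's what others are saying:<br/>
${commentsHtml}
</body>
</html>`;
}

// Output encoding for the HTML text/attribute context: the five characters
// that can change meaning in markup. JavaScript strings, URLs and CSS are
// different contexts and need their own encoders.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Storing the raw comment is fine (the slide's parameterised INSERT already
// avoids SQL injection); the database is not an HTML context.
function addComment(store, comment) {
  store.push({ comment: String(comment), ts: store.length });
  return store;
}

// The slide's render: rows are interpolated verbatim, so markup in one
// comment becomes markup in every visitor's page.
function renderUnsafe(rows) {
  return page(rows.map((r) => r.comment).join('<br/>'));
}

// Hardened render: encode at the point where data meets markup.
function renderSafe(rows) {
  return page(rows.map((r) => escapeHtml(r.comment)).join('<br/>'));
}

// Defence in depth for the hardened response: a CSP without 'unsafe-inline'
// keeps an inline handler from running even if an encoding slip remains
// elsewhere on the page.
function safeResponseHeaders() {
  return {
    'Content-Type': 'text/html; charset=utf-8',
    'Content-Security-Policy':
      "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'none'",
    'X-Content-Type-Options': 'nosniff',
  };
}

// Constructed stored data: one friendly comment, one attacker comment.
const ATTACK = '<img src=x onerror="alert(document.cookie)">';
const ROWS = addComment(addComment([], 'Great talk!'), ATTACK);
```

The attacker comment is stored once and served to every later visitor, which is what makes this the stored (as opposed to reflected) variant. In a real application the encoding should come from a template engine that escapes by default (EJS `<%= %>`, Pug, Handlebars) rather than from a hand-written helper inside a template literal, and the CSP belongs on every HTML response, not just this one.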
Stored XSS - demo
Summary
https://thenounproject.com/term/brief/935656
Some useful links
• OWASP Top-10 Project: https://owasp.org/www-project-top-ten/
• Source code for the demos: https://github.com/mureinik/owasp-top10-demo
• curl, used throughout the demos: https://curl.haxx.se/
Questions?
https://thenounproject.com/term/questions/1195076/
Thank You
Contact
allon.mureinik@synopsys.com
@mureinik
https://www.linkedin.com/in/mureinik/

DevConf.US 2020 - OWASP Top -10 - Allon Mureinik
