
2018 Orlando Code Camp Application Security

A presentation on raising awareness around application security

Published in: Technology

  1. A Boy, A Sugar Glider and the TSA. Brian Clark @_clarkio. Credit: https://www.flickr.com/photos/pitmanra/
  2. The Story. Credit: https://www.flickr.com/photos/pitmanra/
  3. Credit: https://www.flickr.com/photos/diamondtdesign/
  4. Credit: https://www.flickr.com/photos/25802865@N08/
  5. Credit: https://www.flickr.com/photos/lostintexas/
  6. Credit: https://www.flickr.com/photos/muar_chee/
  7. Browser (http://insecureheroes.com) | Server (http://insecureheroes.com)
  8. Browser (http://insecureheroes.com) | Server (http://insecureheroes.com)
  9. Browser (http://insecureheroes.com) | Server (http://insecureheroes.com)
  10. Browser (http://insecureheroes.com), Cookies | Server (http://insecureheroes.com)
  11. Browser (http://insecureheroes.com), Cookies | Server (http://insecureheroes.com). Hero: Luke
  12. Browser (http://insecureheroes.com), Cookies | Server (http://insecureheroes.com). http://clickbaity.co
  13. Browser (http://insecureheroes.com), Cookies | Server (http://insecureheroes.com). http://attacker.com: Attack insecureheroes.com. Hero: Darth
  14. Cross-site Request Forgery: an attack that executes a request on behalf of another authenticated user who did not intend to perform the requested action
  15. Synchronizer Token Pattern: random token; unique to user and session; part of the request header; validated server-side
  16. https://www.npmjs.com/package/csurf
  17. https://angular.io/guide/http#security-xsrf-protection
  18. https://caniuse.com/#search=samesite
  19. Credit: https://www.flickr.com/photos/hyku/
  20. Credit: https://www.flickr.com/photos/hdport/
  21. Credit: https://www.flickr.com/photos/27229185@N05/
  22. Cross-site Scripting (XSS): an attack that injects malicious code into a trusted web site such that it may be executed unintentionally by other users
  23. Prevention. Content Security Policy: control what resources the browser is allowed to load. Input Handling: ensure data is aligned with the expectations for its intended use
  24. Input Handling
  25. Input Handling: Validation, Sanitization, Escaping
  26. Validation: ensure the data is legit. Result: Invalid Email
  27. Sanitization: clean the bad data. Result: BC
  28. Escaping: encode the bad data. Result: B<script>alert(1);</script>C
  29. Do not trust user input
  30. Where should we apply input handlers?
  31. Where should we apply input handlers? Client? Server?
  32. Browser (http://insecureheroes.com) | Security Boundary | Server (http://insecureheroes.com)
  33. Browser (http://insecureheroes.com): Untrusted | Security Boundary | Server (http://insecureheroes.com)
  34. Browser (http://insecureheroes.com) | Security Boundary | Server (http://insecureheroes.com): Trusted
  35. Both
  36. https://angular.io/guide/security
  37. https://angular.io/guide/security
  38. https://www.npmjs.com/package/express-validator
  39. https://www.npmjs.com/package/xss-filters
  40. Summary: Access Control, Malicious Input, Sugar Gliders, Faking Requests
  41. References: https://owasp.org ; https://github.com/Azure-Samples/angular-cosmosdb (branch: insecure-heroes) ; https://angular.io/guide/security ; https://www.npmjs.com/package/csurf ; https://angular.io/guide/http#security-xsrf-protection ; https://caniuse.com/#search=samesite
  42. Brian Clark @_clarkio. Thank You!
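Slides 25 to 28 contrast validation, sanitization and escaping as three distinct ways of handling untrusted input. The following is an added example, not code from the talk or its insecure-heroes sample project, that implements each strategy in plain Node.js and runs it over the slides' sample inputs; the email pattern and the tag-stripping rules are simplifications assumed here for illustration.

```javascript
// Added example: the three input-handling strategies from the deck,
// applied to the slides' own sample inputs. Not code from the talk.

// Validation: ensure the data is legit. The shape check is a deliberately
// simple email pattern (an assumption here, not a full RFC 5322 parser).
function validateEmail(input) {
  const email = String(input).trim();
  const ok = /^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(email);
  return ok ? { valid: true, value: email } : { valid: false, error: 'Invalid Email' };
}

// Sanitization: clean the bad data. Script and style elements are removed
// together with their contents, then any remaining tag is stripped.
// Regex-based stripping is easy to get wrong; in production prefer a
// maintained library such as the xss-filters package the deck references.
function sanitizeHtml(input) {
  return String(input)
    .replace(/<(script|style)\b[^>]*>[\s\S]*?<\/\1\s*>/gi, '')
    .replace(/<[^>]*>/g, '');
}

// Escaping: encode the bad data so the browser renders it as text rather
// than interpreting it as markup. This table covers the HTML body context;
// attribute, JavaScript and URL contexts each need their own encoding.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(input) {
  return String(input).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Applies all three to one value so the results can be compared side by side.
function handleInput(input) {
  return {
    validation: validateEmail(input),
    sanitized: sanitizeHtml(input),
    escaped: escapeHtml(input),
  };
}

// Constructed sample inputs mirroring the slides (the email address is made up).
const samples = ['not-an-email', 'B<script>alert(1);</script>C', 'hero@example.com'];
for (const s of samples) {
  console.log(JSON.stringify(s), '->', JSON.stringify(handleInput(s)));
}
```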
