Abstract image of a woman sitting on books and studying on a laptop

Tech IT Easy x DevTalk : "Secure Your Coding with OWASP"

Download as PPTX, PDF
A
Andi Rustandi Djunaedi

The document discusses secure coding practices, focusing on web application vulnerabilities highlighted by the OWASP Top 10 list, including SQL injection and session fixation. It emphasizes the importance of addressing both security and performance issues, along with practical exercises to understand and mitigate these vulnerabilities. Additionally, the document includes resources for further exploration and suggests measures to prevent exploitation of these vulnerabilities.

Technology
Related topics:
Web Application Security
1 of 12
Download to read offline
1
2
3
4
5
6
7
8
9
10
11
12
Secure Coding the bare minimum – understand the problem
Introduction • Andi R Djunaedi • Software Engineer at blibli.com since March 2014 • https://www.linkedin.com/in/andird • https://github.com/andirdju • https://github.com/bliblidotcom
Overview – understand the problem • Theory • Code • Web application -> we’ll talk about this • Operating System • Network • Other? • Importance • Practice, get your laptop, pc or whatever • How it works
Theory - Code • Web Applications • OWASP Top 10 List - new list every 3 years • https://www.owasp.org/index.php/Top_10_2013-Top_10 • https://www.owasp.org/index.php/Top_10_2010-Main • Top 3 - Samples • SQL Injection • Arbitrary SQL query execution • Session Fixation • Assume other’s Identity • Cross Site Scripting • Arbitrary client code (javascript, html) execution
Importance – Non Security • Performance • poor user experience • redesign, refactor, make it faster • Code coverage • buggy, spent more time on fixing bug • stop the leak • When • next iteration
Importance – Security • How to fix security incidents ??? • Personal/Financial data stolen • Data deleted • When • NOW !!!
Practice – Understand the problem • Run bad web app • OWASP Top 3 Sample • SQL Injection • Session Fixation • Cross Site Scripting • Exercise
Run – web app • Git, Jdk 8, Maven • https://github.com/bliblidotcom/sample-basic-secure-coding • In memory H2 database • Embedded server • mvn spring-boot:run • http://localhost:8080
Get your laptop – SQL Injection • Demo – Valid use case is only find one record by id • Read all records • Insert new records • Delete all records
Get your laptop – Session Fixation • Demo - session info only known to the user • Bad person(A) create new session • Persuade unsuspecting person(B) via phishing • Bad person(A) get session information of other person(B)
Get your laptop – Cross Site Scripting • Demo – valid use case only displays list of data • Can be done via the same SQL injection • Html • Add html form • Javascript • Add pop up • Add redirect
What’s Next • Crack the other API • it have similar problems • Fix the exploit • Don’t repeat yourself by creating custom solutions • SQL named parameter • Regenerate session id • Content escaping

More Related Content

PPTX
Node.js Dublin Meetup April 2014
Damian Beresford
 
PDF
Penny coventry fiddler-spsbe23
BIWUG
 
PPTX
SenchaCon 2016: Being Productive with the New Sencha Fiddle - Mitchell Simoens
Sencha
 
PPTX
Getting Started with ASP.NET 5
Brij Mishra
 
PPTX
Building rest services using aspnetwebapi
Brij Mishra
 
PPTX
10 tips to make your ASP.NET Apps Faster
Brij Mishra
 
PPTX
Writing power shell the right tool for the job
Jaap Brasser
 
PDF
Apply chat automation today - work smarter tomorrow
Jaap Brasser
 
Node.js Dublin Meetup April 2014
Damian Beresford
 
Penny coventry fiddler-spsbe23
BIWUG
 
SenchaCon 2016: Being Productive with the New Sencha Fiddle - Mitchell Simoens
Sencha
 
Getting Started with ASP.NET 5
Brij Mishra
 
Building rest services using aspnetwebapi
Brij Mishra
 
10 tips to make your ASP.NET Apps Faster
Brij Mishra
 
Writing power shell the right tool for the job
Jaap Brasser
 
Apply chat automation today - work smarter tomorrow
Jaap Brasser
 

What's hot (20)

PDF
CrossWorlds: Unleash the Power of Domino for Connections Development
LetsConnect
 
PPTX
SenchaCon 2016: Turbocharge your Ext JS App - Per Minborg, Anselm McClain, Jo...
Sencha
 
PDF
O365Con19 - Sharing Code Efficiently in your Organisation - Elio Struyf
NCCOMMS
 
PDF
Secure your environment by automation
Jaap Brasser
 
PDF
Automating security with PowerShell
Jaap Brasser
 
PDF
Paint it blue with PowerShell
Jaap Brasser
 
PDF
TDD a REST API With Node.js and MongoDB
Valeri Karpov
 
PDF
Apply chat automation today - work smarter tomorrow
Jaap Brasser
 
PPTX
Building your own JEA Configuration
Jaap Brasser
 
PDF
Manage your infrastructure with PowerShell
Jaap Brasser
 
PDF
Reach the next level with PowerShell
Jaap Brasser
 
PPTX
Saving Time By Testing With Jest
Ben McCormick
 
PPTX
SPSNL17 - Getting started with SharePoint development for the reluctant IT Pr...
DIWUG
 
PDF
Chat automation in a Modern IT environment
Jaap Brasser
 
PPT
Next generation frontend tooling
pksjce
 
PPTX
Code review and security audit in private cloud - Arief Karfianto
idsecconf
 
PDF
Planidoo & Zotonic
David de Boer
 
PPTX
Design for scale
Doug Lampe
 
PPTX
Porting ASP.NET applications to Windows Azure
Gunnar Peipman
 
PPTX
From zero to hero – learn how to automate from the gui
Jaap Brasser
 
CrossWorlds: Unleash the Power of Domino for Connections Development
LetsConnect
 
SenchaCon 2016: Turbocharge your Ext JS App - Per Minborg, Anselm McClain, Jo...
Sencha
 
O365Con19 - Sharing Code Efficiently in your Organisation - Elio Struyf
NCCOMMS
 
Secure your environment by automation
Jaap Brasser
 
Automating security with PowerShell
Jaap Brasser
 
Paint it blue with PowerShell
Jaap Brasser
 
TDD a REST API With Node.js and MongoDB
Valeri Karpov
 
Apply chat automation today - work smarter tomorrow
Jaap Brasser
 
Building your own JEA Configuration
Jaap Brasser
 
Manage your infrastructure with PowerShell
Jaap Brasser
 
Reach the next level with PowerShell
Jaap Brasser
 
Saving Time By Testing With Jest
Ben McCormick
 
SPSNL17 - Getting started with SharePoint development for the reluctant IT Pr...
DIWUG
 
Chat automation in a Modern IT environment
Jaap Brasser
 
Next generation frontend tooling
pksjce
 
Code review and security audit in private cloud - Arief Karfianto
idsecconf
 
Planidoo & Zotonic
David de Boer
 
Design for scale
Doug Lampe
 
Porting ASP.NET applications to Windows Azure
Gunnar Peipman
 
From zero to hero – learn how to automate from the gui
Jaap Brasser
 
Ad

Similar to Tech IT Easy x DevTalk : "Secure Your Coding with OWASP" (20)

KEY
Android lessons you won't learn in school
Michael Galpin
 
PPTX
Debugging the Web with Fiddler
Ido Flatow
 
PDF
Infinum Android Talks #13 - Developing Android Apps Like Navy Seals by Ivan Kušt
Infinum
 
PPTX
Introduction to cypress in Angular (Chinese)
Hong Tat Yew
 
PPTX
External JavaScript Widget Development Best Practices (updated) (v.1.1)
Volkan Özçelik
 
PDF
The Python in the Apple
zeroSteiner
 
PDF
Practical solutions for connections administrators lite
Sharon James
 
PDF
Do you lose sleep at night?
Nathan Van Gheem
 
PPT
OpenShift Origin: Build a PaaS Just Like Red Hats
Mark Atwood
 
PDF
Building RESTful APIs
Silota Inc.
 
PPT
Node and Azure
Jason Gerard
 
PPTX
External JavaScript Widget Development Best Practices
Volkan Özçelik
 
PPTX
Java scriptwidgetdevelopmentjstanbul2012
Volkan Özçelik
 
PPTX
Creating a Documentation Portal
Steve Anderson
 
PDF
How to Contribute to Apache Usergrid
David M. Johnson
 
PDF
MEAN Stack WeNode Barcelona Workshop
Valeri Karpov
 
PPTX
OpenIDM - Flexible Provisioning Platform - April 28 Webinar
ForgeRock
 
PDF
Extending WordPress as a pro
Marko Heijnen
 
PPTX
Highlights from microsoft ignite 2015
Kim Frehe
 
PDF
Node.js to the rescue
Marko Heijnen
 
Android lessons you won't learn in school
Michael Galpin
 
Debugging the Web with Fiddler
Ido Flatow
 
Infinum Android Talks #13 - Developing Android Apps Like Navy Seals by Ivan Kušt
Infinum
 
Introduction to cypress in Angular (Chinese)
Hong Tat Yew
 
External JavaScript Widget Development Best Practices (updated) (v.1.1)
Volkan Özçelik
 
The Python in the Apple
zeroSteiner
 
Practical solutions for connections administrators lite
Sharon James
 
Do you lose sleep at night?
Nathan Van Gheem
 
OpenShift Origin: Build a PaaS Just Like Red Hats
Mark Atwood
 
Building RESTful APIs
Silota Inc.
 
Node and Azure
Jason Gerard
 
External JavaScript Widget Development Best Practices
Volkan Özçelik
 
Java scriptwidgetdevelopmentjstanbul2012
Volkan Özçelik
 
Creating a Documentation Portal
Steve Anderson
 
How to Contribute to Apache Usergrid
David M. Johnson
 
MEAN Stack WeNode Barcelona Workshop
Valeri Karpov
 
OpenIDM - Flexible Provisioning Platform - April 28 Webinar
ForgeRock
 
Extending WordPress as a pro
Marko Heijnen
 
Highlights from microsoft ignite 2015
Kim Frehe
 
Node.js to the rescue
Marko Heijnen
 
Ad

Recently uploaded (20)

PDF
Getting started with AI Agents and Multi-Agent Systems
Maxim Salnikov
 
PDF
A comparative study of natural language inference in Swahili using monolingua...
IAESIJAI
 
PDF
A contest of sentiment analysis: k-nearest neighbor versus neural network
IAESIJAI
 
PDF
sbt 2.0: go big (Scala Days 2025 edition)
Eugene Yokota
 
PDF
ENT215_Completing-a-large-scale-migration-and-modernization-with-AWS.pdf
ssuser28425f
 
PDF
Abstractive summarization using multilingual text-to-text transfer transforme...
IAESIJAI
 
PDF
A proposed approach for plagiarism detection in Myanmar Unicode text
IAESIJAI
 
PDF
Convolutional neural network based encoder-decoder for efficient real-time ob...
IAESIJAI
 
PPTX
AI IN MARKETING- PRESENTED BY ANWAR KABIR 1st June 2025.pptx
HiraJay1
 
PPTX
Benefits of Physical activity for teenagers.pptx
Nokwanda Thabethe
 
PDF
How ambidextrous entrepreneurial leaders react to the artificial intelligence...
IAESIJAI
 
PDF
The influence of sentiment analysis in enhancing early warning system model f...
IAESIJAI
 
PDF
A review of recent deep learning applications in wood surface defect identifi...
IAESIJAI
 
PDF
sustainability-14-14877-v2.pddhzftheheeeee
VenkateshGovindaraja9
 
PDF
From MVP to Full-Scale Product A Startup’s Software Journey.pdf
KodekX
 
PDF
Consumable AI The What, Why & How for Small Teams.pdf
Vivek Sai
 
PDF
Zenith AI: Advanced Artificial Intelligence
Biz Preneurs
 
PDF
Two-dimensional Klein-Gordon and Sine-Gordon numerical solutions based on dee...
IAESIJAI
 
PDF
Five Habits of High-Impact Board Members
OnBoard
 
PDF
1 - Historical Antecedents, Social Consideration.pdf
tuazon2030627
 
Getting started with AI Agents and Multi-Agent Systems
Maxim Salnikov
 
A comparative study of natural language inference in Swahili using monolingua...
IAESIJAI
 
A contest of sentiment analysis: k-nearest neighbor versus neural network
IAESIJAI
 
sbt 2.0: go big (Scala Days 2025 edition)
Eugene Yokota
 
ENT215_Completing-a-large-scale-migration-and-modernization-with-AWS.pdf
ssuser28425f
 
Abstractive summarization using multilingual text-to-text transfer transforme...
IAESIJAI
 
A proposed approach for plagiarism detection in Myanmar Unicode text
IAESIJAI
 
Convolutional neural network based encoder-decoder for efficient real-time ob...
IAESIJAI
 
AI IN MARKETING- PRESENTED BY ANWAR KABIR 1st June 2025.pptx
HiraJay1
 
Benefits of Physical activity for teenagers.pptx
Nokwanda Thabethe
 
How ambidextrous entrepreneurial leaders react to the artificial intelligence...
IAESIJAI
 
The influence of sentiment analysis in enhancing early warning system model f...
IAESIJAI
 
A review of recent deep learning applications in wood surface defect identifi...
IAESIJAI
 
sustainability-14-14877-v2.pddhzftheheeeee
VenkateshGovindaraja9
 
From MVP to Full-Scale Product A Startup’s Software Journey.pdf
KodekX
 
Consumable AI The What, Why & How for Small Teams.pdf
Vivek Sai
 
Zenith AI: Advanced Artificial Intelligence
Biz Preneurs
 
Two-dimensional Klein-Gordon and Sine-Gordon numerical solutions based on dee...
IAESIJAI
 
Five Habits of High-Impact Board Members
OnBoard
 
1 - Historical Antecedents, Social Consideration.pdf
tuazon2030627
 

Tech IT Easy x DevTalk : "Secure Your Coding with OWASP"

  • 1. Secure Coding the bare minimum – understand the problem
  • 2. Introduction • Andi R Djunaedi • Software Engineer at blibli.com since March 2014 • https://www.linkedin.com/in/andird • https://github.com/andirdju • https://github.com/bliblidotcom
  • 3. Overview – understand the problem • Theory • Code • Web application -> we’ll talk about this • Operating System • Network • Other? • Importance • Practice, get your laptop, pc or whatever • How it works
  • 4. Theory - Code • Web Applications • OWASP Top 10 List - new list every 3 years • https://www.owasp.org/index.php/Top_10_2013-Top_10 • https://www.owasp.org/index.php/Top_10_2010-Main • Top 3 - Samples • SQL Injection • Arbitrary SQL query execution • Session Fixation • Assume other’s Identity • Cross Site Scripting • Arbitrary client code (javascript, html) execution
  • 5. Importance – Non Security • Performance • poor user experience • redesign, refactor, make it faster • Code coverage • buggy, spent more time on fixing bug • stop the leak • When • next iteration
  • 6. Importance – Security • How to fix security incidents ??? • Personal/Financial data stolen • Data deleted • When • NOW !!!
  • 7. Practice – Understand the problem • Run bad web app • OWASP Top 3 Sample • SQL Injection • Session Fixation • Cross Site Scripting • Exercise
  • 8. Run – web app • Git, Jdk 8, Maven • https://github.com/bliblidotcom/sample-basic-secure-coding • In memory H2 database • Embedded server • mvn spring-boot:run • http://localhost:8080
  • 9. Get your laptop – SQL Injection • Demo – Valid use case is only find one record by id • Read all records • Insert new records • Delete all records
  • 10. Get your laptop – Session Fixation • Demo - session info only known to the user • Bad person(A) create new session • Persuade unsuspecting person(B) via phishing • Bad person(A) get session information of other person(B)
  • 11. Get your laptop – Cross Site Scripting • Demo – valid use case only displays list of data • Can be done via the same SQL injection • Html • Add html form • Javascript • Add pop up • Add redirect
  • 12. What’s Next • Crack the other API • it have similar problems • Fix the exploit • Don’t repeat yourself by creating custom solutions • SQL named parameter • Regenerate session id • Content escaping