SlideShare a Scribd company logo

Break it while you make it: writing (more) secure software

Download as ODP, PDF
Leigh Honeywell, profile picture
Leigh Honeywell

The document discusses core security principles for developers, including the three pillars of security (confidentiality, integrity, availability), common vulnerabilities like buffer overflows and injection flaws, security mindsets and architectures, and tools for testing applications. It provides an overview of the OWASP top 10 security risks and recommends resources for further learning about secure coding practices.

Technology
1 of 55
Downloaded 60 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
Break it while you make it writing (more) secure software Leigh Honeywell HackLab.to [email_address] http://twitter.com/hypatiadotca
About Me Co-Founder and Board Member of HackLab.TO
Advisor to the SecTor Security Conference
U of T student
Malware Operations Engineer at a major anti-virus vendor (who I am not speaking as a representative of)
Why I'm here To talk about the core security principles developers need to know
To get you thinking like the people who will try to break your app
To show some nifty tools
Maybe to scare you a little?
To get you breaking your own apps :)
#3hotsecurewords There are three core “pillars” of information security: Confidentiality
Integrity
Availability
Confidentiality Only allow access to data for which the user is permitted.
The user may not be permitted anything!
Sometimes called secrecy or privacy
There are real consequences for failing at this – PIPEDA, HIPAA, PCI-DSS, and various other acronyms.
Integrity Ensure data is not tampered with or altered by unauthorized users.
Availability Ensure systems and data are available to authorized users when they need it.
Without this, the others don't matter.
Anyone remember Friendster?
Vulnerabilities
Vulnerabilities A vulnerability is an error made in a program, causing unintended behavior of the program in a way that affects security negatively. FIRST defines a vulnerability as: “a bug, flaw, weakness, or exposure of an application, system, device, or service that could lead to a failure of confidentiality, integrity, or availability.”
Vulnerabilities Examples of vulnerabilities: Weak passwords
Insecure permissions
Directory traversal
Buffer overflows
Cross-site scripting and request forgery
Exploits
Exploits An exploit is a specific example of triggering a vulnerability. If the vulnerability is a missile, the exploit is the warhead.
Exploits Examples of exploits: Morris Worm Almost everything at http://www.milw0rm.com/ http://www.example.com/displayfile.php?../../../../etc/passwd
Exploits Easy way to think about it: If typing “ perl –e ‘print “A” x 10000; ” makes it crash, you’ve found a vulnerability If you end up with this, you’ve got a working exploit: bash-3.00# id uid=0(root) gid=0(wheel) groups=0(wheel), 2(kmem), 3(sys), 4(tty), 5(operator), 20(staff), 31(guest), 45(utmp)
The Security Mindset How many security features are there in a grocery store self-check-out?
How can you break each of them?
What did they forget to think of?
Bruce Schneier on the mindset: http://tinyurl.com/2sj365
The Security Mindset How many of you opened that tinyurl? What if I'd just dropped a Firefox 0-day on you?
I didn't, don't worry. That would get me fired.
This is why I suck at programming
Finding Balance “Not all "harmless failures" lead to big trouble, but it's surprising how often a clever adversary can pile up a stack of seemingly harmless failures into a dangerous tower of trouble. Harmless failures are bad hygiene. We try to stamp them out when we can.” – Ed Felten, Freedom to Tinker http://preview.tinyurl.com/c6ewzv
Security Architecture The OWASP Secure Coding Principles puts it thus: “ Security architecture starts on the day the business requirements are modeled, and never finish until the last copy of your application is decommissioned. Security is a life-long process, not a one shot accident.” http://www.owasp.org/index.php/Secure_Coding_Principles
Right from the Start When starting a new application or re-factoring an existing application, you should consider each functional feature, and consider: Is the process surrounding this feature as safe as possible? In other words, is this a flawed process?
If I were evil, how would I abuse this feature?
Is the feature required to be on by default? If so, are there limits or options that could help reduce the risk from this feature?
(also from OWASP)
Security in the Bones Software design, as well as implementation, must consider the three pillars of information security. Otherwise, you're going to fail.
10 Principles Minimize attack surface area Establish secure defaults Least privilege Defense in depth Fail securely Don’t trust services Separation of duties Avoid security through obscurity Keep security simple Fix security issues correctly The OWASP guide gives 10 principles for writing secure code:
10 Principles Minimize attack surface area
Give the attacker the absolute minimum possible to work with when trying to discover an attack. By reducing complexity of an application, the number of possible vulnerabilities is also reduced.
Establish secure defaults
If a variable level of security is desired, have the default be high, and leave it up to the user to make the decision to lower it. This prevents “out of the box” insecurities.
10 Principles Least privilege
Any component of a system should have only as much privilege as necessary to function properly. This is best known for permissions on user accounts, but also applies to software components.
Defense in depth
Adding on more security methods is a good thing, but they must approach the problem in different ways.

More Related Content

PPT
Survey Presentation About Application Security
Nicholas Davis
 
PPTX
Introduction to security testing
Nagasahas DS
 
PPTX
Explore Security Testing
shwetaupadhyay
 
PDF
OWASP Top 10 Project
Muhammad Shehata
 
PPTX
Security engineering 101 when good design & security work together
Wendy Knox Everette
 
PPTX
Security hole #5 application security science or quality assurance
Tjylen Veselyj
 
PPT
Web Application Security Testing
Marco Morana
 
PDF
Security-testing presentation
Ezhilan Elangovan (Eril)
 
Survey Presentation About Application Security
Nicholas Davis
 
Introduction to security testing
Nagasahas DS
 
Explore Security Testing
shwetaupadhyay
 
OWASP Top 10 Project
Muhammad Shehata
 
Security engineering 101 when good design & security work together
Wendy Knox Everette
 
Security hole #5 application security science or quality assurance
Tjylen Veselyj
 
Web Application Security Testing
Marco Morana
 
Security-testing presentation
Ezhilan Elangovan (Eril)
 

What's hot (20)

PPTX
Mobile security services 2012
Tjylen Veselyj
 
PPT
OWASP Serbia - A6 security misconfiguration
Nikola Milosevic
 
PDF
IT system security principles practices
gufranresearcher
 
PPTX
OWASP Khartoum - Top 10 A6 - 8th meeting - Security Misconfiguration
OWASP Khartoum
 
PPTX
AlienVault Brute Force Attacks- Keeping the Bots at Bay with AlienVault USM +...
AlienVault
 
PDF
Social Enterprise Rises! …and so are the Risks - DefCamp 2012
DefCamp
 
PPTX
Security misconfiguration
Micho Hayek
 
PDF
A5-Security misconfiguration-OWASP 2013
Sorina Chirilă
 
PDF
Unisys_AppDefender_Symantec_CFD_0_1_final
Koko Fontana
 
PPTX
Security misconfiguration
Jiri Danihelka
 
PDF
Axoss Web Application Penetration Testing Services
Bulent Buyukkahraman
 
PDF
Getting Started With Hacking Android & iOS Apps? Tools, Techniques and resources
OWASP Delhi
 
PPTX
App sec - code insecurity basics
Christopher Hamm
 
PDF
Owasp advanced mobile-application-code-review-techniques-v0.2
drewz lin
 
PPTX
Assess all the things
Jerod Brennen
 
PPT
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...
IBM Security
 
PDF
Developing a Threat Modeling Mindset
Robert Hurlbut
 
PPTX
Ethical Hacking & Penetration Testing
ecmee
 
PPTX
Application Threat Modeling
Rochester Security Summit
 
PPTX
A bug's life - Decoupled Drupal Security and Vulnerability Management
Balázs Tatár
 
Mobile security services 2012
Tjylen Veselyj
 
OWASP Serbia - A6 security misconfiguration
Nikola Milosevic
 
IT system security principles practices
gufranresearcher
 
OWASP Khartoum - Top 10 A6 - 8th meeting - Security Misconfiguration
OWASP Khartoum
 
AlienVault Brute Force Attacks- Keeping the Bots at Bay with AlienVault USM +...
AlienVault
 
Social Enterprise Rises! …and so are the Risks - DefCamp 2012
DefCamp
 
Security misconfiguration
Micho Hayek
 
A5-Security misconfiguration-OWASP 2013
Sorina Chirilă
 
Unisys_AppDefender_Symantec_CFD_0_1_final
Koko Fontana
 
Security misconfiguration
Jiri Danihelka
 
Axoss Web Application Penetration Testing Services
Bulent Buyukkahraman
 
Getting Started With Hacking Android & iOS Apps? Tools, Techniques and resources
OWASP Delhi
 
App sec - code insecurity basics
Christopher Hamm
 
Owasp advanced mobile-application-code-review-techniques-v0.2
drewz lin
 
Assess all the things
Jerod Brennen
 
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...
IBM Security
 
Developing a Threat Modeling Mindset
Robert Hurlbut
 
Ethical Hacking & Penetration Testing
ecmee
 
Application Threat Modeling
Rochester Security Summit
 
A bug's life - Decoupled Drupal Security and Vulnerability Management
Balázs Tatár
 
Ad

Viewers also liked (14)

PDF
Neira jones pci london january 2013 pdf ready
Neira Jones
 
PDF
RSA 2015 Realities of Private Cloud Security
Scott Carlson
 
PPTX
How to Make a Decent PowerPoint
Adam Fowler
 
PDF
Tactical Edge - How Much Security Do You Really Need?
Wendy Nather
 
PDF
Distributed Denial Of Service Introduction
wremes
 
PPTX
Just Trust Everyone and We Will Be Fine, Right?
Scott Carlson
 
PDF
AusCERT - Mikko Hypponen
Mikko Hypponen
 
PPTX
Yet Another Dan Kaminsky Talk (Black Ops 2014)
Dan Kaminsky
 
PDF
The InfoSec Avengers
Tripwire
 
PPTX
Security Configuration Management for Dummies
Tripwire
 
PDF
RDF and other linked data standards — how to make use of big localization data
Dave Lewis
 
PPTX
The RMF: New Emphasis on the Risk Management Framework for Government Organiz...
Tripwire
 
PPTX
Data security brian honan
Brian Honan
 
PPTX
The dark side of the internet
Brian Honan
 
Neira jones pci london january 2013 pdf ready
Neira Jones
 
RSA 2015 Realities of Private Cloud Security
Scott Carlson
 
How to Make a Decent PowerPoint
Adam Fowler
 
Tactical Edge - How Much Security Do You Really Need?
Wendy Nather
 
Distributed Denial Of Service Introduction
wremes
 
Just Trust Everyone and We Will Be Fine, Right?
Scott Carlson
 
AusCERT - Mikko Hypponen
Mikko Hypponen
 
Yet Another Dan Kaminsky Talk (Black Ops 2014)
Dan Kaminsky
 
The InfoSec Avengers
Tripwire
 
Security Configuration Management for Dummies
Tripwire
 
RDF and other linked data standards — how to make use of big localization data
Dave Lewis
 
The RMF: New Emphasis on the Risk Management Framework for Government Organiz...
Tripwire
 
Data security brian honan
Brian Honan
 
The dark side of the internet
Brian Honan
 
Ad

Similar to Break it while you make it: writing (more) secure software (20)

PPTX
Appsec2013 assurance tagging-robert martin
drewz lin
 
PPT
Top 10 Web Security Vulnerabilities (OWASP Top 10)
Brian Huff
 
PPT
Andrews whitakrer lecture18-security.ppt
SilverGold16
 
PPTX
Application Security Vulnerabilities: OWASP Top 10 -2007
Vaibhav Gupta
 
PPTX
Security Best Practices
Clint Edmonson
 
PDF
Drupal Security Basics for the DrupalJax January Meetup
Chris Hales
 
PPT
OWASP Top10 2010
Tommy Tracx Xaypanya
 
PDF
How to Secure Web Apps — A Web App Security Checklist
PixelCrayons
 
PDF
Secure coding guidelines
Zakaria SMAHI
 
PPTX
Secure programming with php
Mohmad Feroz
 
PDF
Best Practices for Developing Secure Web Applications
ScalaCode
 
PDF
Top 20 certified ethical hacker interview questions and answer
ShivamSharma909
 
PDF
Web Application Security 101
Cybersecurity Education and Research Centre
 
PPTX
OWASP Top 10 Vulnerabilities 2017- AppTrana
Ishan Mathur
 
PDF
OWASP Top 10 List Overview for Web Developers
Benjamin Floyd
 
PDF
Owasp Top 10-2013
n|u - The Open Security Community
 
PPTX
Web app security essentials
Rafał Hryniewski
 
PDF
Web Security: What's wrong, and how the bad guys can break your website
Andrew Sorensen
 
PDF
C01461422
IOSR Journals
 
PDF
8 Patterns For Continuous Code Security by Veracode CTO Chris Wysopal
Threat Stack
 
Appsec2013 assurance tagging-robert martin
drewz lin
 
Top 10 Web Security Vulnerabilities (OWASP Top 10)
Brian Huff
 
Andrews whitakrer lecture18-security.ppt
SilverGold16
 
Application Security Vulnerabilities: OWASP Top 10 -2007
Vaibhav Gupta
 
Security Best Practices
Clint Edmonson
 
Drupal Security Basics for the DrupalJax January Meetup
Chris Hales
 
OWASP Top10 2010
Tommy Tracx Xaypanya
 
How to Secure Web Apps — A Web App Security Checklist
PixelCrayons
 
Secure coding guidelines
Zakaria SMAHI
 
Secure programming with php
Mohmad Feroz
 
Best Practices for Developing Secure Web Applications
ScalaCode
 
Top 20 certified ethical hacker interview questions and answer
ShivamSharma909
 
Web Application Security 101
Cybersecurity Education and Research Centre
 
OWASP Top 10 Vulnerabilities 2017- AppTrana
Ishan Mathur
 
OWASP Top 10 List Overview for Web Developers
Benjamin Floyd
 
Owasp Top 10-2013
n|u - The Open Security Community
 
Web app security essentials
Rafał Hryniewski
 
Web Security: What's wrong, and how the bad guys can break your website
Andrew Sorensen
 
C01461422
IOSR Journals
 
8 Patterns For Continuous Code Security by Veracode CTO Chris Wysopal
Threat Stack
 

Recently uploaded (20)

PDF
gpt5_lecture_notes_comprehensive_20250812015547.pdf
Chinchu40
 
PDF
Advanced methodologies resolving dimensionality complications for autism neur...
IAESIJAI
 
PDF
Spectral efficient network and resource selection model in 5G networks
IAESIJAI
 
PDF
A comparative analysis of optical character recognition models for extracting...
IAESIJAI
 
PDF
Agricultural_Statistics_at_a_Glance_2022_0.pdf
SandeepSingh286037
 
PDF
MIND Revenue Release Quarter 2 2025 Press Release
MIND CTI
 
PPT
Teaching material agriculture food technology
LiaRayya
 
PDF
Network Security Unit 5.pdf for BCA BBA.
Serpent6
 
PPTX
OMC Textile Division Presentation 2021.pptx
JahangirAlam816069
 
PDF
Mobile App Security Testing_ A Comprehensive Guide.pdf
flufftailshop
 
PPTX
Machine Learning_overview_presentation.pptx
kondavamsidharreddy2
 
PDF
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
PDF
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
PPTX
SOPHOS-XG Firewall Administrator PPT.pptx
AgnesMunisi
 
PPTX
Programs and apps: productivity, graphics, security and other tools
4mqw9zch22
 
PPTX
TLE Review Electricity (Electricity).pptx
JayPolicarpio2
 
PDF
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
PDF
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
PDF
Profit Center Accounting in SAP S/4HANA, S4F28 Col11
Libreria ERP
 
PPTX
cloud_computing_Infrastucture_as_cloud_p
mainakbhattacharya20
 
gpt5_lecture_notes_comprehensive_20250812015547.pdf
Chinchu40
 
Advanced methodologies resolving dimensionality complications for autism neur...
IAESIJAI
 
Spectral efficient network and resource selection model in 5G networks
IAESIJAI
 
A comparative analysis of optical character recognition models for extracting...
IAESIJAI
 
Agricultural_Statistics_at_a_Glance_2022_0.pdf
SandeepSingh286037
 
MIND Revenue Release Quarter 2 2025 Press Release
MIND CTI
 
Teaching material agriculture food technology
LiaRayya
 
Network Security Unit 5.pdf for BCA BBA.
Serpent6
 
OMC Textile Division Presentation 2021.pptx
JahangirAlam816069
 
Mobile App Security Testing_ A Comprehensive Guide.pdf
flufftailshop
 
Machine Learning_overview_presentation.pptx
kondavamsidharreddy2
 
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
SOPHOS-XG Firewall Administrator PPT.pptx
AgnesMunisi
 
Programs and apps: productivity, graphics, security and other tools
4mqw9zch22
 
TLE Review Electricity (Electricity).pptx
JayPolicarpio2
 
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
Profit Center Accounting in SAP S/4HANA, S4F28 Col11
Libreria ERP
 
cloud_computing_Infrastucture_as_cloud_p
mainakbhattacharya20
 

Break it while you make it: writing (more) secure software

  • 1. Break it while you make it writing (more) secure software Leigh Honeywell HackLab.to [email_address] http://twitter.com/hypatiadotca
  • 2. About Me Co-Founder and Board Member of HackLab.TO
  • 3. Advisor to the SecTor Security Conference
  • 4. U of T student
  • 5. Malware Operations Engineer at a major anti-virus vendor (who I am not speaking as a representative of)
  • 6. Why I'm here To talk about the core security principles developers need to know
  • 7. To get you thinking like the people who will try to break your app
  • 8. To show some nifty tools
  • 9. Maybe to scare you a little?
  • 10. To get you breaking your own apps :)
  • 11. #3hotsecurewords There are three core “pillars” of information security: Confidentiality
  • 14. Confidentiality Only allow access to data for which the user is permitted.
  • 15. The user may not be permitted anything!
  • 16. Sometimes called secrecy or privacy
  • 17. There are real consequences for failing at this – PIPEDA, HIPAA, PCI-DSS, and various other acronyms.
  • 18. Integrity Ensure data is not tampered with or altered by unauthorized users.
  • 19. Availability Ensure systems and data are available to authorized users when they need it.
  • 20. Without this, the others don't matter.
  • 23. Vulnerabilities A vulnerability is an error made in a program, causing unintended behavior of the program in a way that affects security negatively. FIRST defines a vulnerability as: “a bug, flaw, weakness, or exposure of an application, system, device, or service that could lead to a failure of confidentiality, integrity, or availability.”
  • 24. Vulnerabilities Examples of vulnerabilities: Weak passwords
  • 28. Cross-site scripting and request forgery
  • 30. Exploits An exploit is a specific example of triggering a vulnerability. If the vulnerability is a missile, the exploit is the warhead.
  • 31. Exploits Examples of exploits: Morris Worm Almost everything at http://www.milw0rm.com/ http://www.example.com/displayfile.php?../../../../etc/passwd
  • 32. Exploits Easy way to think about it: If typing “ perl –e ‘print “A” x 10000; ” makes it crash, you’ve found a vulnerability If you end up with this, you’ve got a working exploit: bash-3.00# id uid=0(root) gid=0(wheel) groups=0(wheel), 2(kmem), 3(sys), 4(tty), 5(operator), 20(staff), 31(guest), 45(utmp)
  • 33. The Security Mindset How many security features are there in a grocery store self-check-out?
  • 34. How can you break each of them?
  • 35. What did they forget to think of?
  • 36. Bruce Schneier on the mindset: http://tinyurl.com/2sj365
  • 37. The Security Mindset How many of you opened that tinyurl? What if I'd just dropped a Firefox 0-day on you?
  • 38. I didn't, don't worry. That would get me fired.
  • 39. This is why I suck at programming
  • 40. Finding Balance “Not all "harmless failures" lead to big trouble, but it's surprising how often a clever adversary can pile up a stack of seemingly harmless failures into a dangerous tower of trouble. Harmless failures are bad hygiene. We try to stamp them out when we can.” – Ed Felten, Freedom to Tinker http://preview.tinyurl.com/c6ewzv
  • 41. Security Architecture The OWASP Secure Coding Principles puts it thus: “ Security architecture starts on the day the business requirements are modeled, and never finish until the last copy of your application is decommissioned. Security is a life-long process, not a one shot accident.” http://www.owasp.org/index.php/Secure_Coding_Principles
  • 42. Right from the Start When starting a new application or re-factoring an existing application, you should consider each functional feature, and consider: Is the process surrounding this feature as safe as possible? In other words, is this a flawed process?
  • 43. If I were evil, how would I abuse this feature?
  • 44. Is the feature required to be on by default? If so, are there limits or options that could help reduce the risk from this feature?
  • 46. Security in the Bones Software design, as well as implementation, must consider the three pillars of information security. Otherwise, you're going to fail.
  • 47. 10 Principles Minimize attack surface area Establish secure defaults Least privilege Defense in depth Fail securely Don’t trust services Separation of duties Avoid security through obscurity Keep security simple Fix security issues correctly The OWASP guide gives 10 principles for writing secure code:
  • 48. 10 Principles Minimize attack surface area
  • 49. Give the attacker the absolute minimum possible to work with when trying to discover an attack. By reducing complexity of an application, the number of possible vulnerabilities is also reduced.
  • 51. If a variable level of security is desired, have the default be high, and leave it up to the user to make the decision to lower it. This prevents “out of the box” insecurities.
  • 52. 10 Principles Least privilege
  • 53. Any component of a system should have only as much privilege as necessary to function properly. This is best known for permissions on user accounts, but also applies to software components.
  • 55. Adding on more security methods is a good thing, but they must approach the problem in different ways.
  • 57. 10 Principles Fail securely
  • 58. A system should be designed with the idea of failing securely in mind. At any point, if something goes wrong, the system should not be left in a less secure state.
  • 60. Even if external data is coming from a trustworthy source, give it the same level of validation as any input that isn’t trusted.
  • 62. System roles should be considered when giving out privileges. Administrators of a system generally aren’t also users; while some super-user privileges may be needed to run the system, administrators don’t necessarily need the ability to do anything.
  • 64. Security through obscurity isn’t real security. Use Kerckhoff’s assumption: the attacker knows all of the details as to how the system works.
  • 65. 10 Principles Keep security simple
  • 66. Simple things are harder to break. The least complex solution which achieves a goal is probably the better solution.
  • 67. Fix security issues correctly
  • 68. Any problem that is being fixed needs to be treated as an actual problem, and not a symptom. The fix must go through the entire security process the same as new code; a fix isn’t a real fix if it introduces new problems.
  • 69. Fix Security Issues Correctly It was in the news again days later, when it turned out the fix wasn't a fix.
  • 71. C? C++? Buffer Overflows (stack and heap)
  • 72. Read this, it's ancient but seminal: http://insecure.org/stf/smashstack.html
  • 80. Don't turn off Valgrind unless you know what you're doing (o hai OpenSSL)
  • 81. Another OWASP List! Top Ten Most Critical Web Application Security Vulnerabilities 2007 Version
  • 82. A1 – Cross Site Scripting (XSS) XSS flaws occur whenever an application takes user supplied data and sends it to a web browser without first validating or encoding that content. XSS allows attackers to execute script in the victim’s browser which can hijack user sessions, deface web sites, possibly introduce worms, etc.
  • 83. A1 – Cross Site Scripting (XSS) <script>window.alert(&quot;meow&quot;)</script>
  • 84. A1 – Cross Site Scripting (XSS)
  • 85. A2 – Injection Flaws Injection flaws, particularly SQL injection, are common in web applications. Injection occurs when user-supplied data is sent to an interpreter as part of a command or query. The attacker’s hostile data tricks the interpreter into executing unintended commands or changing data.
  • 87. A3 - Malicious File Execution Code vulnerable to remote file inclusion (RFI) allows attackers to include hostile code and data, resulting in devastating attacks, such as total server compromise. Malicious file execution attacks affect PHP, XML and any framework which accepts filenames or files from users.
  • 88. A4 - Insecure Direct Object Reference A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, database record, or key, as a URL or form parameter. Attackers can manipulate those references to access other objects without authorization.
  • 89. A5 - Cross Site Request Forgery (CSRF) A CSRF attack forces a logged-on victim's browser to send a pre-authenticated request to a vulnerable web application, which then forces the victim's browser to perform a hostile action to the benefit of the attacker. CSRF can be as powerful as the web application that it attacks.
  • 90. A6 - Information Leakage and Improper Error Handling Applications can unintentionally leak information about their configuration, internal workings, or violate privacy through a variety of application problems. Attackers use this weakness to steal sensitive data, or conduct more serious attacks.
  • 91. A6 - Information Leakage and Improper Error Handling http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project
  • 92. A7 - Broken Authentication and Session Management Account credentials and session tokens are often not properly protected. Attackers compromise passwords, keys, or authentication tokens to assume other users' identities.
  • 93. A8 - Insecure Cryptographic Storage Web applications rarely use cryptographic functions properly to protect data and credentials. Attackers use weakly protected data to conduct identity theft and other crimes, such as credit card fraud.
  • 94. A9 - Insecure Communications Applications frequently fail to encrypt network traffic when it is necessary to protect sensitive communications.
  • 95. A9 - Insecure Communications
  • 96. A10 - Failure to Restrict URL Access Frequently, an application only protects sensitive functionality by preventing the display of links or URLs to unauthorized users. Attackers can use this weakness to access and perform unauthorized operations by accessing those URLs directly.
  • 98. Do some learning http://www.owasp.org/index.php/Category:OWASP_WebGoat_Project
  • 99. I can't speak highly enough of this project
  • 101. Foundstone teaching tools (the “HacMe” series, in a variety of languages)
  • 103. The Hacker Media archive – decades / terabytes worth of Defcon and other talks.
  • 104. Local AppSec Resources TASK - http://task.to , security user group
  • 105. OWASP Toronto Chapter - http://www.owasp.org/index.php/Toronto
  • 106. SECtor Security Conference - http://sector.ca , October 5-7
  • 107. HackLabTO - http://hacklab.to , free workshops and classes starting this spring
  • 108. Further Reading And just about everything on http://www.owasp.org Writing Secure Code, 2nd Edition: Michael Howard and David LeBlanc, Microsoft Press (2003) Hacking: The Art Of Exploitation, 2nd Edition: Jon Erickson, No Starch Press (2008)
  • 109. Thanks My coworker Seth Hardy, whose appsec notes I built on
  • 110. SecurityCompass for making awesome tools
  • 111. OWASP for being such a great resource
  • 112. Remember one thing! Never trust user-supplied data. Any Questions?