SlideShare une entreprise Scribd logo

Is your python application secure? - PyCon Canada - 2015-11-07

Frédéric Harper
Frédéric Harper

In today’s world, it's easier than ever to innovate and create great web applications. You release often, but let’s be honest, if you're like most developers out there, you don't spend your days worrying about security. You know it’s important, but you aren’t security savvy. So ask yourself, is your Python application secure? Come learn some of the different ways a hacker (cracker) can attack your code, and some of the best practices out there. In the end, your security is your users’ security.

Technologie
1  sur  43
Télécharger pour lire hors ligne
Is your Python application secure? Frédéric Harper @fharper http://immun.io Sr. Technical Evangelist @ IMMUNIO Pycon Canada – 2015-11-07 CreativeCommons:https://flic.kr/p/34T4Z
is security important? Creative Commons: https://flic.kr/p/s8hvJo
do you have time? CreativeCommons:https://flic.kr/p/b7wRTX
do you have the expertise? Creative Commons: https://flic.kr/p/n7qDvJ
do you have the money? Creative Commons: https://flic.kr/p/rAG5dm
is your app that secure? CreativeCommons:https://flic.kr/p/bY6uU7
what about legacy apps? Creative Commons: https://flic.kr/p/7fFQug
it’s probably happening, now Creative Commons: https://flic.kr/p/acnkbU
...
warning Creative Commons: https://flic.kr/p/oosB
I succeed if… Creative Commons: https://flic.kr/p/ehZRGj
mess with the best die like the rest
SQL injection vulnerabilities allow attackers to modify the structure of SQL queries in ways that allow for data exfiltration or manipulation of existing data. SQL Injection (SQLi)
MIT: http://j.mp/1kKuced no password require
Cross-Site Scripting (XSS) vulnerabilities allow attackers to run arbitrary code on your pages in your customers' browsers. §  Hijack of legitimate user sessions §  Disclosure of sensitive information §  Access to privileged services and functionality §  Delivery of malware and browser exploits from our trusted domain Cross-Site Scripting
MIT: http://j.mp/1kKuced Search or not
Remote Command Execution vulnerabilities allow attackers to run arbitrary code on your servers. There are two classes of Remote Command Execution: 1.  Shell Command Execution 2.  Eval Execution. Remote Command Execution
•  Brute force •  Common username •  Cookie tampering •  CSRF tampering •  Excessive 4XX & 5XX •  HTTP method tampering •  HTTP response splitting •  Redirect •  Session farming •  Session hijack •  Stolen account •  Shellshock •  Suspicious Exception •  Suspicious HTTP header •  Unauthorized file access •  Username hijack …
follow the white rabbit
anything from users is unsafe Creative Commons: https://flic.kr/p/m2BKPn
cp = subprocess.Popen(['ls', '-l'], shell=True) # disables shell based features (like no pipe) cp= subprocess.Popen(['ls', '-l’) filename = 'somefile; rm -rf ~’ command = 'ls -l {}'.format(filename) print(command) # noooooooooo >>> ls -l somefile; rm -rf ~ filename = 'somefile; rm -rf ~’ command = 'ls -l {}'.format(quote(filename)) print(command) # better luck next time >>> ls -l 'somefile; rm -rf ~’ shell & quote
# unsafe flask example @app.route("/") def hello(): name = request.args.get('name') return "Hello %s" % name # using escape function from flask import escape @app.route("/") def hello(): name = request.args.get('name') return "Hello %s" % escape(name) escape
use a framework Creative Commons: https://flic.kr/p/cHto9S
# unsafe flask example @app.route("/") def hello(): name = request.args.get('name') return "Hello %s" % name # using template @app.route("/") def hello(): name = request.args.get('name') return render('hello.html', name=name) # where hello.html is: # <html>Hello {{ name }}</html> templates
# Unsafe example using the Python DB API cmd = "update people set name='%s' where id='%s'" % (name, id) curs.execute(cmd) # Sanitize your parameters cmd = "update people set name=%s where id=%s" curs.execute(cmd, (name, id)) # Placeholder syntax depends on the database sanitize
# Unsafe example using the Python DB API cmd = "SELECT * FROM USERS WHERE zip_code='%s'" % (zipcode) curs.execute(cmd) # Using Django ORM, we assign the data to users variable users = Users.objects.filter(zip_code=zipcode) object-relational mapper
# My awesome Python skills s = "print("Hello, World!")" exec s # Refactor using function def print_hello_world(): print("Hello, World!") print_hello_world() avoid exec (if possible)
ORM libraries Source: http://www.fullstackpython.com/object-relational-mappers-orms.html
OWASP XSS Cheat Sheet
Strengths •  Scales Well •  Find issues like buffer overflows, SQL Injection Flaws with high confidence Weaknesses •  Many types of security vulnerabilities are very difficult to find automatically, such as authentication problems, access control issues, insecure use of cryptography, etc. •  High numbers of false positives. •  Frequently can't find configuration issues, since they are not represented in the code. •  Difficulty analyzing code that can't be compiled (using librairies as an example). static code analysis
MIT: http://j.mp/1kKuced XSScrapy
Runtime application self-protection (RASP) is a security technology that is built or linked into an application or application runtime environment, and is capable of controlling application execution and detecting and preventing real-time attacks. RASP
IMMUNIO
Developers §  Use a cryptographically slow hash function (bcrypt & PBKDF2) to store password §  Stored procedures if possible §  Up-to-date frameworks & libraries Devops §  HTTPS §  Web Application Firewall (WAF) §  Intrusion prevention systems (IPS) §  Up-to-date platform & infrastructure truist… or not
to infinity... and beyond! Creative Commons: https://flic.kr/p/8Z1Cxm
thanks but no thanks
stop Creative Commons: https://flic.kr/p/gpVdD
I’m serious! CreativeCommons:https://flic.kr/p/9CG51N
plan for it Creative Commons: https://flic.kr/p/5bn2nD
now. Creative Commons: https://flic.kr/p/fA6vnM
nothing is 100% bulletproof Creative Commons: https://flic.kr/p/hpE97
IMMUNIO – Real-time web application security - https://www.immun.io/ OWASP (Open Web Application Security Project) - https://www.owasp.org/ Security in Django - http://j.mp/1Q8VMBP Security system in Pyramid - http://j.mp/1Q8VHxT Bobby Tables: A guide to preventing SQL injection - http://bobby-tables.com/ XSS Filter Evasion Cheat Sheet - http://j.mp/1Q97hsW XSScrapy - https://github.com/DanMcInerney/xsscrapy www
Frédéric Harper fharper@immun.io @fharper http://outofcomfortzone.net http://immun.io

Recommandé

PyCon Canada 2015 - Is your python application secure
PyCon Canada 2015 - Is your python application securePyCon Canada 2015 - Is your python application secure
PyCon Canada 2015 - Is your python application secureIMMUNIO
 
[Php Camp]Owasp Php Top5+Csrf
[Php Camp]Owasp Php Top5+Csrf[Php Camp]Owasp Php Top5+Csrf
[Php Camp]Owasp Php Top5+CsrfBipin Upadhyay
 
Bug Bounty Hunter Methodology - Nullcon 2016
Bug Bounty Hunter Methodology - Nullcon 2016Bug Bounty Hunter Methodology - Nullcon 2016
Bug Bounty Hunter Methodology - Nullcon 2016bugcrowd
 
徒手打造自己的粉專客服機器人
徒手打造自己的粉專客服機器人 徒手打造自己的粉專客服機器人
徒手打造自己的粉專客服機器人 Sasaya Hu
 
TakeDownCon Rocket City: WebShells by Adrian Crenshaw
TakeDownCon Rocket City: WebShells by Adrian CrenshawTakeDownCon Rocket City: WebShells by Adrian Crenshaw
TakeDownCon Rocket City: WebShells by Adrian CrenshawEC-Council
 
Anatomy of PHP Shells
Anatomy of PHP ShellsAnatomy of PHP Shells
Anatomy of PHP ShellsVedran Krivokuca
 
Defending Against Application DoS attacks
Defending Against Application DoS attacksDefending Against Application DoS attacks
Defending Against Application DoS attacksRoberto Suggi Liverani
 
Java Cloud and Container Ready
Java Cloud and Container ReadyJava Cloud and Container Ready
Java Cloud and Container ReadyCodeOps Technologies LLP
 

Recommandé

PyCon Canada 2015 - Is your python application secure
PyCon Canada 2015 - Is your python application securePyCon Canada 2015 - Is your python application secure
PyCon Canada 2015 - Is your python application secureIMMUNIO
 
[Php Camp]Owasp Php Top5+Csrf
[Php Camp]Owasp Php Top5+Csrf[Php Camp]Owasp Php Top5+Csrf
[Php Camp]Owasp Php Top5+CsrfBipin Upadhyay
 
Bug Bounty Hunter Methodology - Nullcon 2016
Bug Bounty Hunter Methodology - Nullcon 2016Bug Bounty Hunter Methodology - Nullcon 2016
Bug Bounty Hunter Methodology - Nullcon 2016bugcrowd
 
徒手打造自己的粉專客服機器人
徒手打造自己的粉專客服機器人 徒手打造自己的粉專客服機器人
徒手打造自己的粉專客服機器人 Sasaya Hu
 
TakeDownCon Rocket City: WebShells by Adrian Crenshaw
TakeDownCon Rocket City: WebShells by Adrian CrenshawTakeDownCon Rocket City: WebShells by Adrian Crenshaw
TakeDownCon Rocket City: WebShells by Adrian CrenshawEC-Council
 
Anatomy of PHP Shells
Anatomy of PHP ShellsAnatomy of PHP Shells
Anatomy of PHP ShellsVedran Krivokuca
 
Defending Against Application DoS attacks
Defending Against Application DoS attacksDefending Against Application DoS attacks
Defending Against Application DoS attacksRoberto Suggi Liverani
 
Java Cloud and Container Ready
Java Cloud and Container ReadyJava Cloud and Container Ready
Java Cloud and Container ReadyCodeOps Technologies LLP
 
Window Shopping Browser - Bug Hunting in 2012
Window Shopping Browser - Bug Hunting in 2012Window Shopping Browser - Bug Hunting in 2012
Window Shopping Browser - Bug Hunting in 2012Roberto Suggi Liverani
 
PHPUnit Automated Unit Testing Framework
PHPUnit Automated Unit Testing FrameworkPHPUnit Automated Unit Testing Framework
PHPUnit Automated Unit Testing FrameworkDave Ross
 
Pharo JS
Pharo JSPharo JS
Pharo JSPharo
 
Attacking open source using abandoned resources
Attacking open source using abandoned resourcesAttacking open source using abandoned resources
Attacking open source using abandoned resourcesAdam Baldwin
 
Debugging Your Plone Site
Debugging Your Plone SiteDebugging Your Plone Site
Debugging Your Plone Sitecdw9
 
DNS hijacking using cloud providers – No verification needed
DNS hijacking using cloud providers – No verification neededDNS hijacking using cloud providers – No verification needed
DNS hijacking using cloud providers – No verification neededFrans Rosén
 
Attacker Ghost Stories - ShmooCon 2014
Attacker Ghost Stories - ShmooCon 2014Attacker Ghost Stories - ShmooCon 2014
Attacker Ghost Stories - ShmooCon 2014Rob Fuller
 
Cross Context Scripting attacks & exploitation
Cross Context Scripting attacks & exploitationCross Context Scripting attacks & exploitation
Cross Context Scripting attacks & exploitationRoberto Suggi Liverani
 
Web-App Remote Code Execution Via Scripting Engines
Web-App Remote Code Execution Via Scripting EnginesWeb-App Remote Code Execution Via Scripting Engines
Web-App Remote Code Execution Via Scripting Enginesc0c0n - International Cyber Security and Policing Conference
 
How to convince a malware to avoid us
How to convince a malware to avoid usHow to convince a malware to avoid us
How to convince a malware to avoid usCsaba Fitzl
 
Maven 3.0 at Øredev
Maven 3.0 at ØredevMaven 3.0 at Øredev
Maven 3.0 at ØredevMatthew McCullough
 
Web Hacking With Burp Suite 101
Web Hacking With Burp Suite 101Web Hacking With Burp Suite 101
Web Hacking With Burp Suite 101Zack Meyers
 
The Dirty Little Secrets They Didn’t Teach You In Pentesting Class
The Dirty Little Secrets They Didn’t Teach You In Pentesting ClassThe Dirty Little Secrets They Didn’t Teach You In Pentesting Class
The Dirty Little Secrets They Didn’t Teach You In Pentesting ClassRob Fuller
 
Kiwipycon command line
Kiwipycon command lineKiwipycon command line
Kiwipycon command lineMichael Hudson-Doyle
 
Live Hacking like a MVH – A walkthrough on methodology and strategies to win big
Live Hacking like a MVH – A walkthrough on methodology and strategies to win bigLive Hacking like a MVH – A walkthrough on methodology and strategies to win big
Live Hacking like a MVH – A walkthrough on methodology and strategies to win bigFrans Rosén
 
Pentesting Using Burp Suite
Pentesting Using Burp SuitePentesting Using Burp Suite
Pentesting Using Burp Suitejasonhaddix
 
DevOOPS: Attacks and Defenses for DevOps Toolchains
DevOOPS: Attacks and Defenses for DevOps ToolchainsDevOOPS: Attacks and Defenses for DevOps Toolchains
DevOOPS: Attacks and Defenses for DevOps ToolchainsChris Gates
 
Hack like a pro with burp suite - nullhyd
Hack like a pro with burp suite - nullhydHack like a pro with burp suite - nullhyd
Hack like a pro with burp suite - nullhydn|u - The Open Security Community
 
A @textfiles approach to gathering the world's DNS
A @textfiles approach to gathering the world's DNSA @textfiles approach to gathering the world's DNS
A @textfiles approach to gathering the world's DNSRob Fuller
 
Introducing OWASP OWTF Workshop BruCon 2012
Introducing OWASP OWTF Workshop BruCon 2012Introducing OWASP OWTF Workshop BruCon 2012
Introducing OWASP OWTF Workshop BruCon 2012Abraham Aranguren
 
Modern Web Security, Lazy but Mindful Like a Fox
Modern Web Security, Lazy but Mindful Like a FoxModern Web Security, Lazy but Mindful Like a Fox
Modern Web Security, Lazy but Mindful Like a FoxC4Media
 
OSCP Preparation Guide @ Infosectrain
OSCP Preparation Guide @ InfosectrainOSCP Preparation Guide @ Infosectrain
OSCP Preparation Guide @ InfosectrainInfosecTrain
 

Contenu connexe

Tendances

Window Shopping Browser - Bug Hunting in 2012
Window Shopping Browser - Bug Hunting in 2012Window Shopping Browser - Bug Hunting in 2012
Window Shopping Browser - Bug Hunting in 2012Roberto Suggi Liverani
 
PHPUnit Automated Unit Testing Framework
PHPUnit Automated Unit Testing FrameworkPHPUnit Automated Unit Testing Framework
PHPUnit Automated Unit Testing FrameworkDave Ross
 
Pharo JS
Pharo JSPharo JS
Pharo JSPharo
 
Attacking open source using abandoned resources
Attacking open source using abandoned resourcesAttacking open source using abandoned resources
Attacking open source using abandoned resourcesAdam Baldwin
 
Debugging Your Plone Site
Debugging Your Plone SiteDebugging Your Plone Site
Debugging Your Plone Sitecdw9
 
DNS hijacking using cloud providers – No verification needed
DNS hijacking using cloud providers – No verification neededDNS hijacking using cloud providers – No verification needed
DNS hijacking using cloud providers – No verification neededFrans Rosén
 
Attacker Ghost Stories - ShmooCon 2014
Attacker Ghost Stories - ShmooCon 2014Attacker Ghost Stories - ShmooCon 2014
Attacker Ghost Stories - ShmooCon 2014Rob Fuller
 
Cross Context Scripting attacks & exploitation
Cross Context Scripting attacks & exploitationCross Context Scripting attacks & exploitation
Cross Context Scripting attacks & exploitationRoberto Suggi Liverani
 
How to convince a malware to avoid us
How to convince a malware to avoid usHow to convince a malware to avoid us
How to convince a malware to avoid usCsaba Fitzl
 
Web Hacking With Burp Suite 101
Web Hacking With Burp Suite 101Web Hacking With Burp Suite 101
Web Hacking With Burp Suite 101Zack Meyers
 
The Dirty Little Secrets They Didn’t Teach You In Pentesting Class
The Dirty Little Secrets They Didn’t Teach You In Pentesting ClassThe Dirty Little Secrets They Didn’t Teach You In Pentesting Class
The Dirty Little Secrets They Didn’t Teach You In Pentesting ClassRob Fuller
 
Live Hacking like a MVH – A walkthrough on methodology and strategies to win big
Live Hacking like a MVH – A walkthrough on methodology and strategies to win bigLive Hacking like a MVH – A walkthrough on methodology and strategies to win big
Live Hacking like a MVH – A walkthrough on methodology and strategies to win bigFrans Rosén
 
Pentesting Using Burp Suite
Pentesting Using Burp SuitePentesting Using Burp Suite
Pentesting Using Burp Suitejasonhaddix
 
DevOOPS: Attacks and Defenses for DevOps Toolchains
DevOOPS: Attacks and Defenses for DevOps ToolchainsDevOOPS: Attacks and Defenses for DevOps Toolchains
DevOOPS: Attacks and Defenses for DevOps ToolchainsChris Gates
 
A @textfiles approach to gathering the world's DNS
A @textfiles approach to gathering the world's DNSA @textfiles approach to gathering the world's DNS
A @textfiles approach to gathering the world's DNSRob Fuller
 
Introducing OWASP OWTF Workshop BruCon 2012
Introducing OWASP OWTF Workshop BruCon 2012Introducing OWASP OWTF Workshop BruCon 2012
Introducing OWASP OWTF Workshop BruCon 2012Abraham Aranguren
 

Tendances (20)

Window Shopping Browser - Bug Hunting in 2012
Window Shopping Browser - Bug Hunting in 2012Window Shopping Browser - Bug Hunting in 2012
Window Shopping Browser - Bug Hunting in 2012
 
PHPUnit Automated Unit Testing Framework
PHPUnit Automated Unit Testing FrameworkPHPUnit Automated Unit Testing Framework
PHPUnit Automated Unit Testing Framework
 
Pharo JS
Pharo JSPharo JS
Pharo JS
 
Attacking open source using abandoned resources
Attacking open source using abandoned resourcesAttacking open source using abandoned resources
Attacking open source using abandoned resources
 
Debugging Your Plone Site
Debugging Your Plone SiteDebugging Your Plone Site
Debugging Your Plone Site
 
DNS hijacking using cloud providers – No verification needed
DNS hijacking using cloud providers – No verification neededDNS hijacking using cloud providers – No verification needed
DNS hijacking using cloud providers – No verification needed
 
Attacker Ghost Stories - ShmooCon 2014
Attacker Ghost Stories - ShmooCon 2014Attacker Ghost Stories - ShmooCon 2014
Attacker Ghost Stories - ShmooCon 2014
 
Cross Context Scripting attacks & exploitation
Cross Context Scripting attacks & exploitationCross Context Scripting attacks & exploitation
Cross Context Scripting attacks & exploitation
 
Web-App Remote Code Execution Via Scripting Engines
Web-App Remote Code Execution Via Scripting EnginesWeb-App Remote Code Execution Via Scripting Engines
Web-App Remote Code Execution Via Scripting Engines
 
How to convince a malware to avoid us
How to convince a malware to avoid usHow to convince a malware to avoid us
How to convince a malware to avoid us
 
Maven 3.0 at Øredev
Maven 3.0 at ØredevMaven 3.0 at Øredev
Maven 3.0 at Øredev
 
Web Hacking With Burp Suite 101
Web Hacking With Burp Suite 101Web Hacking With Burp Suite 101
Web Hacking With Burp Suite 101
 
The Dirty Little Secrets They Didn’t Teach You In Pentesting Class
The Dirty Little Secrets They Didn’t Teach You In Pentesting ClassThe Dirty Little Secrets They Didn’t Teach You In Pentesting Class
The Dirty Little Secrets They Didn’t Teach You In Pentesting Class
 
Kiwipycon command line
Kiwipycon command lineKiwipycon command line
Kiwipycon command line
 
Live Hacking like a MVH – A walkthrough on methodology and strategies to win big
Live Hacking like a MVH – A walkthrough on methodology and strategies to win bigLive Hacking like a MVH – A walkthrough on methodology and strategies to win big
Live Hacking like a MVH – A walkthrough on methodology and strategies to win big
 
Pentesting Using Burp Suite
Pentesting Using Burp SuitePentesting Using Burp Suite
Pentesting Using Burp Suite
 
DevOOPS: Attacks and Defenses for DevOps Toolchains
DevOOPS: Attacks and Defenses for DevOps ToolchainsDevOOPS: Attacks and Defenses for DevOps Toolchains
DevOOPS: Attacks and Defenses for DevOps Toolchains
 
Hack like a pro with burp suite - nullhyd
Hack like a pro with burp suite - nullhydHack like a pro with burp suite - nullhyd
Hack like a pro with burp suite - nullhyd
 
A @textfiles approach to gathering the world's DNS
A @textfiles approach to gathering the world's DNSA @textfiles approach to gathering the world's DNS
A @textfiles approach to gathering the world's DNS
 
Introducing OWASP OWTF Workshop BruCon 2012
Introducing OWASP OWTF Workshop BruCon 2012Introducing OWASP OWTF Workshop BruCon 2012
Introducing OWASP OWTF Workshop BruCon 2012
 

Similaire à Is your python application secure? - PyCon Canada - 2015-11-07

Modern Web Security, Lazy but Mindful Like a Fox
Modern Web Security, Lazy but Mindful Like a FoxModern Web Security, Lazy but Mindful Like a Fox
Modern Web Security, Lazy but Mindful Like a FoxC4Media
 
OSCP Preparation Guide @ Infosectrain
OSCP Preparation Guide @ InfosectrainOSCP Preparation Guide @ Infosectrain
OSCP Preparation Guide @ InfosectrainInfosecTrain
 
Penetration testing web application web application (in) security
Penetration testing web application web application (in) securityPenetration testing web application web application (in) security
Penetration testing web application web application (in) securityNahidul Kibria
 
Defeating firefox by Muneaki Nishimunea - CODE BLUE 2015
Defeating firefox by Muneaki Nishimunea - CODE BLUE 2015Defeating firefox by Muneaki Nishimunea - CODE BLUE 2015
Defeating firefox by Muneaki Nishimunea - CODE BLUE 2015CODE BLUE
 
OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxFernandoVizer
 
Fix me if you can - DrupalCon prague
Fix me if you can - DrupalCon pragueFix me if you can - DrupalCon prague
Fix me if you can - DrupalCon praguehernanibf
 
Slides
SlidesSlides
Slidesvti
 
Web application security
Web application securityWeb application security
Web application securityRavi Raj
 
Presentation on Japanese doc sprint
Presentation on Japanese doc sprintPresentation on Japanese doc sprint
Presentation on Japanese doc sprintGo Chiba
 
Beyond OWASP Top 10 - TASK October 2017
Beyond OWASP Top 10 - TASK October 2017Beyond OWASP Top 10 - TASK October 2017
Beyond OWASP Top 10 - TASK October 2017Aaron Hnatiw
 
DDD17 - Web Applications Automated Security Testing in a Continuous Delivery...
DDD17 - Web Applications Automated Security Testing in a Continuous Delivery... DDD17 - Web Applications Automated Security Testing in a Continuous Delivery...
DDD17 - Web Applications Automated Security Testing in a Continuous Delivery...Fedir RYKHTIK
 
Hacking Oracle From Web Apps 1 9
Hacking Oracle From Web Apps 1 9Hacking Oracle From Web Apps 1 9
Hacking Oracle From Web Apps 1 9sumsid1234
 
Rapid java backend and api development for mobile devices
Rapid java backend and api development for mobile devicesRapid java backend and api development for mobile devices
Rapid java backend and api development for mobile devicesciklum_ods
 
AppSec EU 2009 - HTTP Parameter Pollution by Luca Carettoni and Stefano di P...
AppSec EU 2009 - HTTP Parameter Pollution by Luca Carettoni and Stefano di P...AppSec EU 2009 - HTTP Parameter Pollution by Luca Carettoni and Stefano di P...
AppSec EU 2009 - HTTP Parameter Pollution by Luca Carettoni and Stefano di P...Magno Logan
 
Building Serverless applications with Python
Building Serverless applications with PythonBuilding Serverless applications with Python
Building Serverless applications with PythonAndrii Soldatenko
 

Similaire à Is your python application secure? - PyCon Canada - 2015-11-07 (20)

Modern Web Security, Lazy but Mindful Like a Fox
Modern Web Security, Lazy but Mindful Like a FoxModern Web Security, Lazy but Mindful Like a Fox
Modern Web Security, Lazy but Mindful Like a Fox
 
OSCP Preparation Guide @ Infosectrain
OSCP Preparation Guide @ InfosectrainOSCP Preparation Guide @ Infosectrain
OSCP Preparation Guide @ Infosectrain
 
Penetration testing web application web application (in) security
Penetration testing web application web application (in) securityPenetration testing web application web application (in) security
Penetration testing web application web application (in) security
 
Defeating firefox by Muneaki Nishimunea - CODE BLUE 2015
Defeating firefox by Muneaki Nishimunea - CODE BLUE 2015Defeating firefox by Muneaki Nishimunea - CODE BLUE 2015
Defeating firefox by Muneaki Nishimunea - CODE BLUE 2015
 
HARDENING IN APACHE WEB SERVER
HARDENING IN APACHE WEB SERVERHARDENING IN APACHE WEB SERVER
HARDENING IN APACHE WEB SERVER
 
OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptx
 
Fix me if you can - DrupalCon prague
Fix me if you can - DrupalCon pragueFix me if you can - DrupalCon prague
Fix me if you can - DrupalCon prague
 
PHP Security
PHP SecurityPHP Security
PHP Security
 
Slides
SlidesSlides
Slides
 
Web application security
Web application securityWeb application security
Web application security
 
Presentation on Japanese doc sprint
Presentation on Japanese doc sprintPresentation on Japanese doc sprint
Presentation on Japanese doc sprint
 
Beyond OWASP Top 10 - TASK October 2017
Beyond OWASP Top 10 - TASK October 2017Beyond OWASP Top 10 - TASK October 2017
Beyond OWASP Top 10 - TASK October 2017
 
Origins of Serverless
Origins of ServerlessOrigins of Serverless
Origins of Serverless
 
DDD17 - Web Applications Automated Security Testing in a Continuous Delivery...
DDD17 - Web Applications Automated Security Testing in a Continuous Delivery... DDD17 - Web Applications Automated Security Testing in a Continuous Delivery...
DDD17 - Web Applications Automated Security Testing in a Continuous Delivery...
 
Api Design
Api DesignApi Design
Api Design
 
Hacking Oracle From Web Apps 1 9
Hacking Oracle From Web Apps 1 9Hacking Oracle From Web Apps 1 9
Hacking Oracle From Web Apps 1 9
 
Rapid java backend and api development for mobile devices
Rapid java backend and api development for mobile devicesRapid java backend and api development for mobile devices
Rapid java backend and api development for mobile devices
 
Secure PHP Coding
Secure PHP CodingSecure PHP Coding
Secure PHP Coding
 
AppSec EU 2009 - HTTP Parameter Pollution by Luca Carettoni and Stefano di P...
AppSec EU 2009 - HTTP Parameter Pollution by Luca Carettoni and Stefano di P...AppSec EU 2009 - HTTP Parameter Pollution by Luca Carettoni and Stefano di P...
AppSec EU 2009 - HTTP Parameter Pollution by Luca Carettoni and Stefano di P...
 
Building Serverless applications with Python
Building Serverless applications with PythonBuilding Serverless applications with Python
Building Serverless applications with Python
 

Plus de Frédéric Harper

2017-11-09 - Fitbit Norcal Developers Meetup (fred)
2017-11-09 - Fitbit Norcal Developers Meetup (fred)2017-11-09 - Fitbit Norcal Developers Meetup (fred)
2017-11-09 - Fitbit Norcal Developers Meetup (fred)Frédéric Harper
 
2018-06-07 - Singapore Fitbit Developers - Fitbit SDK & Web API Overview
2018-06-07 - Singapore Fitbit Developers - Fitbit SDK & Web API Overview2018-06-07 - Singapore Fitbit Developers - Fitbit SDK & Web API Overview
2018-06-07 - Singapore Fitbit Developers - Fitbit SDK & Web API OverviewFrédéric Harper
 
2018 06-05 - Tokyo Fitbit Developers - Fitbit SDK & Web API Overview
2018 06-05 - Tokyo Fitbit Developers - Fitbit SDK & Web API Overview2018 06-05 - Tokyo Fitbit Developers - Fitbit SDK & Web API Overview
2018 06-05 - Tokyo Fitbit Developers - Fitbit SDK & Web API OverviewFrédéric Harper
 
Public speaking - FDP tech leads summit - 2018-04-30
Public speaking - FDP tech leads summit - 2018-04-30Public speaking - FDP tech leads summit - 2018-04-30
Public speaking - FDP tech leads summit - 2018-04-30Frédéric Harper
 
From employee to freelance developer in 10 steps - DevTeach - 2017-07-04
From employee to freelance developer in 10 steps - DevTeach - 2017-07-04From employee to freelance developer in 10 steps - DevTeach - 2017-07-04
From employee to freelance developer in 10 steps - DevTeach - 2017-07-04Frédéric Harper
 
Infrastructure as a service to its maximum, a cultural change - S2LQ - 2016-0...
Infrastructure as a service to its maximum, a cultural change - S2LQ - 2016-0...Infrastructure as a service to its maximum, a cultural change - S2LQ - 2016-0...
Infrastructure as a service to its maximum, a cultural change - S2LQ - 2016-0...Frédéric Harper
 
With great power comes great responsibility - Microsoft Canada Open Source co...
With great power comes great responsibility - Microsoft Canada Open Source co...With great power comes great responsibility - Microsoft Canada Open Source co...
With great power comes great responsibility - Microsoft Canada Open Source co...Frédéric Harper
 
Frédéric harper i don’t like open source, and you shouldn't like it eithe...
Frédéric harper i don’t like open source, and you shouldn't like it eithe...Frédéric harper i don’t like open source, and you shouldn't like it eithe...
Frédéric harper i don’t like open source, and you shouldn't like it eithe...Frédéric Harper
 
Responsive Web Design, the secret sauce - MSDEVMTL - 2016-01-25
Responsive Web Design, the secret sauce - MSDEVMTL - 2016-01-25Responsive Web Design, the secret sauce - MSDEVMTL - 2016-01-25
Responsive Web Design, the secret sauce - MSDEVMTL - 2016-01-25Frédéric Harper
 
Responsive Web Design: the secret sauce - JavaScript Open Day Montreal - 2015...
Responsive Web Design: the secret sauce - JavaScript Open Day Montreal - 2015...Responsive Web Design: the secret sauce - JavaScript Open Day Montreal - 2015...
Responsive Web Design: the secret sauce - JavaScript Open Day Montreal - 2015...Frédéric Harper
 
Personal branding for developers - West Island developers and entrepreneurs m...
Personal branding for developers - West Island developers and entrepreneurs m...Personal branding for developers - West Island developers and entrepreneurs m...
Personal branding for developers - West Island developers and entrepreneurs m...Frédéric Harper
 
Responsive Web Design, get the best out of your designs - JavaScript Open Day...
Responsive Web Design, get the best out of your designs - JavaScript Open Day...Responsive Web Design, get the best out of your designs - JavaScript Open Day...
Responsive Web Design, get the best out of your designs - JavaScript Open Day...Frédéric Harper
 
Differentiating yourself humber college - 2015-03-30
Differentiating yourself humber college - 2015-03-30Differentiating yourself humber college - 2015-03-30
Differentiating yourself humber college - 2015-03-30Frédéric Harper
 
Differentiating yourself - Hack Western - 2015-03-28
Differentiating yourself - Hack Western - 2015-03-28Differentiating yourself - Hack Western - 2015-03-28
Differentiating yourself - Hack Western - 2015-03-28Frédéric Harper
 
Le personal branding, plus important que jamais - PHP Québec - 2015-03-05
Le personal branding, plus important que jamais - PHP Québec - 2015-03-05Le personal branding, plus important que jamais - PHP Québec - 2015-03-05
Le personal branding, plus important que jamais - PHP Québec - 2015-03-05Frédéric Harper
 
Building a personal brand in the developer community - Codementor Office Hour...
Building a personal brand in the developer community - Codementor Office Hour...Building a personal brand in the developer community - Codementor Office Hour...
Building a personal brand in the developer community - Codementor Office Hour...Frédéric Harper
 
Ma Carrière Techno - École secondaire St-Henri - 2014-11-27
Ma Carrière Techno - École secondaire St-Henri - 2014-11-27Ma Carrière Techno - École secondaire St-Henri - 2014-11-27
Ma Carrière Techno - École secondaire St-Henri - 2014-11-27Frédéric Harper
 
Mozilla - HEC Open Source Business Models - 2014-11-24
Mozilla - HEC Open Source Business Models - 2014-11-24Mozilla - HEC Open Source Business Models - 2014-11-24
Mozilla - HEC Open Source Business Models - 2014-11-24Frédéric Harper
 

Plus de Frédéric Harper (20)

2017-11-09 - Fitbit Norcal Developers Meetup (fred)
2017-11-09 - Fitbit Norcal Developers Meetup (fred)2017-11-09 - Fitbit Norcal Developers Meetup (fred)
2017-11-09 - Fitbit Norcal Developers Meetup (fred)
 
2018 04-25 - HLTH hackathon
2018 04-25 - HLTH hackathon2018 04-25 - HLTH hackathon
2018 04-25 - HLTH hackathon
 
2018-06-07 - Singapore Fitbit Developers - Fitbit SDK & Web API Overview
2018-06-07 - Singapore Fitbit Developers - Fitbit SDK & Web API Overview2018-06-07 - Singapore Fitbit Developers - Fitbit SDK & Web API Overview
2018-06-07 - Singapore Fitbit Developers - Fitbit SDK & Web API Overview
 
2018 06-05 - Tokyo Fitbit Developers - Fitbit SDK & Web API Overview
2018 06-05 - Tokyo Fitbit Developers - Fitbit SDK & Web API Overview2018 06-05 - Tokyo Fitbit Developers - Fitbit SDK & Web API Overview
2018 06-05 - Tokyo Fitbit Developers - Fitbit SDK & Web API Overview
 
Public speaking - FDP tech leads summit - 2018-04-30
Public speaking - FDP tech leads summit - 2018-04-30Public speaking - FDP tech leads summit - 2018-04-30
Public speaking - FDP tech leads summit - 2018-04-30
 
2018 04-25 - HLTH hackathon
2018 04-25 - HLTH hackathon2018 04-25 - HLTH hackathon
2018 04-25 - HLTH hackathon
 
From employee to freelance developer in 10 steps - DevTeach - 2017-07-04
From employee to freelance developer in 10 steps - DevTeach - 2017-07-04From employee to freelance developer in 10 steps - DevTeach - 2017-07-04
From employee to freelance developer in 10 steps - DevTeach - 2017-07-04
 
Infrastructure as a service to its maximum, a cultural change - S2LQ - 2016-0...
Infrastructure as a service to its maximum, a cultural change - S2LQ - 2016-0...Infrastructure as a service to its maximum, a cultural change - S2LQ - 2016-0...
Infrastructure as a service to its maximum, a cultural change - S2LQ - 2016-0...
 
With great power comes great responsibility - Microsoft Canada Open Source co...
With great power comes great responsibility - Microsoft Canada Open Source co...With great power comes great responsibility - Microsoft Canada Open Source co...
With great power comes great responsibility - Microsoft Canada Open Source co...
 
Frédéric harper i don’t like open source, and you shouldn't like it eithe...
Frédéric harper i don’t like open source, and you shouldn't like it eithe...Frédéric harper i don’t like open source, and you shouldn't like it eithe...
Frédéric harper i don’t like open source, and you shouldn't like it eithe...
 
Responsive Web Design, the secret sauce - MSDEVMTL - 2016-01-25
Responsive Web Design, the secret sauce - MSDEVMTL - 2016-01-25Responsive Web Design, the secret sauce - MSDEVMTL - 2016-01-25
Responsive Web Design, the secret sauce - MSDEVMTL - 2016-01-25
 
Responsive Web Design: the secret sauce - JavaScript Open Day Montreal - 2015...
Responsive Web Design: the secret sauce - JavaScript Open Day Montreal - 2015...Responsive Web Design: the secret sauce - JavaScript Open Day Montreal - 2015...
Responsive Web Design: the secret sauce - JavaScript Open Day Montreal - 2015...
 
Personal branding for developers - West Island developers and entrepreneurs m...
Personal branding for developers - West Island developers and entrepreneurs m...Personal branding for developers - West Island developers and entrepreneurs m...
Personal branding for developers - West Island developers and entrepreneurs m...
 
Responsive Web Design, get the best out of your designs - JavaScript Open Day...
Responsive Web Design, get the best out of your designs - JavaScript Open Day...Responsive Web Design, get the best out of your designs - JavaScript Open Day...
Responsive Web Design, get the best out of your designs - JavaScript Open Day...
 
Differentiating yourself humber college - 2015-03-30
Differentiating yourself humber college - 2015-03-30Differentiating yourself humber college - 2015-03-30
Differentiating yourself humber college - 2015-03-30
 
Differentiating yourself - Hack Western - 2015-03-28
Differentiating yourself - Hack Western - 2015-03-28Differentiating yourself - Hack Western - 2015-03-28
Differentiating yourself - Hack Western - 2015-03-28
 
Le personal branding, plus important que jamais - PHP Québec - 2015-03-05
Le personal branding, plus important que jamais - PHP Québec - 2015-03-05Le personal branding, plus important que jamais - PHP Québec - 2015-03-05
Le personal branding, plus important que jamais - PHP Québec - 2015-03-05
 
Building a personal brand in the developer community - Codementor Office Hour...
Building a personal brand in the developer community - Codementor Office Hour...Building a personal brand in the developer community - Codementor Office Hour...
Building a personal brand in the developer community - Codementor Office Hour...
 
Ma Carrière Techno - École secondaire St-Henri - 2014-11-27
Ma Carrière Techno - École secondaire St-Henri - 2014-11-27Ma Carrière Techno - École secondaire St-Henri - 2014-11-27
Ma Carrière Techno - École secondaire St-Henri - 2014-11-27
 
Mozilla - HEC Open Source Business Models - 2014-11-24
Mozilla - HEC Open Source Business Models - 2014-11-24Mozilla - HEC Open Source Business Models - 2014-11-24
Mozilla - HEC Open Source Business Models - 2014-11-24
 

Dernier

[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality AssuranceInflectra
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc
 
Generative AI - Gitex v1Generative AI - Gitex v1.pptx
Generative AI - Gitex v1Generative AI - Gitex v1.pptxGenerative AI - Gitex v1Generative AI - Gitex v1.pptx
Generative AI - Gitex v1Generative AI - Gitex v1.pptxfnnc6jmgwh
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxLoriGlavin3
 
A Framework for Development in the AI Age
A Framework for Development in the AI AgeA Framework for Development in the AI Age
A Framework for Development in the AI AgeCprime
 
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentEmixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentPim van der Noll
 
Scale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterScale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterMydbops
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxLoriGlavin3
 
QCon London: Mastering long-running processes in modern architectures
QCon London: Mastering long-running processes in modern architecturesQCon London: Mastering long-running processes in modern architectures
QCon London: Mastering long-running processes in modern architecturesBernd Ruecker
 
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...Wes McKinney
 
Generative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfGenerative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfIngrid Airi González
 
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Alkin Tezuysal
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxLoriGlavin3
 
Potential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsPotential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsRavi Sanghani
 
Decarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityDecarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityIES VE
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity PlanDatabarracks
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxLoriGlavin3
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersNicole Novielli
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 

Dernier (20)

[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
Generative AI - Gitex v1Generative AI - Gitex v1.pptx
Generative AI - Gitex v1Generative AI - Gitex v1.pptxGenerative AI - Gitex v1Generative AI - Gitex v1.pptx
Generative AI - Gitex v1Generative AI - Gitex v1.pptx
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
 
A Framework for Development in the AI Age
A Framework for Development in the AI AgeA Framework for Development in the AI Age
A Framework for Development in the AI Age
 
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentEmixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
 
Scale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterScale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL Router
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
 
QCon London: Mastering long-running processes in modern architectures
QCon London: Mastering long-running processes in modern architecturesQCon London: Mastering long-running processes in modern architectures
QCon London: Mastering long-running processes in modern architectures
 
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
 
Generative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfGenerative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdf
 
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
 
Potential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsPotential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and Insights
 
Decarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityDecarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a reality
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software Developers
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 

Is your python application secure? - PyCon Canada - 2015-11-07

  • 1. Is your Python application secure? Frédéric Harper @fharper http://immun.io Sr. Technical Evangelist @ IMMUNIO Pycon Canada – 2015-11-07 CreativeCommons:https://flic.kr/p/34T4Z
  • 2. is security important? Creative Commons: https://flic.kr/p/s8hvJo
  • 3. do you have time? CreativeCommons:https://flic.kr/p/b7wRTX
  • 4. do you have the expertise? Creative Commons: https://flic.kr/p/n7qDvJ
  • 5. do you have the money? Creative Commons: https://flic.kr/p/rAG5dm
  • 6. is your app that secure? CreativeCommons:https://flic.kr/p/bY6uU7
  • 7. what about legacy apps? Creative Commons: https://flic.kr/p/7fFQug
  • 8. it’s probably happening, now Creative Commons: https://flic.kr/p/acnkbU
  • 9. ...
  • 11. I succeed if… Creative Commons: https://flic.kr/p/ehZRGj
  • 12. mess with the best die like the rest
  • 13. SQL injection vulnerabilities allow attackers to modify the structure of SQL queries in ways that allow for data exfiltration or manipulation of existing data. SQL Injection (SQLi)
  • 15. Cross-Site Scripting (XSS) vulnerabilities allow attackers to run arbitrary code on your pages in your customers' browsers. §  Hijack of legitimate user sessions §  Disclosure of sensitive information §  Access to privileged services and functionality §  Delivery of malware and browser exploits from our trusted domain Cross-Site Scripting
  • 17. Remote Command Execution vulnerabilities allow attackers to run arbitrary code on your servers. There are two classes of Remote Command Execution: 1.  Shell Command Execution 2.  Eval Execution. Remote Command Execution
  • 18. •  Brute force •  Common username •  Cookie tampering •  CSRF tampering •  Excessive 4XX & 5XX •  HTTP method tampering •  HTTP response splitting •  Redirect •  Session farming •  Session hijack •  Stolen account •  Shellshock •  Suspicious Exception •  Suspicious HTTP header •  Unauthorized file access •  Username hijack …
  • 20. anything from users is unsafe Creative Commons: https://flic.kr/p/m2BKPn
  • 21. cp = subprocess.Popen(['ls', '-l'], shell=True) # disables shell based features (like no pipe) cp= subprocess.Popen(['ls', '-l’) filename = 'somefile; rm -rf ~’ command = 'ls -l {}'.format(filename) print(command) # noooooooooo >>> ls -l somefile; rm -rf ~ filename = 'somefile; rm -rf ~’ command = 'ls -l {}'.format(quote(filename)) print(command) # better luck next time >>> ls -l 'somefile; rm -rf ~’ shell & quote
  • 22. # unsafe flask example @app.route("/") def hello(): name = request.args.get('name') return "Hello %s" % name # using escape function from flask import escape @app.route("/") def hello(): name = request.args.get('name') return "Hello %s" % escape(name) escape
  • 23. use a framework Creative Commons: https://flic.kr/p/cHto9S
  • 24. # unsafe flask example @app.route("/") def hello(): name = request.args.get('name') return "Hello %s" % name # using template @app.route("/") def hello(): name = request.args.get('name') return render('hello.html', name=name) # where hello.html is: # <html>Hello {{ name }}</html> templates
  • 25. # Unsafe example using the Python DB API cmd = "update people set name='%s' where id='%s'" % (name, id) curs.execute(cmd) # Sanitize your parameters cmd = "update people set name=%s where id=%s" curs.execute(cmd, (name, id)) # Placeholder syntax depends on the database sanitize
  • 26. # Unsafe example using the Python DB API cmd = "SELECT * FROM USERS WHERE zip_code='%s'" % (zipcode) curs.execute(cmd) # Using Django ORM, we assign the data to users variable users = Users.objects.filter(zip_code=zipcode) object-relational mapper
  • 27. # My awesome Python skills s = "print("Hello, World!")" exec s # Refactor using function def print_hello_world(): print("Hello, World!") print_hello_world() avoid exec (if possible)
  • 30. Strengths •  Scales Well •  Find issues like buffer overflows, SQL Injection Flaws with high confidence Weaknesses •  Many types of security vulnerabilities are very difficult to find automatically, such as authentication problems, access control issues, insecure use of cryptography, etc. •  High numbers of false positives. •  Frequently can't find configuration issues, since they are not represented in the code. •  Difficulty analyzing code that can't be compiled (using librairies as an example). static code analysis
  • 32. Runtime application self-protection (RASP) is a security technology that is built or linked into an application or application runtime environment, and is capable of controlling application execution and detecting and preventing real-time attacks. RASP
  • 34. Developers §  Use a cryptographically slow hash function (bcrypt & PBKDF2) to store password §  Stored procedures if possible §  Up-to-date frameworks & libraries Devops §  HTTPS §  Web Application Firewall (WAF) §  Intrusion prevention systems (IPS) §  Up-to-date platform & infrastructure truist… or not
  • 35. to infinity... and beyond! Creative Commons: https://flic.kr/p/8Z1Cxm
  • 39. plan for it Creative Commons: https://flic.kr/p/5bn2nD
  • 41. nothing is 100% bulletproof Creative Commons: https://flic.kr/p/hpE97
  • 42. IMMUNIO – Real-time web application security - https://www.immun.io/ OWASP (Open Web Application Security Project) - https://www.owasp.org/ Security in Django - http://j.mp/1Q8VMBP Security system in Pyramid - http://j.mp/1Q8VHxT Bobby Tables: A guide to preventing SQL injection - http://bobby-tables.com/ XSS Filter Evasion Cheat Sheet - http://j.mp/1Q97hsW XSScrapy - https://github.com/DanMcInerney/xsscrapy www