“ With great power comes great responsibility ”* *nb: not actual quote - Uncle Ben flickr.com/photos/ilcello
Who are you? Christian Frichot flickr.com/photos/lwr flickr.com/photos/jmilles
What are you on about?
flickr.com/photos/jurvetson
flickr.com/photos/meg
flickr.com/photos/muehlinghaus
flickr.com/photos/purpleslog
flickr.com/photos/pixelfrenzy
flickr.com/photos/kogakure
flickr.com/photos/elfsternberg
flickr.com/photos/a_mason
flickr.com/photos/rzrxtion
flickr.com/photos/bahkubean
flickr.com/photos/kevinsteele
flickr.com/photos/helfyland
flickr.com/photos/meg
flickr.com/photos/fbouly
One in every 11 minutes online is spent on social networking
“The most recent figures from Hitwise show Facebook secured 7.07% of hits in the United States during the week ending March 13.”
flickr.com/photos/alancleaver
http://pandalabs.pandasecurity.com/blogs/images/PandaLabs/2007/07/20/Mpack.JPG
flickr.com/photos/sebastiagiralt
flickr.com/photos/herry
flickr.com/photos/23905174@N00
Javelin Strategy & Research 2010 Identity Fraud Survey Report
flickr.com/photos/hmvh
flickr.com/photos/negatyf
(Ab)use case - example
flickr.com/photos/8363028@N08
(Ab)use case - example
Actors: Admin workstation, the Internet, Management Interface (HTTPS)
1. Login: POST /Admin/Login.aspx HTTP/1.1 with Username=admin&password=T0ps3cr3t
2. Browse the Net
3. Check mail (the management interface is CSRF-able)
4. Receives mail from an ex-employee
5. Automatic, unauthorised request, ie: <img src="https://10.0.0.10/Admin/Shutdown.aspx?t=now" /> in the mail makes the admin's browser send GET /Admin/Shutdown.aspx?t=now HTTP/1.1 with Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ== attached. The browser adds the admin's ambient credential on its own; the base64 value shown is the RFC 2617 example "Aladdin:open sesame", standing in for whatever credential the browser holds.
6. No more SAN.
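Step 5 above, worked through as an added example (it is not code from the deck): a Python model of the Shutdown handler as the slide describes it, where any request carrying the admin's ambient credential is honoured, beside a hardened handler that refuses state changes over GET, checks Origin (or Referer as a fallback) against the management interface's own origin, and requires a token bound to the session with an HMAC. The origin https://10.0.0.10 comes from the slide; the session identifier, the webmail and attacker hostnames, and the token scheme are assumptions.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Added example, not the deck's code. ALLOWED_ORIGIN follows the slide; the
# session ids and the other hostnames below are assumed.
ALLOWED_ORIGIN = "https://10.0.0.10"
SERVER_SECRET = secrets.token_bytes(32)  # per-deployment key that binds tokens to sessions


@dataclass
class Request:
    method: str
    path: str
    headers: dict
    form: dict = field(default_factory=dict)
    # Whatever the ambient credential (session cookie or Basic header) resolves to.
    # The browser sends that credential automatically, which is the whole problem.
    session_id: str = ""


def csrf_token_for(session_id: str) -> str:
    """Synchronizer token: an HMAC of the session id, so a token from another
    session (or one the attacker minted) never verifies for this one."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def same_origin(req: Request) -> bool:
    """Origin is preferred; Referer is accepted as a fallback. A request
    carrying neither is rejected rather than waved through."""
    origin = req.headers.get("Origin")
    if origin is not None:
        return origin == ALLOWED_ORIGIN
    referer = req.headers.get("Referer", "")
    return referer == ALLOWED_ORIGIN or referer.startswith(ALLOWED_ORIGIN + "/")


def csrf_check(req: Request) -> tuple[bool, str]:
    """Returns (allowed, reason) for a state-changing request."""
    if req.method in ("GET", "HEAD", "OPTIONS"):
        return False, "state change must not be reachable via GET"
    if not same_origin(req):
        return False, "origin mismatch"
    token = req.form.get("csrf_token", "")
    expected = csrf_token_for(req.session_id)
    if not hmac.compare_digest(token.encode(), expected.encode()):
        return False, "missing or invalid CSRF token"
    return True, "ok"


def shutdown_vulnerable(req: Request) -> tuple[int, str]:
    """The handler as the slide describes it: authenticated means authorised."""
    if not req.session_id:
        return 401, "login required"
    return 200, "shutting down"


def shutdown_hardened(req: Request) -> tuple[int, str]:
    """Same handler with the CSRF checks applied after authentication."""
    if not req.session_id:
        return 401, "login required"
    allowed, reason = csrf_check(req)
    if not allowed:
        return 403, reason
    return 200, "shutting down"


# Constructed requests. FORGED_GET is step 5: the <img> tag in the ex-employee's
# mail makes the admin's browser fetch the URL with the admin's credential attached.
FORGED_GET = Request("GET", "/Admin/Shutdown.aspx?t=now",
                     {"Referer": "https://webmail.example.net/inbox"},
                     session_id="admin-session")

# The same attack from an auto-submitting form on an attacker page: POST, still
# no token, and a cross-site Origin. Blocking GET alone would not stop this one.
FORGED_POST = Request("POST", "/Admin/Shutdown.aspx",
                      {"Origin": "https://attacker.example"},
                      form={"t": "now"}, session_id="admin-session")

# What the management interface's own shutdown form sends.
LEGIT_POST = Request("POST", "/Admin/Shutdown.aspx",
                     {"Origin": ALLOWED_ORIGIN},
                     form={"t": "now", "csrf_token": csrf_token_for("admin-session")},
                     session_id="admin-session")

if __name__ == "__main__":
    for name, req in [("forged GET", FORGED_GET), ("forged POST", FORGED_POST), ("legit POST", LEGIT_POST)]:
        print(f"{name:11s} vulnerable={shutdown_vulnerable(req)} hardened={shutdown_hardened(req)}")
```

The forged POST case is there because refusing GET is not a fix on its own: an attacker's page can auto-submit a form and the browser attaches the Basic credential or session cookie to it exactly as it did to the image fetch. Only the token, which the attacker's page cannot read, closes that; a SameSite cookie attribute helps for cookie sessions but does nothing for the HTTP Basic header the slide's request carries.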
flickr.com/photos/soloflight
Recommendations
flickr.com/photos/tambako
flickr.com/photos/delhaye
flickr.com/photos/sarflondondunc
http://www.microsoft.com/security/sdl/benefits/costeffective.aspx
flickr.com/photos/fabiogis50
flickr.com/photos/markop
www.owasp.org
flickr.com/photos/st3f4n
flickr.com/photos/kolya
Authenticator interface (OWASP ESAPI)
AccessController interface (OWASP ESAPI)
HTTPUtilities interface (OWASP ESAPI)
flickr.com/photos/st3f4n
flickr.com/photos/onkel_wart
flickr.com/photos/sophistechate
flickr.com/photos/dalbera

Barcamp Perth 4.0 Web Security

Editor's Notes

  1. With great power comes great responsibility… (Photo: http://www.flickr.com/photos/ilcello/ / CC BY-NC-ND 2.0. On the quote: http://en.wikipedia.org/wiki/Uncle_Ben#.22With_great_power_comes_great_responsibility.22)
  2. Who is this guy?, I hear you thinking.. Well, hi, I’m Christian Frichot and I’m VERY happy to be presenting here this morning. By night I’m a drummer, by day I’m an information security specialist for a bank, and I’m 100% geek. (I’m not in management and still try to get my hands dirty as much as I can.) (Photos: http://www.flickr.com/photos/lwr/ / CC BY-NC-SA 2.0; http://www.flickr.com/photos/jmilles/ / CC BY 2.0)
  3. But what am I on about?
  4. Well, I’ll be talking about the Internet… (Photo: http://www.flickr.com/photos/jurvetson/ / CC BY 2.0)
  5. .. web applications.. (Photo: http://www.flickr.com/photos/meg/ / CC BY-NC-SA 2.0)
  6. And security.. (Photo: http://www.flickr.com/photos/muehlinghaus/ / CC BY-NC-ND 2.0)
  7. Well.. web application security specifically. (Photo: http://www.flickr.com/photos/purpleslog/ / CC BY 2.0)
  8. Before I begin though, I need to let you know that I’m probably less of a “hacker” (()) than most of you.. Whilst I still develop a bit, my current role only gives me freedom to tinker and help build process-improving tools.. so that’s a bit of…. (Photo: http://www.flickr.com/photos/pixelfrenzy/ / CC BY-NC-SA 2.0)
  9. Django…. (Photo: http://www.flickr.com/photos/kogakure/ / CC BY-SA 2.0)
  10. Perl.. (Photo: http://www.flickr.com/photos/elfsternberg/ / CC BY-NC-ND 2.0)
  11. And Linux misc shhhhtuff.. (Photo: http://www.flickr.com/photos/a_mason/ / CC BY 2.0)
  12. First though, let’s talk about the Internet.. It’s ubiquitous, it’s enormous, it’s cute (()). (Photo: http://www.flickr.com/photos/rzrxtion/ / CC BY 2.0)
  13. Really.. (Photo: http://www.flickr.com/photos/bahkubean/ / CC BY-NC-ND 2.0)
  14. Damn… (Photo: http://www.flickr.com/photos/kevinsteele/ / CC BY-ND 2.0)
  15. Cute. (Photo: http://www.flickr.com/photos/helfyland/ / CC BY-ND 2.0)
  16. And it’s FILLED with these.. web applications.. (Photo: http://www.flickr.com/photos/meg/ / CC BY-NC-SA 2.0)
  17. Let’s not even mention this guy. Nielsen reported that “Social Networking was the global phenomenon of 2008”.. 2008.. That was ages ago now.. (Photo: http://www.flickr.com/photos/fbouly/ / CC BY-ND 2.0)
  18. You remember what happened in 2008?
  19. “Two thirds of the world’s Internet population visit social networking or blogging sites.” Back then social networking used to consume 1 in every 15 minutes of global Internet time. (()) Now it’s 1 in every 11.
  20. And then the other week Facebook overtook Google as the most visited website in the US… http://www.smartcompany.com.au/internet/20100318-how-facebook-overtook-google-in-the-us-and-why-your-business-needs-to-act.html
  21. .. And where there are people, there is crime. (Photo: http://www.flickr.com/photos/alancleaver/ / CC BY 2.0)
  22. In the old days cybercrime was very different.. Crackers were toying with exploitation of web servers for infamy, usually leading to defacement. Initially these attackers displayed a degree of “technical skill”.
  23. Things changed as the malware and exploitation industry matured.. Everything started to become available as “kits”. MPack is one such web exploitation kit that could cost anywhere between US$500 and US$1000. It is used to serve exploits to visitors of compromised web pages (via injected iframes, malicious PDFs or whatever works) and install keyloggers or whatever else the buyer wanted. Soon there was IcePack, FirePack, Traffic Pro and more. This screenshot is of the MPack management interface, so the operators of the kit could monitor how many PCs they were infecting. http://pandalabs.pandasecurity.com/blogs/images/PandaLabs/2007/07/20/Mpack.JPG
  24. Whilst MPack was focusing on how to put malicious payloads onto computers, the other end of the malware world was also advancing. The Zeus malware (its infected hosts form a botnet, so it is often just called one) is a really nasty keylogger, well known for evading anti-virus and for being one of the most effective bank-targeting keyloggers out there.. What was happening was the consumerisation of malware construction, maintenance, deployment and operation. This decreased the technical skill required to perform complicated attacks. This is the kind of actor the term “script kiddie” describes: people who didn’t necessarily have the knowledge to perform an attack, but knew how to use the tool. http://www.flickr.com/photos/sebastiagiralt/2251661156/
  25. The attackers started to realise that there was a lot of money to be made, not just by installing keyloggers but by stealing people’s identities. (Photo: http://www.flickr.com/photos/herry/ / CC BY 2.0)
  26. ID theft can lead to all sorts of impacts on consumers: using your credit card details, opening bank accounts, taking out loans, conducting business under your name. Now I know that “ID theft” is a misnomer, because it’s impossible to steal an identity, so it’s often interchanged with identity fraud. There are numerous types beyond the typical kind aimed at gaining access to funds: business/commercial identity theft, using a business name to obtain credit; criminal identity fraud, posing as someone else when apprehended for a crime; medical identity theft, to obtain access to Medicare or drugs. (Photo: http://www.flickr.com/photos/23905174@N00/ / CC BY 2.0)
27. Some statistics on ID theft in Australia (()): in 2008 about 23% of the population was affected.
28. In 2009, 26% were affected.
29. The cost of ID theft against Australia is reported to be 3.5 billion dollars annually.
30. Another interesting statistic.
31. But what has this got to do with the web apps I'm building? More often than not, malicious content that makes its way onto the Internet is not legitimately purchased by the attackers. You think they buy a Slicehost virtual private server and host their nasties on there? Supposedly 80% of all phishing sites are hosted on legitimate websites that have been compromised. Web application vulnerabilities lead to the hijacking of legitimate content, for example through file injection attacks. http://www.flickr.com/photos/hmvh/58185411/ (CC BY-SA 2.0)
32. But what if I'm only developing internal apps? Particular types of vulnerabilities thrive in perimeterised networks. http://www.flickr.com/photos/negatyf/361668397/ (CC BY-NC-SA 2.0)
33. Back in 2006 Jeremiah Grossman of WhiteHat Security presented on some of the things that can be done from the Internet against internal networks through the browser, including: … Everything is web-enabled now. The perimeter is diminishing.
34. For example: cross-site request forgery attacks. Before I continue I'll explain what cross-site request forgery, or CSRF, attacks are. Simply put, a system vulnerable to this will change its state upon receipt of a request without verifying that the user actually intended it; the only check it performs is on the credentials the browser includes automatically, such as cookies or Authorization HTTP headers.
35. This is the definition from Wikipedia.
36. If Bob's bank keeps his authentication information in a cookie, and the cookie hasn't expired, then the attempt above to load the image will submit the withdrawal form with this cookie, thus authorising the transaction without Bob's approval.
37. This type of attack is known as a "confused deputy attack". The deputy in the example is Bob's web browser, which is confused into misusing Bob's authority at Mallory's direction. http://www.flickr.com/photos/8363028@N08/4209230521/
38. So let's get back to our example.
39. Let's set the scene. Here we have a really typical environment: an admin who sits on an internal network segmented off from the Internet by all sorts of good stuff like firewalls. And on this internal network is the management interface for, let's say, their storage system: their SAN.
40. The admin gets to work, opens a browser and logs into the interface on his SAN. The system is just using HTTP Basic authentication, but even internally it's over HTTPS, so those credentials are protected from eavesdropping.
41. The status on the SAN looks fine, so he then does what he normally does and opens up a bunch of tabs to browse around the sites he normally visits.
42. Maybe this company uses webmail for their corporate mail.
43. I can't remember if I mentioned that this interface here is susceptible to cross-site request forgery, which means it will change its state upon receipt of a request without any sort of verification.
44. So our admin sees there is an email from an ex-employee and opens it up, and within it there is an embedded <img> tag.
45. Because his browser had previously authenticated, when it submits this IMG request in the form of an HTTP GET to the management interface it includes the Authorization header.
46. Voilà.
47. You're probably wondering whether these actually happen. 1 – 2009: Moot, the 20-something founder of 4chan, becomes "the world's most influential person in government, science, technology and the arts". 2 – Mikeyy Mooney uses a combination of CSRF and XSS to get numerous people tweeting about his site, StalkDaily. 3 – 2008: a trojan utilises CSRF to modify the DNS server configuration of popular routers.
48. But don't give up all hope. There are some good recommendations to help reduce the likelihood of this attack. http://www.flickr.com/photos/soloflight/3010505750/
49. 1 – Although POSTs can also be automated via ActionScript, JavaScript, etc. 2 – It's generally accepted that including a random nonce, a parameter carried in the request and verified against session data, is effective, because an attacker is unlikely to know this parameter and so cannot include it in the forged request.
50. Confusing? Well, I just try to think about all the legacy code out there and the poor chance the developers would have had of knowing what to do about these types of issues. http://www.flickr.com/photos/tambako/3593686294/
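To make the SAN walkthrough (slides 39 to 46) and the two recommendations on this slide concrete, here is an added example that is not code from the talk: a toy model of the management interface, first in the CSRF-able form that acts on any request carrying the browser's ambient credentials, then hardened so that a state change needs a POST carrying a per-session token verified on the server. The credentials and the /Admin/Shutdown.aspx path are the ones from the slides' scenario; the status codes, token handling and class names are assumptions made for the example.

```python
"""Added example (not from the talk): the scenario's SAN management interface
as a CSRF-able handler, then hardened with a session-bound token. The login
and shutdown path come from the slides; everything else is constructed."""
import base64
import hmac
import secrets

ADMIN_USER, ADMIN_PASS = "admin", "T0ps3cr3t"   # the slides' sample login
SHUTDOWN = "/Admin/Shutdown.aspx"


def basic_auth_ok(headers):
    """Check an HTTP Basic Authorization header against the admin account."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Basic "):
        return False
    try:
        user, _, pw = base64.b64decode(auth[6:]).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return False
    return (hmac.compare_digest(user.encode(), ADMIN_USER.encode())
            and hmac.compare_digest(pw.encode(), ADMIN_PASS.encode()))


class VulnerableInterface:
    """Changes state on any request the browser sends with ambient credentials."""

    def __init__(self):
        self.shut_down = False

    def handle(self, method, path, headers, form=None):
        if not basic_auth_ok(headers):
            return 401
        if path == SHUTDOWN:          # any method, no proof of user intent
            self.shut_down = True
            return 200
        return 404


class HardenedInterface:
    """State changes need a POST carrying the token bound to the session."""

    def __init__(self):
        self.shut_down = False
        self.tokens = {}              # session id -> CSRF token, held server side

    def login(self, headers):
        """On a real login, issue a session id and a random token for its forms."""
        if not basic_auth_ok(headers):
            return None
        sid = secrets.token_urlsafe(16)
        self.tokens[sid] = secrets.token_urlsafe(32)
        return sid

    def csrf_token(self, sid):
        """The legitimate page embeds this as a hidden form field."""
        return self.tokens[sid]

    def handle(self, method, path, headers, form, cookies):
        if not basic_auth_ok(headers) or cookies.get("session") not in self.tokens:
            return 401
        if path == SHUTDOWN:
            if method != "POST":      # recommendation 1: no state change on GET
                return 405
            expected = self.tokens[cookies["session"]]
            sent = form.get("csrf_token", "")
            if not hmac.compare_digest(sent.encode(), expected.encode()):
                return 403            # recommendation 2: forged request lacks the nonce
            self.shut_down = True
            return 200
        return 404


# The browser attaches these to the forged <img> request just as to a real one.
AUTH_HEADERS = {"Authorization": "Basic "
                + base64.b64encode(f"{ADMIN_USER}:{ADMIN_PASS}".encode()).decode()}


def csrf_demo():
    """Replay the slides' forged GET against both versions and report the outcome."""
    vulnerable = VulnerableInterface()
    results = {"vulnerable_forged": vulnerable.handle("GET", SHUTDOWN, AUTH_HEADERS)}
    results["vulnerable_shut_down"] = vulnerable.shut_down

    hardened = HardenedInterface()
    sid = hardened.login(AUTH_HEADERS)
    cookies = {"session": sid}
    results["hardened_forged_get"] = hardened.handle("GET", SHUTDOWN, AUTH_HEADERS, {}, cookies)
    results["hardened_guessed_token"] = hardened.handle(
        "POST", SHUTDOWN, AUTH_HEADERS, {"csrf_token": "guess"}, cookies)
    results["hardened_still_up"] = not hardened.shut_down
    results["hardened_legit"] = hardened.handle(
        "POST", SHUTDOWN, AUTH_HEADERS, {"csrf_token": hardened.csrf_token(sid)}, cookies)
    return results


if __name__ == "__main__":
    for name, value in csrf_demo().items():
        print(f"{name}: {value}")
```

The point the two versions make side by side: the forged request is fully authenticated in both cases, so authentication alone cannot distinguish it from a real one. Only the token, which never leaves the legitimate page and the server's session store, proves the request came from a form the user actually submitted.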
51. When web development firms started to take their application security seriously, they used to have to bring in penetration testers, or security testers, to validate their systems at the end of the development lifecycle. These are typically known as... http://www.flickr.com/photos/delhaye/2276967083/ (CC BY-NC-ND 2.0)
52. Breakers. http://www.flickr.com/photos/sarflondondunc/630250409/ (CC BY-NC-ND 2.0)
  53. It is commonly recognised that this is the most expensive time to rectify security faults. http://www.microsoft.com/security/sdl/benefits/costeffective.aspx
54. Security therefore becomes much cheaper and more effective during the earlier stages of the lifecycle: the requirements gathering, design and development phases. We like to think of people who assist security in the earlier phases as "builders".
55. This shift is happening, which means that the responsibility for these issues is also changing. Perhaps to people like yourselves (( ))
56. But don't worry, the sky is NOT falling. There are a lot of resources out there. http://www.flickr.com/photos/fabiogis50/3749609312/ (CC BY-NC-SA 2.0)
57. Including (()) OWASP, which unfortunately has nothing to do with wasps. http://www.flickr.com/photos/markop/1401429588/ (CC BY-NC-ND 2.0)
  58. The Open Web Application Security Project is an “Open Community dedicated to enabling organisations and individuals to conceive, develop, acquire, operate and maintain applications that can be trusted” Open .. And security? .. I know that sounds like a ..
59. Paradox. Historically security seemed to be based on secrets and degrees of trust and clearance. We now generally acknowledge that security through obscurity... http://www.flickr.com/photos/st3f4n/4356185807/ (CC BY-NC-SA 2.0)
60. Just doesn't work. http://www.flickr.com/photos/kolya/1307365789/ (CC BY-NC-SA 2.0)
  61. So what does OWASP do? .. What’s it about?
  62. These projects include:
  63. The OWASP Guide – which “is aimed at architects, developers, consultants and auditors and is a comprehensive manual for designing, developing and deploying secure Web Applications and Web Services.”
  64. The Software Assurance Maturity Model, or SAMM – which “is an open framework to help organizations formulate and implement a strategy for software security that is tailored to the specific risks facing the organization. “ (If you’re interested in this look out for an upcoming Australian Information Security Association presentation)..
  65. The OWASP Top Ten, which “represents a broad consensus about what the most critical web application security flaws are”
  66. WebGoat which “is a deliberately insecure J2EE web application maintained by OWASP designed to teach web application security lessons”
  67. Webscarab, which “is a framework for analysing applications that communicate using the HTTP and HTTPS protocols.”
  68. And finally the Enterprise Security API or ESAPI. The purpose is simple…
69. ESAPI is NOT a framework like Spring or Struts; it's a set of foundational security controls.
70. To allow for language-specific differences, ESAPI is based on the following design principles.
71. These are the controls that are implemented, and here is an example using the ESAPI Locator class, which allows you to retrieve singleton instances of a particular control.
72. This example shows the input validator and output escaping being used together to guard against SQL injection.
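The slide's example is ESAPI's Java code, which is not reproduced here. Instead, as an added example that is neither ESAPI nor the talk's own code, the following Python shows what the same pair of controls does: an allow-list input validator in the style of ESAPI's validator, and an injection-proof query. One deliberate substitution: where ESAPI's encoder escapes a value for a particular SQL dialect, the Python version binds it as a query parameter, which is the idiomatic guard in that language. The table, sample rows and allow-list patterns are constructed for the example.

```python
"""Added example, not ESAPI code: a Python stand-in for the validator plus
SQL-injection guard shown on the slide. Parameter binding replaces ESAPI's
SQL escaping; all data and patterns are constructed."""
import re
import sqlite3


class ValidationError(ValueError):
    """Raised when input does not match the allow-list for its context."""


# Positive (allow-list) patterns keyed by where the input is used; constructed.
PATTERNS = {
    "username": re.compile(r"[A-Za-z0-9_.-]{1,32}"),
    "ticket": re.compile(r"[0-9]{1,10}"),
}


def get_valid_input(context, value, max_length=32):
    """Reject anything that is missing, too long or outside the context's allow-list."""
    if value is None or len(value) > max_length:
        raise ValidationError(f"{context}: missing or too long")
    if not PATTERNS[context].fullmatch(value):
        raise ValidationError(f"{context}: disallowed characters")
    return value


def make_db():
    """Constructed sample data so the example runs offline."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, role TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("admin", "storage-admin"), ("bob", "viewer")])
    return db


def lookup_role(db, name):
    """Validate first, then bind the value; it is never spliced into SQL text."""
    name = get_valid_input("username", name)
    row = db.execute("SELECT role FROM users WHERE name = ?", (name,)).fetchone()
    return row[0] if row else None


def unsafe_lookup_role(db, name):
    """The pattern the two controls replace: SQL assembled from raw input."""
    rows = db.execute(
        f"SELECT role FROM users WHERE name = '{name}' ORDER BY name").fetchall()
    return [r[0] for r in rows]


def sqli_demo():
    """Run a normal lookup and a tautology payload through both code paths."""
    db = make_db()
    results = {"bob": lookup_role(db, "bob")}
    payload = "' OR '1'='1"              # constructed sample of hostile input
    results["unsafe_rows"] = unsafe_lookup_role(db, payload)   # leaks every role
    try:
        lookup_role(db, payload)
        results["validated"] = "accepted"
    except ValidationError:
        results["validated"] = "rejected"
    # Second layer: even if validation were skipped, binding keeps the payload as data.
    row = db.execute("SELECT role FROM users WHERE name = ?", (payload,)).fetchone()
    results["bound"] = row
    return results


if __name__ == "__main__":
    for name, value in sqli_demo().items():
        print(f"{name}: {value}")
```

The two layers are independent on purpose, which is the point of ESAPI's layout as a set of controls rather than a framework: the validator stops malformed input at the boundary where the error message is still meaningful, and the query layer stays safe even for a code path that forgot to validate.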
  73. To tie back to our previous example of our back end web management interface here are a few controls that ESAPI can bring. Including the Authenticator
74. The Access Controller. So with these two interfaces we no longer have to rely on HTTP Authorization headers.
  75. And CSRF tokens.
76. So where is the ESAPI project at the moment? Well, the Java version is up to version 2.0 release candidate 6, which means they've got a full reference implementation. PHP is well underway with a number of completed controls, but there are some yet to be done. .NET is at around version 0.2.1, but has implemented a number of controls. They're also working on ColdFusion, Python, JavaScript, Haskell and Force.com. http://www.flickr.com/photos/st3f4n/2860706946/
77. So don't re-invent the wheel... well, at least the security wheel. http://www.flickr.com/photos/onkel_wart/4038437003/
78. And don't be concerned. http://www.flickr.com/photos/sophistechate/2758739495/
79. You guys are empowered to build new ways in which we can communicate. http://www.flickr.com/photos/dalbera/2738451853/
80. Just remember what Uncle Ben didn't say :P