
Security presentation



  1. SECURITY IN WEB DEVELOPMENT
     Agenda: Demonstration, Problems, Implementations, Conclusion, Reflections
     I will be touching upon the following:
     ● Basic web application security concepts
     ● Security flaws in web applications
     ● Our security challenges
  2. Demonstration
  3. Problems detected
     Security-related problems in our web application:
     ● All forms are vulnerable
     ● Passwords need protection
     ● Authorized access to the backend
     ● Restrictions in the comment area
     ● Logging of behavior is necessary to better understand the attacker
     ● Possibility to ban users if they don't behave
     ● Image uploader needs protection
  4. Implementations
     Security-related implementations we did:
     ● Tokens and the Referer header to prevent CSRF attacks
     ● reCAPTCHA to exclude bots from filling out forms
     ● 5 tries and out! to stop attackers from repeatedly trying different command attacks
     ● Authorization of users for the backend
     ● HTML entity encoding to prevent XSS
     ● Prepared statements to avoid SQL injection
     ● File extension checker to block scripts disguised as images
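The first and third items on this slide, a per-session CSRF token checked together with the Referer header, and a "5 tries and out" lockout, can be written as a few small functions. The following is an added example, not code from the presentation or from the project it describes; the host name `example.test`, the lockout length of 15 minutes and the session dictionary are assumptions made for the example.

```python
import hmac
import secrets
import time
from typing import Optional
from urllib.parse import urlsplit

SITE_HOST = "example.test"   # assumption: our own host name
MAX_ATTEMPTS = 5             # "5 tries and out"
LOCKOUT_SECONDS = 900        # assumption: refuse further logins for 15 minutes


def issue_csrf_token(session: dict) -> str:
    """Create one random token per session, keep it server-side and embed the
    same value in every form as a hidden field."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def verify_csrf(session: dict, form_token: Optional[str], referer: Optional[str]) -> bool:
    """Accept a POST only if the submitted token equals the session token
    (constant-time comparison) and the Referer, when present, names our host.
    The Referer check is a second line of defence, never the only one, because
    browsers and proxies may strip the header."""
    expected = session.get("csrf_token")
    if not expected or not form_token:
        return False
    if not hmac.compare_digest(expected, form_token):
        return False
    if referer is not None and urlsplit(referer).hostname != SITE_HOST:
        return False
    return True


class LoginLimiter:
    """Count failed logins per account; after MAX_ATTEMPTS failures the account
    is refused for LOCKOUT_SECONDS, then the counter starts again."""

    def __init__(self, now=time.monotonic):
        self._now = now                  # injectable clock, handy for tests
        self._failures = {}              # username -> (count, time of last failure)

    def is_locked(self, user: str) -> bool:
        entry = self._failures.get(user)
        if entry is None:
            return False
        count, last = entry
        if count >= MAX_ATTEMPTS:
            if self._now() - last < LOCKOUT_SECONDS:
                return True
            del self._failures[user]     # lockout expired
        return False

    def record(self, user: str, success: bool) -> None:
        """Call after every login attempt; a success clears the counter."""
        if success:
            self._failures.pop(user, None)
            return
        count, _ = self._failures.get(user, (0, 0.0))
        self._failures[user] = (count + 1, self._now())


if __name__ == "__main__":
    session = {}
    token = issue_csrf_token(session)
    print("same-site post accepted:", verify_csrf(session, token, "https://example.test/comment"))
    print("cross-site post accepted:", verify_csrf(session, token, "https://other.test/"))
    limiter = LoginLimiter()
    for _ in range(MAX_ATTEMPTS):
        limiter.record("bob", False)
    print("bob locked out:", limiter.is_locked("bob"))
```

The token is compared with `hmac.compare_digest` so that a wrong guess cannot be timed, and the limiter keys on the account name rather than the client address, which is what "5 tries" against one account means; a production version would keep the counters in the database or cache so they survive a restart.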
  5. Conclusion
     We have some kind of security; we prevent:
     ● CSRF
     ● XSS
     ● SQL injection
     ● Bots from filling out forms
     ● Script attacks disguised as images
     But security is a dynamic process:
     ● Logging makes it possible to learn from the attackers
     ● A honeypot system would help us even more
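Three of the points this slide claims, XSS, SQL injection and scripts disguised as images, are all about never letting user input cross a trust boundary unchanged. The block below is an added example and not the project's code: it puts a string-concatenated query next to a prepared statement on a constructed in-memory SQLite table, escapes a comment before rendering it, and extends the slide's extension checker with a file-signature check. The table, the sample data and the image signature list are constructed for the example.

```python
import html
import os
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for the site's users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password_hash TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "hash-a"), ("bob", "hash-b")])
    return conn


def find_user_unsafe(conn: sqlite3.Connection, name: str) -> list:
    """Vulnerable form: the input is spliced into the SQL text, so quotes in it
    become part of the query grammar."""
    rows = conn.execute("SELECT name FROM users WHERE name = '" + name + "'").fetchall()
    return [r[0] for r in rows]


def find_user_safe(conn: sqlite3.Connection, name: str) -> list:
    """Prepared statement: the driver binds the value, and it can only ever be
    compared as data, never parsed as SQL."""
    rows = conn.execute("SELECT name FROM users WHERE name = ?", (name,)).fetchall()
    return [r[0] for r in rows]


def render_comment(text: str) -> str:
    """Encode <, >, &, quotes as HTML entities at output time so a comment is
    displayed as text rather than interpreted as markup."""
    return "<p>" + html.escape(text, quote=True) + "</p>"


# Extension allowlist paired with the bytes each real image format starts with
# (constructed list; covers the formats an avatar uploader typically accepts).
IMAGE_SIGNATURES = {
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".gif": b"GIF8",
}


def is_acceptable_image(filename: str, data: bytes) -> bool:
    """Extension check plus file-signature check. A script renamed to .jpg
    passes the first test and fails the second."""
    ext = os.path.splitext(filename)[1].lower()
    signature = IMAGE_SIGNATURES.get(ext)
    if signature is None:
        return False
    return data.startswith(signature)


if __name__ == "__main__":
    conn = make_db()
    probe = "x' OR '1'='1"
    print("concatenated query returns:", find_user_unsafe(conn, probe))
    print("prepared statement returns:", find_user_safe(conn, probe))
    print(render_comment('<b onmouseover="x()">hi</b>'))
    print(is_acceptable_image("avatar.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 12))
    print(is_acceptable_image("avatar.jpg", b"<html><script>"))
```

Escaping belongs at the point of output, not on the way into the database, so the stored text stays usable for other contexts; and an accepted upload should still be written under a server-generated name in a directory the web server does not execute from, since the signature check only proves the file starts like an image.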
  6. Reflections
     What we should still add:
     ● Confirmation process - email confirmation
     ● Honeypot implementation
     ● Securing our logged text files
     ● We should avoid passwords such as "passwords" and "1234".
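The last reflection, together with "Passwords need protection" on the Problems slide, has two halves: reject the weak passwords at sign-up, and store whatever is accepted as a salted, slow hash rather than in clear text. The code below is an added example, not the project's own; the minimum length of 12, the small weak-password list (seeded with the two values the slide names) and the PBKDF2 round count are assumptions chosen for the example.

```python
import hashlib
import hmac
import os

# Constructed denylist: the two examples from the slide plus a few common ones.
WEAK_PASSWORDS = {"password", "passwords", "1234", "12345678", "qwerty"}
MIN_LENGTH = 12            # assumption: minimum length policy
PBKDF2_ROUNDS = 600_000    # assumption: round count for PBKDF2-HMAC-SHA256
ALGORITHM = "pbkdf2_sha256"


def password_problems(pw: str) -> list:
    """Return the policy violations for a candidate password (empty list = ok)."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if pw.lower() in WEAK_PASSWORDS:
        problems.append("on the weak-password list")
    return problems


def hash_password(pw: str) -> str:
    """Fresh random salt per user, slow key derivation, self-describing output
    so the rounds can be raised later without breaking old records."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return "%s$%d$%s$%s" % (ALGORITHM, PBKDF2_ROUNDS, salt.hex(), digest.hex())


def verify_password(pw: str, stored: str) -> bool:
    """Recompute with the stored salt and rounds; compare in constant time."""
    try:
        algorithm, rounds, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algorithm != ALGORITHM:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    for candidate in ("1234", "correct horse battery staple"):
        print(repr(candidate), "->", password_problems(candidate) or "accepted")
    record = hash_password("correct horse battery staple")
    print(record)
    print("verify correct:", verify_password("correct horse battery staple", record))
    print("verify wrong:  ", verify_password("1234", record))
```

Because the salt is random, the same password hashed twice gives two different records, which is what stops a leaked table from being attacked with one precomputed list; the stored format carries the algorithm and round count so that the cost can be raised for new users while old records still verify.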
