5 March 2011 – www.codemotion.it




There are only 10 types of people in the world:
those who understand binary, and those who don't.




(Who + What) && (Where + When) == Why

APPLICATION SECURITY FOR THE MASSES
Except where otherwise noted, this work is licensed under http://creativecommons.org/licenses/by-nc-sa/3.0/
Andrea Pompili <apompili@hotmail.com>, Xilogic Corp.




[Figure: how a buffer overflow hijacks control flow]

Running normal: PROGRAM INSTRUCTIONS | INTEGER DATA BUFFER | CHAR DATA BUFFER | POINTER (which program line runs next). The program jumps to the next address.

Running hacked: PROGRAM INSTRUCTIONS | INTEGER DATA BUFFER | CHAR DATA BUFFER filled with INJECTED CODE | CORRUPTED POINTER. The data written past the end of the char buffer overwrites the pointer, so the program jumps to the overwritten address and the pointer executes the injected code.






The Onion Application Framework

[Figure: onion diagram; the label at the core is DATA]






                                                                         To Code or not to Code






Users = Lusers (Utenti = UtOnti)

At this moment you have received the "Albanian virus".

Since we in Albania have no experience of software and programming, this Albanian virus works on the principle of trust and cooperation.

So we now ask you to delete all the files on your hard disk and send this virus to all the friends in your address book.

Thank you for your trust and cooperation.





Computer fraud in numbers

[Figure: five figures, values not recoverable from the extraction: credit fraud on the web during 2010; cost of a compromised identity; overall damage caused by scams; damage caused by false identities; complaints filed with the Postal Police service in 2010]

Source: CRIS for Il Sole 24 Ore, November 2010


The OWASP project

OWASP Top 10 – 2007 (previous)                          | OWASP Top 10 – 2010 (new)
--------------------------------------------------------|---------------------------------------------------
A2 – Injection Flaws                                    | A1 – Injection
A1 – Cross Site Scripting (XSS)                         | A2 – Cross-Site Scripting (XSS)
A7 – Broken Authentication and Session Management       | A3 – Broken Authentication and Session Management
A4 – Insecure Direct Object Reference                   | A4 – Insecure Direct Object Reference
A5 – Cross Site Request Forgery (CSRF)                  | A5 – Cross Site Request Forgery (CSRF)
<was T10 2004 A10 – Insecure Configuration Management>  | A6 – Security Misconfiguration (NEW)
A8 – Insecure Cryptographic Storage                     | A7 – Insecure Cryptographic Storage
A10 – Failure to Restrict URL Access                    | A8 – Failure to Restrict URL Access
A9 – Insecure Communications                            | A9 – Insufficient Transport Layer Protection
<not in T10 2007>                                       | A10 – Unvalidated Redirects and Forwards (NEW)
A3 – Malicious File Execution                           | <dropped from T10 2010>
A6 – Information Leakage and Improper Error Handling    | <dropped from T10 2010>




The way to Application Security

[Figure: Files and Databases sit behind Applications; the three organisational actors underneath are Development, ICT Operations and IT Security]



                                                          Current Application Security market






Enforcement Infrastructures

[Figure: the same Files / Databases / Applications picture with the enforcement technology attached to each layer]

FAM (File Activity Monitoring) on Files
DAM (Database Activity Monitoring) on Databases
WAF (Web Application Firewall) in front of Applications
DLP: classification
IAM: authentication, authorisation
Internal usage policies




Attack on Poste Italiane






What went wrong?
http://unu1234567.baywords.com/2009/09/05/poste-italiane-hacked-sql-injection/






SQL Injection
OWASP A1 – Injection

Injection flaws, such as SQL, OS and LDAP injection, occur when unvalidated data is sent to an interpreter as part of a command or query. The hostile data can trick the interpreter into executing unintended commands or accessing data the caller is not authorised to see.
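The flaw above in runnable form, added here as an example that is not code from the deck: a login query built by string formatting next to its parameterised fix, run against a constructed one-row SQLite table. The payload `x'; DROP TABLE users; --` is the one the deck uses on its Application Firewall slide; the table, the user and the tautology string are assumptions of this example.

```python
import sqlite3


def make_db():
    """Constructed sample table for the demo (not from the deck). Storing
    plaintext passwords is a flaw in its own right; it is only here to keep
    the injection example short."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES (1, 'test', 'secret')")
    return conn


def table_exists(conn, name):
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?", (name,)
    ).fetchone()
    return row is not None


def login_vulnerable(conn, username, password):
    """The flaw: user input is pasted into the SQL text, so the interpreter
    sees it as part of the command."""
    sql = ("SELECT id FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    try:
        return conn.execute(sql).fetchone() is not None
    except (sqlite3.Warning, sqlite3.ProgrammingError):
        # Python's sqlite3 refuses more than one statement per execute().
        # Most database APIs do not, so executescript() models such a back
        # end: it runs every statement the attacker appended.
        conn.executescript(sql)
        return False


def login_safe(conn, username, password):
    """The fix: a parameterised query. The SQL text is fixed, the values
    travel separately and can never become commands."""
    row = conn.execute(
        "SELECT id FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row is not None


def demo():
    stacked = "x'; DROP TABLE users; --"   # payload from the deck's WAF slide
    tautology = "' OR '1'='1"              # classic authentication bypass

    conn = make_db()
    vulnerable = {"bypass_logs_in": login_vulnerable(conn, "test", tautology)}
    login_vulnerable(conn, "test", stacked)
    vulnerable["table_dropped"] = not table_exists(conn, "users")

    conn = make_db()
    safe = {
        "bypass_logs_in": login_safe(conn, "test", tautology),
        "real_password_logs_in": login_safe(conn, "test", "secret"),
    }
    login_safe(conn, "test", stacked)
    safe["table_dropped"] = not table_exists(conn, "users")
    return {"vulnerable": vulnerable, "safe": safe}


if __name__ == "__main__":
    print(demo())
```

The tautology logs in and the stacked payload drops the table on the vulnerable path; on the parameterised path both are just wrong passwords and the table is untouched. Note that the fix is not a filter on quotes or semicolons but keeping the SQL text fixed and sending values as parameters; the one-statement limit of Python's sqlite3 is a driver courtesy you will not get everywhere.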






Site redirect






Application Firewall

[Figure: the request below is inspected by the WAF before it reaches Applications]

POST http://www.sito.it/vulnpage.php HTTP/1.1
username: test
password: x'; DROP TABLE users; --
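A toy signature WAF for the request above, added here as an example and not code from the deck or from any WAF product. The rules, the form samples and the one-row table used as ground truth are constructed; the point is what a rule-based filter in front of Applications catches, what it wrongly catches, and what it misses.

```python
import re
import sqlite3

# A handful of signatures of the kind a rule-based WAF applies to every
# form field (constructed for this example; real rule sets are far larger).
SQLI_RULES = [
    ("stacked-query", re.compile(r";\s*(drop|delete|insert|update|alter|create)\b", re.I)),
    ("sql-comment", re.compile(r"--|/\*|#")),
    ("union-select", re.compile(r"\bunion\b.*\bselect\b", re.I)),
    ("tautology", re.compile(r"'\s*or\s+\S+\s*=\s*\S+", re.I)),
]


def inspect_form(form):
    """Match every field of a POST form against the rules.
    Returns ('block', [(field, rule), ...]) or ('allow', [])."""
    hits = [(field, rule) for field, value in form.items()
            for rule, rx in SQLI_RULES if rx.search(value)]
    return ("block" if hits else "allow"), hits


def bypasses_login(username, password):
    """Ground truth behind the WAF: does this input log in against a login
    query built by string formatting? Constructed one-row table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('test', 'secret')")
    sql = ("SELECT 1 FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    return conn.execute(sql).fetchone() is not None


# Constructed requests in the shape of the deck's slide (username/password form).
SAMPLES = {
    "deck payload": {"username": "test", "password": "x'; DROP TABLE users; --"},
    "normal login": {"username": "test", "password": "secret"},
    "evasion": {"username": "test", "password": "x' OR 1 LIKE 1 OR 'x"},
    "odd but legitimate": {"username": "test", "password": "P#ss--w0rd"},
}


def run_samples():
    """Decision per sample: the deck payload is caught, the evasion is not,
    and the odd password is a false positive."""
    return {name: inspect_form(form)[0] for name, form in SAMPLES.items()}


if __name__ == "__main__":
    for name, decision in run_samples().items():
        print(f"{name:20s} -> {decision}")
    print("evasion logs in:", bypasses_login("test", SAMPLES["evasion"]["password"]))
```

The deck's payload trips two rules, a harmless password containing `#` and `--` trips one (a false positive users will ask you to whitelist), and the tautology `x' OR 1 LIKE 1 OR 'x` passes every rule yet still logs in against the string-built query. A WAF buys visibility and time; the injection itself is fixed in the application.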






Top-ups and electricity meters






What went wrong?

[Figure: ESME (External Short Messaging Entity) talking UCP; the trace excerpt below is the relevant part]

Every entry carries the same text:
  . Delivery Failure: .<<0x0A>>To:<<0x0A>>Reason:Wrong address format for recipient(LH)

seq  id     code  part
29   00229  51    -
30   00237  51    1/2
31   00237  51    2/2
32   00237  51    1/3
33   00237  51    2/3
34   00237  51    -
35   00237  51    1/4
36   00237  51    2/4
37   00237  51    3/4




The Wikileaks case






What went wrong?






File Security & Monitoring

1. Crawl file systems
   • Find name, type, owner, permissions…
   • Apply classification policies: owner, org, location
   • Automatic content classification

2. Build data/permission map
   Who      | Group   | What         | Class
   Joe, IT  | Fin-CC  | Read cc.xls  | Financials
   Jim, HR  | HR-Exec | Read PII.doc | PII

3. Enforce policies
   Who         | What              | Action
   Non-Finance | Update Financials | Block
   Any         | Read PII          | Audit

[Figure: Joe (IT) and Jim (HR) reach the NAS / file servers through the FAM; Joe's access is blocked (X), Jim's goes through (OK) and is audited]

Audit log
Who | What         | When           | Action
Joe | Read CC.xls  | 1/1/2010 12:50 | Block
Jim | Read PII.doc | 1/1/2010 12:51 | Audit
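The three steps above as a small policy engine, added here as an example and not code from the deck or from any FAM product. The file classes, the group memberships (including a Finance user, Fay, who is not on the slide) and the timestamps are constructed to mirror the Joe/Jim figures.

```python
# Steps 1 and 2: what the crawl found (constructed sample mirroring the deck's
# Joe/IT and Jim/HR figures, plus a Finance user to show the rule's exception).
FILE_CLASS = {"cc.xls": "Financials", "PII.doc": "PII"}
USER_GROUPS = {
    "Joe": {"IT"},
    "Jim": {"HR", "HR-Exec"},
    "Fay": {"Finance", "Fin-CC"},
}

# Step 3: the policy table. First matching rule wins; no match means allow.
POLICIES = [
    {"name": "Non-Finance updates Financials", "unless_in": {"Finance"},
     "ops": {"update"}, "class": "Financials", "action": "block"},
    {"name": "Any reads PII", "unless_in": set(),
     "ops": {"read"}, "class": "PII", "action": "audit"},
]


def decide(user, op, path):
    """Evaluate one access against the permission map and the policies."""
    data_class = FILE_CLASS.get(path, "unclassified")
    groups = USER_GROUPS.get(user, set())
    for rule in POLICIES:
        if (op in rule["ops"] and data_class == rule["class"]
                and not (groups & rule["unless_in"])):
            return rule["action"], rule["name"]
    return "allow", None


class FileActivityMonitor:
    """Sits between users and the file servers: blocks or audits per policy."""

    def __init__(self):
        self.audit_log = []

    def access(self, user, op, path, when):
        action, rule = decide(user, op, path)
        if action != "allow":
            self.audit_log.append(
                {"who": user, "what": f"{op} {path}", "when": when,
                 "action": action, "rule": rule})
        return action != "block"   # True: the file operation proceeds


def demo():
    fam = FileActivityMonitor()
    proceeded = {
        "Joe update cc.xls": fam.access("Joe", "update", "cc.xls", "1/1/2010 12:50"),
        "Jim read PII.doc": fam.access("Jim", "read", "PII.doc", "1/1/2010 12:51"),
        "Fay update cc.xls": fam.access("Fay", "update", "cc.xls", "1/1/2010 12:52"),
        "Joe read cc.xls": fam.access("Joe", "read", "cc.xls", "1/1/2010 12:53"),
    }
    return proceeded, fam.audit_log


if __name__ == "__main__":
    results, log = demo()
    print(results)
    for entry in log:
        print(entry)
```

The first rule, as written on the slide, covers updates to Financials by non-Finance users, so a plain read of cc.xls by Joe falls through to the default and proceeds unlogged; if reads must be blocked too, that has to be in the rule. Comparing the policy table with what the audit log actually shows is the quickest way to find that kind of gap.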




                                                                         Into the Wireless World






What went wrong?

[Figure: a request for ../main/init/initdb.jsp reaches the Application, which runs its database initialisation script:]

DROP DATABASE cms;
CREATE TABLE contents (…);
CREATE TABLE news (…);
CREATE INDEX idx1;
...




Database Security & Monitoring
Who, Where, How and When

Who (Chi) | How (Come) | Where (Dove) | What (Cosa) | When (Quando)

[Figure: three components and the question each answers, with the deck's JOE / CCTAB example]

DAS: Who is? Dept?               JOE
     Sensitive?                  CCTAB (Credit Card)
URM: What rights?                JOE: update on CCTAB
DAM: When used? Is it dormant?   JOE, CCTAB
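One answer to "When used? Is it dormant?", added here as an example and not code from the deck or from any DAM product: cross the entitlements (URM) with the sensitivity map (DAS) and the observed activity (DAM) to list rights that were granted but not exercised in the window. CCTAB and JOE come from the slide; ANN, NEWS, the grants, the activity trail and the 90-day window are constructed.

```python
from datetime import datetime, timedelta

# DAS: which objects hold sensitive data (constructed, following the deck's CCTAB).
SENSITIVE = {"CCTAB": "Credit Card"}

# URM: entitlements as actually granted in the database (constructed).
GRANTS = {
    ("JOE", "CCTAB"): {"select", "update"},
    ("ANN", "CCTAB"): {"select"},
    ("JOE", "NEWS"): {"select"},
}

# DAM: activity captured on the wire (constructed trail:
# timestamp, user, object, operation).
ACTIVITY = [
    ("2011-02-10 09:12", "JOE", "CCTAB", "select"),
    ("2011-02-28 17:40", "ANN", "CCTAB", "select"),
    ("2010-11-03 08:05", "JOE", "CCTAB", "update"),   # last update, long ago
]


def dormant_rights(grants, activity, now, window_days=90):
    """Rights present in the grant map but not exercised inside the window.
    Sensitive objects come first: those are the revocation candidates
    worth acting on."""
    cutoff = now - timedelta(days=window_days)
    used = {
        (user, obj, op)
        for ts, user, obj, op in activity
        if datetime.strptime(ts, "%Y-%m-%d %H:%M") >= cutoff
    }
    report = [
        {"who": user, "what": obj, "right": op, "sensitive": SENSITIVE.get(obj)}
        for (user, obj), ops in grants.items()
        for op in sorted(ops)
        if (user, obj, op) not in used
    ]
    report.sort(key=lambda r: (r["sensitive"] is None, r["who"], r["what"], r["right"]))
    return report


def demo(today="2011-03-05"):
    """Run the check as of the given date (defaults to the talk's date)."""
    return dormant_rights(GRANTS, ACTIVITY, now=datetime.strptime(today, "%Y-%m-%d"))


if __name__ == "__main__":
    for row in demo():
        print(row)
```

As of 5 March 2011 JOE's update right on CCTAB has gone unused for over 90 days and surfaces first because CCTAB holds card data; his select on NEWS is dormant too but ranks last. Move the date back to December 2010 and the CCTAB update drops off the list, which is the point of basing the decision on observed use rather than on the grant table alone.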






                                                                         La n








Questions? (English)
¿Preguntas? (Spanish)
вопросы? (Russian)
Domande? (Italian)
Ερωτήσεις? (Greek)
tupoQghachmey (Klingon)
[Arabic, Sindarin and Japanese versions shown as images]



Joshua Hoffman - Should the CTO be Coding? - Codemotion Amsterdam 2019
 

Recently uploaded

Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Victor Rentea
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
panagenda
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Victor Rentea
 

Recently uploaded (20)

Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024
 
Vector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptxVector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptx
 
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
 
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
 
Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistan
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
Platformless Horizons for Digital Adaptability
Platformless Horizons for Digital AdaptabilityPlatformless Horizons for Digital Adaptability
Platformless Horizons for Digital Adaptability
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 

Application Security for the masses

  • 1. 5 March 2011 – www.codemotion.it. There are only 10 types of people in the world: those who understand binary, and those who don't. (Who + What) && (Where + When) == Why. APPLICATION SECURITY FOR THE MASSES. Except where otherwise noted, this work is licensed under http://creativecommons.org/licenses/by-nc-sa/3.0/ – <Andrea Pompili> apompili@hotmail.com, Xilogic Corp.
  • 2. Running normal: PROGRAM INSTRUCTIONS | INTEGER DATA BUFFER | CHAR DATA BUFFER | POINTER (which program line runs next). The program jumps to the next address.
    Running hacked: PROGRAM INSTRUCTIONS | INTEGER DATA BUFFER | CHAR DATA BUFFER filled with INJECTED CODE | CORRUPTED POINTER. The program jumps to the overwritten address, so the pointer executes the injected code.
  • 3. The Onion Application Framework: DATA (at the core).
  • 4. To Code or not to Code.
  • 5. Users = Lusers. "At this moment you have received the 'Albanian virus'. Since we in Albania have no experience with software and programming, this Albanian virus works on the principle of trust and cooperation. So we now ask you to delete all the files on your hard disk and send this virus to all the friends in your address book. Thank you for your trust and cooperation."
  • 6. Computer fraud in numbers (figure; values not reproduced): credit fraud on the web during 2010; cost of a compromised identity; total damage resulting from the frauds; damage caused by false identities; complaints filed with the Postal Police service in 2010. Source: CRIS for Il Sole 24 Ore, November 2010.
  • 7. (no text)
  • 8. The OWASP project. OWASP Top 10 – 2007 (previous) mapped to OWASP Top 10 – 2010 (new):
    - A2 Injection Flaws → A1 Injection
    - A1 Cross Site Scripting (XSS) → A2 Cross-Site Scripting (XSS)
    - A7 Broken Authentication and Session Management → A3 Broken Authentication and Session Management
    - A4 Insecure Direct Object Reference → A4 Insecure Direct Object Reference
    - A5 Cross Site Request Forgery (CSRF) → A5 Cross Site Request Forgery (CSRF)
    - <was T10 2004 A10 Insecure Configuration Management> → A6 Security Misconfiguration (NEW)
    - A8 Insecure Cryptographic Storage → A7 Insecure Cryptographic Storage
    - A10 Failure to Restrict URL Access → A8 Failure to Restrict URL Access
    - A9 Insecure Communications → A9 Insufficient Transport Layer Protection
    - <not in T10 2007> → A10 Unvalidated Redirects and Forwards (NEW)
    - A3 Malicious File Execution → <dropped from T10 2010>
    - A6 Information Leakage and Improper Error Handling → <dropped from T10 2010>
  • 9. The way to Application Security: Files, Databases, Applications; Development, ICT Operations, IT Security.
  • 10. Current Application Security market.
  • 11. Enforcement infrastructures: FAM, DAM, DLP and Classification for Files and Databases; IAM (Authentication, Authorization), Usage Policy and WAF for Applications; internal policies.
  • 12. (no text)
  • 13. Attack on Poste Italiane.
  • 14. What went wrong? http://unu1234567.baywords.com/2009/09/05/poste-italiane-hacked-sql-injection/
  • 15. SQL Injection. OWASP A1 – Injection: injection flaws, such as SQL injection, OS injection and LDAP injection, occur when unvalidated data is sent to an interpreter as part of a command or query. The tainted data can then trick that interpreter into executing unintended commands or accessing data the caller is not authorized to access.
  • 16. Site redirect.
  • 17. Application Firewall, placed in front of the Applications; the inspected request:
    POST http://www.sito.it/vulnpage.php HTTP/1.1
    username: test
    password: x'; DROP TABLE users; --
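The injection point from slides 15 and 17, as an added example that is not part of the original deck: the login query built by string concatenation beside the parameterised fix, fed the slide's own POST body, plus a minimal signature rule of the kind the application firewall in the diagram would apply. The in-memory `users` table, `run_stacked` (which emulates a driver that accepts several statements per call) and the regex are assumptions made for this example.

```python
import re
import sqlite3

# Constructed sample request: the POST body shown on the slide.
LOGIN_REQUEST = {"username": "test", "password": "x'; DROP TABLE users; --"}


def fresh_db():
    """In-memory users table standing in for the site's database
    (plain-text password kept so the injection point stays visible)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('test', 'secret')")
    return conn


def table_exists(conn, name):
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?", (name,)
    ).fetchone()
    return row is not None


def run_stacked(conn, sql):
    """Emulates a driver that accepts several ';'-separated statements per call
    (sqlite3.execute() alone refuses that; many DB APIs do not)."""
    for statement in sql.split(";"):
        statement = statement.strip()
        if statement and not statement.startswith("--"):
            conn.execute(statement)


def login_unsafe(conn, username, password):
    """The flaw (OWASP A1): untrusted data is spliced into the command text,
    so the interpreter cannot tell where the value ends and a new command begins."""
    sql = ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    run_stacked(conn, sql)
    return sql  # returned only so the caller can see what was actually executed


def login_safe(conn, username, password):
    """The fix: bind parameters; the input is always a literal value, never SQL."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


# WAF-style rule for the front-end filter: flag form fields carrying statement
# separators, comment markers or DDL/DML keywords. A signature catches this
# payload; it complements parameterised queries, it does not replace them.
SQLI_RE = re.compile(r"(;|--|\b(?:drop|alter|union|insert|delete)\b)", re.I)


def waf_flags(form):
    """Return the names of the fields a signature-based WAF would flag."""
    return [field for field, value in form.items() if SQLI_RE.search(value)]
```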
  • 18. (no text)
  • 19. Top-ups and electricity meters.
  • 20. What went wrong? ESME/UCP delivery log:
    29 00229 51 . Delivery Failure: .<<0x0A>>To:<<0x0A>>Reason:Wrong address format for recipient(LH)
    30 00237 51 1/2 . Delivery Failure: .<<0x0A>>To:<<0x0A>>Reason:Wrong address format for recipient(LH)
    31 00237 51 2/2 . Delivery Failure: .<<0x0A>>To:<<0x0A>>Reason:Wrong address format for recipient(LH)
    32 00237 51 1/3 . Delivery Failure: .<<0x0A>>To:<<0x0A>>Reason:Wrong address format for recipient(LH)
    33 00237 51 2/3 . Delivery Failure: .<<0x0A>>To:<<0x0A>>Reason:Wrong address format for recipient(LH)
    34 00237 51 . Delivery Failure: .<<0x0A>>To:<<0x0A>>Reason:Wrong address format for recipient(LH)
    35 00237 51 1/4 . Delivery Failure: .<<0x0A>>To:<<0x0A>>Reason:Wrong address format for recipient(LH)
    36 00237 51 2/4 . Delivery Failure: .<<0x0A>>To:<<0x0A>>Reason:Wrong address format for recipient(LH)
    37 00237 51 3/4 . Delivery Failure: .<<0x0A>>To:<<0x0A>>Reason:Wrong address format for recipient(LH)
  • 21. (no text)
  • 22. The Wikileaks case.
  • 23. What went wrong?
  • 24. File Security & Monitoring (FAM):
    1. Crawl file systems: find name, type, owner, permissions…
    2. Build the data/permission map: apply classification policies (owner, organisation, location) and automatic content classification. Example map: Joe (Fin-CC) reads cc.xls, classified Finance/Financials; Jim (HR-Exec) reads PII.doc, classified HR/PII; Joe (IT) and Jim (HR) on the NAS and file servers.
    3. Enforce policies (who group, what class → action): Non IT, Financials → Block; Any, PII → Audit.
    Audit log (who, what, when, action): Joe read CC.xls, 1/1/2010 12:50, Block; Jim read PII.doc, 1/1/2010 12:51, Audit.
  • 25. (no text)
  • 26. Into the Wireless World.
  • 27. What went wrong? The application exposes ../main/init/initdb.jsp, which runs: DROP DATABASE cms; CREATE TABLE contents (…); CREATE TABLE news (…); CREATE INDEX idx1; ...
  • 28. Database Security & Monitoring (DAM): who, where, how and when. Columns: who, how, where, what, when; components: DAS, URM, DAM. The questions to answer: Who is it? (JOE, department?) Is it sensitive? (CCTAB, credit card) What rights? (JOE on CCTAB: update) When used? Is it dormant?
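The three-step FAM procedure of slide 24 (crawl, build the data/permission map, enforce) together with the DAM questions of slide 28 ("what rights?", "when used?", "is it dormant?"), as an added example that is not the deck's or any vendor's code. The policy rows are read from slide 24 (Non IT on Financials → Block, anyone on PII → Audit); the sample users, files, file contents and the regex-based classifier are constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed stand-ins for steps 1 and 2: the directory groups and the
# permission map a crawl would produce (names from the slide, plus "Ann" in IT).
GROUPS = {"Joe": "Fin-CC", "Jim": "HR-Exec", "Ann": "IT"}
PERMISSIONS = {"cc.xls": {"Joe", "Ann"}, "PII.doc": {"Jim", "Ann"}}
CONTENTS = {  # constructed file contents for automatic content classification
    "cc.xls": "Q4 card payments: 4111 1111 1111 1111, 5500 0000 0000 0004",
    "PII.doc": "Employee contacts: mario.rossi@example.com",
}
# Step 3 policy rows from the slide: (applies to group?, data class, action)
POLICIES = [
    (lambda group: not group.startswith("IT"), "Financials", "Block"),
    (lambda group: True, "PII", "Audit"),
]
CARD_RE = re.compile(r"\b(?:\d{4}[ -]?){3}\d{4}\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b")


def classify(content):
    """Automatic content classification: first matching class wins."""
    if CARD_RE.search(content):
        return "Financials"
    if EMAIL_RE.search(content):
        return "PII"
    return "Public"


def decide(user, path):
    """Who + What -> action. Unknown users or missing rights fail closed."""
    group = GROUPS.get(user)
    if group is None or user not in PERMISSIONS.get(path, set()):
        return "Block"
    data_class = classify(CONTENTS.get(path, ""))
    for applies, cls, action in POLICIES:
        if cls == data_class and applies(group):
            return action
    return "OK"


def enforce(events):
    """Run each (who, operation, what, when) access through the policies and
    return the audit-log rows the slide shows: (who, op, what, when, action)."""
    return [(who, op, path, when, decide(who, path)) for who, op, path, when in events]


def dormant_rights(audit_log, now, max_idle_days=90):
    """Rights nobody has exercised within max_idle_days ("Is it dormant?")."""
    last_used = {}
    for who, _, path, when, _ in audit_log:
        last_used[(who, path)] = max(last_used.get((who, path), when), when)
    cutoff = now - timedelta(days=max_idle_days)
    return sorted((u, p) for p, users in PERMISSIONS.items() for u in users
                  if last_used.get((u, p), datetime.min) < cutoff)


# Constructed access events matching the slide's audit log, plus one IT read.
EVENTS = [
    ("Joe", "Read", "cc.xls", datetime(2010, 1, 1, 12, 50)),
    ("Jim", "Read", "PII.doc", datetime(2010, 1, 1, 12, 51)),
    ("Ann", "Read", "cc.xls", datetime(2010, 1, 1, 13, 0)),
]
```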
  • 29. La n
  • 30. Questions? (English) ¿Preguntas? (Spanish) вопросы? (Russian) Domande? (Italian) Ερωτήσεις? (Greek) tupoQghachmey (Klingon); also in Arabic, Sindarin and Japanese.