RailsConf 2015 - Metasecurity: Beyond Patching Vulnerabilities

•

1 like•292 views

Rails comes with many powerful security protections out of the box, but no code is perfect. This talk will highlight a new approach to web app security, one focusing on a higher level of abstraction than current techniques. We will take a look at current security processes and tools and some common vulnerabilities still found in many Rails apps. Then we will investigate novel ways to protect against these vulnerabilities.

Technology

Metasecurity: Beyond
Patching Vulnerabilities
Chase Douglas
Immun.io

Anatomy of a security attack
Vulnerability Attacker

PHP: Over 24
vulnerabilities reported
every year!
cvedetails.com
Rails: Over 7
vulnerabilities reported
every year!

Vulnerabilities sold
remain private for an
average of 151 days
The Known Unknowns - Stefan Frei - NSS Labs
https://www.nsslabs.com/reports/known-unknowns-0

How many vulnerabilities
are lurking, unfound?

Anatomy of a security attack
Vulnerability Attacker
Exploitation

Exploitations
• SQL Injection
• Cross Site Scripting (XSS)

Cross Site Scripting (XSS)
But I didn’t click
on anything!

Rails Rendering
Start with an empty SafeBuffer
Buffer:

Rails Rendering
Append template after calling html_safe on it
Buffer: <head>
<title>

Rails Rendering
Append expression result
Buffer: <head>
<title><script>alert(1)</script>
I tried to inject <script>alert(1)</script> here!

Rails Rendering
Append template after calling html_safe on it
Buffer: <head>
<title><script>alert(1)</script></title>

Rails Rendering
Append expression result
Buffer: <head>
<title><script>alert(1)</script></title>
<script src=“/application.js”></script>
javascript_include_tag returned a SafeBuffer

Rails Rendering
Append template after calling html_safe on it
Buffer: <head>
<title><script>alert(1)</script></title>
<script src=“/application.js”></script>
</head>

XSS
params => {id: “<script>alert(1)</script>”}
<div class=“alert”>
User id
<script>alert(1)</script>
does not exist
</div>
Rendered HTML:

How to Fix SQL Injection
• Check that args for all `Calculate` methods are actual table names
• Always use hashes or arrays when using `delete_all`/`destroy_all`/
`where`
• Always use hashes when using `ﬁnd_by`/`ﬁnd_by!`
• Always convert user input to strings when passed to `exists?`
• Never pass user input to `group`/`joins`/`order`/`reorder`/`pluck`/
`select`/`having`
• Don’t use `ﬁnd` unless you are a security guru
• etc. etc.

“Once you’re done with
that, can you audit all our
dependencies too?”

“Can you teach everyone
else about security?”

“All changes will be
reviewed by the security
team”
“It won’t be a bottleneck,
we’ve got two security
engineers”

Metasecurity for XSS
Should there be
script tags here?

Metasecurity for XSS
• Wrap `html_safe` method
• If called from a known good location, like a Rails
helper, let the string through unimpeded
• Otherwise, escape any <script> tags ﬁrst

Metasecurity for SQL
Injection
Structure
Eoknkno1
Structure
Eoknkno1&1o1
Structure
Eoknkno1;Tkn

How do we determine
expected structures?

Every Query is Executed at
the Top of a Call Stack

Match Call Stack to a
Learned Structure
Eoknk

Verify Structure
Eoknk
Ok!
Eoknkno1&1o1
Bad!
Block and
respond with 403
Expected Structure: Eoknk

Metasecurity
Vulnerability Attacker
Exploitation

Immunio is Metasecurity
Automatic protection against:
Cross Site Scripting
SQL Injection
Remote Command Execution
ShellShock
Open Redirects
Unauthorized File I/O
CSRF Tampering
Brute Force Authentication Attempts
HTTP Header Split
HTTP Method Tampering
Automated Scanners
And more…

What's hot

Windows Phone should be gone by now. But somehow it survived, hanging around few percent of mobile OS market share. Maybe good camera which is in those phones does it. Sometimes even an application dedicated to WP platform shows up on pentest. How to do it? What tools to use? What to check? This talk will give you an overview of WP application security assessment, including some tips & tricks as well. We will cover topics like: - application internal structure - data storage - traffic interception - testing on emulator vs testing on rooted phone - code analysis of WP application - overview of security mechanisms available on WP There even will be a real phone with Windows Phone on it to see.

Approaching the unknown - Windows Phone application security assessment guide

SecuRing

Csrf not all defenses are created equal

Ari Elias-Bachrach

Android mobile app security offensive security workshop

Abhinav Sejpal

WordPress Security 101 for developers

Ran Bar-Zik

Passwords, Attakcks, and Security, oh my!

Michele Butcher

ESAPI

n|u - The Open Security Community

Slides from a SiteGround webinar by SiteGround Joomla Performance Guru, Daniel Kanchev. He reveals the 8 most common ways a Joomla website can get hacked and what you can do to protect yourself from each of those hacks. Outdated Extensions & Themes Vulnerable Extensions & Themes Stolen or Weak Login Details Outdated / Vulnerable Server Software Incorrectly Configured Web Server Vulnerable Joomla on a Host Server Incorrect Joomla Permissions Local PC Malware

8 Most Popular Joomla Hacks & How To Avoid Them

SiteGround.com

DEFCON 17 Presentation: CSRF - Yeah, It Still Works

Russ McRee

The recent spike of hack attempts on various Joomla sites has made it more urgent than ever to take actions and secure your Joomla in the best possible way. In this webinar the SiteGround Joomla Performance Guru Daniel Kanchev shows the best practices and shares insightful tricks how to protect your Joomla from getting hacked: - Joomla administrator security settings - Bullet-proof password tips - Vulnerable extensions to avoid - Web application firewall configurations - Recommended server settings - Intrusion detection and protection tools - Disaster recovery plans

Secrets to a Hack-Proof Joomla Revealed

SiteGround.com

Are you a developer who works with PHP? Then this webinar was made for you. Even though PHP is a simple and practical language, it is easy to make code with the help of unorthodox solutions, also known as "kludges", that can endanger your website. In this webinar, Jean will explore some examples of PHP coding done incorrectly. Jean will also show you how badly written code is an invitation for hackers to exploit a website.

Kludges and PHP. Why Should You Use a WAF?

Sucuri

Security testing for web developers

matthewhughes

AtlasCamp 2010: Securing your Plugin - Penny Wyatt

Atlassian

8 Simple Ways to Hack Your Joomla

SiteGround.com

Case Study of Django: Web Frameworks that are Secure by Default

Mohammed ALDOUB

Introduction to CSRF Attacks & Defense

Surya Subhash

HOW TO PROTECT YOUR WORDPRESS WEBSITE FROM HACKERS

Elsner Technologies Pvt Ltd

Hacking WebApps for fun and profit : how to approach a target?

Yassine Aboukir

Passwords, Attacks, and Security oh my!

Michele Butcher-Jones

Nowadays REST APIs are behind each mobile and nearly all of web applications. As such they bring a wide range of possibilities in cases of communication and integration with given system. But with great power comes great responsibility. This talk aims to provide general guidance related do API security assessment and covers common API vulnerabilities. We will look at an API interface from the perspective of potential attacker. I will show: how to find hidden API interfaces ways to detect available methods and parameters fuzzing and pentesting techniques for API calls typical problems I will share several interesting cases from public bug bounty reports and personal experience, for example: * how I got various credentials with one API call * how to cause DoS by running Garbage Collector from API

REST API Pentester's perspective

SecuRing

Understanding The Known: OWASP A9 Using Components With Known Vulnerabilities

Anant Shrivastava

What's hot (20)

Approaching the unknown - Windows Phone application security assessment guide

Csrf not all defenses are created equal

Android mobile app security offensive security workshop

WordPress Security 101 for developers

Passwords, Attakcks, and Security, oh my!

ESAPI

8 Most Popular Joomla Hacks & How To Avoid Them

DEFCON 17 Presentation: CSRF - Yeah, It Still Works

Secrets to a Hack-Proof Joomla Revealed

Kludges and PHP. Why Should You Use a WAF?

Security testing for web developers

AtlasCamp 2010: Securing your Plugin - Penny Wyatt

8 Simple Ways to Hack Your Joomla

Case Study of Django: Web Frameworks that are Secure by Default

Introduction to CSRF Attacks & Defense

HOW TO PROTECT YOUR WORDPRESS WEBSITE FROM HACKERS

Hacking WebApps for fun and profit : how to approach a target?

Passwords, Attacks, and Security oh my!

REST API Pentester's perspective

Understanding The Known: OWASP A9 Using Components With Known Vulnerabilities

Similar to RailsConf 2015 - Metasecurity: Beyond Patching Vulnerabilities

Threat stack aws

Jen Andre

SECON'2017, Евстифеев Петр, Антипаттерны безопасного программирования

SECON

Effective approaches to web application security

Zane Lackey

Secure Coding 101 - OWASP University of Ottawa Workshop

Paul Ionescu

Today everybody wants to deploy the app and infrastructure faster without any disputes. An Even, Agile framework can help to deploy faster in real-time. But Continuous Innovation may conflict with stability and security. Without security at every stage, DevOps merely introduces vulnerabilities into application quickly. To resolve such conflict, the gap in recursive feedback loops need to be eliminated. Mostly, teams are not effectively working in a collaboration and interacting with each other smoothly. This results in gaps and produce problems with code development and quality, meaning slower delivery plans and serious vulnerabilities that create security risk at most. Fortunately, these shortcomings can be addressed very well, as developers/testers are set to launch off into the DevSecOps world or via adopting rugged DevOps model.

Defining DevSecOps

Uchit Vyas ☁

The Principles of Secure Development - BSides Las Vegas 2009

Security Ninja

Some security experts would tell you that security testing is very different from functional or non-functional software testing. They are wrong. Having worked on both sides, Paco gives 3 specific recommendations for how testers can make significant contributions to the security of their software and applications by making small changes to the way they do their software testing. The first technique has to do with selecting points in the user journey that are ripe for security testing. The second is to leverage some common free tools that enable security tests. The final technique is adjusting old school boundary value testing and equivalence class partitioning to incorporate security tests. The result is a lot of security testing done and issues fixed long before any security specialists arrive. Key Takeaways: -Great places in the user journey to inject security tests - Ways to augment existing test approaches to cover security concerns - Typical security tools that are free, cheap, and easy for software testers

Zen and the art of Security Testing

TEST Huddle

Security incident response is a reactive and chaotic exercise. What if it were possible to flip the scenario on its head? Security focused chaos engineering takes the approach of advancing the security incident response apparatus by reversing the postmortem and preparation phases. Contrary to Purple Team or Red Team game days, Security Chaos Engineering does not use threat actor tactics, techniques and procedures. It develops teams through unique configuration, cyber threat and user error scenarios that challenge responders to react to events outside their playbooks and comfort zones. Security Chaos Engineering allows incident response and product teams to derive new information about the state of security within their distributed systems that was previously unknown. Within this new paradigm of instrumentation where we proactively conduct “Pre-Incident” vs. “Post-Incident” reviews we are now able to more accurately measure how effective our security incident response teams, tools, skills, and procedures are during the manic of the Incident Response function. In this session Aaron Rinehart, the mind behind the first Open Source Security Chaos Engineering tool ChaoSlingr, will introduce how Security Chaos Engineering can be applied to create highly secure, performant, and resilient distributed systems.

Craft 2019 - Security Chaos Engineering - Security Precognition

Aaron Rinehart

Agile development is a powerful tool for the creation of high-quality software products. It has however scared the life out of many security managers and risk leaders. Once the job of a dedicated security team, security is now the responsibility of all members of our Agile teams. So how do we bring continuous security to our lifecycles without compromising velocity and innovation? What tools and techniques do we need and when should we apply them? In this talk, we will examine why security is the new key skills for successful Agile development teams and what you can do to bring it to your teams. This is a talk of war stories from the SCRUM team trenches and real world tools, techniques and processes that are less about 'managing' security than they are about building amazing(secure) things, fast.

Continuous Security - NDC Sydney 2017

Laura Bell

Truth and Consequences

Mohammed Almeshekah

Slides

vti

Java is everywhere. According to Oracle it’s on 3 billion devices and counting. We also know that Java is one of the most popular vehicles for delivering malware. But that’s just the plugin right? Well maybe not. Java on the server can be just at risk as the client. In this talk we’ll cover all aspects of Java Vulnerabilities. We’ll explain why Java has this dubious reputation, what’s being done to address the issues and what you have to do to reduce your exposure. You’ll learn about Java vulnerabilities in general: how they are reported, managed and fixed as well as learning about the specifics of attack vectors and just what a ‘vulnerability’ actually is. With the continuing increase in cybercrime it’s time you knew how to defend your code. With examples and code this talk will help you become more effective in tacking security issues in Java.

The Anatomy of Java Vulnerabilities (Devoxx UK 2017)

Steve Poole

Break it while you make it: writing (more) secure software

Leigh Honeywell

王峰不太愿意提子允和周晨晨的那种关系，结果还是触碰了，唉，别人的情网也法力无边。但事已至此，不好过分，作为好朋友，关键的时候怎么也该撑场子。那去就是，为了弟兄哪怕被王秀粘上四辈子也心甘，但你注意，我的灯泡很亮，菲利普2500瓦，够亮吧？我是它两个亮。没事，我本身光明正大，而且身上还背着发电机的。你老弟可要当心，别因为短路把身体给烧糊了。没事，那我就可以在烈火中永生了。《Y滋味》显文具店里中午放学后，四人汇聚到校门口边上的文具店里。显然两位女士没想到王峰会来，吃了一小惊。这又给了王秀展示厉害的机会，尽管香港六合彩平日与王峰不大熟，此时却搞得像三十年的老相识。哟，你也来啦？好啊，人多热闹。说完侧过脸坏笑着看子允，只不过赵大财主又要多破费了。子允跟王峰相视一笑，对香港六合彩说，如果钱不够，留下你给老板的儿子做童养媳。去，去，去，把晨晨留下差不多。哎，正经点儿，去哪吃饭？王秀向每个人扫一遍，一句话问了三个人。去麦当劳。王峰说。麦当劳吧。周晨晨跟道。我随便。子允的声音显得很突出。三个人很配合，被王秀这么一问，同时说出自己的想法。哎，香港六合彩两搞什么？回答得这么整齐？赵子允你可要小心了，王峰和晨晨很默契，强有力的竞争对手喔。王秀这句话很具煽动性，把王峰和晨晨弄得满脸通红。子允被牵其中，也红着脸不知看哪好。王秀，你说什么呀。周晨晨扯着香港六合彩的衣角小声责怪。就是，你这是挑拨香港六合彩兄弟感情，小心吃饭时王峰送你蹲厕所。子允趁机乱中添乱。打破混乱最好的方法就是让事情更混乱，子允一直这么认为。好，我同意，让香港六合彩吃不了兜着走。王峰扬起还在红着的脸，而且是在厕所吃不了兜着走。谈到厕所，女人最不好接招，王秀毫无还手之力，跟着傻笑。一般来说，一对一开损的时候不容易分出伯仲，如果二对一，那个一可就难有招架之力。假使三对一，那一的日子估计只有撕下脸自嘲一番才能逃过此劫。好了，既然两人都要去麦当劳，那香港六合彩抓紧时间吧，中午时间可不充裕。显然，子允对王秀的话很不在心，惦记着找机会用三对一的架式让香港六合彩乖巧一下嘴。到了麦当劳，子允和王峰主动担当起点餐任务，问清两位女生的需要后一起来到柜台排队点餐。周晨晨选了个靠窗的四人位子，然后单手托腮望着窗外卖红薯的老太太发呆。王秀则叽叽喳喳说终于敲诈到子允了。这头，子允正窃笑着王秀嘴大胃小，原以为香港六合彩真会让自己大把挥银，想不到香港六合彩只要了两对(又鸟)翅和一包大薯条，连饮料都是子允过意不去死活让香港六合彩要的。

香港六合彩

baoyin

Due to the recent, well-publicized events involving celebrities and their private photos, the phrase “brute-force attack” has become the web’s newest buzzword. As an IT professional, it’s vital that you detect brute force attacks as quickly as possible so you can shut them down before the damage is done. Join us for a live demo, where we’ll demonstrate a brute force attack (simulated, of course!) and show how AlienVault USM can help you detect an (attempted) intruder and investigate the attack. You'll learn: How attackers can use brute force attacks to gain access to your network Measures you can take to better secure your environment and prevent these attacks How AlienVault USM alerts you immediately of brute force attack attempts, giving you valuable time to shut it down How to use AlienVault USM to investigate an attack and identify compromised assets

AlienVault Brute Force Attacks- Keeping the Bots at Bay with AlienVault USM +...

AlienVault

RSA Conference 2010 San Francisco

Aditya K Sood

The Fault Injection attack surface of Secure Boot implementations is determined by the specifics of their design and implementation. Using a generic Secure Boot design we detail multiple vulnerabilities (~10) using examples in source code, disassembly and hardware. We will determine what the impact is of the target's design on its Fault Injection attack surface: from high-level architecture to low-level implementation details. Research originally presented in November 2016 at BlackHat Europe.

Bypassing Secure Boot using Fault Injection

Riscure

Geecon 2017 Anatomy of Java Vulnerabilities

Steve Poole

Essential security measures in ASP.NET MVC

Rafał Hryniewski

Secure coding - Balgan - Tiago Henriques

Tiago Henriques

Similar to RailsConf 2015 - Metasecurity: Beyond Patching Vulnerabilities (20)

Threat stack aws

SECON'2017, Евстифеев Петр, Антипаттерны безопасного программирования

Effective approaches to web application security

Secure Coding 101 - OWASP University of Ottawa Workshop

Defining DevSecOps

The Principles of Secure Development - BSides Las Vegas 2009

Zen and the art of Security Testing

Craft 2019 - Security Chaos Engineering - Security Precognition

Continuous Security - NDC Sydney 2017

Truth and Consequences

Slides

The Anatomy of Java Vulnerabilities (Devoxx UK 2017)

Break it while you make it: writing (more) secure software

香港六合彩

AlienVault Brute Force Attacks- Keeping the Bots at Bay with AlienVault USM +...

RSA Conference 2010 San Francisco

Bypassing Secure Boot using Fault Injection

Geecon 2017 Anatomy of Java Vulnerabilities

Essential security measures in ASP.NET MVC

Secure coding - Balgan - Tiago Henriques

Recently uploaded

💉💊+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHABI}}+971581248768 +971581248768 Mtp-Kit (500MG) Prices » Dubai [(+971581248768**)] Abortion Pills For Sale In Dubai, UAE, Mifepristone and Misoprostol Tablets Available In Dubai, UAE CONTACT DR.Maya Whatsapp +971581248768 We Have Abortion Pills / Cytotec Tablets /Mifegest Kit Available in Dubai, Sharjah, Abudhabi, Ajman, Alain, Fujairah, Ras Al Khaimah, Umm Al Quwain, UAE, Buy cytotec in Dubai +971581248768''''Abortion Pills near me DUBAI | ABU DHABI|UAE. Price of Misoprostol, Cytotec” +971581248768' Dr.DEEM ''BUY ABORTION PILLS MIFEGEST KIT, MISOPROTONE, CYTOTEC PILLS IN DUBAI, ABU DHABI,UAE'' Contact me now via What's App…… abortion Pills Cytotec also available Oman Qatar Doha Saudi Arabia Bahrain Above all, Cytotec Abortion Pills are Available In Dubai / UAE, you will be very happy to do abortion in Dubai we are providing cytotec 200mg abortion pill in Dubai, UAE. Medication abortion offers an alternative to Surgical Abortion for women in the early weeks of pregnancy. We only offer abortion pills from 1 week-6 Months. We then advise you to use surgery if its beyond 6 months. Our Abu Dhabi, Ajman, Al Ain, Dubai, Fujairah, Ras Al Khaimah (RAK), Sharjah, Umm Al Quwain (UAQ) United Arab Emirates Abortion Clinic provides the safest and most advanced techniques for providing non-surgical, medical and surgical abortion methods for early through late second trimester, including the Abortion By Pill Procedure (RU 486, Mifeprex, Mifepristone, early options French Abortion Pill), Tamoxifen, Methotrexate and Cytotec (Misoprostol). The Abu Dhabi, United Arab Emirates Abortion Clinic performs Same Day Abortion Procedure using medications that are taken on the first day of the office visit and will cause the abortion to occur generally within 4 to 6 hours (as early as 30 minutes) for patients who are 3 to 12 weeks pregnant. When Mifepristone and Misoprostol are used, 50% of patients complete in 4 to 6 hours; 75% to 80% in 12 hours; and 90% in 24 hours. We use a regimen that allows for completion without the need for surgery 99% of the time. All advanced second trimester and late term pregnancies at our Tampa clinic (17 to 24 weeks or greater) can be completed within 24 hours or less 99% of the time without the need surgery. The procedure is completed with minimal to no complications. Our Women's Health Center located in Abu Dhabi, United Arab Emirates, uses the latest medications for medical abortions (RU-486, Mifeprex, Mifegyne, Mifepristone, early options French abortion pill), Methotrexate and Cytotec (Misoprostol). The safety standards of our Abu Dhabi, United Arab Emirates Abortion Doctors remain unparalleled. They consistently maintain the lowest complication rates throughout the nation. Our Physicians and staff are always available to answer questions and care for women in one of the most difficult times in their lives. The decision to have an abortion at the Abortion Cl

+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...

?#DUbAI#??##{{(☎️+971_581248768%)**%*]'#abortion pills for sale in dubai@

ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke

Product Anonymous

ICT role in 21st century education and its challenges

rafiqahmad00786416

MINDCTI Revenue Release Quarter One 2024

MIND CTI

[BuildWithAI] Introduction to Gemini.pdf

Sandro Moreira

Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving

Edi Saputra

Whatsapp Number Escorts Call girls 8617370543 Available 24x7 Mcleodganj Call Girls Service Offer Genuine VIP Model Escorts Call Girls in Your Budget. Mcleodganj Call Girls Service Provide Real Call Girls Number. Make Your Sexual Pleasure Memorable with Our Mcleodganj Call Girls at Affordable Price. Top VIP Escorts Call Girls, High Profile Independent Escorts Call Girls, Housewife Women Escorts Call Girl, College Girls Escorts Call Girls, Russian Escorts Call girls Service in Your Budget.

Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model

Deepika Singh

Architecting Cloud Native Applications

WSO2

Scaling API-first – The story of a global engineering organization Ian Reasor, Senior Computer Scientist - Adobe Radu Cotescu, Senior Computer Scientist - Adobe Apidays New York 2024: The API Economy in the AI Era (April 30 & May 1, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe

apidays

Effective data discovery is crucial for maintaining compliance and mitigating risks in today's rapidly evolving privacy landscape. However, traditional manual approaches often struggle to keep pace with the growing volume and complexity of data. Join us for an insightful webinar where industry leaders from TrustArc and Privya will share their expertise on leveraging AI-powered solutions to revolutionize data discovery. You'll learn how to: - Effortlessly maintain a comprehensive, up-to-date data inventory - Harness code scanning insights to gain complete visibility into data flows leveraging the advantages of code scanning over DB scanning - Simplify compliance by leveraging Privya's integration with TrustArc - Implement proven strategies to mitigate third-party risks Our panel of experts will discuss real-world case studies and share practical strategies for overcoming common data discovery challenges. They'll also explore the latest trends and innovations in AI-driven data management, and how these technologies can help organizations stay ahead of the curve in an ever-changing privacy landscape.

TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery

TrustArc

MS Copilot expands with MS Graph connectors

Nanddeep Nachan

💥 You’re lucky! We’ve found two different (lead) developers that are willing to share their valuable lessons learned about using UiPath Document Understanding! Based on recent implementations in appealing use cases at Partou and SPIE. Don’t expect fancy videos or slide decks, but real and practical experiences that will help you with your own implementations. 📕 Topics that will be addressed: • Training the ML-model by humans: do or don't? • Rule-based versus AI extractors • Tips for finding use cases • How to start 👨‍🏫👨‍💻 Speakers: o Dion Morskieft, RPA Product Owner @Partou o Jack Klein-Schiphorst, Automation Developer @Tacstone Technology

DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam

UiPathCommunity

Passkeys: Developing APIs to enable passwordless authentication Cody Salas, Sr Developer Advocate | Solutions Architect - Yubico Apidays New York 2024: The API Economy in the AI Era (April 30 & May 1, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...

apidays

EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER

MadyBayot

Boost Fertility New Invention Ups Success Rates.pdf

sudhanshuwaghmare1

Strategies for Landing an Oracle DBA Job as a Fresher

Remote DBA Services

Dubai, often portrayed as a shimmering oasis in the desert, faces its own set of challenges, including the occasional threat of flooding. Despite its reputation for opulence and modernity, the emirate is not immune to the forces of nature. In recent years, Dubai has experienced sporadic but significant floods, testing the resilience of its infrastructure and communities. Among the critical lifelines in this bustling metropolis is the Dubai International Airport, a bustling hub that connects the city to the world. This article explores the intersection of Dubai flood events and the resilience demonstrated by the Dubai International Airport in the face of such challenges.

Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...

Orbitshub

Join our latest Connector Corner webinar to discover how UiPath Integration Service revolutionizes API-centric automation in a 'Quote to Cash' process—and how that automation empowers businesses to accelerate revenue generation. A comprehensive demo will explore connecting systems, GenAI, and people, through powerful pre-built connectors designed to speed process cycle times. Speakers: James Dickson, Senior Software Engineer Charlie Greenberg, Host, Product Marketing Manager

Connector Corner: Accelerate revenue generation using UiPath API-centric busi...

DianaGray10

AWS Community Day CPH - Three problems of Terraform

Andrey Devyatkin

The Good, the Bad and the Governed - Why is governance a dirty word? David O'Neill, Chief Operating Officer - APIContext Apidays New York 2024: The API Economy in the AI Era (April 30 & May 1, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...

apidays

Recently uploaded (20)

+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...

ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke

ICT role in 21st century education and its challenges

MINDCTI Revenue Release Quarter One 2024

[BuildWithAI] Introduction to Gemini.pdf

Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving

Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model

Architecting Cloud Native Applications

Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe

TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery

MS Copilot expands with MS Graph connectors

DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam

Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...

EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER

Boost Fertility New Invention Ups Success Rates.pdf

Strategies for Landing an Oracle DBA Job as a Fresher

Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...

Connector Corner: Accelerate revenue generation using UiPath API-centric busi...

AWS Community Day CPH - Three problems of Terraform

Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...

RailsConf 2015 - Metasecurity: Beyond Patching Vulnerabilities

1. Metasecurity: Beyond Patching Vulnerabilities Chase Douglas Immun.io

2. Anatomy of a security attack Vulnerability Attacker

3. How to defend against vulnerabilities?

5. PHP: Over 24 vulnerabilities reported every year! cvedetails.com Rails: Over 7 vulnerabilities reported every year!

6. How fast can you spin this wheel?

7. Vulnerabilities sold remain private for an average of 151 days The Known Unknowns - Stefan Frei - NSS Labs https://www.nsslabs.com/reports/known-unknowns-0

8. How many vulnerabilities are lurking, unfound?

9. How to defend against attackers?

10. Web Application Firewalls

11. Web Application Firewalls

12. Field Trip! Castle Gaillard

13. False Positives

14. Anatomy of a security attack Vulnerability Attacker Exploitation

15. Metasecurity: Blocking Exploitations

16. Exploitations • SQL Injection • Cross Site Scripting (XSS)

25. Cross Site Scripting (XSS) But I didn’t click on anything!

26. +? XSS

27. XSS In someone else’s browser! +

28. String.html_safe

29. String.html_safe Escaped!

30. String.html_safe Not Escaped!

31. Rails Rendering Start with an empty SafeBuffer Buffer:

32. Rails Rendering Append template after calling html_safe on it Buffer: <head> <title>

33. Rails Rendering Append expression result Buffer: <head> <title><script>alert(1)</script> I tried to inject <script>alert(1)</script> here!

34. Rails Rendering Append template after calling html_safe on it Buffer: <head> <title><script>alert(1)</script></title>

35. Rails Rendering Append expression result Buffer: <head> <title><script>alert(1)</script></title> <script src=“/application.js”></script> javascript_include_tag returned a SafeBuffer

36. Rails Rendering Append template after calling html_safe on it Buffer: <head> <title><script>alert(1)</script></title> <script src=“/application.js”></script> </head>

37. XSS

38. XSS params => {id: 5}

39. XSS params => {id: “<script>alert(1)</script>”} <div class=“alert”> User id <script>alert(1)</script> does not exist </div> Rendered HTML:

40. XSS

41. XSS

42. XSS

43. XSS params => {id: “<script>alert(1)</script>”} <div class=“alert”> User id <script>alert(1)</script> does not exist </div> Rendered HTML: +

44. XSS

45. How to Fix?

46. How to Fix XSS

47. How to Fix SQL Injection • Check that args for all `Calculate` methods are actual table names • Always use hashes or arrays when using `delete_all`/`destroy_all`/ `where` • Always use hashes when using `find_by`/`find_by!` • Always convert user input to strings when passed to èxists?` • Never pass user input to `group`/`joins`/òrder`/`reorder`/`pluck`/ `select`/`having` • Don’t use `find` unless you are a security guru • etc. etc.

48. “Once you’re done with that, can you audit all our dependencies too?”

49. “Can you teach everyone else about security?”

50. “All changes will be reviewed by the security team” “It won’t be a bottleneck, we’ve got two security engineers”

51. Metasecurity Defense

52. Metasecurity for XSS Should there be script tags here?

53. Metasecurity for XSS • Wrap `html_safe` method • If called from a known good location, like a Rails helper, let the string through unimpeded • Otherwise, escape any <script> tags ﬁrst

54. Metasecurity for SQL Injection Structure Eoknkno1 Structure Eoknkno1&1o1 Structure Eoknkno1;Tkn

55. How do we determine expected structures?

56. Every Query is Executed at the Top of a Call Stack

57. Match Call Stack to a Learned Structure Eoknk

58. Verify Structure Eoknk Ok! Eoknkno1&1o1 Bad! Block and respond with 403 Expected Structure: Eoknk

59. Metasecurity Vulnerability Attacker Exploitation

60. Immunio is Metasecurity Automatic protection against: Cross Site Scripting SQL Injection Remote Command Execution ShellShock Open Redirects Unauthorized File I/O CSRF Tampering Brute Force Authentication Attempts HTTP Header Split HTTP Method Tampering Automated Scanners And more…

RailsConf 2015 - Metasecurity: Beyond Patching Vulnerabilities

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to RailsConf 2015 - Metasecurity: Beyond Patching Vulnerabilities

Similar to RailsConf 2015 - Metasecurity: Beyond Patching Vulnerabilities (20)

Recently uploaded

Recently uploaded (20)

RailsConf 2015 - Metasecurity: Beyond Patching Vulnerabilities