SlideShare une entreprise Scribd logo

Opa @ owasp 2010

Télécharger en tant que KEY, PDF
I
IamYoric

Web applications and services have critical needs in terms of safety, security and privacy: they need to remain available constantly and can at any time be the object of attacks by malicious and anonymous distant users attempting to take control, alter data or steal it, or cause unwanted behaviors. Unfortunately, recent history shows numerous cases of popular web applications falling victim to such attacks, despite careful attempts to secure them. In this talk, we introduce OPA (One Pot Application), a new platform based on formal methods, designed to make web development sane, safe and secure. OPA provides an integrated methodology where the complete application is written with one simple language with consistent semantics, enforces safe use of the infrastructure through compile-time static checking and a novel programming paradigm suited to the web and encourages correct-by-construction development.

Technologie
1  sur  61
OPA: Language Support for a Sane, Safe and Secure Web David Rajchenbach-Teller Head of R&D MLstate David.Teller@mlstate.com OWASP twitter.com/mlstate +33 1 55 43 76 55 June 24th, 2010 Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP Foundation http://www.owasp.org
What Automated Solutions Miss What it’s all about !!Theoretical "!Logic flaws (business and application) "!Design flaws "!The Stupid !!Practical "!Difficulty interacting with Rich Internet Applications (RIA) "!Complex variants of common attacks (SQL Injection, XSS, etc) "!Cross-Site Request Forgery (CSRF) "!Uncommon or custom infrastructure "!Authorization enforcement "!Abstract information leakage OWASP OWASP 26
What it’s all about What Automated Solutions Miss !!Theoretical "!Logic flaws (business and application) "!Design flaws "!The Stupid !!Practical "!Difficulty interacting with Rich Internet Applications (RIA) "!Complex variants of common attacks (SQL Injection, XSS, etc) "!Cross-Site Request Forgery (CSRF) "!Uncommon or custom infrastructure "!Authorization enforcement "!Abstract information leakage OWASP 6 “Automated vs. Manual: You can’t filter The Stupid” Charles Henderson, David Byrne AppSec DC 2009 + 2010 OWASP 2
What it’s all about What Automated Solutions Miss !!Theoretical "!Logic flaws (business and application) "!Design flaws "!The Stupid !!Practical "!Difficulty interacting with Rich Internet Applications (RIA) "!Complex variants of common attacks (SQL Injection, XSS, etc) "!Cross-Site Request Forgery (CSRF) "!Uncommon or custom infrastructure "!Authorization enforcement "!Abstract information leakage OWASP 6 “Automated vs. Manual: You can’t filter The Stupid” Charles Henderson, David Byrne AppSec DC 2009 + 2010 “Oh, yeah?” The MLstate team AppSec Research 2010 OWASP 2
OPA: Language Support for a Sane, Safe and Secure Web General approach Keeping in the Smart Useful Filtering out the Stupid Fragile Lessons and Future OWASP 3
OPA: Language Support for a Sane, Safe and Secure Web General approach Keeping in the Smart Useful Filtering out the Stupid Fragile Lessons and Future OWASP 3
Web Applications (high-level design) Logics App App Storage Delivery UI User User OWASP 4
Web Applications (what we see) JavaScript Web Web Browser Server PHP? Language Database OWASP 5
Web Applications (what we see) Web Server JavaScript Web Web Web Browser Web Server Server Server PHP? +scripts Who knows? Web Language Language Framework Browser Database Database Database Java? Language OWASP 5
Web Applications (what we see) Web Server JavaScript Config Web Web Web error? Browser Web Server Server Server PHP? +scripts Who knows? Config Web error? Language Language Framework Browser Config error? Config Database error? Database Database Java? Language OWASP 5
Web Applications (what we see) Web Server Protocol JavaScript ? Config Web Web Web error? Browser Protocol Web Server ? Server Server PHP? +scripts Who knows? Config Web error? Language Language Framework Browser Config error? Protocol Protocol ? ? Config Database error? Database Database Java? Language OWASP 5
Web Applications (what we see) Web Server Protocol CSRF exploit Protocol JavaScript ? Info leak Config Web Web Web error? Browser Protocol Web Server Sniffing ? Server Server Data injection Memory injection PHP? +scripts Who knows? Config Web XSS error? Language injection SQL Language Framework Browser injection Config error? Protocol Protocol ? Memory Contami ? injection nation Config Database error? Database Database Java? Language OWASP 5
Web Applications (what we see) Web Server Protocol CSRF exploit Protocol JavaScript ? Info leak Contami Config Web Web Web nation error? Browser Protocol Web Server Sniffing ? Server Server Data injection Memory injection PHP? +scripts Protocol Who exploit Known knows? Config Web XSS error? exploit Language injection SQL Language Framework Browser Protocol injection exploit Config error? Protocol Protocol ? Memory Contami ? injection nation Config + Phishing Database error? Protocol + (D)DoS, economic (D)DoS Database Database Java? exploit + Flash, Silverlight, Gears, XPCOM, Language Java(FX), NativeClient, Acrobat, QT... + Keyloggers + ... OWASP 5
The general idea OWASP 6
The general idea “If you can’t solve the problem, change the problem.” Ferengi Rule of Acquisition #408 OWASP 6
The general idea “If you can’t solve the problem, change the problem.” Ferengi Rule of Acquisition #408 “What if the problem is that Joe User is stupid?” (Joe Developer) OWASP 6
The general idea “If you can’t solve the problem, change the problem.” Ferengi Rule of Acquisition #408 “What if the problem is that Joe User is stupid?” (Joe Developer) “It’s not him, it’s you. You should design your tool so that Joe can’t do anything stupid.” Ferengi Rule of Acquisition #408, contd. OWASP 6
The general idea “If you can’t solve the problem, change the problem.” Ferengi Rule of Acquisition #408 “What if the problem is that Joe User is stupid?” (Joe Developer) “It’s not him, it’s you. You should design your tool so that Joe can’t do anything stupid.” Ferengi Rule of Acquisition #408, contd. “What if the problem is that Joe Developer is stupid?” (Joe Meta-Developer) OWASP 6
The general idea “If you can’t solve the problem, change the problem.” Ferengi Rule of Acquisition #408 “What if the problem is that Joe User is stupid?” (Joe Developer) “It’s not him, it’s you. You should design your tool so that Joe can’t do anything stupid.” Ferengi Rule of Acquisition #408, contd. “What if the problem is that Joe Developer is stupid?” (Joe Meta-Developer) “Haven’t I answered that question already?” Ferengi Rule of Acquisition #408, contd. “...oh, and don’t forget to make sure that Joe can still use the tools!” Ferengi Rule of Acquisition #408, contd. OWASP 6
Web applications (with OPA) Logics OPA App App Storage Delivery UI User User OWASP 7
Web applications (with OPA) Logics OPA App App Storage Delivery UI User User OWASP 7
Web applications (with OPA) Logics OPA App App Untrusted Storage Delivery UI User User OWASP 7
General OPA design OWASP 8
General OPA design Clean-slate design Based on formal methods Safe languages from the bottom up OWASP 8
General OPA design Clean-slate design Based on formal methods Safe languages from the bottom up One language for the whole application Glue & checks generated automatically No impedance mismatch OWASP 8
General OPA design Clean-slate design Based on formal methods Safe languages from the bottom up One language for the whole application Glue & checks generated automatically No impedance mismatch “Just” a distributed system In which not all principals are trusted And communications use web standards Security is (mostly) automatic OWASP 8
General OPA design Joe doesn’t need to know Clean-slate design Based on formal methods Safe languages from the bottom up One language for the whole application Simpler than LAMP Glue & checks generated automatically No impedance mismatch “Just” a distributed system Joe doesn’t need to know In which not all principals are trusted And communications use web standards Security is (mostly) automatic OWASP 8
OPA: Language Support for a Sane, Safe and Secure Web General approach Keeping in the Smart Useful Filtering out the Stupid Fragile Lessons and Future OWASP 9
OPA: Language Support for a Sane, Safe and Secure Web General approach Keeping in the Smart Useful Filtering out the Stupid Fragile Lessons and Future OWASP 9
Hello, web OWASP 10
Hello, web server = one_page_server("Hello, web", -> <>Hello, web</>) 1) Compile Complete web opa hello.opa application. 2) Run ./hello.exe 3) Test browse http://localhost:8080 OWASP 10
URL shortener (22 loc) db /abbrevs: intmap(string) db /abbrevs[_] = "/" make_shorter(url:string):string =   key = Db.fresh_key(/abbrevs)   do /abbrevs[key] <- url   "{key}" _ = @server(make_shorter) do_shorten(_) = exec([#shortened <- make_shorter(Page.getVal(#origin))]) urls = parser | "/" dest=Rule.integer ->     Resource.redirection_page("Please wait a second", <div class="loading">(loading...)</>,{address_moved},0,/abbrevs[dest]) | .* ->     Resource.html("MLstate redirector",     <>Please enter a URL you wish to shorten<br/>     <input id="origin"/><button onclick={do_shorten}>Shorten</button>     <div id="shortened"></div>     </>) server = simple_server(urls) OWASP 11
URL shortener (22 loc) db /abbrevs: intmap(string) Database db /abbrevs[_] = "/" make_shorter(url:string):string =   key = Db.fresh_key(/abbrevs)   do /abbrevs[key] <- url   "{key}" _ = @server(make_shorter) Control do_shorten(_) = exec([#shortened <- make_shorter(Page.getVal(#origin))]) UI urls = parser | "/" dest=Rule.integer ->     Resource.redirection_page("Please wait a second", <div class="loading">(loading...)</>,{address_moved},0,/abbrevs[dest]) | .* ->     Resource.html("MLstate redirector",     <>Please enter a URL you wish to shorten<br/>     <input id="origin"/><button onclick={do_shorten}>Shorten</button>     <div id="shortened"></div>     </>) server = simple_server(urls) OWASP 11
Nice web chat type mess = {id: string; message: string} room = Network.empty():Network.network(mess) connect(callback) = Network.add(Session.make_callback(callback), room) make_broadcaster(id) = _ -> Network.broadcast({~id message=Page.get_value(#entry)}, room) styled_page(title, body) = (   Resource.full_page(title, body, <link rel="stylesheet" type="text/css" href="resources/css.css" />, {success}, []) ) user_update(x:mess) = (   line = <div class="opa-line">     <div class="opa-wrap"><div class="opa-user">{x.id}:</div>     <div class="opa-message">{x.message}</div></div>   </div>   do exec([#show +<- line ])   Page.set_scroll_top(#show, Page.get_height(#show)+Page.get_scroll_top(#show)) ) start(connexion) = (    id = String.sub(0, 8, Server.get_user(connexion) ? "Unknown")    broadcast = make_broadcaster(id)    styled_page("Chat",  //Display      <script onload={_ -> connect()}/>      <div id="header"><div id="logo"></div></div>      <div id="show"></div>      <input id="entry"/>      <div class="opa-button" onclick={broadcast}>Send!</div>    ) ) urls      = parser .* -> start resources = @static_include_directory("resources") server    = Server.make(Resource.add_auto_server(resources, urls)) OWASP 12
Nice web chat type mess = {id: string; message: string} room = Network.empty():Network.network(mess) connect(callback) = Network.add(Session.make_callback(callback), room) make_broadcaster(id) = _ -> Network.broadcast({~id message=Page.get_value(#entry)}, room) styled_page(title, body) = (   Resource.full_page(title, body, <link rel="stylesheet" type="text/css" href="resources/css.css" />, {success}, []) ) user_update(x:mess) = ( UI   line = <div class="opa-line">     <div class="opa-wrap"><div class="opa-user">{x.id}:</div>     <div class="opa-message">{x.message}</div></div>   </div>   do exec([#show +<- line ])   Page.set_scroll_top(#show, Page.get_height(#show)+Page.get_scroll_top(#show)) ) start(connexion) = (    id = String.sub(0, 8, Server.get_user(connexion) ? "Unknown")    broadcast = make_broadcaster(id)    styled_page("Chat",  //Display      <script onload={_ -> connect()}/>      <div id="header"><div id="logo"></div></div>      <div id="show"></div>      <input id="entry"/>      <div class="opa-button" onclick={broadcast}>Send!</div>    ) ) urls      = parser .* -> start resources = @static_include_directory("resources") server    = Server.make(Resource.add_auto_server(resources, urls)) OWASP 12
Nice web chat type mess = {id: string; message: string} room = Network.empty():Network.network(mess) connect(callback) = Network.add(Session.make_callback(callback), room) make_broadcaster(id) = _ -> Network.broadcast({~id message=Page.get_value(#entry)}, room) styled_page(title, body) = ( Real-time   Resource.full_page(title, body, web <link rel="stylesheet" type="text/css" href="resources/css.css" />, {success}, []) ) user_update(x:mess) = ( UI   line = <div class="opa-line">     <div class="opa-wrap"><div class="opa-user">{x.id}:</div>     <div class="opa-message">{x.message}</div></div>   </div>   do exec([#show +<- line ])   Page.set_scroll_top(#show, Page.get_height(#show)+Page.get_scroll_top(#show)) ) start(connexion) = (    id = String.sub(0, 8, Server.get_user(connexion) ? "Unknown")    broadcast = make_broadcaster(id)    styled_page("Chat",  //Display      <script onload={_ -> connect()}/>      <div id="header"><div id="logo"></div></div>      <div id="show"></div>      <input id="entry"/>      <div class="opa-button" onclick={broadcast}>Send!</div>    ) ) urls      = parser .* -> start resources = @static_include_directory("resources") server    = Server.make(Resource.add_auto_server(resources, urls)) OWASP 12
Nice web chat type mess = {id: string; message: string} room = Network.empty():Network.network(mess) connect(callback) = Network.add(Session.make_callback(callback), room) make_broadcaster(id) = _ -> Network.broadcast({~id message=Page.get_value(#entry)}, room) styled_page(title, body) = ( Real-time   Resource.full_page(title, body, web <link rel="stylesheet" type="text/css" href="resources/css.css" />, {success}, []) ) user_update(x:mess) = ( UI   line = <div class="opa-line">     <div class="opa-wrap"><div class="opa-user">{x.id}:</div>     <div class="opa-message">{x.message}</div></div>   </div>   do exec([#show +<- line ])   Page.set_scroll_top(#show, Page.get_height(#show)+Page.get_scroll_top(#show)) ) start(connexion) = (    id = String.sub(0, 8, Server.get_user(connexion) ? "Unknown")    broadcast = make_broadcaster(id)    styled_page("Chat",  //Display      <script onload={_ -> connect()}/>      <div id="header"><div id="logo"></div></div>      <div id="show"></div>      <input id="entry"/>      <div class="opa-button" onclick={broadcast}>Send!</div>    ) ) urls      = parser .* -> start URLs resources = @static_include_directory("resources") server    = Server.make(Resource.add_auto_server(resources, urls)) OWASP 12
There’s more Games Productivity tools Development tools Security applications e-Commerce applications ... OWASP 13
Things we can do (and check!) OWASP 14
Things we can do (and check!) Programmable security policies Ajax SOAP Complex database ... XML processing Comet Fine-grained sessions Time-unlimited rollback Distribution Multitasking Higher-order database User interface Concurrent transactions WSDL Higher-order programming Data history Capabilities OWASP 14
OPA: Language Support for a Sane, Safe and Secure Web General approach Keeping in the Smart Useful Filtering out the Stupid Fragile Lessons and Future OWASP 15
OPA: Language Support for a Sane, Safe and Secure Web General approach Keeping in the Smart Useful Filtering out the Stupid Fragile Lessons and Future OWASP 15
Transparent protections type mess = {id: string; message: string} room = Network.empty():Network.network(mess) connect(callback) = Network.add(Session.make_callback(callback), room) make_broadcaster(id) = _ -> Network.broadcast({~id message=Page.get_value(#entry)}, room) styled_page(title, body) = (   Resource.full_page(title, body, <link rel="stylesheet" type="text/css" href="resources/css.css" />, {success}, []) ) user_update(x:mess) = (   line = <div class="opa-line">     <div class="opa-wrap"><div class="opa-user">{x.id}:</div>     <div class="opa-message">{x.message}</div></div>   </div>   do exec([#show +<- line ])   Page.set_scroll_top(Page.get_height(#show)+Page.get_scroll_top(#show), #show) ) start(connexion) = (    id = String.sub(0, 8, Server.get_user(connexion) ? "Unknown")    broadcast = make_broadcaster(id)    styled_page("Chat",  //Display      <script onload={_ -> connect()}/>      <div id="header"><div id="logo"></div></div>      <div id="show"></div>      <input id="entry"/>      <div class="opa-button" onclick={broadcast}>Send!</div>    ) ) urls      = parser .* -> start resources = @static_include_directory("resources") server    = Server.make(Resource.add_auto_server(resources, urls)) OWASP 16
Transparent protections type mess = {id: string; message: string} room = Network.empty():Network.network(mess) connect(callback) = Network.add(Session.make_callback(callback), room) make_broadcaster(id) = _ -> Network.broadcast({~id message=Page.get_value(#entry)}, room) styled_page(title, body) = (   Resource.full_page(title, body, <link rel="stylesheet" type="text/css" href="resources/css.css" />, {success}, []) ) All insertions user_update(x:mess) = ( = ( are checked user_update(x:mess)   line = <div class="opa-line">   line = <div class="opa-line">     <div class="opa-wrap"><div class="opa-user">{x.id}:</div>     <div class="opa-wrap"><div class="opa-user">{x.id}:</div>     <div class="opa-message">{x.message}</div></div>     <div class="opa-message">{x.message}</div></div>   </div>   </div>   do exec([#show +<- line ])   Page.set_scroll_top(Page.get_height(#show)+Page.get_scroll_top(#show), #show)   do exec([#show +<- line ]) )   Page.set_scroll_top(#show, Page.get_height(#show)+Page.get_scroll_top(#show)) ) start(connexion) = (    id = String.sub(0, 8, Server.get_user(connexion) ? "Unknown")    broadcast = make_broadcaster(id)    styled_page("Chat",  //Display      <script onload={_ -> connect()}/>      <div id="header"><div id="logo"></div></div>      <div id="show"></div>      <input id="entry"/>      <div class="opa-button" onclick={broadcast}>Send!</div>    ) ) urls      = parser .* -> start resources = @static_include_directory("resources") server    = Server.make(Resource.add_auto_server(resources, urls)) OWASP 16
Transparent protections type mess = {id: string; message: string} room = Network.empty():Network.network(mess) connect(callback) = Network.add(Session.make_callback(callback), room) make_broadcaster(id) = _ -> Network.broadcast({~id message=Page.get_value(#entry)}, room) styled_page(title, body) = (   Resource.full_page(title, body, <link rel="stylesheet" type="text/css" href="resources/css.css" />, {success}, []) ) user_update(x:mess) = (   line = <div class="opa-line">     <div class="opa-wrap"><div class="opa-user">{x.id}:</div>     <div class="opa-message">{x.message}</div></div>   </div>   do exec([#show +<- line ])   Page.set_scroll_top(Page.get_height(#show)+Page.get_scroll_top(#show), #show) ) start(connexion) = (    id = String.sub(0, 8, Server.get_user(connexion) ? "Unknown")    broadcast = make_broadcaster(id)    styled_page("Chat",  //Display      <script onload={_ -> connect()}/>      <div id="header"><div id="logo"></div></div>      <div id="show"></div>      <input id="entry"/>      <div class="opa-button" onclick={broadcast}>Send!</div>    ) ) urls      = parser .* -> start resources = @static_include_directory("resources") server    = Server.make(Resource.add_auto_server(resources, urls)) OWASP 16
Transparent protections All communications type mess = {id: string; message: string} are checked room = Network.empty():Network.network(mess) connect(callback) = Network.add(Session.make_callback(callback), room) make_broadcaster(id) = _ -> Network.broadcast({~id message=Page.get_value(#entry)}, make_broadcaster(id) = _ -> Network.broadcast({~id message=Page.get_value(#entry)}, room) room) styled_page(title, body) = (   Resource.full_page(title, body, <link rel="stylesheet" type="text/css" href="resources/css.css" />, {success}, []) ) user_update(x:mess) = (   line = <div class="opa-line">     <div class="opa-wrap"><div class="opa-user">{x.id}:</div>     <div class="opa-message">{x.message}</div></div>   </div>   do exec([#show +<- line ])   Page.set_scroll_top(Page.get_height(#show)+Page.get_scroll_top(#show), #show) ) start(connexion) = (    id = String.sub(0, 8, Server.get_user(connexion) ? "Unknown")    broadcast = make_broadcaster(id)    styled_page("Chat",  //Display      <script onload={_ -> connect()}/>      <div id="header"><div id="logo"></div></div>      <div id="show"></div>      <input id="entry"/>      <div class="opa-button" onclick={broadcast}>Send!</div>    ) ) urls      = parser .* -> start resources = @static_include_directory("resources") server    = Server.make(Resource.add_auto_server(resources, urls)) OWASP 16
Transparent protections type mess = {id: string; message: string} room = Network.empty():Network.network(mess) connect(callback) = Network.add(Session.make_callback(callback), room) make_broadcaster(id) = _ -> Network.broadcast({~id message=Page.get_value(#entry)}, room) styled_page(title, body) = (   Resource.full_page(title, body, <link rel="stylesheet" type="text/css" href="resources/css.css" />, {success}, []) ) user_update(x:mess) = (   line = <div class="opa-line">     <div class="opa-wrap"><div class="opa-user">{x.id}:</div>     <div class="opa-message">{x.message}</div></div>   </div>   do exec([#show +<- line ])   Page.set_scroll_top(Page.get_height(#show)+Page.get_scroll_top(#show), #show) ) start(connexion) = (    id = String.sub(0, 8, Server.get_user(connexion) ? "Unknown")    broadcast = make_broadcaster(id)    styled_page("Chat",  //Display      <script onload={_ -> connect()}/>      <div id="header"><div id="logo"></div></div>      <div id="show"></div>      <input id="entry"/>      <div class="opa-button" onclick={broadcast}>Send!</div>    ) ) urls      = parser .* -> start resources = @static_include_directory("resources") server    = Server.make(Resource.add_auto_server(resources, urls)) OWASP 16
Transparent protections type mess = {id: string; message: string} room = Network.empty():Network.network(mess) connect(callback) = Network.add(Session.make_callback(callback), room) make_broadcaster(id) = _ -> Network.broadcast({~id message=Page.get_value(#entry)}, room) styled_page(title, body) = (   Resource.full_page(title, body, <link rel="stylesheet" type="text/css" href="resources/css.css" />, {success}, []) ) user_update(x:mess) = (   line = <div class="opa-line">     <div class="opa-wrap"><div class="opa-user">{x.id}:</div>     <div class="opa-message">{x.message}</div></div>   </div>   do exec([#show +<- line ])   Page.set_scroll_top(Page.get_height(#show)+Page.get_scroll_top(#show), #show) ) start(connexion) = (    id = String.sub(0, 8, Server.get_user(connexion) ? "Unknown")    broadcast = make_broadcaster(id)       styled_page("Chat",  //Display styled_page("Chat",  //Display      <script onload={_ -> connect()}/>      <script onload={_ -> connect()}/>      <div id="header"><div id="logo"></div></div> Per-user      <div id="show"></div>      <div id="header"><div id="logo"></div></div> capability?*      <input id="entry"/>      <div class="opa-button" onclick={broadcast}>Send!</div>      <div id="show"></div>      )    <input id="entry"/> )      <div class="opa-button" onclick={broadcast}>Send!</div>    urls      = parser .* -> start ) resources = @static_include_directory("resources") server    = Server.make(Resource.add_auto_server(resources, urls)) OWASP 16
Transparent protections type mess = {id: string; message: string} room = Network.empty():Network.network(mess) connect(callback) = Network.add(Session.make_callback(callback), room) make_broadcaster(id) = _ -> Network.broadcast({~id message=Page.get_value(#entry)}, room) styled_page(title, body) = (   Resource.full_page(title, body, <link rel="stylesheet" type="text/css" href="resources/css.css" />, {success}, []) ) user_update(x:mess) = (   line = <div class="opa-line">     <div class="opa-wrap"><div class="opa-user">{x.id}:</div>     <div class="opa-message">{x.message}</div></div>   </div>   do exec([#show +<- line ])   Page.set_scroll_top(Page.get_height(#show)+Page.get_scroll_top(#show), #show) ) start(connexion) = (    id = String.sub(0, 8, Server.get_user(connexion) ? "Unknown")    broadcast = make_broadcaster(id)    styled_page("Chat",  //Display      <script onload={_ -> connect()}/>      <div id="header"><div id="logo"></div></div>      <div id="show"></div>      <input id="entry"/>      <div class="opa-button" onclick={broadcast}>Send!</div>    ) ) urls      = parser .* -> start resources = @static_include_directory("resources") server    = Server.make(Resource.add_auto_server(resources, urls)) OWASP 16
More A1-Injection A6-Security Misconfiguration A2-Cross Site Scripting (XSS) A7-Insecure Cryptographic Storage A3-Broken Authentication and A8-Failure to Restrict URL Access Session Management A4-Insecure Direct Object A9-Insufficient Transport Layer References Protection A5-Cross Site Request Forgery A10-Unvalidated Redirects and (CSRF) Forwards OWASP 17
More A1-Injection A6-Security Misconfiguration A2-Cross Site Scripting (XSS) A7-Insecure Cryptographic Storage A3-Broken Authentication and A8-Failure to Restrict URL Access Session Management A4-Insecure Direct Object A9-Insufficient Transport Layer References Protection A5-Cross Site Request Forgery A10-Unvalidated Redirects and (CSRF) Forwards OWASP 17
More A1-Injection A6-Security Misconfiguration A2-Cross Site Scripting (XSS) A7-Insecure Cryptographic Storage A3-Broken Authentication and A8-Failure to Restrict URL Access Session Management A4-Insecure Direct Object A9-Insufficient Transport Layer References Protection A5-Cross Site Request Forgery A10-Unvalidated Redirects and (CSRF) Forwards OWASP 17
progress) What Automated Solutions Miss !!Theoretical "!Logic flaws (business and application) "!Design flaws "!The Stupid !!Practical "!Difficulty interacting with Rich Internet Applications (RIA) "!Complex variants of common attacks (SQL Injection, XSS, etc) "!Cross-Site Request Forgery (CSRF) "!Uncommon or custom infrastructure "!Authorization enforcement "!Abstract information leakage OWASP OWASP 16 18 6
progress) What Automated Solutions Miss ^ other !!Theoretical "!Logic flaws (business and application) (in progress) "!Design flaws "!The Stupid (what we do best) !!Practical (been there, done that) "!Difficulty interacting with Rich Internet Applications (RIA) "!Complex variants of common attacks (SQL Injection, XSS, etc) (been there, done that) "!Cross-Site Request Forgery (CSRF) (in progress) "!Uncommon or custom infrastructure (abstract&specify them away!) "!Authorization enforcement (been there, done that) "!Abstract information leakage (been there, done that) OWASP OWASP 16 18 6
OPA: Language Support for a Sane, Safe and Secure Web General approach Keeping in the Smart Useful Filtering out the Stupid Fragile Lessons and Future OWASP 19
OPA: Language Support for a Sane, Safe and Secure Web General approach Keeping in the Smart Useful Filtering out the Stupid Fragile Lessons and Future OWASP 19
Theoretical foundations Building on 30+ years of research in formal methods & language theory. Key for precise analysis. Key for precise optimizations. OWASP 20
False positives False positives are annoying but not that bad -- as long as they are predictable and there’s a workaround. Experienced developers make safety/security mistakes quite often. False positives often later reveal themselves as true positives. OWASP 21
Future Eliminate CSRF. Extend per-application security policy. Extend per-library/per-data safety policy. Plenty of additional features! Hiring you? OWASP 22
That’s all, folks! http://www.mlstate.com OWASP 23
That’s all, folks! Thanks and apologies to David Byrne & Charles Anderson for hijacking their slides http://www.mlstate.com OWASP 23

Recommandé

FraSCAti@rivieradev
FraSCAti@rivieradevFraSCAti@rivieradev
FraSCAti@rivieradevdemarey
 
Milton smith 2013
Milton smith 2013Milton smith 2013
Milton smith 2013jowen_evansdata
 
Ofer Maor - OWASP Top 10
Ofer Maor - OWASP Top 10Ofer Maor - OWASP Top 10
Ofer Maor - OWASP Top 10CSAIsrael
 
Introduction to application security (Arabic)
Introduction to application security (Arabic)Introduction to application security (Arabic)
Introduction to application security (Arabic)Sameh Deabes
 
ajn20 GAEで進捗管理アプリ、無料枠で奮闘
ajn20 GAEで進捗管理アプリ、無料枠で奮闘ajn20 GAEで進捗管理アプリ、無料枠で奮闘
ajn20 GAEで進捗管理アプリ、無料枠で奮闘Andoh Kazuma
 
Bluemixの基本を知る -全体像-
Bluemixの基本を知る -全体像-Bluemixの基本を知る -全体像-
Bluemixの基本を知る -全体像-IBMソリューション
 
Looking Forward… and Beyond - Distinctiveness Through Security Excellence
Looking Forward… and Beyond - Distinctiveness Through Security ExcellenceLooking Forward… and Beyond - Distinctiveness Through Security Excellence
Looking Forward… and Beyond - Distinctiveness Through Security ExcellenceLudovic Petit
 
RSA Europe 2013 OWASP Training
RSA Europe 2013 OWASP TrainingRSA Europe 2013 OWASP Training
RSA Europe 2013 OWASP TrainingJim Manico
 

Recommandé

FraSCAti@rivieradev
FraSCAti@rivieradevFraSCAti@rivieradev
FraSCAti@rivieradevdemarey
 
Milton smith 2013
Milton smith 2013Milton smith 2013
Milton smith 2013jowen_evansdata
 
Ofer Maor - OWASP Top 10
Ofer Maor - OWASP Top 10Ofer Maor - OWASP Top 10
Ofer Maor - OWASP Top 10CSAIsrael
 
Introduction to application security (Arabic)
Introduction to application security (Arabic)Introduction to application security (Arabic)
Introduction to application security (Arabic)Sameh Deabes
 
ajn20 GAEで進捗管理アプリ、無料枠で奮闘
ajn20 GAEで進捗管理アプリ、無料枠で奮闘ajn20 GAEで進捗管理アプリ、無料枠で奮闘
ajn20 GAEで進捗管理アプリ、無料枠で奮闘Andoh Kazuma
 
Bluemixの基本を知る -全体像-
Bluemixの基本を知る -全体像-Bluemixの基本を知る -全体像-
Bluemixの基本を知る -全体像-IBMソリューション
 
Looking Forward… and Beyond - Distinctiveness Through Security Excellence
Looking Forward… and Beyond - Distinctiveness Through Security ExcellenceLooking Forward… and Beyond - Distinctiveness Through Security Excellence
Looking Forward… and Beyond - Distinctiveness Through Security ExcellenceLudovic Petit
 
RSA Europe 2013 OWASP Training
RSA Europe 2013 OWASP TrainingRSA Europe 2013 OWASP Training
RSA Europe 2013 OWASP TrainingJim Manico
 
OWASP App Sec US - 2010
OWASP App Sec US - 2010OWASP App Sec US - 2010
OWASP App Sec US - 2010Aditya K Sood
 
OWASP Free Training - SF2014 - Keary and Manico
OWASP Free Training - SF2014 - Keary and ManicoOWASP Free Training - SF2014 - Keary and Manico
OWASP Free Training - SF2014 - Keary and ManicoEoin Keary
 
OWASP an Introduction
OWASP an Introduction OWASP an Introduction
OWASP an Introduction alessiomarziali
 
Avatar 2.0
Avatar 2.0Avatar 2.0
Avatar 2.0David Delabassee
 
Apiworld
ApiworldApiworld
ApiworldOwen Rubel
 
XSS and CSRF with HTML5
XSS and CSRF with HTML5XSS and CSRF with HTML5
XSS and CSRF with HTML5Shreeraj Shah
 
Do We Need Esb Any More
Do We Need Esb Any MoreDo We Need Esb Any More
Do We Need Esb Any Morekaraznie
 
OWASP Bulgaria
OWASP BulgariaOWASP Bulgaria
OWASP BulgariaZero Science Lab
 
Security Code Review for .NET - Sherif Koussa (OWASP Ottawa)
Security Code Review for .NET - Sherif Koussa (OWASP Ottawa)Security Code Review for .NET - Sherif Koussa (OWASP Ottawa)
Security Code Review for .NET - Sherif Koussa (OWASP Ottawa)OWASP Ottawa
 
Our Brave Modular Future
Our Brave Modular FutureOur Brave Modular Future
Our Brave Modular FutureOrchestrate
 
Workflows in the Virtual Observatory
Workflows in the Virtual ObservatoryWorkflows in the Virtual Observatory
Workflows in the Virtual ObservatoryJose Enrique Ruiz
 
OWASP top10 2017, Montpellier JUG de Noel
OWASP top10 2017, Montpellier JUG de NoelOWASP top10 2017, Montpellier JUG de Noel
OWASP top10 2017, Montpellier JUG de NoelHubert Gregoire
 
[OWASP-Bulgaria] G. Geshev - Chapter Introductory Lecture
[OWASP-Bulgaria] G. Geshev - Chapter Introductory Lecture[OWASP-Bulgaria] G. Geshev - Chapter Introductory Lecture
[OWASP-Bulgaria] G. Geshev - Chapter Introductory LectureG. Geshev
 
AppSec DC 2009 - Learning by breaking by Chuck Willis
AppSec DC 2009 - Learning by breaking by Chuck WillisAppSec DC 2009 - Learning by breaking by Chuck Willis
AppSec DC 2009 - Learning by breaking by Chuck WillisMagno Logan
 
Lotus Mashups, Foundations, Protector - Symposium 2009 Prague
Lotus Mashups, Foundations, Protector - Symposium 2009 PragueLotus Mashups, Foundations, Protector - Symposium 2009 Prague
Lotus Mashups, Foundations, Protector - Symposium 2009 PraguePetr Kunc
 
Shake Hooves With BeEF - OWASP AppSec APAC 2012
Shake Hooves With BeEF - OWASP AppSec APAC 2012Shake Hooves With BeEF - OWASP AppSec APAC 2012
Shake Hooves With BeEF - OWASP AppSec APAC 2012Christian Frichot
 
Evaluating Web App, Mobile App, and API Security - Matt Cohen
Evaluating Web App, Mobile App, and API Security - Matt CohenEvaluating Web App, Mobile App, and API Security - Matt Cohen
Evaluating Web App, Mobile App, and API Security - Matt CohenInman News
 
Don't Drop the SOAP: Real World Web Service Testing for Web Hackers
Don't Drop the SOAP: Real World Web Service Testing for Web Hackers Don't Drop the SOAP: Real World Web Service Testing for Web Hackers
Don't Drop the SOAP: Real World Web Service Testing for Web Hackers Tom Eston
 
Complex Er[jl]ang Processing with StreamBase
Complex Er[jl]ang Processing with StreamBaseComplex Er[jl]ang Processing with StreamBase
Complex Er[jl]ang Processing with StreamBasedarach
 
Owasp london training course 2010 - Matteo Meucci
Owasp london training course 2010 - Matteo MeucciOwasp london training course 2010 - Matteo Meucci
Owasp london training course 2010 - Matteo MeucciMatteo Meucci
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 

Contenu connexe

Similaire à Opa @ owasp 2010

OWASP App Sec US - 2010
OWASP App Sec US - 2010OWASP App Sec US - 2010
OWASP App Sec US - 2010Aditya K Sood
 
OWASP Free Training - SF2014 - Keary and Manico
OWASP Free Training - SF2014 - Keary and ManicoOWASP Free Training - SF2014 - Keary and Manico
OWASP Free Training - SF2014 - Keary and ManicoEoin Keary
 
XSS and CSRF with HTML5
XSS and CSRF with HTML5XSS and CSRF with HTML5
XSS and CSRF with HTML5Shreeraj Shah
 
Do We Need Esb Any More
Do We Need Esb Any MoreDo We Need Esb Any More
Do We Need Esb Any Morekaraznie
 
Security Code Review for .NET - Sherif Koussa (OWASP Ottawa)
Security Code Review for .NET - Sherif Koussa (OWASP Ottawa)Security Code Review for .NET - Sherif Koussa (OWASP Ottawa)
Security Code Review for .NET - Sherif Koussa (OWASP Ottawa)OWASP Ottawa
 
Our Brave Modular Future
Our Brave Modular FutureOur Brave Modular Future
Our Brave Modular FutureOrchestrate
 
Workflows in the Virtual Observatory
Workflows in the Virtual ObservatoryWorkflows in the Virtual Observatory
Workflows in the Virtual ObservatoryJose Enrique Ruiz
 
OWASP top10 2017, Montpellier JUG de Noel
OWASP top10 2017, Montpellier JUG de NoelOWASP top10 2017, Montpellier JUG de Noel
OWASP top10 2017, Montpellier JUG de NoelHubert Gregoire
 
[OWASP-Bulgaria] G. Geshev - Chapter Introductory Lecture
[OWASP-Bulgaria] G. Geshev - Chapter Introductory Lecture[OWASP-Bulgaria] G. Geshev - Chapter Introductory Lecture
[OWASP-Bulgaria] G. Geshev - Chapter Introductory LectureG. Geshev
 
AppSec DC 2009 - Learning by breaking by Chuck Willis
AppSec DC 2009 - Learning by breaking by Chuck WillisAppSec DC 2009 - Learning by breaking by Chuck Willis
AppSec DC 2009 - Learning by breaking by Chuck WillisMagno Logan
 
Lotus Mashups, Foundations, Protector - Symposium 2009 Prague
Lotus Mashups, Foundations, Protector - Symposium 2009 PragueLotus Mashups, Foundations, Protector - Symposium 2009 Prague
Lotus Mashups, Foundations, Protector - Symposium 2009 PraguePetr Kunc
 
Shake Hooves With BeEF - OWASP AppSec APAC 2012
Shake Hooves With BeEF - OWASP AppSec APAC 2012Shake Hooves With BeEF - OWASP AppSec APAC 2012
Shake Hooves With BeEF - OWASP AppSec APAC 2012Christian Frichot
 
Evaluating Web App, Mobile App, and API Security - Matt Cohen
Evaluating Web App, Mobile App, and API Security - Matt CohenEvaluating Web App, Mobile App, and API Security - Matt Cohen
Evaluating Web App, Mobile App, and API Security - Matt CohenInman News
 
Don't Drop the SOAP: Real World Web Service Testing for Web Hackers
Don't Drop the SOAP: Real World Web Service Testing for Web Hackers Don't Drop the SOAP: Real World Web Service Testing for Web Hackers
Don't Drop the SOAP: Real World Web Service Testing for Web Hackers Tom Eston
 
Complex Er[jl]ang Processing with StreamBase
Complex Er[jl]ang Processing with StreamBaseComplex Er[jl]ang Processing with StreamBase
Complex Er[jl]ang Processing with StreamBasedarach
 
Owasp london training course 2010 - Matteo Meucci
Owasp london training course 2010 - Matteo MeucciOwasp london training course 2010 - Matteo Meucci
Owasp london training course 2010 - Matteo MeucciMatteo Meucci
 

Similaire à Opa @ owasp 2010 (20)

OWASP App Sec US - 2010
OWASP App Sec US - 2010OWASP App Sec US - 2010
OWASP App Sec US - 2010
 
OWASP Free Training - SF2014 - Keary and Manico
OWASP Free Training - SF2014 - Keary and ManicoOWASP Free Training - SF2014 - Keary and Manico
OWASP Free Training - SF2014 - Keary and Manico
 
OWASP an Introduction
OWASP an Introduction OWASP an Introduction
OWASP an Introduction
 
Avatar 2.0
Avatar 2.0Avatar 2.0
Avatar 2.0
 
Apiworld
ApiworldApiworld
Apiworld
 
XSS and CSRF with HTML5
XSS and CSRF with HTML5XSS and CSRF with HTML5
XSS and CSRF with HTML5
 
Do We Need Esb Any More
Do We Need Esb Any MoreDo We Need Esb Any More
Do We Need Esb Any More
 
OWASP Bulgaria
OWASP BulgariaOWASP Bulgaria
OWASP Bulgaria
 
Security Code Review for .NET - Sherif Koussa (OWASP Ottawa)
Security Code Review for .NET - Sherif Koussa (OWASP Ottawa)Security Code Review for .NET - Sherif Koussa (OWASP Ottawa)
Security Code Review for .NET - Sherif Koussa (OWASP Ottawa)
 
Our Brave Modular Future
Our Brave Modular FutureOur Brave Modular Future
Our Brave Modular Future
 
Workflows in the Virtual Observatory
Workflows in the Virtual ObservatoryWorkflows in the Virtual Observatory
Workflows in the Virtual Observatory
 
OWASP top10 2017, Montpellier JUG de Noel
OWASP top10 2017, Montpellier JUG de NoelOWASP top10 2017, Montpellier JUG de Noel
OWASP top10 2017, Montpellier JUG de Noel
 
[OWASP-Bulgaria] G. Geshev - Chapter Introductory Lecture
[OWASP-Bulgaria] G. Geshev - Chapter Introductory Lecture[OWASP-Bulgaria] G. Geshev - Chapter Introductory Lecture
[OWASP-Bulgaria] G. Geshev - Chapter Introductory Lecture
 
AppSec DC 2009 - Learning by breaking by Chuck Willis
AppSec DC 2009 - Learning by breaking by Chuck WillisAppSec DC 2009 - Learning by breaking by Chuck Willis
AppSec DC 2009 - Learning by breaking by Chuck Willis
 
Lotus Mashups, Foundations, Protector - Symposium 2009 Prague
Lotus Mashups, Foundations, Protector - Symposium 2009 PragueLotus Mashups, Foundations, Protector - Symposium 2009 Prague
Lotus Mashups, Foundations, Protector - Symposium 2009 Prague
 
Shake Hooves With BeEF - OWASP AppSec APAC 2012
Shake Hooves With BeEF - OWASP AppSec APAC 2012Shake Hooves With BeEF - OWASP AppSec APAC 2012
Shake Hooves With BeEF - OWASP AppSec APAC 2012
 
Evaluating Web App, Mobile App, and API Security - Matt Cohen
Evaluating Web App, Mobile App, and API Security - Matt CohenEvaluating Web App, Mobile App, and API Security - Matt Cohen
Evaluating Web App, Mobile App, and API Security - Matt Cohen
 
Don't Drop the SOAP: Real World Web Service Testing for Web Hackers
Don't Drop the SOAP: Real World Web Service Testing for Web Hackers Don't Drop the SOAP: Real World Web Service Testing for Web Hackers
Don't Drop the SOAP: Real World Web Service Testing for Web Hackers
 
Complex Er[jl]ang Processing with StreamBase
Complex Er[jl]ang Processing with StreamBaseComplex Er[jl]ang Processing with StreamBase
Complex Er[jl]ang Processing with StreamBase
 
Owasp london training course 2010 - Matteo Meucci
Owasp london training course 2010 - Matteo MeucciOwasp london training course 2010 - Matteo Meucci
Owasp london training course 2010 - Matteo Meucci
 

Dernier

Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .Alan Dix
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningLars Bell
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsMiki Katsuragi
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteDianaGray10
 
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DayH2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DaySri Ambati
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.Curtis Poe
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity PlanDatabarracks
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Manik S Magar
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionDilum Bandara
 

Dernier (20)

Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine Tuning
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering Tips
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DayH2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An Introduction
 

Opa @ owasp 2010

  • 1. OPA: Language Support for a Sane, Safe and Secure Web David Rajchenbach-Teller Head of R&D MLstate David.Teller@mlstate.com OWASP twitter.com/mlstate +33 1 55 43 76 55 June 24th, 2010 Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP Foundation http://www.owasp.org
  • 2. What Automated Solutions Miss What it’s all about !!Theoretical "!Logic flaws (business and application) "!Design flaws "!The Stupid !!Practical "!Difficulty interacting with Rich Internet Applications (RIA) "!Complex variants of common attacks (SQL Injection, XSS, etc) "!Cross-Site Request Forgery (CSRF) "!Uncommon or custom infrastructure "!Authorization enforcement "!Abstract information leakage OWASP OWASP 26
  • 3. What it’s all about What Automated Solutions Miss !!Theoretical "!Logic flaws (business and application) "!Design flaws "!The Stupid !!Practical "!Difficulty interacting with Rich Internet Applications (RIA) "!Complex variants of common attacks (SQL Injection, XSS, etc) "!Cross-Site Request Forgery (CSRF) "!Uncommon or custom infrastructure "!Authorization enforcement "!Abstract information leakage OWASP 6 “Automated vs. Manual: You can’t filter The Stupid” Charles Henderson, David Byrne AppSec DC 2009 + 2010 OWASP 2
  • 4. What it’s all about What Automated Solutions Miss !!Theoretical "!Logic flaws (business and application) "!Design flaws "!The Stupid !!Practical "!Difficulty interacting with Rich Internet Applications (RIA) "!Complex variants of common attacks (SQL Injection, XSS, etc) "!Cross-Site Request Forgery (CSRF) "!Uncommon or custom infrastructure "!Authorization enforcement "!Abstract information leakage OWASP 6 “Automated vs. Manual: You can’t filter The Stupid” Charles Henderson, David Byrne AppSec DC 2009 + 2010 “Oh, yeah?” The MLstate team AppSec Research 2010 OWASP 2
  • 5. OPA: Language Support for a Sane, Safe and Secure Web General approach Keeping in the Smart Useful Filtering out the Stupid Fragile Lessons and Future OWASP 3
  • 6. OPA: Language Support for a Sane, Safe and Secure Web General approach Keeping in the Smart Useful Filtering out the Stupid Fragile Lessons and Future OWASP 3
  • 7. Web Applications (high-level design) Logics App App Storage Delivery UI User User OWASP 4
  • 8. Web Applications (what we see) JavaScript Web Web Browser Server PHP? Language Database OWASP 5
  • 9. Web Applications (what we see) Web Server JavaScript Web Web Web Browser Web Server Server Server PHP? +scripts Who knows? Web Language Language Framework Browser Database Database Database Java? Language OWASP 5
  • 10. Web Applications (what we see) Web Server JavaScript Config Web Web Web error? Browser Web Server Server Server PHP? +scripts Who knows? Config Web error? Language Language Framework Browser Config error? Config Database error? Database Database Java? Language OWASP 5
  • 11. Web Applications (what we see) Web Server Protocol JavaScript ? Config Web Web Web error? Browser Protocol Web Server ? Server Server PHP? +scripts Who knows? Config Web error? Language Language Framework Browser Config error? Protocol Protocol ? ? Config Database error? Database Database Java? Language OWASP 5
  • 12. Web Applications (what we see) Web Server Protocol CSRF exploit Protocol JavaScript ? Info leak Config Web Web Web error? Browser Protocol Web Server Sniffing ? Server Server Data injection Memory injection PHP? +scripts Who knows? Config Web XSS error? Language injection SQL Language Framework Browser injection Config error? Protocol Protocol ? Memory Contami ? injection nation Config Database error? Database Database Java? Language OWASP 5
  • 13. Web Applications (what we see) Web Server Protocol CSRF exploit Protocol JavaScript ? Info leak Contami Config Web Web Web nation error? Browser Protocol Web Server Sniffing ? Server Server Data injection Memory injection PHP? +scripts Protocol Who exploit Known knows? Config Web XSS error? exploit Language injection SQL Language Framework Browser Protocol injection exploit Config error? Protocol Protocol ? Memory Contami ? injection nation Config + Phishing Database error? Protocol + (D)DoS, economic (D)DoS Database Database Java? exploit + Flash, Silverlight, Gears, XPCOM, Language Java(FX), NativeClient, Acrobat, QT... + Keyloggers + ... OWASP 5
  • 14. The general idea OWASP 6
  • 15. The general idea “If you can’t solve the problem, change the problem.” Ferengi Rule of Acquisition #408 OWASP 6
  • 16. The general idea “If you can’t solve the problem, change the problem.” Ferengi Rule of Acquisition #408 “What if the problem is that Joe User is stupid?” (Joe Developer) OWASP 6
  • 17. The general idea “If you can’t solve the problem, change the problem.” Ferengi Rule of Acquisition #408 “What if the problem is that Joe User is stupid?” (Joe Developer) “It’s not him, it’s you. You should design your tool so that Joe can’t do anything stupid.” Ferengi Rule of Acquisition #408, contd. OWASP 6
  • 18. The general idea “If you can’t solve the problem, change the problem.” Ferengi Rule of Acquisition #408 “What if the problem is that Joe User is stupid?” (Joe Developer) “It’s not him, it’s you. You should design your tool so that Joe can’t do anything stupid.” Ferengi Rule of Acquisition #408, contd. “What if the problem is that Joe Developer is stupid?” (Joe Meta-Developer) OWASP 6
  • 19. The general idea “If you can’t solve the problem, change the problem.” Ferengi Rule of Acquisition #408 “What if the problem is that Joe User is stupid?” (Joe Developer) “It’s not him, it’s you. You should design your tool so that Joe can’t do anything stupid.” Ferengi Rule of Acquisition #408, contd. “What if the problem is that Joe Developer is stupid?” (Joe Meta-Developer) “Haven’t I answered that question already?” Ferengi Rule of Acquisition #408, contd. “...oh, and don’t forget to make sure that Joe can still use the tools!” Ferengi Rule of Acquisition #408, contd. OWASP 6
  • 20. Web applications (with OPA) Logics OPA App App Storage Delivery UI User User OWASP 7
  • 21. Web applications (with OPA) Logics OPA App App Storage Delivery UI User User OWASP 7
  • 22. Web applications (with OPA) Logics OPA App App Untrusted Storage Delivery UI User User OWASP 7
  • 24. General OPA design Clean-slate design Based on formal methods Safe languages from the bottom up OWASP 8
  • 25. General OPA design Clean-slate design Based on formal methods Safe languages from the bottom up One language for the whole application Glue & checks generated automatically No impedance mismatch OWASP 8
  • 26. General OPA design Clean-slate design Based on formal methods Safe languages from the bottom up One language for the whole application Glue & checks generated automatically No impedance mismatch “Just” a distributed system In which not all principals are trusted And communications use web standards Security is (mostly) automatic OWASP 8
  • 27. General OPA design Joe doesn’t need to know Clean-slate design Based on formal methods Safe languages from the bottom up One language for the whole application Simpler than LAMP Glue & checks generated automatically No impedance mismatch “Just” a distributed system Joe doesn’t need to know In which not all principals are trusted And communications use web standards Security is (mostly) automatic OWASP 8
  • 28. OPA: Language Support for a Sane, Safe and Secure Web General approach Keeping in the Smart Useful Filtering out the Stupid Fragile Lessons and Future OWASP 9
  • 29. OPA: Language Support for a Sane, Safe and Secure Web General approach Keeping in the Smart Useful Filtering out the Stupid Fragile Lessons and Future OWASP 9
  • 30. Hello, web OWASP 10
  • 31. Hello, web server = one_page_server("Hello, web", -> <>Hello, web</>) 1) Compile Complete web opa hello.opa application. 2) Run ./hello.exe 3) Test browse http://localhost:8080 OWASP 10
  • 32. URL shortener (22 loc) db /abbrevs: intmap(string) db /abbrevs[_] = "/" make_shorter(url:string):string =   key = Db.fresh_key(/abbrevs)   do /abbrevs[key] <- url   "{key}" _ = @server(make_shorter) do_shorten(_) = exec([#shortened <- make_shorter(Page.getVal(#origin))]) urls = parser | "/" dest=Rule.integer ->     Resource.redirection_page("Please wait a second", <div class="loading">(loading...)</>,{address_moved},0,/abbrevs[dest]) | .* ->     Resource.html("MLstate redirector",     <>Please enter a URL you wish to shorten<br/>     <input id="origin"/><button onclick={do_shorten}>Shorten</button>     <div id="shortened"></div>     </>) server = simple_server(urls) OWASP 11
  • 33. URL shortener (22 loc) db /abbrevs: intmap(string) Database db /abbrevs[_] = "/" make_shorter(url:string):string =   key = Db.fresh_key(/abbrevs)   do /abbrevs[key] <- url   "{key}" _ = @server(make_shorter) Control do_shorten(_) = exec([#shortened <- make_shorter(Page.getVal(#origin))]) UI urls = parser | "/" dest=Rule.integer ->     Resource.redirection_page("Please wait a second", <div class="loading">(loading...)</>,{address_moved},0,/abbrevs[dest]) | .* ->     Resource.html("MLstate redirector",     <>Please enter a URL you wish to shorten<br/>     <input id="origin"/><button onclick={do_shorten}>Shorten</button>     <div id="shortened"></div>     </>) server = simple_server(urls) OWASP 11
  • 34. Nice web chat type mess = {id: string; message: string} room = Network.empty():Network.network(mess) connect(callback) = Network.add(Session.make_callback(callback), room) make_broadcaster(id) = _ -> Network.broadcast({~id message=Page.get_value(#entry)}, room) styled_page(title, body) = (   Resource.full_page(title, body, <link rel="stylesheet" type="text/css" href="resources/css.css" />, {success}, []) ) user_update(x:mess) = (   line = <div class="opa-line">     <div class="opa-wrap"><div class="opa-user">{x.id}:</div>     <div class="opa-message">{x.message}</div></div>   </div>   do exec([#show +<- line ])   Page.set_scroll_top(#show, Page.get_height(#show)+Page.get_scroll_top(#show)) ) start(connexion) = (    id = String.sub(0, 8, Server.get_user(connexion) ? "Unknown")    broadcast = make_broadcaster(id)    styled_page("Chat",  //Display      <script onload={_ -> connect()}/>      <div id="header"><div id="logo"></div></div>      <div id="show"></div>      <input id="entry"/>      <div class="opa-button" onclick={broadcast}>Send!</div>    ) ) urls      = parser .* -> start resources = @static_include_directory("resources") server    = Server.make(Resource.add_auto_server(resources, urls)) OWASP 12
  • 35. Nice web chat type mess = {id: string; message: string} room = Network.empty():Network.network(mess) connect(callback) = Network.add(Session.make_callback(callback), room) make_broadcaster(id) = _ -> Network.broadcast({~id message=Page.get_value(#entry)}, room) styled_page(title, body) = (   Resource.full_page(title, body, <link rel="stylesheet" type="text/css" href="resources/css.css" />, {success}, []) ) user_update(x:mess) = ( UI   line = <div class="opa-line">     <div class="opa-wrap"><div class="opa-user">{x.id}:</div>     <div class="opa-message">{x.message}</div></div>   </div>   do exec([#show +<- line ])   Page.set_scroll_top(#show, Page.get_height(#show)+Page.get_scroll_top(#show)) ) start(connexion) = (    id = String.sub(0, 8, Server.get_user(connexion) ? "Unknown")    broadcast = make_broadcaster(id)    styled_page("Chat",  //Display      <script onload={_ -> connect()}/>      <div id="header"><div id="logo"></div></div>      <div id="show"></div>      <input id="entry"/>      <div class="opa-button" onclick={broadcast}>Send!</div>    ) ) urls      = parser .* -> start resources = @static_include_directory("resources") server    = Server.make(Resource.add_auto_server(resources, urls)) OWASP 12
  • 36. Nice web chat type mess = {id: string; message: string} room = Network.empty():Network.network(mess) connect(callback) = Network.add(Session.make_callback(callback), room) make_broadcaster(id) = _ -> Network.broadcast({~id message=Page.get_value(#entry)}, room) styled_page(title, body) = ( Real-time   Resource.full_page(title, body, web <link rel="stylesheet" type="text/css" href="resources/css.css" />, {success}, []) ) user_update(x:mess) = ( UI   line = <div class="opa-line">     <div class="opa-wrap"><div class="opa-user">{x.id}:</div>     <div class="opa-message">{x.message}</div></div>   </div>   do exec([#show +<- line ])   Page.set_scroll_top(#show, Page.get_height(#show)+Page.get_scroll_top(#show)) ) start(connexion) = (    id = String.sub(0, 8, Server.get_user(connexion) ? "Unknown")    broadcast = make_broadcaster(id)    styled_page("Chat",  //Display      <script onload={_ -> connect()}/>      <div id="header"><div id="logo"></div></div>      <div id="show"></div>      <input id="entry"/>      <div class="opa-button" onclick={broadcast}>Send!</div>    ) ) urls      = parser .* -> start resources = @static_include_directory("resources") server    = Server.make(Resource.add_auto_server(resources, urls)) OWASP 12
  • 37. Nice web chat type mess = {id: string; message: string} room = Network.empty():Network.network(mess) connect(callback) = Network.add(Session.make_callback(callback), room) make_broadcaster(id) = _ -> Network.broadcast({~id message=Page.get_value(#entry)}, room) styled_page(title, body) = ( Real-time   Resource.full_page(title, body, web <link rel="stylesheet" type="text/css" href="resources/css.css" />, {success}, []) ) user_update(x:mess) = ( UI   line = <div class="opa-line">     <div class="opa-wrap"><div class="opa-user">{x.id}:</div>     <div class="opa-message">{x.message}</div></div>   </div>   do exec([#show +<- line ])   Page.set_scroll_top(#show, Page.get_height(#show)+Page.get_scroll_top(#show)) ) start(connexion) = (    id = String.sub(0, 8, Server.get_user(connexion) ? "Unknown")    broadcast = make_broadcaster(id)    styled_page("Chat",  //Display      <script onload={_ -> connect()}/>      <div id="header"><div id="logo"></div></div>      <div id="show"></div>      <input id="entry"/>      <div class="opa-button" onclick={broadcast}>Send!</div>    ) ) urls      = parser .* -> start URLs resources = @static_include_directory("resources") server    = Server.make(Resource.add_auto_server(resources, urls)) OWASP 12
  • 38. There’s more Games Productivity tools Development tools Security applications e-Commerce applications ... OWASP 13
  • 39. Things we can do (and check!) OWASP 14
  • 40. Things we can do (and check!) Programmable security policies Ajax SOAP Complex database ... XML processing Comet Fine-grained sessions Time-unlimited rollback Distribution Multitasking Higher-order database User interface Concurrent transactions WSDL Higher-order programming Data history Capabilities OWASP 14
  • 41. OPA: Language Support for a Sane, Safe and Secure Web General approach Keeping in the Smart Useful Filtering out the Stupid Fragile Lessons and Future OWASP 15
  • 42. OPA: Language Support for a Sane, Safe and Secure Web General approach Keeping in the Smart Useful Filtering out the Stupid Fragile Lessons and Future OWASP 15
  • 43. Transparent protections type mess = {id: string; message: string} room = Network.empty():Network.network(mess) connect(callback) = Network.add(Session.make_callback(callback), room) make_broadcaster(id) = _ -> Network.broadcast({~id message=Page.get_value(#entry)}, room) styled_page(title, body) = (   Resource.full_page(title, body, <link rel="stylesheet" type="text/css" href="resources/css.css" />, {success}, []) ) user_update(x:mess) = (   line = <div class="opa-line">     <div class="opa-wrap"><div class="opa-user">{x.id}:</div>     <div class="opa-message">{x.message}</div></div>   </div>   do exec([#show +<- line ])   Page.set_scroll_top(Page.get_height(#show)+Page.get_scroll_top(#show), #show) ) start(connexion) = (    id = String.sub(0, 8, Server.get_user(connexion) ? "Unknown")    broadcast = make_broadcaster(id)    styled_page("Chat",  //Display      <script onload={_ -> connect()}/>      <div id="header"><div id="logo"></div></div>      <div id="show"></div>      <input id="entry"/>      <div class="opa-button" onclick={broadcast}>Send!</div>    ) ) urls      = parser .* -> start resources = @static_include_directory("resources") server    = Server.make(Resource.add_auto_server(resources, urls)) OWASP 16
  • 44. Transparent protections type mess = {id: string; message: string} room = Network.empty():Network.network(mess) connect(callback) = Network.add(Session.make_callback(callback), room) make_broadcaster(id) = _ -> Network.broadcast({~id message=Page.get_value(#entry)}, room) styled_page(title, body) = (   Resource.full_page(title, body, <link rel="stylesheet" type="text/css" href="resources/css.css" />, {success}, []) ) All insertions user_update(x:mess) = ( = ( are checked user_update(x:mess)   line = <div class="opa-line">   line = <div class="opa-line">     <div class="opa-wrap"><div class="opa-user">{x.id}:</div>     <div class="opa-wrap"><div class="opa-user">{x.id}:</div>     <div class="opa-message">{x.message}</div></div>     <div class="opa-message">{x.message}</div></div>   </div>   </div>   do exec([#show +<- line ])   Page.set_scroll_top(Page.get_height(#show)+Page.get_scroll_top(#show), #show)   do exec([#show +<- line ]) )   Page.set_scroll_top(#show, Page.get_height(#show)+Page.get_scroll_top(#show)) ) start(connexion) = (    id = String.sub(0, 8, Server.get_user(connexion) ? "Unknown")    broadcast = make_broadcaster(id)    styled_page("Chat",  //Display      <script onload={_ -> connect()}/>      <div id="header"><div id="logo"></div></div>      <div id="show"></div>      <input id="entry"/>      <div class="opa-button" onclick={broadcast}>Send!</div>    ) ) urls      = parser .* -> start resources = @static_include_directory("resources") server    = Server.make(Resource.add_auto_server(resources, urls)) OWASP 16
  • 45. Transparent protections type mess = {id: string; message: string} room = Network.empty():Network.network(mess) connect(callback) = Network.add(Session.make_callback(callback), room) make_broadcaster(id) = _ -> Network.broadcast({~id message=Page.get_value(#entry)}, room) styled_page(title, body) = (   Resource.full_page(title, body, <link rel="stylesheet" type="text/css" href="resources/css.css" />, {success}, []) ) user_update(x:mess) = (   line = <div class="opa-line">     <div class="opa-wrap"><div class="opa-user">{x.id}:</div>     <div class="opa-message">{x.message}</div></div>   </div>   do exec([#show +<- line ])   Page.set_scroll_top(Page.get_height(#show)+Page.get_scroll_top(#show), #show) ) start(connexion) = (    id = String.sub(0, 8, Server.get_user(connexion) ? "Unknown")    broadcast = make_broadcaster(id)    styled_page("Chat",  //Display      <script onload={_ -> connect()}/>      <div id="header"><div id="logo"></div></div>      <div id="show"></div>      <input id="entry"/>      <div class="opa-button" onclick={broadcast}>Send!</div>    ) ) urls      = parser .* -> start resources = @static_include_directory("resources") server    = Server.make(Resource.add_auto_server(resources, urls)) OWASP 16
  • 46. Transparent protections All communications type mess = {id: string; message: string} are checked room = Network.empty():Network.network(mess) connect(callback) = Network.add(Session.make_callback(callback), room) make_broadcaster(id) = _ -> Network.broadcast({~id message=Page.get_value(#entry)}, make_broadcaster(id) = _ -> Network.broadcast({~id message=Page.get_value(#entry)}, room) room) styled_page(title, body) = (   Resource.full_page(title, body, <link rel="stylesheet" type="text/css" href="resources/css.css" />, {success}, []) ) user_update(x:mess) = (   line = <div class="opa-line">     <div class="opa-wrap"><div class="opa-user">{x.id}:</div>     <div class="opa-message">{x.message}</div></div>   </div>   do exec([#show +<- line ])   Page.set_scroll_top(Page.get_height(#show)+Page.get_scroll_top(#show), #show) ) start(connexion) = (    id = String.sub(0, 8, Server.get_user(connexion) ? "Unknown")    broadcast = make_broadcaster(id)    styled_page("Chat",  //Display      <script onload={_ -> connect()}/>      <div id="header"><div id="logo"></div></div>      <div id="show"></div>      <input id="entry"/>      <div class="opa-button" onclick={broadcast}>Send!</div>    ) ) urls      = parser .* -> start resources = @static_include_directory("resources") server    = Server.make(Resource.add_auto_server(resources, urls)) OWASP 16
  • 47. Transparent protections type mess = {id: string; message: string} room = Network.empty():Network.network(mess) connect(callback) = Network.add(Session.make_callback(callback), room) make_broadcaster(id) = _ -> Network.broadcast({~id message=Page.get_value(#entry)}, room) styled_page(title, body) = (   Resource.full_page(title, body, <link rel="stylesheet" type="text/css" href="resources/css.css" />, {success}, []) ) user_update(x:mess) = (   line = <div class="opa-line">     <div class="opa-wrap"><div class="opa-user">{x.id}:</div>     <div class="opa-message">{x.message}</div></div>   </div>   do exec([#show +<- line ])   Page.set_scroll_top(Page.get_height(#show)+Page.get_scroll_top(#show), #show) ) start(connexion) = (    id = String.sub(0, 8, Server.get_user(connexion) ? "Unknown")    broadcast = make_broadcaster(id)    styled_page("Chat",  //Display      <script onload={_ -> connect()}/>      <div id="header"><div id="logo"></div></div>      <div id="show"></div>      <input id="entry"/>      <div class="opa-button" onclick={broadcast}>Send!</div>    ) ) urls      = parser .* -> start resources = @static_include_directory("resources") server    = Server.make(Resource.add_auto_server(resources, urls)) OWASP 16
  • 48. Transparent protections type mess = {id: string; message: string} room = Network.empty():Network.network(mess) connect(callback) = Network.add(Session.make_callback(callback), room) make_broadcaster(id) = _ -> Network.broadcast({~id message=Page.get_value(#entry)}, room) styled_page(title, body) = (   Resource.full_page(title, body, <link rel="stylesheet" type="text/css" href="resources/css.css" />, {success}, []) ) user_update(x:mess) = (   line = <div class="opa-line">     <div class="opa-wrap"><div class="opa-user">{x.id}:</div>     <div class="opa-message">{x.message}</div></div>   </div>   do exec([#show +<- line ])   Page.set_scroll_top(Page.get_height(#show)+Page.get_scroll_top(#show), #show) ) start(connexion) = (    id = String.sub(0, 8, Server.get_user(connexion) ? "Unknown")    broadcast = make_broadcaster(id)       styled_page("Chat",  //Display styled_page("Chat",  //Display      <script onload={_ -> connect()}/>      <script onload={_ -> connect()}/>      <div id="header"><div id="logo"></div></div> Per-user      <div id="show"></div>      <div id="header"><div id="logo"></div></div> capability?*      <input id="entry"/>      <div class="opa-button" onclick={broadcast}>Send!</div>      <div id="show"></div>      )    <input id="entry"/> )      <div class="opa-button" onclick={broadcast}>Send!</div>    urls      = parser .* -> start ) resources = @static_include_directory("resources") server    = Server.make(Resource.add_auto_server(resources, urls)) OWASP 16
  • 49. Transparent protections type mess = {id: string; message: string} room = Network.empty():Network.network(mess) connect(callback) = Network.add(Session.make_callback(callback), room) make_broadcaster(id) = _ -> Network.broadcast({~id message=Page.get_value(#entry)}, room) styled_page(title, body) = (   Resource.full_page(title, body, <link rel="stylesheet" type="text/css" href="resources/css.css" />, {success}, []) ) user_update(x:mess) = (   line = <div class="opa-line">     <div class="opa-wrap"><div class="opa-user">{x.id}:</div>     <div class="opa-message">{x.message}</div></div>   </div>   do exec([#show +<- line ])   Page.set_scroll_top(Page.get_height(#show)+Page.get_scroll_top(#show), #show) ) start(connexion) = (    id = String.sub(0, 8, Server.get_user(connexion) ? "Unknown")    broadcast = make_broadcaster(id)    styled_page("Chat",  //Display      <script onload={_ -> connect()}/>      <div id="header"><div id="logo"></div></div>      <div id="show"></div>      <input id="entry"/>      <div class="opa-button" onclick={broadcast}>Send!</div>    ) ) urls      = parser .* -> start resources = @static_include_directory("resources") server    = Server.make(Resource.add_auto_server(resources, urls)) OWASP 16
  • 50. More A1-Injection A6-Security Misconfiguration A2-Cross Site Scripting (XSS) A7-Insecure Cryptographic Storage A3-Broken Authentication and A8-Failure to Restrict URL Access Session Management A4-Insecure Direct Object A9-Insufficient Transport Layer References Protection A5-Cross Site Request Forgery A10-Unvalidated Redirects and (CSRF) Forwards OWASP 17
  • 51. More A1-Injection A6-Security Misconfiguration A2-Cross Site Scripting (XSS) A7-Insecure Cryptographic Storage A3-Broken Authentication and A8-Failure to Restrict URL Access Session Management A4-Insecure Direct Object A9-Insufficient Transport Layer References Protection A5-Cross Site Request Forgery A10-Unvalidated Redirects and (CSRF) Forwards OWASP 17
  • 52. More A1-Injection A6-Security Misconfiguration A2-Cross Site Scripting (XSS) A7-Insecure Cryptographic Storage A3-Broken Authentication and A8-Failure to Restrict URL Access Session Management A4-Insecure Direct Object A9-Insufficient Transport Layer References Protection A5-Cross Site Request Forgery A10-Unvalidated Redirects and (CSRF) Forwards OWASP 17
  • 53. progress) What Automated Solutions Miss !!Theoretical "!Logic flaws (business and application) "!Design flaws "!The Stupid !!Practical "!Difficulty interacting with Rich Internet Applications (RIA) "!Complex variants of common attacks (SQL Injection, XSS, etc) "!Cross-Site Request Forgery (CSRF) "!Uncommon or custom infrastructure "!Authorization enforcement "!Abstract information leakage OWASP OWASP 16 18 6
  • 54. progress) What Automated Solutions Miss ^ other !!Theoretical "!Logic flaws (business and application) (in progress) "!Design flaws "!The Stupid (what we do best) !!Practical (been there, done that) "!Difficulty interacting with Rich Internet Applications (RIA) "!Complex variants of common attacks (SQL Injection, XSS, etc) (been there, done that) "!Cross-Site Request Forgery (CSRF) (in progress) "!Uncommon or custom infrastructure (abstract&specify them away!) "!Authorization enforcement (been there, done that) "!Abstract information leakage (been there, done that) OWASP OWASP 16 18 6
  • 55. OPA: Language Support for a Sane, Safe and Secure Web General approach Keeping in the Smart Useful Filtering out the Stupid Fragile Lessons and Future OWASP 19
  • 56. OPA: Language Support for a Sane, Safe and Secure Web General approach Keeping in the Smart Useful Filtering out the Stupid Fragile Lessons and Future OWASP 19
  • 57. Theoretical foundations Building on 30+ years of research in formal methods & language theory. Key for precise analysis. Key for precise optimizations. OWASP 20
  • 58. False positives False positives are annoying but not that bad -- as long as they are predictable and there’s a workaround. Experienced developers make safety/security mistakes quite often. False positives often later reveal themselves as true positives. OWASP 21
  • 59. Future Eliminate CSRF. Extend per-application security policy. Extend per-library/per-data safety policy. Plenty of additional features! Hiring you? OWASP 22
  • 60. That’s all, folks! http://www.mlstate.com OWASP 23
  • 61. That’s all, folks! Thanks and apologies to David Byrne & Charles Anderson for hijacking their slides http://www.mlstate.com OWASP 23

Notes de l'éditeur

  1. 7 years project coming to fruition I had to swear upon everything I hold sacred that I would not attempt to sell anything to you. So, I&amp;#x2019;m going to do by something else. I&amp;#x2019;m going to steal one of yesterday&amp;#x2019;s presentations.
  8. I&amp;#x2019;d like to introduce you to a concept that may be new to some in this room. In technical terms, we call it a web application.
  9. And if you want to know the scary thing? Assuming you have secured all of these pipes, you haven&amp;#x2019;t even started securing your application itself. Ok, if you&amp;#x2019;re like me, at this stage, you&amp;#x2019;re starting to wonder just exactly where things went wrong. Well, I have one possible explanation. We&amp;#x2019;re in a 21st setting and we&amp;#x2019;re still using programming languages designed for command-line applications or desktop applications, and stacks of unrelated and mismatched technologies, to which we add plenty of glue. And when security issues appear, because they have to appear, we&amp;#x2019;re addressing them with what? With patches and sandboxing.
  10. And if you want to know the scary thing? Assuming you have secured all of these pipes, you haven&amp;#x2019;t even started securing your application itself. Ok, if you&amp;#x2019;re like me, at this stage, you&amp;#x2019;re starting to wonder just exactly where things went wrong. Well, I have one possible explanation. We&amp;#x2019;re in a 21st setting and we&amp;#x2019;re still using programming languages designed for command-line applications or desktop applications, and stacks of unrelated and mismatched technologies, to which we add plenty of glue. And when security issues appear, because they have to appear, we&amp;#x2019;re addressing them with what? With patches and sandboxing.
  11. And if you want to know the scary thing? Assuming you have secured all of these pipes, you haven&amp;#x2019;t even started securing your application itself. Ok, if you&amp;#x2019;re like me, at this stage, you&amp;#x2019;re starting to wonder just exactly where things went wrong. Well, I have one possible explanation. We&amp;#x2019;re in a 21st setting and we&amp;#x2019;re still using programming languages designed for command-line applications or desktop applications, and stacks of unrelated and mismatched technologies, to which we add plenty of glue. And when security issues appear, because they have to appear, we&amp;#x2019;re addressing them with what? With patches and sandboxing.
  12. And if you want to know the scary thing? Assuming you have secured all of these pipes, you haven&amp;#x2019;t even started securing your application itself. Ok, if you&amp;#x2019;re like me, at this stage, you&amp;#x2019;re starting to wonder just exactly where things went wrong. Well, I have one possible explanation. We&amp;#x2019;re in a 21st setting and we&amp;#x2019;re still using programming languages designed for command-line applications or desktop applications, and stacks of unrelated and mismatched technologies, to which we add plenty of glue. And when security issues appear, because they have to appear, we&amp;#x2019;re addressing them with what? With patches and sandboxing.
  13. And if you want to know the scary thing? Assuming you have secured all of these pipes, you haven&amp;#x2019;t even started securing your application itself. Ok, if you&amp;#x2019;re like me, at this stage, you&amp;#x2019;re starting to wonder just exactly where things went wrong. Well, I have one possible explanation. We&amp;#x2019;re in a 21st setting and we&amp;#x2019;re still using programming languages designed for command-line applications or desktop applications, and stacks of unrelated and mismatched technologies, to which we add plenty of glue. And when security issues appear, because they have to appear, we&amp;#x2019;re addressing them with what? With patches and sandboxing.
  14. And if you want to know the scary thing? Assuming you have secured all of these pipes, you haven&amp;#x2019;t even started securing your application itself. Ok, if you&amp;#x2019;re like me, at this stage, you&amp;#x2019;re starting to wonder just exactly where things went wrong. Well, I have one possible explanation. We&amp;#x2019;re in a 21st setting and we&amp;#x2019;re still using programming languages designed for command-line applications or desktop applications, and stacks of unrelated and mismatched technologies, to which we add plenty of glue. And when security issues appear, because they have to appear, we&amp;#x2019;re addressing them with what? With patches and sandboxing.
  15. And if you want to know the scary thing? Assuming you have secured all of these pipes, you haven&amp;#x2019;t even started securing your application itself. Ok, if you&amp;#x2019;re like me, at this stage, you&amp;#x2019;re starting to wonder just exactly where things went wrong. Well, I have one possible explanation. We&amp;#x2019;re in a 21st setting and we&amp;#x2019;re still using programming languages designed for command-line applications or desktop applications, and stacks of unrelated and mismatched technologies, to which we add plenty of glue. And when security issues appear, because they have to appear, we&amp;#x2019;re addressing them with what? With patches and sandboxing.
  16. And if you want to know the scary thing? Assuming you have secured all of these pipes, you haven&amp;#x2019;t even started securing your application itself. Ok, if you&amp;#x2019;re like me, at this stage, you&amp;#x2019;re starting to wonder just exactly where things went wrong. Well, I have one possible explanation. We&amp;#x2019;re in a 21st setting and we&amp;#x2019;re still using programming languages designed for command-line applications or desktop applications, and stacks of unrelated and mismatched technologies, to which we add plenty of glue. And when security issues appear, because they have to appear, we&amp;#x2019;re addressing them with what? With patches and sandboxing.
  17. And if you want to know the scary thing? Assuming you have secured all of these pipes, you haven&amp;#x2019;t even started securing your application itself. Ok, if you&amp;#x2019;re like me, at this stage, you&amp;#x2019;re starting to wonder just exactly where things went wrong. Well, I have one possible explanation. We&amp;#x2019;re in a 21st setting and we&amp;#x2019;re still using programming languages designed for command-line applications or desktop applications, and stacks of unrelated and mismatched technologies, to which we add plenty of glue. And when security issues appear, because they have to appear, we&amp;#x2019;re addressing them with what? With patches and sandboxing.
  18. And if you want to know the scary thing? Assuming you have secured all of these pipes, you haven&amp;#x2019;t even started securing your application itself. Ok, if you&amp;#x2019;re like me, at this stage, you&amp;#x2019;re starting to wonder just exactly where things went wrong. Well, I have one possible explanation. We&amp;#x2019;re in a 21st setting and we&amp;#x2019;re still using programming languages designed for command-line applications or desktop applications, and stacks of unrelated and mismatched technologies, to which we add plenty of glue. And when security issues appear, because they have to appear, we&amp;#x2019;re addressing them with what? With patches and sandboxing.
  19. And if you want to know the scary thing? Assuming you have secured all of these pipes, you haven&amp;#x2019;t even started securing your application itself. Ok, if you&amp;#x2019;re like me, at this stage, you&amp;#x2019;re starting to wonder just exactly where things went wrong. Well, I have one possible explanation. We&amp;#x2019;re in a 21st setting and we&amp;#x2019;re still using programming languages designed for command-line applications or desktop applications, and stacks of unrelated and mismatched technologies, to which we add plenty of glue. And when security issues appear, because they have to appear, we&amp;#x2019;re addressing them with what? With patches and sandboxing.
  20. And if you want to know the scary thing? Assuming you have secured all of these pipes, you haven&amp;#x2019;t even started securing your application itself. Ok, if you&amp;#x2019;re like me, at this stage, you&amp;#x2019;re starting to wonder just exactly where things went wrong. Well, I have one possible explanation. We&amp;#x2019;re in a 21st setting and we&amp;#x2019;re still using programming languages designed for command-line applications or desktop applications, and stacks of unrelated and mismatched technologies, to which we add plenty of glue. And when security issues appear, because they have to appear, we&amp;#x2019;re addressing them with what? With patches and sandboxing.
  21. And if you want to know the scary thing? Assuming you have secured all of these pipes, you haven&amp;#x2019;t even started securing your application itself. Ok, if you&amp;#x2019;re like me, at this stage, you&amp;#x2019;re starting to wonder just exactly where things went wrong. Well, I have one possible explanation. We&amp;#x2019;re in a 21st setting and we&amp;#x2019;re still using programming languages designed for command-line applications or desktop applications, and stacks of unrelated and mismatched technologies, to which we add plenty of glue. And when security issues appear, because they have to appear, we&amp;#x2019;re addressing them with what? With patches and sandboxing.
  22. And if you want to know the scary thing? Assuming you have secured all of these pipes, you haven&amp;#x2019;t even started securing your application itself. Ok, if you&amp;#x2019;re like me, at this stage, you&amp;#x2019;re starting to wonder just exactly where things went wrong. Well, I have one possible explanation. We&amp;#x2019;re in a 21st setting and we&amp;#x2019;re still using programming languages designed for command-line applications or desktop applications, and stacks of unrelated and mismatched technologies, to which we add plenty of glue. And when security issues appear, because they have to appear, we&amp;#x2019;re addressing them with what? With patches and sandboxing.
  23. And if you want to know the scary thing? Assuming you have secured all of these pipes, you haven&amp;#x2019;t even started securing your application itself. Ok, if you&amp;#x2019;re like me, at this stage, you&amp;#x2019;re starting to wonder just exactly where things went wrong. Well, I have one possible explanation. We&amp;#x2019;re in a 21st setting and we&amp;#x2019;re still using programming languages designed for command-line applications or desktop applications, and stacks of unrelated and mismatched technologies, to which we add plenty of glue. And when security issues appear, because they have to appear, we&amp;#x2019;re addressing them with what? With patches and sandboxing.
  24. And if you want to know the scary thing? Assuming you have secured all of these pipes, you haven&amp;#x2019;t even started securing your application itself. Ok, if you&amp;#x2019;re like me, at this stage, you&amp;#x2019;re starting to wonder just exactly where things went wrong. Well, I have one possible explanation. We&amp;#x2019;re in a 21st setting and we&amp;#x2019;re still using programming languages designed for command-line applications or desktop applications, and stacks of unrelated and mismatched technologies, to which we add plenty of glue. And when security issues appear, because they have to appear, we&amp;#x2019;re addressing them with what? With patches and sandboxing.
  25. And if you want to know the scary thing? Assuming you have secured all of these pipes, you haven&amp;#x2019;t even started securing your application itself. Ok, if you&amp;#x2019;re like me, at this stage, you&amp;#x2019;re starting to wonder just exactly where things went wrong. Well, I have one possible explanation. We&amp;#x2019;re in a 21st setting and we&amp;#x2019;re still using programming languages designed for command-line applications or desktop applications, and stacks of unrelated and mismatched technologies, to which we add plenty of glue. And when security issues appear, because they have to appear, we&amp;#x2019;re addressing them with what? With patches and sandboxing.
  26. And if you want to know the scary thing? Assuming you have secured all of these pipes, you haven&amp;#x2019;t even started securing your application itself. Ok, if you&amp;#x2019;re like me, at this stage, you&amp;#x2019;re starting to wonder just exactly where things went wrong. Well, I have one possible explanation. We&amp;#x2019;re in a 21st setting and we&amp;#x2019;re still using programming languages designed for command-line applications or desktop applications, and stacks of unrelated and mismatched technologies, to which we add plenty of glue. And when security issues appear, because they have to appear, we&amp;#x2019;re addressing them with what? With patches and sandboxing.
  27. And if you want to know the scary thing? Assuming you have secured all of these pipes, you haven&amp;#x2019;t even started securing your application itself. Ok, if you&amp;#x2019;re like me, at this stage, you&amp;#x2019;re starting to wonder just exactly where things went wrong. Well, I have one possible explanation. We&amp;#x2019;re in a 21st setting and we&amp;#x2019;re still using programming languages designed for command-line applications or desktop applications, and stacks of unrelated and mismatched technologies, to which we add plenty of glue. And when security issues appear, because they have to appear, we&amp;#x2019;re addressing them with what? With patches and sandboxing.
  28. And if you want to know the scary thing? Assuming you have secured all of these pipes, you haven&amp;#x2019;t even started securing your application itself. Ok, if you&amp;#x2019;re like me, at this stage, you&amp;#x2019;re starting to wonder just exactly where things went wrong. Well, I have one possible explanation. We&amp;#x2019;re in a 21st setting and we&amp;#x2019;re still using programming languages designed for command-line applications or desktop applications, and stacks of unrelated and mismatched technologies, to which we add plenty of glue. And when security issues appear, because they have to appear, we&amp;#x2019;re addressing them with what? With patches and sandboxing.
  29. And if you want to know the scary thing? Assuming you have secured all of these pipes, you haven&amp;#x2019;t even started securing your application itself. Ok, if you&amp;#x2019;re like me, at this stage, you&amp;#x2019;re starting to wonder just exactly where things went wrong. Well, I have one possible explanation. We&amp;#x2019;re in a 21st setting and we&amp;#x2019;re still using programming languages designed for command-line applications or desktop applications, and stacks of unrelated and mismatched technologies, to which we add plenty of glue. And when security issues appear, because they have to appear, we&amp;#x2019;re addressing them with what? With patches and sandboxing.
  30. And if you want to know the scary thing? Assuming you have secured all of these pipes, you haven&amp;#x2019;t even started securing your application itself. Ok, if you&amp;#x2019;re like me, at this stage, you&amp;#x2019;re starting to wonder just exactly where things went wrong. Well, I have one possible explanation. We&amp;#x2019;re in a 21st setting and we&amp;#x2019;re still using programming languages designed for command-line applications or desktop applications, and stacks of unrelated and mismatched technologies, to which we add plenty of glue. And when security issues appear, because they have to appear, we&amp;#x2019;re addressing them with what? With patches and sandboxing.
  31. And if you want to know the scary thing? Assuming you have secured all of these pipes, you haven&amp;#x2019;t even started securing your application itself. Ok, if you&amp;#x2019;re like me, at this stage, you&amp;#x2019;re starting to wonder just exactly where things went wrong. Well, I have one possible explanation. We&amp;#x2019;re in a 21st setting and we&amp;#x2019;re still using programming languages designed for command-line applications or desktop applications, and stacks of unrelated and mismatched technologies, to which we add plenty of glue. And when security issues appear, because they have to appear, we&amp;#x2019;re addressing them with what? With patches and sandboxing.
  32. And if you want to know the scary thing? Assuming you have secured all of these pipes, you haven&amp;#x2019;t even started securing your application itself. Ok, if you&amp;#x2019;re like me, at this stage, you&amp;#x2019;re starting to wonder just exactly where things went wrong. Well, I have one possible explanation. We&amp;#x2019;re in a 21st setting and we&amp;#x2019;re still using programming languages designed for command-line applications or desktop applications, and stacks of unrelated and mismatched technologies, to which we add plenty of glue. And when security issues appear, because they have to appear, we&amp;#x2019;re addressing them with what? With patches and sandboxing.
  33. And if you want to know the scary thing? Assuming you have secured all of these pipes, you haven&amp;#x2019;t even started securing your application itself. Ok, if you&amp;#x2019;re like me, at this stage, you&amp;#x2019;re starting to wonder just exactly where things went wrong. Well, I have one possible explanation. We&amp;#x2019;re in a 21st setting and we&amp;#x2019;re still using programming languages designed for command-line applications or desktop applications, and stacks of unrelated and mismatched technologies, to which we add plenty of glue. And when security issues appear, because they have to appear, we&amp;#x2019;re addressing them with what? With patches and sandboxing.
  34. And if you want to know the scary thing? Assuming you have secured all of these pipes, you haven&amp;#x2019;t even started securing your application itself. Ok, if you&amp;#x2019;re like me, at this stage, you&amp;#x2019;re starting to wonder just exactly where things went wrong. Well, I have one possible explanation. We&amp;#x2019;re in a 21st setting and we&amp;#x2019;re still using programming languages designed for command-line applications or desktop applications, and stacks of unrelated and mismatched technologies, to which we add plenty of glue. And when security issues appear, because they have to appear, we&amp;#x2019;re addressing them with what? With patches and sandboxing.
  35. And if you want to know the scary thing? Assuming you have secured all of these pipes, you haven&amp;#x2019;t even started securing your application itself. Ok, if you&amp;#x2019;re like me, at this stage, you&amp;#x2019;re starting to wonder just exactly where things went wrong. Well, I have one possible explanation. We&amp;#x2019;re in a 21st setting and we&amp;#x2019;re still using programming languages designed for command-line applications or desktop applications, and stacks of unrelated and mismatched technologies, to which we add plenty of glue. And when security issues appear, because they have to appear, we&amp;#x2019;re addressing them with what? With patches and sandboxing.
  36. And if you want to know the scary thing? Assuming you have secured all of these pipes, you haven&amp;#x2019;t even started securing your application itself. Ok, if you&amp;#x2019;re like me, at this stage, you&amp;#x2019;re starting to wonder just exactly where things went wrong. Well, I have one possible explanation. We&amp;#x2019;re in a 21st setting and we&amp;#x2019;re still using programming languages designed for command-line applications or desktop applications, and stacks of unrelated and mismatched technologies, to which we add plenty of glue. And when security issues appear, because they have to appear, we&amp;#x2019;re addressing them with what? With patches and sandboxing.
  37. And if you want to know the scary thing? Assuming you have secured all of these pipes, you haven&amp;#x2019;t even started securing your application itself. Ok, if you&amp;#x2019;re like me, at this stage, you&amp;#x2019;re starting to wonder just exactly where things went wrong. Well, I have one possible explanation. We&amp;#x2019;re in a 21st setting and we&amp;#x2019;re still using programming languages designed for command-line applications or desktop applications, and stacks of unrelated and mismatched technologies, to which we add plenty of glue. And when security issues appear, because they have to appear, we&amp;#x2019;re addressing them with what? With patches and sandboxing.
  38. And if you want to know the scary thing? Assuming you have secured all of these pipes, you haven&amp;#x2019;t even started securing your application itself. Ok, if you&amp;#x2019;re like me, at this stage, you&amp;#x2019;re starting to wonder just exactly where things went wrong. Well, I have one possible explanation. We&amp;#x2019;re in a 21st setting and we&amp;#x2019;re still using programming languages designed for command-line applications or desktop applications, and stacks of unrelated and mismatched technologies, to which we add plenty of glue. And when security issues appear, because they have to appear, we&amp;#x2019;re addressing them with what? With patches and sandboxing.
  39. And if you want to know the scary thing? Assuming you have secured all of these pipes, you haven&amp;#x2019;t even started securing your application itself. Ok, if you&amp;#x2019;re like me, at this stage, you&amp;#x2019;re starting to wonder just exactly where things went wrong. Well, I have one possible explanation. We&amp;#x2019;re in a 21st setting and we&amp;#x2019;re still using programming languages designed for command-line applications or desktop applications, and stacks of unrelated and mismatched technologies, to which we add plenty of glue. And when security issues appear, because they have to appear, we&amp;#x2019;re addressing them with what? With patches and sandboxing.
  40. And if you want to know the scary thing? Assuming you have secured all of these pipes, you haven&amp;#x2019;t even started securing your application itself. Ok, if you&amp;#x2019;re like me, at this stage, you&amp;#x2019;re starting to wonder just exactly where things went wrong. Well, I have one possible explanation. We&amp;#x2019;re in a 21st setting and we&amp;#x2019;re still using programming languages designed for command-line applications or desktop applications, and stacks of unrelated and mismatched technologies, to which we add plenty of glue. And when security issues appear, because they have to appear, we&amp;#x2019;re addressing them with what? With patches and sandboxing.
  41. And if you want to know the scary thing? Assuming you have secured all of these pipes, you haven&amp;#x2019;t even started securing your application itself. Ok, if you&amp;#x2019;re like me, at this stage, you&amp;#x2019;re starting to wonder just exactly where things went wrong. Well, I have one possible explanation. We&amp;#x2019;re in a 21st setting and we&amp;#x2019;re still using programming languages designed for command-line applications or desktop applications, and stacks of unrelated and mismatched technologies, to which we add plenty of glue. And when security issues appear, because they have to appear, we&amp;#x2019;re addressing them with what? With patches and sandboxing.
  42. And if you want to know the scary thing? Assuming you have secured all of these pipes, you haven&amp;#x2019;t even started securing your application itself. Ok, if you&amp;#x2019;re like me, at this stage, you&amp;#x2019;re starting to wonder just exactly where things went wrong. Well, I have one possible explanation. We&amp;#x2019;re in a 21st setting and we&amp;#x2019;re still using programming languages designed for command-line applications or desktop applications, and stacks of unrelated and mismatched technologies, to which we add plenty of glue. And when security issues appear, because they have to appear, we&amp;#x2019;re addressing them with what? With patches and sandboxing.
  43. And if you want to know the scary thing? Assuming you have secured all of these pipes, you haven&amp;#x2019;t even started securing your application itself. Ok, if you&amp;#x2019;re like me, at this stage, you&amp;#x2019;re starting to wonder just exactly where things went wrong. Well, I have one possible explanation. We&amp;#x2019;re in a 21st setting and we&amp;#x2019;re still using programming languages designed for command-line applications or desktop applications, and stacks of unrelated and mismatched technologies, to which we add plenty of glue. And when security issues appear, because they have to appear, we&amp;#x2019;re addressing them with what? With patches and sandboxing.
  44. And if you want to know the scary thing? Assuming you have secured all of these pipes, you haven&amp;#x2019;t even started securing your application itself. Ok, if you&amp;#x2019;re like me, at this stage, you&amp;#x2019;re starting to wonder just exactly where things went wrong. Well, I have one possible explanation. We&amp;#x2019;re in a 21st setting and we&amp;#x2019;re still using programming languages designed for command-line applications or desktop applications, and stacks of unrelated and mismatched technologies, to which we add plenty of glue. And when security issues appear, because they have to appear, we&amp;#x2019;re addressing them with what? With patches and sandboxing.
  45. And if you want to know the scary thing? Assuming you have secured all of these pipes, you haven&amp;#x2019;t even started securing your application itself. Ok, if you&amp;#x2019;re like me, at this stage, you&amp;#x2019;re starting to wonder just exactly where things went wrong. Well, I have one possible explanation. We&amp;#x2019;re in a 21st setting and we&amp;#x2019;re still using programming languages designed for command-line applications or desktop applications, and stacks of unrelated and mismatched technologies, to which we add plenty of glue. And when security issues appear, because they have to appear, we&amp;#x2019;re addressing them with what? With patches and sandboxing.
  46. And if you want to know the scary thing? Assuming you have secured all of these pipes, you haven&amp;#x2019;t even started securing your application itself. Ok, if you&amp;#x2019;re like me, at this stage, you&amp;#x2019;re starting to wonder just exactly where things went wrong. Well, I have one possible explanation. We&amp;#x2019;re in a 21st setting and we&amp;#x2019;re still using programming languages designed for command-line applications or desktop applications, and stacks of unrelated and mismatched technologies, to which we add plenty of glue. And when security issues appear, because they have to appear, we&amp;#x2019;re addressing them with what? With patches and sandboxing.
  47. And if you want to know the scary thing? Assuming you have secured all of these pipes, you haven&amp;#x2019;t even started securing your application itself. Ok, if you&amp;#x2019;re like me, at this stage, you&amp;#x2019;re starting to wonder just exactly where things went wrong. Well, I have one possible explanation. We&amp;#x2019;re in a 21st setting and we&amp;#x2019;re still using programming languages designed for command-line applications or desktop applications, and stacks of unrelated and mismatched technologies, to which we add plenty of glue. And when security issues appear, because they have to appear, we&amp;#x2019;re addressing them with what? With patches and sandboxing.
  48. And if you want to know the scary thing? Assuming you have secured all of these pipes, you haven&amp;#x2019;t even started securing your application itself. Ok, if you&amp;#x2019;re like me, at this stage, you&amp;#x2019;re starting to wonder just exactly where things went wrong. Well, I have one possible explanation. We&amp;#x2019;re in a 21st setting and we&amp;#x2019;re still using programming languages designed for command-line applications or desktop applications, and stacks of unrelated and mismatched technologies, to which we add plenty of glue. And when security issues appear, because they have to appear, we&amp;#x2019;re addressing them with what? With patches and sandboxing.
  49. And if you want to know the scary thing? Assuming you have secured all of these pipes, you haven&amp;#x2019;t even started securing your application itself. Ok, if you&amp;#x2019;re like me, at this stage, you&amp;#x2019;re starting to wonder just exactly where things went wrong. Well, I have one possible explanation. We&amp;#x2019;re in a 21st setting and we&amp;#x2019;re still using programming languages designed for command-line applications or desktop applications, and stacks of unrelated and mismatched technologies, to which we add plenty of glue. And when security issues appear, because they have to appear, we&amp;#x2019;re addressing them with what? With patches and sandboxing.
  50. And if you want to know the scary thing? Assuming you have secured all of these pipes, you haven&amp;#x2019;t even started securing your application itself. Ok, if you&amp;#x2019;re like me, at this stage, you&amp;#x2019;re starting to wonder just exactly where things went wrong. Well, I have one possible explanation. We&amp;#x2019;re in a 21st setting and we&amp;#x2019;re still using programming languages designed for command-line applications or desktop applications, and stacks of unrelated and mismatched technologies, to which we add plenty of glue. And when security issues appear, because they have to appear, we&amp;#x2019;re addressing them with what? With patches and sandboxing.
  51. And if you want to know the scary thing? Assuming you have secured all of these pipes, you haven&amp;#x2019;t even started securing your application itself. Ok, if you&amp;#x2019;re like me, at this stage, you&amp;#x2019;re starting to wonder just exactly where things went wrong. Well, I have one possible explanation. We&amp;#x2019;re in a 21st setting and we&amp;#x2019;re still using programming languages designed for command-line applications or desktop applications, and stacks of unrelated and mismatched technologies, to which we add plenty of glue. And when security issues appear, because they have to appear, we&amp;#x2019;re addressing them with what? With patches and sandboxing.
  52. And if you want to know the scary thing? Assuming you have secured all of these pipes, you haven&amp;#x2019;t even started securing your application itself. Ok, if you&amp;#x2019;re like me, at this stage, you&amp;#x2019;re starting to wonder just exactly where things went wrong. Well, I have one possible explanation. We&amp;#x2019;re in a 21st setting and we&amp;#x2019;re still using programming languages designed for command-line applications or desktop applications, and stacks of unrelated and mismatched technologies, to which we add plenty of glue. And when security issues appear, because they have to appear, we&amp;#x2019;re addressing them with what? With patches and sandboxing.
  53. And if you want to know the scary thing? Assuming you have secured all of these pipes, you haven&amp;#x2019;t even started securing your application itself. Ok, if you&amp;#x2019;re like me, at this stage, you&amp;#x2019;re starting to wonder just exactly where things went wrong. Well, I have one possible explanation. We&amp;#x2019;re in a 21st setting and we&amp;#x2019;re still using programming languages designed for command-line applications or desktop applications, and stacks of unrelated and mismatched technologies, to which we add plenty of glue. And when security issues appear, because they have to appear, we&amp;#x2019;re addressing them with what? With patches and sandboxing.
  54. And if you want to know the scary thing? Assuming you have secured all of these pipes, you haven&amp;#x2019;t even started securing your application itself. Ok, if you&amp;#x2019;re like me, at this stage, you&amp;#x2019;re starting to wonder just exactly where things went wrong. Well, I have one possible explanation. We&amp;#x2019;re in a 21st setting and we&amp;#x2019;re still using programming languages designed for command-line applications or desktop applications, and stacks of unrelated and mismatched technologies, to which we add plenty of glue. And when security issues appear, because they have to appear, we&amp;#x2019;re addressing them with what? With patches and sandboxing.
  55. And if you want to know the scary thing? Assuming you have secured all of these pipes, you haven&amp;#x2019;t even started securing your application itself. Ok, if you&amp;#x2019;re like me, at this stage, you&amp;#x2019;re starting to wonder just exactly where things went wrong. Well, I have one possible explanation. We&amp;#x2019;re in a 21st setting and we&amp;#x2019;re still using programming languages designed for command-line applications or desktop applications, and stacks of unrelated and mismatched technologies, to which we add plenty of glue. And when security issues appear, because they have to appear, we&amp;#x2019;re addressing them with what? With patches and sandboxing.
  56. And if you want to know the scary thing? Assuming you have secured all of these pipes, you haven&amp;#x2019;t even started securing your application itself. Ok, if you&amp;#x2019;re like me, at this stage, you&amp;#x2019;re starting to wonder just exactly where things went wrong. Well, I have one possible explanation. We&amp;#x2019;re in a 21st setting and we&amp;#x2019;re still using programming languages designed for command-line applications or desktop applications, and stacks of unrelated and mismatched technologies, to which we add plenty of glue. And when security issues appear, because they have to appear, we&amp;#x2019;re addressing them with what? With patches and sandboxing.
  57. And if you want to know the scary thing? Assuming you have secured all of these pipes, you haven&amp;#x2019;t even started securing your application itself. Ok, if you&amp;#x2019;re like me, at this stage, you&amp;#x2019;re starting to wonder just exactly where things went wrong. Well, I have one possible explanation. We&amp;#x2019;re in a 21st setting and we&amp;#x2019;re still using programming languages designed for command-line applications or desktop applications, and stacks of unrelated and mismatched technologies, to which we add plenty of glue. And when security issues appear, because they have to appear, we&amp;#x2019;re addressing them with what? With patches and sandboxing.
  58. And if you want to know the scary thing? Assuming you have secured all of these pipes, you haven&amp;#x2019;t even started securing your application itself. Ok, if you&amp;#x2019;re like me, at this stage, you&amp;#x2019;re starting to wonder just exactly where things went wrong. Well, I have one possible explanation. We&amp;#x2019;re in a 21st setting and we&amp;#x2019;re still using programming languages designed for command-line applications or desktop applications, and stacks of unrelated and mismatched technologies, to which we add plenty of glue. And when security issues appear, because they have to appear, we&amp;#x2019;re addressing them with what? With patches and sandboxing.
  59. And if you want to know the scary thing? Assuming you have secured all of these pipes, you haven&amp;#x2019;t even started securing your application itself. Ok, if you&amp;#x2019;re like me, at this stage, you&amp;#x2019;re starting to wonder just exactly where things went wrong. Well, I have one possible explanation. We&amp;#x2019;re in a 21st setting and we&amp;#x2019;re still using programming languages designed for command-line applications or desktop applications, and stacks of unrelated and mismatched technologies, to which we add plenty of glue. And when security issues appear, because they have to appear, we&amp;#x2019;re addressing them with what? With patches and sandboxing.
  60. And if you want to know the scary thing? Assuming you have secured all of these pipes, you haven&amp;#x2019;t even started securing your application itself. Ok, if you&amp;#x2019;re like me, at this stage, you&amp;#x2019;re starting to wonder just exactly where things went wrong. Well, I have one possible explanation. We&amp;#x2019;re in a 21st setting and we&amp;#x2019;re still using programming languages designed for command-line applications or desktop applications, and stacks of unrelated and mismatched technologies, to which we add plenty of glue. And when security issues appear, because they have to appear, we&amp;#x2019;re addressing them with what? With patches and sandboxing.
  61. And if you want to know the scary thing? Assuming you have secured all of these pipes, you haven&amp;#x2019;t even started securing your application itself. Ok, if you&amp;#x2019;re like me, at this stage, you&amp;#x2019;re starting to wonder just exactly where things went wrong. Well, I have one possible explanation. We&amp;#x2019;re in a 21st setting and we&amp;#x2019;re still using programming languages designed for command-line applications or desktop applications, and stacks of unrelated and mismatched technologies, to which we add plenty of glue. And when security issues appear, because they have to appear, we&amp;#x2019;re addressing them with what? With patches and sandboxing.
  62. And if you want to know the scary thing? Assuming you have secured all of these pipes, you haven&amp;#x2019;t even started securing your application itself. Ok, if you&amp;#x2019;re like me, at this stage, you&amp;#x2019;re starting to wonder just exactly where things went wrong. Well, I have one possible explanation. We&amp;#x2019;re in a 21st setting and we&amp;#x2019;re still using programming languages designed for command-line applications or desktop applications, and stacks of unrelated and mismatched technologies, to which we add plenty of glue. And when security issues appear, because they have to appear, we&amp;#x2019;re addressing them with what? With patches and sandboxing.
  63. And if you want to know the scary thing? Assuming you have secured all of these pipes, you haven&amp;#x2019;t even started securing your application itself. Ok, if you&amp;#x2019;re like me, at this stage, you&amp;#x2019;re starting to wonder just exactly where things went wrong. Well, I have one possible explanation. We&amp;#x2019;re in a 21st setting and we&amp;#x2019;re still using programming languages designed for command-line applications or desktop applications, and stacks of unrelated and mismatched technologies, to which we add plenty of glue. And when security issues appear, because they have to appear, we&amp;#x2019;re addressing them with what? With patches and sandboxing.
  64. And if you want to know the scary thing? Assuming you have secured all of these pipes, you haven&amp;#x2019;t even started securing your application itself. Ok, if you&amp;#x2019;re like me, at this stage, you&amp;#x2019;re starting to wonder just exactly where things went wrong. Well, I have one possible explanation. We&amp;#x2019;re in a 21st setting and we&amp;#x2019;re still using programming languages designed for command-line applications or desktop applications, and stacks of unrelated and mismatched technologies, to which we add plenty of glue. And when security issues appear, because they have to appear, we&amp;#x2019;re addressing them with what? With patches and sandboxing.
  65. And if you want to know the scary thing? Assuming you have secured all of these pipes, you haven&amp;#x2019;t even started securing your application itself. Ok, if you&amp;#x2019;re like me, at this stage, you&amp;#x2019;re starting to wonder just exactly where things went wrong. Well, I have one possible explanation. We&amp;#x2019;re in a 21st setting and we&amp;#x2019;re still using programming languages designed for command-line applications or desktop applications, and stacks of unrelated and mismatched technologies, to which we add plenty of glue. And when security issues appear, because they have to appear, we&amp;#x2019;re addressing them with what? With patches and sandboxing.
  66. And if you want to know the scary thing? Assuming you have secured all of these pipes, you haven&amp;#x2019;t even started securing your application itself. Ok, if you&amp;#x2019;re like me, at this stage, you&amp;#x2019;re starting to wonder just exactly where things went wrong. Well, I have one possible explanation. We&amp;#x2019;re in a 21st setting and we&amp;#x2019;re still using programming languages designed for command-line applications or desktop applications, and stacks of unrelated and mismatched technologies, to which we add plenty of glue. And when security issues appear, because they have to appear, we&amp;#x2019;re addressing them with what? With patches and sandboxing.
  67. And if you want to know the scary thing? Assuming you have secured all of these pipes, you haven&amp;#x2019;t even started securing your application itself. Ok, if you&amp;#x2019;re like me, at this stage, you&amp;#x2019;re starting to wonder just exactly where things went wrong. Well, I have one possible explanation. We&amp;#x2019;re in a 21st setting and we&amp;#x2019;re still using programming languages designed for command-line applications or desktop applications, and stacks of unrelated and mismatched technologies, to which we add plenty of glue. And when security issues appear, because they have to appear, we&amp;#x2019;re addressing them with what? With patches and sandboxing.
  68. And if you want to know the scary thing? Assuming you have secured all of these pipes, you haven&amp;#x2019;t even started securing your application itself. Ok, if you&amp;#x2019;re like me, at this stage, you&amp;#x2019;re starting to wonder just exactly where things went wrong. Well, I have one possible explanation. We&amp;#x2019;re in a 21st setting and we&amp;#x2019;re still using programming languages designed for command-line applications or desktop applications, and stacks of unrelated and mismatched technologies, to which we add plenty of glue. And when security issues appear, because they have to appear, we&amp;#x2019;re addressing them with what? With patches and sandboxing.
  69. And if you want to know the scary thing? Assuming you have secured all of these pipes, you haven&amp;#x2019;t even started securing your application itself. Ok, if you&amp;#x2019;re like me, at this stage, you&amp;#x2019;re starting to wonder just exactly where things went wrong. Well, I have one possible explanation. We&amp;#x2019;re in a 21st setting and we&amp;#x2019;re still using programming languages designed for command-line applications or desktop applications, and stacks of unrelated and mismatched technologies, to which we add plenty of glue. And when security issues appear, because they have to appear, we&amp;#x2019;re addressing them with what? With patches and sandboxing.
  70. And if you want to know the scary thing? Assuming you have secured all of these pipes, you haven&amp;#x2019;t even started securing your application itself. Ok, if you&amp;#x2019;re like me, at this stage, you&amp;#x2019;re starting to wonder just exactly where things went wrong. Well, I have one possible explanation. We&amp;#x2019;re in a 21st setting and we&amp;#x2019;re still using programming languages designed for command-line applications or desktop applications, and stacks of unrelated and mismatched technologies, to which we add plenty of glue. And when security issues appear, because they have to appear, we&amp;#x2019;re addressing them with what? With patches and sandboxing.
  71. And if you want to know the scary thing? Assuming you have secured all of these pipes, you haven&amp;#x2019;t even started securing your application itself. Ok, if you&amp;#x2019;re like me, at this stage, you&amp;#x2019;re starting to wonder just exactly where things went wrong. Well, I have one possible explanation. We&amp;#x2019;re in a 21st setting and we&amp;#x2019;re still using programming languages designed for command-line applications or desktop applications, and stacks of unrelated and mismatched technologies, to which we add plenty of glue. And when security issues appear, because they have to appear, we&amp;#x2019;re addressing them with what? With patches and sandboxing.
  72. And if you want to know the scary thing? Assuming you have secured all of these pipes, you haven&amp;#x2019;t even started securing your application itself. Ok, if you&amp;#x2019;re like me, at this stage, you&amp;#x2019;re starting to wonder just exactly where things went wrong. Well, I have one possible explanation. We&amp;#x2019;re in a 21st setting and we&amp;#x2019;re still using programming languages designed for command-line applications or desktop applications, and stacks of unrelated and mismatched technologies, to which we add plenty of glue. And when security issues appear, because they have to appear, we&amp;#x2019;re addressing them with what? With patches and sandboxing.
  73. And if you want to know the scary thing? Assuming you have secured all of these pipes, you haven&amp;#x2019;t even started securing your application itself. Ok, if you&amp;#x2019;re like me, at this stage, you&amp;#x2019;re starting to wonder just exactly where things went wrong. Well, I have one possible explanation. We&amp;#x2019;re in a 21st setting and we&amp;#x2019;re still using programming languages designed for command-line applications or desktop applications, and stacks of unrelated and mismatched technologies, to which we add plenty of glue. And when security issues appear, because they have to appear, we&amp;#x2019;re addressing them with what? With patches and sandboxing.