SlideShare une entreprise Scribd logo

Security 101

Télécharger en tant que PPT, PDF
Red Gate Software
Red Gate Software

David Simner talks about how designing secure systems is often much harder than it seems at first.

Technologie
1  sur  12
Security 101: Just don’t do it
Recently… Yammer
A hypothetical world… • You’re working for a company that has: • a web browser used by 45% of internet users • a web server visited by 90% of internet users (Stats made up) http://www.w3schools.com/browsers/browsers_stats.asp http://www.guardian.co.uk/technology/2012/nov/06/google-bing-uk-search-share
Your product manager says… • FASTER! • Our web browser and our web server must work awesomely fast together • Users have slow internet connections, especially their upload
So… • I want you to embrace, extend and extinguish the HTTP/HTTPS standard • We’re going to add a proprietary extension so that our web browser & our web server compress HTTP headers (even over HTTPS)
Your response? • Okay • Nope, that would introduce a security vulnerability • Interesting, I’d need to work out what our threat model is
Threat model • “Attacker-centric threat modelling starts with an attacker, and evaluates their goals, and how they might achieve them” • Implicit in this is what their capabilities are http://en.wikipedia.org/wiki/Threat_model
The attack… • The attacker’s goal is to obtain your login cookie so that they can impersonate you on the target site. • Whilst observing your network traffic (e.g. on a public Wi-Fi network), • and whilst you are logged in to the target site, • the attacker gets you to visit their evil site, • which has a whole bunch of Javascript that (slowly) adds images to the DOM. http://en.wikipedia.org/wiki/CRIME_(security_exploit)
HTTP headers GET / HTTP/1.1 Host: deploymentmanager.red-gate.com Connection: keep-alive Cache-Control: max-age=0 User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.11 (KHTML, like Gecko) Chrome/23.0.1271.95 Safari/537.11 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 DNT: 1 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-GB,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: DeploymentManagerAuthenticationTicket=0166AE259D1D0CE54C73A0FB 69E6A550E153A196C381EF4F2C5F96D96FA2D768E65621... Fiddler
Images of the form… GET /404.png?DeploymentManagerAuthenticationTicket=0 HTTP/1.1 ... Cookie: DeploymentManagerAuthenticationTicket=0166AE259D1D0CE54C73A0FB 69E6A550E153A196C381EF4F2C5F96D96FA2D768E65621... GET /404.png?DeploymentManagerAuthenticationTicket=1 HTTP/1.1 ... Cookie: DeploymentManagerAuthenticationTicket=0166AE259D1D0CE54C73A0FB 69E6A550E153A196C381EF4F2C5F96D96FA2D768E65621... GET /404.png?DeploymentManagerAuthenticationTicket=2 HTTP/1.1 ... Cookie: DeploymentManagerAuthenticationTicket=0166AE259D1D0CE54C73A0FB 69E6A550E153A196C381EF4F2C5F96D96FA2D768E65621... http://en.wikipedia.org/wiki/CRIME_(security_exploit)
Takeaway…
Takeaways… • Just don’t do it! • Writing software where security matters is hard • If you can, use an existing library to do all the functionality (in as few method calls as possible). If that library doesn’t have the feature you want, there’s probably a reason • If you can’t, then you’ve got a big problem

Recommandé

Word campktm speed-security
Word campktm speed-securityWord campktm speed-security
Word campktm speed-security
Digamber Pradhan
 
WebHosting Performance / WordPress - Pubcon Vegas - Hendison
WebHosting Performance / WordPress - Pubcon Vegas - HendisonWebHosting Performance / WordPress - Pubcon Vegas - Hendison
WebHosting Performance / WordPress - Pubcon Vegas - Hendison
Search Commander, Inc.
 
WordPress security & performance a beginners guide
WordPress security & performance a beginners guideWordPress security & performance a beginners guide
WordPress security & performance a beginners guide
Mickey Mellen
 
8 Ways to Hack a WordPress website
8 Ways to Hack a WordPress website8 Ways to Hack a WordPress website
8 Ways to Hack a WordPress website
SiteGround.com
 
Wordpress optimization
Wordpress optimizationWordpress optimization
Wordpress optimization
paudelvinay
 
RUNNING A SECURITY CHECK FOR YOUR WORDPRESS SITE
RUNNING A SECURITY CHECK FOR YOUR WORDPRESS SITERUNNING A SECURITY CHECK FOR YOUR WORDPRESS SITE
RUNNING A SECURITY CHECK FOR YOUR WORDPRESS SITE
Acodez IT Solutions
 
Building Secure WordPress Sites
Building Secure WordPress Sites Building Secure WordPress Sites
Building Secure WordPress Sites
Catch Themes
 
5 Ways to Optimize Your WordPress Site
5 Ways to Optimize Your WordPress Site5 Ways to Optimize Your WordPress Site
5 Ways to Optimize Your WordPress Site
MarkupBox
 

Recommandé

Word campktm speed-security
Word campktm speed-securityWord campktm speed-security
Word campktm speed-security
Digamber Pradhan
 
WebHosting Performance / WordPress - Pubcon Vegas - Hendison
WebHosting Performance / WordPress - Pubcon Vegas - HendisonWebHosting Performance / WordPress - Pubcon Vegas - Hendison
WebHosting Performance / WordPress - Pubcon Vegas - Hendison
Search Commander, Inc.
 
WordPress security & performance a beginners guide
WordPress security & performance a beginners guideWordPress security & performance a beginners guide
WordPress security & performance a beginners guide
Mickey Mellen
 
8 Ways to Hack a WordPress website
8 Ways to Hack a WordPress website8 Ways to Hack a WordPress website
8 Ways to Hack a WordPress website
SiteGround.com
 
Wordpress optimization
Wordpress optimizationWordpress optimization
Wordpress optimization
paudelvinay
 
RUNNING A SECURITY CHECK FOR YOUR WORDPRESS SITE
RUNNING A SECURITY CHECK FOR YOUR WORDPRESS SITERUNNING A SECURITY CHECK FOR YOUR WORDPRESS SITE
RUNNING A SECURITY CHECK FOR YOUR WORDPRESS SITE
Acodez IT Solutions
 
Building Secure WordPress Sites
Building Secure WordPress Sites Building Secure WordPress Sites
Building Secure WordPress Sites
Catch Themes
 
5 Ways to Optimize Your WordPress Site
5 Ways to Optimize Your WordPress Site5 Ways to Optimize Your WordPress Site
5 Ways to Optimize Your WordPress Site
MarkupBox
 
WordPress Security Basics - Melbourne WordPress User Meetup
WordPress Security Basics - Melbourne WordPress User MeetupWordPress Security Basics - Melbourne WordPress User Meetup
WordPress Security Basics - Melbourne WordPress User Meetup
Chris Burgess
 
Javascript issues and tools in production for developers
Javascript issues and tools in production for developersJavascript issues and tools in production for developers
Javascript issues and tools in production for developers
Michael Haberman
 
8 Simple Ways to Hack Your Joomla
8 Simple Ways to Hack Your Joomla8 Simple Ways to Hack Your Joomla
8 Simple Ways to Hack Your Joomla
SiteGround.com
 
Drupal Security for Coders and Themers - XSS and CSRF
Drupal Security for Coders and Themers - XSS and CSRF Drupal Security for Coders and Themers - XSS and CSRF
Drupal Security for Coders and Themers - XSS and CSRF
knaddison
 
WordPress.org & Optimizing Security for your WordPress sites
WordPress.org & Optimizing Security for your WordPress sitesWordPress.org & Optimizing Security for your WordPress sites
WordPress.org & Optimizing Security for your WordPress sites
GovLoop
 
Word press security checklist
Word press security checklistWord press security checklist
Word press security checklist
Sanjay Dabhoya
 
Word press security 101 2018
Word press security 101 2018 Word press security 101 2018
Word press security 101 2018
Laura Hartwig
 
Word camp pune 2013 security
Word camp pune 2013 securityWord camp pune 2013 security
Word camp pune 2013 security
Gaurav Singh
 
How to Secure your WordPress Website - WordCamp UK 2014
How to Secure your WordPress Website - WordCamp UK 2014How to Secure your WordPress Website - WordCamp UK 2014
How to Secure your WordPress Website - WordCamp UK 2014
Primary Image Ltd
 
Wordcampcolumbus 2009
Wordcampcolumbus 2009Wordcampcolumbus 2009
Wordcampcolumbus 2009
Brian Lockrey
 
Creating Secure Web Apps: What Every Developer Needs to Know About HTTPS Today
Creating Secure Web Apps: What Every Developer Needs to Know About HTTPS TodayCreating Secure Web Apps: What Every Developer Needs to Know About HTTPS Today
Creating Secure Web Apps: What Every Developer Needs to Know About HTTPS Today
Heroku
 
Sucuri Webinar: Beginner's Guide to CDNs
Sucuri Webinar: Beginner's Guide to CDNsSucuri Webinar: Beginner's Guide to CDNs
Sucuri Webinar: Beginner's Guide to CDNs
Sucuri
 
Word press beirut 9th meetup march
Word press beirut 9th meetup marchWord press beirut 9th meetup march
Word press beirut 9th meetup march
Fadi Nicolas Zahhar
 
Word press security basics
Word press security basicsWord press security basics
Word press security basics
East Bay WordPress Meetup
 
High Performance WordPress
High Performance WordPressHigh Performance WordPress
High Performance WordPress
Barry Abrahamson
 
High Performance Wordpress: “Faster, Cheaper, Easier : Pick Three”
High Performance Wordpress: “Faster, Cheaper, Easier : Pick Three”High Performance Wordpress: “Faster, Cheaper, Easier : Pick Three”
High Performance Wordpress: “Faster, Cheaper, Easier : Pick Three”
Valent Mustamin
 
How it's made - MyGet.org - AzureConf
How it's made - MyGet.org - AzureConfHow it's made - MyGet.org - AzureConf
How it's made - MyGet.org - AzureConf
Maarten Balliauw
 
WordPress Zurich Meetup #5: mobilesport.ch insights
WordPress Zurich Meetup #5: mobilesport.ch insightsWordPress Zurich Meetup #5: mobilesport.ch insights
WordPress Zurich Meetup #5: mobilesport.ch insights
Blogwerk AG
 
High Performance WordPress
High Performance WordPressHigh Performance WordPress
High Performance WordPress
vnsavage
 
Why wordpress is not completely safe
Why wordpress is not completely safeWhy wordpress is not completely safe
Why wordpress is not completely safe
Brainwork Technologies
 
Security - 101 - ISSA
Security - 101 - ISSASecurity - 101 - ISSA
Security - 101 - ISSA
Pedro Serrano
 
Information Technology Security A Brief Overview 2001
Information Technology Security A Brief Overview 2001Information Technology Security A Brief Overview 2001
Information Technology Security A Brief Overview 2001
Donald E. Hester
 

Contenu connexe

Tendances

Drupal Security for Coders and Themers - XSS and CSRF
Drupal Security for Coders and Themers - XSS and CSRF Drupal Security for Coders and Themers - XSS and CSRF
Drupal Security for Coders and Themers - XSS and CSRF
knaddison
 
Creating Secure Web Apps: What Every Developer Needs to Know About HTTPS Today
Creating Secure Web Apps: What Every Developer Needs to Know About HTTPS TodayCreating Secure Web Apps: What Every Developer Needs to Know About HTTPS Today
Creating Secure Web Apps: What Every Developer Needs to Know About HTTPS Today
Heroku
 
How it's made - MyGet.org - AzureConf
How it's made - MyGet.org - AzureConfHow it's made - MyGet.org - AzureConf
How it's made - MyGet.org - AzureConf
Maarten Balliauw
 
High Performance WordPress
High Performance WordPressHigh Performance WordPress
High Performance WordPress
vnsavage
 

Tendances (20)

WordPress Security Basics - Melbourne WordPress User Meetup
WordPress Security Basics - Melbourne WordPress User MeetupWordPress Security Basics - Melbourne WordPress User Meetup
WordPress Security Basics - Melbourne WordPress User Meetup
 
Javascript issues and tools in production for developers
Javascript issues and tools in production for developersJavascript issues and tools in production for developers
Javascript issues and tools in production for developers
 
8 Simple Ways to Hack Your Joomla
8 Simple Ways to Hack Your Joomla8 Simple Ways to Hack Your Joomla
8 Simple Ways to Hack Your Joomla
 
Drupal Security for Coders and Themers - XSS and CSRF
Drupal Security for Coders and Themers - XSS and CSRF Drupal Security for Coders and Themers - XSS and CSRF
Drupal Security for Coders and Themers - XSS and CSRF
 
WordPress.org & Optimizing Security for your WordPress sites
WordPress.org & Optimizing Security for your WordPress sitesWordPress.org & Optimizing Security for your WordPress sites
WordPress.org & Optimizing Security for your WordPress sites
 
Word press security checklist
Word press security checklistWord press security checklist
Word press security checklist
 
Word press security 101 2018
Word press security 101 2018 Word press security 101 2018
Word press security 101 2018
 
Word camp pune 2013 security
Word camp pune 2013 securityWord camp pune 2013 security
Word camp pune 2013 security
 
How to Secure your WordPress Website - WordCamp UK 2014
How to Secure your WordPress Website - WordCamp UK 2014How to Secure your WordPress Website - WordCamp UK 2014
How to Secure your WordPress Website - WordCamp UK 2014
 
Wordcampcolumbus 2009
Wordcampcolumbus 2009Wordcampcolumbus 2009
Wordcampcolumbus 2009
 
Creating Secure Web Apps: What Every Developer Needs to Know About HTTPS Today
Creating Secure Web Apps: What Every Developer Needs to Know About HTTPS TodayCreating Secure Web Apps: What Every Developer Needs to Know About HTTPS Today
Creating Secure Web Apps: What Every Developer Needs to Know About HTTPS Today
 
Sucuri Webinar: Beginner's Guide to CDNs
Sucuri Webinar: Beginner's Guide to CDNsSucuri Webinar: Beginner's Guide to CDNs
Sucuri Webinar: Beginner's Guide to CDNs
 
Word press beirut 9th meetup march
Word press beirut 9th meetup marchWord press beirut 9th meetup march
Word press beirut 9th meetup march
 
Word press security basics
Word press security basicsWord press security basics
Word press security basics
 
High Performance WordPress
High Performance WordPressHigh Performance WordPress
High Performance WordPress
 
High Performance Wordpress: “Faster, Cheaper, Easier : Pick Three”
High Performance Wordpress: “Faster, Cheaper, Easier : Pick Three”High Performance Wordpress: “Faster, Cheaper, Easier : Pick Three”
High Performance Wordpress: “Faster, Cheaper, Easier : Pick Three”
 
How it's made - MyGet.org - AzureConf
How it's made - MyGet.org - AzureConfHow it's made - MyGet.org - AzureConf
How it's made - MyGet.org - AzureConf
 
WordPress Zurich Meetup #5: mobilesport.ch insights
WordPress Zurich Meetup #5: mobilesport.ch insightsWordPress Zurich Meetup #5: mobilesport.ch insights
WordPress Zurich Meetup #5: mobilesport.ch insights
 
High Performance WordPress
High Performance WordPressHigh Performance WordPress
High Performance WordPress
 
Why wordpress is not completely safe
Why wordpress is not completely safeWhy wordpress is not completely safe
Why wordpress is not completely safe
 

En vedette

Security - 101 - ISSA
Security - 101 - ISSASecurity - 101 - ISSA
Security - 101 - ISSA
Pedro Serrano
 
Information Security Management 101
Information Security Management 101Information Security Management 101
Information Security Management 101
Jerod Brennen
 
Computer Security and Safety, Ethics & Privacy
Computer Security and Safety, Ethics & PrivacyComputer Security and Safety, Ethics & Privacy
Computer Security and Safety, Ethics & Privacy
Samudin Kassan
 
Computer Security and Risks
Computer Security and RisksComputer Security and Risks
Computer Security and Risks
Miguel Rebollo
 
Introduction to Cyber Security
Introduction to Cyber SecurityIntroduction to Cyber Security
Introduction to Cyber Security
Stephen Lahanas
 
Cyber crime and security ppt
Cyber crime and security pptCyber crime and security ppt
Cyber crime and security ppt
Lipsita Behera
 

En vedette (18)

Security - 101 - ISSA
Security - 101 - ISSASecurity - 101 - ISSA
Security - 101 - ISSA
 
Information Technology Security A Brief Overview 2001
Information Technology Security A Brief Overview 2001Information Technology Security A Brief Overview 2001
Information Technology Security A Brief Overview 2001
 
Computer security 101
Computer security 101Computer security 101
Computer security 101
 
Computer Security
Computer SecurityComputer Security
Computer Security
 
Information Security Management 101
Information Security Management 101Information Security Management 101
Information Security Management 101
 
Basic concepts in computer security
Basic concepts in computer securityBasic concepts in computer security
Basic concepts in computer security
 
Cyber Security 101: Training, awareness, strategies for small to medium sized...
Cyber Security 101: Training, awareness, strategies for small to medium sized...Cyber Security 101: Training, awareness, strategies for small to medium sized...
Cyber Security 101: Training, awareness, strategies for small to medium sized...
 
Computer security threats & prevention
Computer security threats & preventionComputer security threats & prevention
Computer security threats & prevention
 
Computer Security and Safety, Ethics & Privacy
Computer Security and Safety, Ethics & PrivacyComputer Security and Safety, Ethics & Privacy
Computer Security and Safety, Ethics & Privacy
 
Computer Security 101
Computer Security 101Computer Security 101
Computer Security 101
 
Computer Security and Risks
Computer Security and RisksComputer Security and Risks
Computer Security and Risks
 
Introduction to Information Security
Introduction to Information SecurityIntroduction to Information Security
Introduction to Information Security
 
Introduction To Information Security
Introduction To Information SecurityIntroduction To Information Security
Introduction To Information Security
 
Computer Security
Computer SecurityComputer Security
Computer Security
 
Introduction to Cyber Security
Introduction to Cyber SecurityIntroduction to Cyber Security
Introduction to Cyber Security
 
Top Cyber Security Trends for 2016
Top Cyber Security Trends for 2016Top Cyber Security Trends for 2016
Top Cyber Security Trends for 2016
 
INFORMATION SECURITY
INFORMATION SECURITYINFORMATION SECURITY
INFORMATION SECURITY
 
Cyber crime and security ppt
Cyber crime and security pptCyber crime and security ppt
Cyber crime and security ppt
 

Similaire à Security 101

Antisnatchor all you ever wanted to know about beef
Antisnatchor all you ever wanted to know about beefAntisnatchor all you ever wanted to know about beef
Antisnatchor all you ever wanted to know about beef
DefconRussia
 
Creating Havoc using Human Interface Device
Creating Havoc using Human Interface DeviceCreating Havoc using Human Interface Device
Creating Havoc using Human Interface Device
Positive Hack Days
 
Top Ten Web Hacking Techniques of 2012
Top Ten Web Hacking Techniques of 2012Top Ten Web Hacking Techniques of 2012
Top Ten Web Hacking Techniques of 2012
Jeremiah Grossman
 
HTTP cookie hijacking in the wild: security and privacy implications
HTTP cookie hijacking in the wild: security and privacy implicationsHTTP cookie hijacking in the wild: security and privacy implications
HTTP cookie hijacking in the wild: security and privacy implications
Priyanka Aash
 
[Wroclaw #2] Web Application Security Headers
[Wroclaw #2] Web Application Security Headers[Wroclaw #2] Web Application Security Headers
[Wroclaw #2] Web Application Security Headers
OWASP
 
Java scriptwidgetdevelopmentjstanbul2012
Java scriptwidgetdevelopmentjstanbul2012Java scriptwidgetdevelopmentjstanbul2012
Java scriptwidgetdevelopmentjstanbul2012
Volkan Özçelik
 

Similaire à Security 101 (20)

VoxxedDays Luxembourg - Abuse web browsers for fun & profits - Dominique Righ...
VoxxedDays Luxembourg - Abuse web browsers for fun & profits - Dominique Righ...VoxxedDays Luxembourg - Abuse web browsers for fun & profits - Dominique Righ...
VoxxedDays Luxembourg - Abuse web browsers for fun & profits - Dominique Righ...
 
Antisnatchor all you ever wanted to know about beef
Antisnatchor all you ever wanted to know about beefAntisnatchor all you ever wanted to know about beef
Antisnatchor all you ever wanted to know about beef
 
ZeroNights2012_BeEF_Workshop_antisnatchor
ZeroNights2012_BeEF_Workshop_antisnatchorZeroNights2012_BeEF_Workshop_antisnatchor
ZeroNights2012_BeEF_Workshop_antisnatchor
 
Thinking Outside the Sand[box]
Thinking Outside the Sand[box]Thinking Outside the Sand[box]
Thinking Outside the Sand[box]
 
External JavaScript Widget Development Best Practices (updated) (v.1.1)
External JavaScript Widget Development Best Practices (updated) (v.1.1) External JavaScript Widget Development Best Practices (updated) (v.1.1)
External JavaScript Widget Development Best Practices (updated) (v.1.1)
 
CollabSphere SC 103 : Domino on the Web : Yes, It's (Probably) Hackable
CollabSphere SC 103 : Domino on the Web : Yes, It's (Probably) HackableCollabSphere SC 103 : Domino on the Web : Yes, It's (Probably) Hackable
CollabSphere SC 103 : Domino on the Web : Yes, It's (Probably) Hackable
 
Rails security: above and beyond the defaults
Rails security: above and beyond the defaultsRails security: above and beyond the defaults
Rails security: above and beyond the defaults
 
Chrome extensions threat analysis and countermeasures
Chrome extensions threat analysis and countermeasuresChrome extensions threat analysis and countermeasures
Chrome extensions threat analysis and countermeasures
 
Top 10 Web Hacks 2012
Top 10 Web Hacks 2012Top 10 Web Hacks 2012
Top 10 Web Hacks 2012
 
Browser Hacking For Fun and Profit | Null Bangalore Meetup 2019 | Divyanshu S...
Browser Hacking For Fun and Profit | Null Bangalore Meetup 2019 | Divyanshu S...Browser Hacking For Fun and Profit | Null Bangalore Meetup 2019 | Divyanshu S...
Browser Hacking For Fun and Profit | Null Bangalore Meetup 2019 | Divyanshu S...
 
Creating Havoc using Human Interface Device
Creating Havoc using Human Interface DeviceCreating Havoc using Human Interface Device
Creating Havoc using Human Interface Device
 
Top Ten Web Hacking Techniques of 2012
Top Ten Web Hacking Techniques of 2012Top Ten Web Hacking Techniques of 2012
Top Ten Web Hacking Techniques of 2012
 
HTTP cookie hijacking in the wild: security and privacy implications
HTTP cookie hijacking in the wild: security and privacy implicationsHTTP cookie hijacking in the wild: security and privacy implications
HTTP cookie hijacking in the wild: security and privacy implications
 
[Wroclaw #2] Web Application Security Headers
[Wroclaw #2] Web Application Security Headers[Wroclaw #2] Web Application Security Headers
[Wroclaw #2] Web Application Security Headers
 
Threat_Modelling.pdf
Threat_Modelling.pdfThreat_Modelling.pdf
Threat_Modelling.pdf
 
Are we security yet
Are we security yetAre we security yet
Are we security yet
 
Active Https Cookie Stealing
Active Https Cookie StealingActive Https Cookie Stealing
Active Https Cookie Stealing
 
Java scriptwidgetdevelopmentjstanbul2012
Java scriptwidgetdevelopmentjstanbul2012Java scriptwidgetdevelopmentjstanbul2012
Java scriptwidgetdevelopmentjstanbul2012
 
External JavaScript Widget Development Best Practices
External JavaScript Widget Development Best PracticesExternal JavaScript Widget Development Best Practices
External JavaScript Widget Development Best Practices
 
Malware Analysis For The Enterprise
Malware Analysis For The EnterpriseMalware Analysis For The Enterprise
Malware Analysis For The Enterprise
 

Plus de Red Gate Software

The future of DevOps: fully left-shifted deployments with version control and...
The future of DevOps: fully left-shifted deployments with version control and...The future of DevOps: fully left-shifted deployments with version control and...
The future of DevOps: fully left-shifted deployments with version control and...
Red Gate Software
 
Mizuho Financial: Launching our Database DevOps journey
Mizuho Financial: Launching our Database DevOps journeyMizuho Financial: Launching our Database DevOps journey
Mizuho Financial: Launching our Database DevOps journey
Red Gate Software
 
Level up your deployments for SQL Source Control
Level up your deployments for SQL Source Control Level up your deployments for SQL Source Control
Level up your deployments for SQL Source Control
Red Gate Software
 
Key findings from the 2020 state of database dev ops report
Key findings from the 2020 state of database dev ops reportKey findings from the 2020 state of database dev ops report
Key findings from the 2020 state of database dev ops report
Red Gate Software
 
The Ultimate Guide to Choosing and Implementing the Right Monitoring Tool
The Ultimate Guide to Choosing and Implementing the Right Monitoring ToolThe Ultimate Guide to Choosing and Implementing the Right Monitoring Tool
The Ultimate Guide to Choosing and Implementing the Right Monitoring Tool
Red Gate Software
 
Using Redgate, AKS and Azure to bring DevOps to your Database
Using Redgate, AKS and Azure to bring DevOps to your DatabaseUsing Redgate, AKS and Azure to bring DevOps to your Database
Using Redgate, AKS and Azure to bring DevOps to your Database
Red Gate Software
 
Taming the Wild West
Taming the Wild West Taming the Wild West
Taming the Wild West
Red Gate Software
 

Plus de Red Gate Software (20)

The future of DevOps: fully left-shifted deployments with version control and...
The future of DevOps: fully left-shifted deployments with version control and...The future of DevOps: fully left-shifted deployments with version control and...
The future of DevOps: fully left-shifted deployments with version control and...
 
Embracing DevOps through database migrations with Flyway
Embracing DevOps through database migrations with FlywayEmbracing DevOps through database migrations with Flyway
Embracing DevOps through database migrations with Flyway
 
Database DevOps for Managed Service Providers
Database DevOps for Managed Service ProvidersDatabase DevOps for Managed Service Providers
Database DevOps for Managed Service Providers
 
Mizuho Financial: Launching our Database DevOps journey
Mizuho Financial: Launching our Database DevOps journeyMizuho Financial: Launching our Database DevOps journey
Mizuho Financial: Launching our Database DevOps journey
 
7 steps to effective SQL Server monitoring
7 steps to effective SQL Server monitoring7 steps to effective SQL Server monitoring
7 steps to effective SQL Server monitoring
 
Level up your deployments for SQL Source Control
Level up your deployments for SQL Source Control Level up your deployments for SQL Source Control
Level up your deployments for SQL Source Control
 
Key findings from the 2020 state of database dev ops report
Key findings from the 2020 state of database dev ops reportKey findings from the 2020 state of database dev ops report
Key findings from the 2020 state of database dev ops report
 
Extend DevOps to Your SQL Server Databases
Extend DevOps to Your SQL Server DatabasesExtend DevOps to Your SQL Server Databases
Extend DevOps to Your SQL Server Databases
 
2019 year in review slides
2019 year in review slides2019 year in review slides
2019 year in review slides
 
What we learned at PASS Summit in 2019
What we learned at PASS Summit in 2019What we learned at PASS Summit in 2019
What we learned at PASS Summit in 2019
 
Quality in Software Development: Anglia Ruskin University
Quality in Software Development: Anglia Ruskin UniversityQuality in Software Development: Anglia Ruskin University
Quality in Software Development: Anglia Ruskin University
 
How SQL Change Automation helps you deliver value faster
How SQL Change Automation helps you deliver value fasterHow SQL Change Automation helps you deliver value faster
How SQL Change Automation helps you deliver value faster
 
DevOps essentials from Abel Wang and Steve Jones
DevOps essentials from Abel Wang and Steve JonesDevOps essentials from Abel Wang and Steve Jones
DevOps essentials from Abel Wang and Steve Jones
 
Successfully migrating existing databases to Azure
Successfully migrating existing databases to AzureSuccessfully migrating existing databases to Azure
Successfully migrating existing databases to Azure
 
The Ultimate Guide to Choosing and Implementing the Right Monitoring Tool
The Ultimate Guide to Choosing and Implementing the Right Monitoring ToolThe Ultimate Guide to Choosing and Implementing the Right Monitoring Tool
The Ultimate Guide to Choosing and Implementing the Right Monitoring Tool
 
Everything You Need to Know About the 2019 DORA Accelerate State of DevOps Re...
Everything You Need to Know About the 2019 DORA Accelerate State of DevOps Re...Everything You Need to Know About the 2019 DORA Accelerate State of DevOps Re...
Everything You Need to Know About the 2019 DORA Accelerate State of DevOps Re...
 
Using Redgate, AKS and Azure to bring DevOps to your database
Using Redgate, AKS and Azure to bring DevOps to your databaseUsing Redgate, AKS and Azure to bring DevOps to your database
Using Redgate, AKS and Azure to bring DevOps to your database
 
Using Redgate, AKS and Azure to bring DevOps to your Database
Using Redgate, AKS and Azure to bring DevOps to your DatabaseUsing Redgate, AKS and Azure to bring DevOps to your Database
Using Redgate, AKS and Azure to bring DevOps to your Database
 
How to Pitch a Software Development Initiative and Ignite Culture Change
How to Pitch a Software Development Initiative and Ignite Culture ChangeHow to Pitch a Software Development Initiative and Ignite Culture Change
How to Pitch a Software Development Initiative and Ignite Culture Change
 
Taming the Wild West
Taming the Wild West Taming the Wild West
Taming the Wild West
 

Dernier

Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
Joaquim Jorge
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Miguel Araújo
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
Principled Technologies
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
vu2urc
 

Dernier (20)

Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Tech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfTech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdf
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your Business
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 

Security 101

  • 3. A hypothetical world… • You’re working for a company that has: • a web browser used by 45% of internet users • a web server visited by 90% of internet users (Stats made up) http://www.w3schools.com/browsers/browsers_stats.asp http://www.guardian.co.uk/technology/2012/nov/06/google-bing-uk-search-share
  • 4. Your product manager says… • FASTER! • Our web browser and our web server must work awesomely fast together • Users have slow internet connections, especially their upload
  • 5. So… • I want you to embrace, extend and extinguish the HTTP/HTTPS standard • We’re going to add a proprietary extension so that our web browser & our web server compress HTTP headers (even over HTTPS)
  • 6. Your response? • Okay • Nope, that would introduce a security vulnerability • Interesting, I’d need to work out what our threat model is
  • 7. Threat model • “Attacker-centric threat modelling starts with an attacker, and evaluates their goals, and how they might achieve them” • Implicit in this is what their capabilities are http://en.wikipedia.org/wiki/Threat_model
  • 8. The attack… • The attacker’s goal is to obtain your login cookie so that they can impersonate you on the target site. • Whilst observing your network traffic (e.g. on a public Wi-Fi network), • and whilst you are logged in to the target site, • the attacker gets you to visit their evil site, • which has a whole bunch of Javascript that (slowly) adds images to the DOM. http://en.wikipedia.org/wiki/CRIME_(security_exploit)
  • 9. HTTP headers GET / HTTP/1.1 Host: deploymentmanager.red-gate.com Connection: keep-alive Cache-Control: max-age=0 User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.11 (KHTML, like Gecko) Chrome/23.0.1271.95 Safari/537.11 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 DNT: 1 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-GB,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: DeploymentManagerAuthenticationTicket=0166AE259D1D0CE54C73A0FB 69E6A550E153A196C381EF4F2C5F96D96FA2D768E65621... Fiddler
  • 10. Images of the form… GET /404.png?DeploymentManagerAuthenticationTicket=0 HTTP/1.1 ... Cookie: DeploymentManagerAuthenticationTicket=0166AE259D1D0CE54C73A0FB 69E6A550E153A196C381EF4F2C5F96D96FA2D768E65621... GET /404.png?DeploymentManagerAuthenticationTicket=1 HTTP/1.1 ... Cookie: DeploymentManagerAuthenticationTicket=0166AE259D1D0CE54C73A0FB 69E6A550E153A196C381EF4F2C5F96D96FA2D768E65621... GET /404.png?DeploymentManagerAuthenticationTicket=2 HTTP/1.1 ... Cookie: DeploymentManagerAuthenticationTicket=0166AE259D1D0CE54C73A0FB 69E6A550E153A196C381EF4F2C5F96D96FA2D768E65621... http://en.wikipedia.org/wiki/CRIME_(security_exploit)
  • 12. Takeaways… • Just don’t do it! • Writing software where security matters is hard • If you can, use an existing library to do all the functionality (in as few method calls as possible). If that library doesn’t have the feature you want, there’s probably a reason • If you can’t, then you’ve got a big problem