A case for business.  College Curriculums Lacks security module Not updated  Programmers Hard to find Lack formal training unaware.

Presentation transcript:

1 A case for business

2  College curriculums
   - Lack a security module
   - Not updated
   Programmers
   - Hard to find
   - Lack formal training
   - Unaware of the issues

3  Common vulnerability classes
   - XSS (cross-site scripting)
   - SQL injection
   - Overflows
   - Format string bugs

4  The cost of fixing bugs one at a time
   - A bug is reported
   - The programmer spends time learning about it
   - Implements a fix
   - Development time and cost increase
   - A later patch might overwrite the previous fix
   - The vulnerability is reintroduced

5  A security (input/output validation) framework
   How?
   - Identify the risk-posing tasks in the application:
     grabbing user input, reading/writing files, displaying data, using SQL,
     displaying sensitive user data, buying an item

6  - Identify the common vulnerability types for each risky task, together with a best-practice approach to locking them down
   - Created jointly by a senior member of the development team and a security consultant

7  Grabbing user input:
   - Use strong data types where applicable
   - Identify and enforce data length restrictions
   - Identify and enforce whitelists of acceptable characters when handling strings
   Reading/writing files:
   - Perform and enforce least-privilege permission checks

8  Displaying data:
   - Create a whitelist of acceptable characters
   - Characters not on the list are escaped, stripped or HTML-encoded before display
   Using SQL:
   - Enforce the character whitelist to reduce SQL injection exposure; use parameterised queries (prepared statements) as the primary control, since a whitelist alone does not separate data from query text
   Important application functionality:
   - Proper session validation (authentication)
   - Object access checking (authorisation)
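The following Python is an added illustration of the framework slides 5 through 8 describe; it is not code from the presentation or from any of the libraries named on slide 10. It implements the three risky tasks in one place: grabbing user input (strong type, length limit, character whitelist), displaying data (every character not on a whitelist is HTML-encoded) and using SQL (a deliberately vulnerable concatenated query beside its parameterised form). The field names, the in-memory users table and the injection payload are constructed for the example and assumed rather than taken from the slides.

```python
"""A minimal input/output validation framework of the kind slides 5-8 call for."""
import re
import sqlite3
from dataclasses import dataclass


class ValidationError(ValueError):
    """Raised when a value breaks a field rule; the caller rejects the request."""


@dataclass(frozen=True)
class Field:
    """One 'grabbing user input' rule: strong type, length limit, character whitelist."""
    name: str
    max_len: int
    whitelist: re.Pattern          # anchored by fullmatch() below
    type_: type = str

    def validate(self, raw):
        if not isinstance(raw, str):
            raise ValidationError(f"{self.name}: expected a string")
        if len(raw) > self.max_len:
            raise ValidationError(f"{self.name}: longer than {self.max_len}")
        if not self.whitelist.fullmatch(raw):
            raise ValidationError(f"{self.name}: character not on whitelist")
        try:
            return self.type_(raw)          # convert to the strong type last
        except ValueError as exc:
            raise ValidationError(f"{self.name}: not a valid {self.type_.__name__}") from exc


# Hypothetical fields for a shopping-cart style application (assumed, not from the slides).
USERNAME = Field("username", max_len=32, whitelist=re.compile(r"[A-Za-z0-9_]+"))
QUANTITY = Field("quantity", max_len=6, whitelist=re.compile(r"[0-9]+"), type_=int)


def rejects(field, raw):
    """True if the field rejects the value; shows the framework blocking bad input."""
    try:
        field.validate(raw)
    except ValidationError:
        return True
    return False


# 'Displaying data': whitelist of characters that may reach the page unchanged.
SAFE_OUTPUT = re.compile(r"[A-Za-z0-9 .,!?_-]")


def encode_for_html(text):
    """Encode every character not on SAFE_OUTPUT as a numeric HTML entity."""
    return "".join(ch if SAFE_OUTPUT.fullmatch(ch) else f"&#{ord(ch)};" for ch in text)


# 'Using SQL': the 'before' and 'after' pictures side by side.
def lookup_user_unsafe(conn, username):
    """Deliberately vulnerable: the value is concatenated into the SQL text."""
    return conn.execute(f"SELECT id, name FROM users WHERE name = '{username}'").fetchall()


def lookup_user(conn, username):
    """Parameterised query: the value travels separately from the SQL text."""
    return conn.execute("SELECT id, name FROM users WHERE name = ?", (username,)).fetchall()


def build_demo_db():
    """Constructed in-memory table standing in for the application's user store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users (name) VALUES (?)", [("alice",), ("bob",)])
    return conn


def run_demo():
    """Run the three controls against a constructed injection payload and return the results."""
    payload = "x' OR '1'='1"         # constructed SQL injection string
    conn = build_demo_db()
    return {
        "input_rejected": rejects(USERNAME, payload),            # quotes and spaces are not whitelisted
        "unsafe_rows": len(lookup_user_unsafe(conn, payload)),   # concatenation: every user leaks
        "safe_rows": len(lookup_user(conn, payload)),            # parameterised: literal name, no match
        "encoded": encode_for_html("<script>alert(1)</script>"),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The layering is the point: the input whitelist rejects the payload before it reaches the database, but the parameterised query is what actually makes the lookup safe if a value ever arrives by a path the framework did not cover. Output encoding sits on a separate whitelist because the set of characters acceptable on a page differs from the set acceptable in a username.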

9  Consider using existing frameworks
   - Well-known issues are already addressed
   - Saves development time
   - Bug fixes can be applied in one central location instead of many

10  - Java Validation Library for Java
    - XWork Validator for Java Struts
    - JSTL for JSP
    - Anti-XSS Library for Microsoft .NET

11  - Create a best-practices document outlining how to address the risky tasks
    - Short training course
    - Q&A sessions to address the concerns of the development team
    - Emphasise the code-management advantages and the consistency of security checking

12  - Time savings are essential for developer acceptance
    - Initially adds to development time
    - Management and future code audits become easier

13  - Make use of the framework a project requirement, with consequences for failing to implement it without a good reason
    - Otherwise developers treat it as an optional step

14  References
    - The Business Case for Security Frameworks, by Robert Auger: http://www.webappsec.org/projects/articles/042307.shtml
    - The Cross Site Scripting (XSS) FAQ: http://www.cgisecurity.com/articles/xss-faq.shtml

