Domain Driven Security at Internetdagarna-2014
Domain Driven Security
- Dan Bergh Johnsson & Daniel Deogun, Omegapoint
Twitter: @danbjson @DanielDeogun Internetdagarna, 2014-11-24
About…
Daniel Deogun
Senior consultant at Omegapoint in Stockholm. His extensive experience ranges from patient-critical pacemaker software to high-performance reactive systems. Very passionate about high-quality software and an early adopter of DDD. Combining this with his interest in security has made him a strong advocate of Domain Driven Security.
Dan Bergh Johnsson
Agile aficionado; Domain Driven Design enthusiast; code quality craftsman, with a long-time interest in security. The combination made him use quality practices from DDD to address application security issues, thus becoming one of the founders of the field Domain Driven Security around 2009.
OWASP Top 10 (2013)
A1 - Injection
A2 - Broken Authentication and Session Management
A3 - Cross-Site Scripting (XSS)
A4 - Insecure Direct Object References
A5 - Security Misconfiguration
A6 - Sensitive Data Exposure
A7 - Missing Function Level Access Control
A8 - Cross-Site Request Forgery (CSRF)
A9 - Using Components with Known Vulnerabilities
A10 - Unvalidated Redirects and Forwards
https://www.owasp.org/index.php/Top_10_2013-Top_10
OWASP Top 10 (2013)
A1 - Injection
A3 - Cross-Site Scripting (XSS)
https://www.owasp.org/index.php/Top_10_2013-Top_10
Security and Quality
Security is not the most important quality attribute
but
quality is the most important security attribute.
- Dr John Wilander (OWASP Champion)
A1 - Injection
“Injection flaws, such as SQL, OS, and LDAP injection occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization.”
- OWASP top 10
Domain-Driven Security
Domain Driven Design applied to Application Security
Coined in 2009 by John Wilander, Dan Bergh Johnsson, and Erlend Oftedal (aka @webtonull); later embraced by Daniel Deogun
A3 - Cross-Site Scripting (XSS)
“XSS flaws occur whenever an application takes untrusted data and sends it to a web browser without proper validation or escaping. XSS allows attackers to execute scripts in the victim’s browser which can hijack user sessions, deface web sites, or redirect the user to malicious sites.”
- OWASP top 10
Example - Coder’s Blog…
• Let’s say we’re running a website where anyone can ask questions about code
• Is it possible to avoid XSS?
Stored XSS & Broken Context Mapping
<script>alert('42')</script>
[Diagram: the snippet above is entered in the Writer Context and then shown in the Reader Context (the browser)]
Food For Thought
• Developers cannot think about security all the time
• Quality attitude leads to security
• Code should mean something, not just do stuff.
• There is no such thing as just a string (Dr. John Wilander)
• Validate input and map everything to domain objects
• Security through clarity
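The Coder's Blog example and the "map everything to domain objects" advice above, worked through as an added example (not code from the talk or from the Omegapoint demo repository). A `QuestionText` value object validates its invariants once, on construction, but deliberately keeps `<`, `>` and quotes, because on a coder's blog they are legitimate content in the writer context; escaping then happens in the reader context, at the boundary to the browser. The class name, the 2000-character limit and the rendering functions are this example's own assumptions.

```python
import html
import json
import re
from dataclasses import dataclass

# Control characters a question body may not contain (tab, LF and CR stay allowed).
_CONTROL = re.compile(r"[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]")


@dataclass(frozen=True)
class QuestionText:
    """Domain type for a question body. Invariants are checked once, on
    construction, so no later code has to wonder whether the string is valid."""

    value: str
    MAX_LEN = 2000  # invariant chosen for this example

    def __post_init__(self) -> None:
        if not isinstance(self.value, str):
            raise TypeError("question text must be a string")
        if not self.value.strip():
            raise ValueError("question text must not be blank")
        if len(self.value) > self.MAX_LEN:
            raise ValueError(f"question text longer than {self.MAX_LEN} characters")
        if _CONTROL.search(self.value):
            raise ValueError("control characters are not allowed")
        # Note what is NOT rejected: '<', '>' and quotes. On a coder's blog
        # they are legitimate content in the writer context.


def render_for_browser(q: QuestionText) -> str:
    """Reader context: HTML. Escaping happens here, at the boundary to the
    browser, not inside the domain object."""
    return '<pre class="question">' + html.escape(q.value, quote=True) + "</pre>"


def render_for_json_api(q: QuestionText) -> str:
    """A different reader context needs a different encoding: JSON, not HTML."""
    return json.dumps({"question": q.value})


if __name__ == "__main__":
    # Constructed input: a perfectly valid question about JavaScript.
    q = QuestionText("<script>alert('42')</script>")
    print(render_for_browser(q))
    print(render_for_json_api(q))
```

The same `QuestionText` is rendered twice with different encodings, which is the point of context mapping: the domain object carries meaning, and each reader context decides how that meaning is written out safely.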
Next Step
• Green-field: Trivial, uninteresting
• Brown-field w/ service-API: Domain types for all API-method parameters
• Brown-field spaghetti: Extract a module
• Stuck? Google "Domain Driven Security"; watch http://bit.ly/dds-video-2013; call us, we have lots of tricks
Thanks
Twitter: @danbjson @DanielDeogun
https://github.com/Omegapoint/dds-demo-vo
Slides on SlideShare