Secure development automatic identification and mitigation of application vulnerabilities
![Page 1: Secure development automatic identification and mitigation of application vulnerabilities](https://reader033.fdocuments.in/reader033/viewer/2022042814/5549ab75b4c9050c708b57a5/html5/thumbnails/1.jpg)
Secure Development: Automatic Identification and Mitigation of Application Vulnerabilities
JIM LIU
CHIEF GEEK, LUCENT SKY
![Page 2: Secure development automatic identification and mitigation of application vulnerabilities](https://reader033.fdocuments.in/reader033/viewer/2022042814/5549ab75b4c9050c708b57a5/html5/thumbnails/2.jpg)
• What’re application vulnerabilities and why they’re bad
• How to identify vulnerabilities
• How to mitigate vulnerabilities + shameless self plug
![Page 3: Secure development automatic identification and mitigation of application vulnerabilities](https://reader033.fdocuments.in/reader033/viewer/2022042814/5549ab75b4c9050c708b57a5/html5/thumbnails/3.jpg)
What’re application vulnerabilities
• Application vulnerabilities are bugs in source code that allow hackers to bypass security features such as authentication or firewall
![Page 4: Secure development automatic identification and mitigation of application vulnerabilities](https://reader033.fdocuments.in/reader033/viewer/2022042814/5549ab75b4c9050c708b57a5/html5/thumbnails/4.jpg)
Application Security Feels Like an Uphill Battle
70% of web applications vulnerable to data theft
480 average vulnerabilities per application
![Page 5: Secure development automatic identification and mitigation of application vulnerabilities](https://reader033.fdocuments.in/reader033/viewer/2022042814/5549ab75b4c9050c708b57a5/html5/thumbnails/5.jpg)
They’re expensive problems, and also are expensive to fix
![Page 6: Secure development automatic identification and mitigation of application vulnerabilities](https://reader033.fdocuments.in/reader033/viewer/2022042814/5549ab75b4c9050c708b57a5/html5/thumbnails/6.jpg)
What’s wrong with this code?
```jsp
<% String eid = request.getParameter("eid"); %>
Employee ID: <%= eid %>
```
![Page 7: Secure development automatic identification and mitigation of application vulnerabilities](https://reader033.fdocuments.in/reader033/viewer/2022042814/5549ab75b4c9050c708b57a5/html5/thumbnails/7.jpg)
What about this one?
```java
String userName = ctx.getAuthenticatedUserName();
String itemName = request.getParameter("itemName");
String query = "SELECT * FROM items WHERE owner = '"
    + userName + "' AND itemname = '"
    + itemName + "'";
List items = sess.createSQLQuery(query).list();
```
![Page 8: Secure development automatic identification and mitigation of application vulnerabilities](https://reader033.fdocuments.in/reader033/viewer/2022042814/5549ab75b4c9050c708b57a5/html5/thumbnails/8.jpg)
The most common vulnerabilities: cross-site scripting
• Allows the execution of arbitrary JavaScript in website visitors’ browsers
• Almost every popular website has been hit with XSS in the past
http://youtu.be/LhbUTEccdPs
![Page 9: Secure development automatic identification and mitigation of application vulnerabilities](https://reader033.fdocuments.in/reader033/viewer/2022042814/5549ab75b4c9050c708b57a5/html5/thumbnails/9.jpg)
The most common vulnerabilities: SQL injection
• Allow the execution of arbitrary SQL queries and system commands on the database server
• Over 80% of e-commerce sites in Taiwan currently have SQL injections
http://youtu.be/f5qSs85eGVI
![Page 10: Secure development automatic identification and mitigation of application vulnerabilities](https://reader033.fdocuments.in/reader033/viewer/2022042814/5549ab75b4c9050c708b57a5/html5/thumbnails/10.jpg)
• What’re application vulnerabilities and why they’re bad
• How to identify vulnerabilities
• How to mitigate vulnerabilities + shameless self plug
![Page 11: Secure development automatic identification and mitigation of application vulnerabilities](https://reader033.fdocuments.in/reader033/viewer/2022042814/5549ab75b4c9050c708b57a5/html5/thumbnails/11.jpg)
Beer time!
• What did you do to identify vulnerabilities in your applications?
• What steps were taken to prevent vulnerable applications from being published?
![Page 12: Secure development automatic identification and mitigation of application vulnerabilities](https://reader033.fdocuments.in/reader033/viewer/2022042814/5549ab75b4c9050c708b57a5/html5/thumbnails/12.jpg)
Three different kinds of static code analysis tools
![Page 13: Secure development automatic identification and mitigation of application vulnerabilities](https://reader033.fdocuments.in/reader033/viewer/2022042814/5549ab75b4c9050c708b57a5/html5/thumbnails/13.jpg)
Dynamic or static testing?
![Page 14: Secure development automatic identification and mitigation of application vulnerabilities](https://reader033.fdocuments.in/reader033/viewer/2022042814/5549ab75b4c9050c708b57a5/html5/thumbnails/14.jpg)
SAST is accurate, but what does it really do?
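What a SAST tool does under the hood is data-flow (taint) analysis: it marks values coming from untrusted sources, follows them through assignments, and reports when one reaches a dangerous sink without passing through a sanitizer. The toy analyzer below, added here as an illustration and not part of the slides or of any Lucent Sky product, runs that idea over the slide's own Java snippet; the source, sink and sanitizer lists, the `out.println` sink and the `codec` argument in the fixed snippet are this example's assumptions.

```python
"""Toy source-to-sink taint analysis over Java statements (added example)."""
import re

# Constructed rule set: where untrusted data enters, where it is dangerous,
# and which calls neutralise it for a given vulnerability class.
SOURCES = ("request.getParameter(",)
SINKS = {"createSQLQuery(": "SQL injection", "out.println(": "cross-site scripting"}
SANITIZERS = {
    "encodeForSQL(": "SQL injection",
    "encodeForHTML(": "cross-site scripting",
    "encodeForHTMLAttribute(": "cross-site scripting",
}

ASSIGN = re.compile(r"^(?:[\w<>\[\]]+\s+)?(\w+)\s*=\s*(.+);$")  # [Type] name = rhs;
STRING = re.compile(r'"[^"]*"')                                 # string literals
IDENT = re.compile(r"\b[A-Za-z_]\w*\b")                         # identifiers


def statements(source):
    """Yield (first_line_no, statement) pairs, joining lines until a ';'."""
    buf, start = [], None
    for line_no, line in enumerate(source.splitlines(), start=1):
        text = line.strip()
        if not text:
            continue
        if start is None:
            start = line_no
        buf.append(text)
        if text.endswith(";"):
            yield start, " ".join(buf)
            buf, start = [], None


def analyze(source):
    """Return [(line_no, vulnerability_class, sink_name)] findings.

    A variable becomes tainted when its right-hand side mentions a source or
    an already tainted variable; a sanitizer call removes its own class.
    (Real tools check that the sanitizer wraps the tainted expression; this
    toy only checks that it appears in the same statement.)
    """
    tainted, findings = {}, []
    for line_no, stmt in statements(source):
        m = ASSIGN.match(stmt)
        rhs = m.group(2) if m else stmt
        code = STRING.sub('""', rhs)  # ignore identifiers inside string literals
        taint = set()
        if any(src in code for src in SOURCES):
            taint.update(SINKS.values())
        for ident in IDENT.findall(code):
            taint |= tainted.get(ident, set())
        for san, cls in SANITIZERS.items():
            if san in code:
                taint.discard(cls)
        if m and taint:
            tainted[m.group(1)] = set(taint)
        for sink, cls in SINKS.items():
            if sink in code and cls in taint:
                findings.append((line_no, cls, sink.rstrip("(")))
    return findings


# Constructed inputs: the slide's snippet, the ESAPI-encoded version, and a
# case where data is derived from a tainted value but cannot carry markup.
VULNERABLE_JAVA = """String userName = ctx.getAuthenticatedUserName();
String itemName = request.getParameter("itemName");
String query = "SELECT * FROM items WHERE owner = '"
    + userName + "' AND itemname = '"
    + itemName + "'";
List items = sess.createSQLQuery(query).list();
"""
FIXED_JAVA = """String userName = ctx.getAuthenticatedUserName();
String itemName = request.getParameter("itemName");
String query = "SELECT * FROM items WHERE owner = '"
    + userName + "' AND itemname = '"
    + ESAPI.encoder().encodeForSQL(codec, itemName)
    + "'";
List items = sess.createSQLQuery(query).list();
"""
FALSE_POSITIVE_JAVA = """String itemName = request.getParameter("itemName");
int n = itemName.length();
out.println(n);
"""

if __name__ == "__main__":
    for name, src in [("vulnerable", VULNERABLE_JAVA), ("fixed", FIXED_JAVA),
                      ("false positive", FALSE_POSITIVE_JAVA)]:
        print(name, analyze(src))
```

The third input shows the flip side of "SAST is accurate": the toy flags `out.println(n)` even though `n` is an `int` that cannot carry script, because it propagates taint through any expression. Commercial tools model method return types and sanitizer arguments precisely, and the quality of that modelling, not the source/sink list, is what separates an accurate scanner from a noisy one.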
![Page 15: Secure development automatic identification and mitigation of application vulnerabilities](https://reader033.fdocuments.in/reader033/viewer/2022042814/5549ab75b4c9050c708b57a5/html5/thumbnails/15.jpg)
• What’re application vulnerabilities and why they’re bad
• How to identify vulnerabilities
• How to mitigate vulnerabilities + shameless self plug
![Page 16: Secure development automatic identification and mitigation of application vulnerabilities](https://reader033.fdocuments.in/reader033/viewer/2022042814/5549ab75b4c9050c708b57a5/html5/thumbnails/16.jpg)
What do you do with vulnerabilities?
```jsp
<% String eid = request.getParameter("eid"); %>
Employee ID: <%= eid %>
```
![Page 17: Secure development automatic identification and mitigation of application vulnerabilities](https://reader033.fdocuments.in/reader033/viewer/2022042814/5549ab75b4c9050c708b57a5/html5/thumbnails/17.jpg)
What do you do with vulnerabilities?
```jsp
<% String eid = request.getParameter("eid"); %>
Employee ID: <%= ESAPI.encoder().encodeForHTMLAttribute(eid) %>
```
![Page 18: Secure development automatic identification and mitigation of application vulnerabilities](https://reader033.fdocuments.in/reader033/viewer/2022042814/5549ab75b4c9050c708b57a5/html5/thumbnails/18.jpg)
What about this one?
```java
String userName = ctx.getAuthenticatedUserName();
String itemName = request.getParameter("itemName");
String query = "SELECT * FROM items WHERE owner = '"
    + userName + "' AND itemname = '"
    + itemName + "'";
List items = sess.createSQLQuery(query).list();
```
![Page 19: Secure development automatic identification and mitigation of application vulnerabilities](https://reader033.fdocuments.in/reader033/viewer/2022042814/5549ab75b4c9050c708b57a5/html5/thumbnails/19.jpg)
What about this one?
```java
import org.owasp.esapi.ESAPI;
import org.owasp.esapi.codecs.MySQLCodec;

String userName = ctx.getAuthenticatedUserName();
String itemName = request.getParameter("itemName");
// ESAPI's encodeForSQL needs a codec for the target database (MySQL assumed here);
// the escaping must match the database's quoting rules.
MySQLCodec codec = new MySQLCodec(MySQLCodec.Mode.STANDARD);
String query = "SELECT * FROM items WHERE owner = '"
    + userName + "' AND itemname = '"
    + ESAPI.encoder().encodeForSQL(codec, itemName)
    + "'";
List items = sess.createSQLQuery(query).list();
```
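The two query slides (the concatenated version and the ESAPI-escaped one) are easiest to judge by running them against a real database. The example below, added here and not part of the slides, rebuilds the `items` lookup in Python over an in-memory SQLite table so it runs offline; the table contents and the function names `lookup_concatenated`, `lookup_escaped` and `lookup_parameterized` are constructed for the example. It shows the concatenated query leaking another owner's row, the escaping approach the slide uses, and the parameterized query that removes the problem entirely (in the slide's Java the equivalent is a JDBC `PreparedStatement` or Hibernate named parameters instead of `createSQLQuery` on a built string).

```python
"""The slide's item lookup three ways: concatenated, escaped, parameterized (added example)."""
import sqlite3


def make_db():
    """Constructed sample data: two owners, one item each."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (owner TEXT, itemname TEXT, secret TEXT)")
    conn.executemany("INSERT INTO items VALUES (?, ?, ?)", [
        ("alice", "laptop", "alice-secret"),
        ("bob", "phone", "bob-secret"),
    ])
    return conn


def lookup_concatenated(conn, user_name, item_name):
    """Mirrors the slide: item_name comes from the request and is concatenated in.
    The owner check is meant to restrict results to the caller's own rows."""
    query = ("SELECT owner, itemname, secret FROM items WHERE owner = '"
             + user_name + "' AND itemname = '" + item_name + "'")
    return conn.execute(query).fetchall()


def lookup_escaped(conn, user_name, item_name):
    """The ESAPI encodeForSQL idea: keep the string query, escape the quote
    character for this database's dialect. Works, but it is per-dialect and
    does nothing for values spliced into numeric or identifier positions."""
    safe_item = item_name.replace("'", "''")  # SQLite/ANSI quoting rule
    query = ("SELECT owner, itemname, secret FROM items WHERE owner = '"
             + user_name + "' AND itemname = '" + safe_item + "'")
    return conn.execute(query).fetchall()


def lookup_parameterized(conn, user_name, item_name):
    """The preferred fix: the query text is fixed, values travel separately,
    so no value can change the statement's structure."""
    query = ("SELECT owner, itemname, secret FROM items "
             "WHERE owner = ? AND itemname = ?")
    return conn.execute(query, (user_name, item_name)).fetchall()


if __name__ == "__main__":
    db = make_db()
    # Constructed input: a value that closes the string and adds an always-true clause.
    probe = "x' OR '1'='1"
    print("concatenated:", lookup_concatenated(db, "alice", probe))   # both rows leak
    print("escaped:     ", lookup_escaped(db, "alice", probe))        # []
    print("parameterized:", lookup_parameterized(db, "alice", probe)) # []
```

Note how the leak works through operator precedence: `AND` binds tighter than `OR`, so the authenticated `owner = 'alice'` check is silently bypassed and bob's row comes back. A regression test that asserts only the caller's rows are returned for such inputs is a cheap way to keep the fix from being undone later.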
![Page 20: Secure development automatic identification and mitigation of application vulnerabilities](https://reader033.fdocuments.in/reader033/viewer/2022042814/5549ab75b4c9050c708b57a5/html5/thumbnails/20.jpg)
![Page 21: Secure development automatic identification and mitigation of application vulnerabilities](https://reader033.fdocuments.in/reader033/viewer/2022042814/5549ab75b4c9050c708b57a5/html5/thumbnails/21.jpg)
AVM: it’s like autocorrect for your code
![Page 22: Secure development automatic identification and mitigation of application vulnerabilities](https://reader033.fdocuments.in/reader033/viewer/2022042814/5549ab75b4c9050c708b57a5/html5/thumbnails/22.jpg)
It’ll work in Eclipse/NetBeans soon… :x