KEMBAR78
App sec - code insecurity basics | PPTX
Christopher Hamm, profile picture
Uploaded byChristopher Hamm
PPTX, PDF397 views

App sec - code insecurity basics

This document summarizes an app security workshop presented by Chris Hamm. The workshop covers basics of information security including availability, integrity, and confidentiality. It discusses threat modeling and common security threats like DDoS attacks and injections. The workshop also examines insecure coding practices like injectable code and spoofing vulnerabilities. It provides examples of these issues and defenses to code securely, such as input validation and session management. Attendees are encouraged to consider how to code with security in mind rather than coding insecurely.

Download to read offline
App Sec Workshop by Chris Hamm
Background Name: Chris Hamm Life before CNET » Was in 151st/387th Infantry and MP unit for Army National Guard – Training in intelligence gathering and physical security. » Research and development for University of Louisville ITRC working on communication package for Public Safety funded by DHS. Familiarized with DoD/NSA/FBI security measures, standards, and equipment. Now » General interest in infoSec » Member of 502Sec group
Agenda » Basics in Security » Why you should you be worried? - Threat modeling » Code in security - examples of » Tools? » Questions
Basics in Info Security - All Info security revolves around managing 3 things » Availability – Can you get to your sh*t? » Integrity – Can you believe what you see? » Confidentiality – Anything we don’t want others knowing about The denial or disruption of any of these items and an attacker was basically successful. So what happens is there must be a ranking of how much of an impact something has in order to prioritize it.
Basics in Info Security - It is all about risk management » Vulnerability * Probability * Impact = RISK » How do you gather this information to determine RISK? » Answer = Threat Modeling » Understanding the threats will help you see how important security and how you might mitigate(*control) the risk of said threat.
Threat Modeling - Starting point » Threat statement » $ACTOR » does $ACTION » to $ASSET » resulting in $OUTCOME » because of $MOTIVATION
Threat Modeling - $ACTOR » NATION State » Organized Crime » Insiders » Hackavist - LulzSec » Script Kiddie » Competing Sites and bloggers » ..... {Exercise: Insert Here}.....
Threat Modeling - $ACTION » DDoS » Injections – OS level – SQL » XSS » ..... {Exercise: Insert Here}.....
Threat Modeling - $ASSET » Content » Subscription Service » User log in » NGINX » Varnish » Mongo » ..... {Exercise: Insert Here}.....
Threat Modeling - $OUTCOME » Release of code » Spoofing as us » Tampering with existing content » Gain foothold to Pivot » ..... {Exercise: Insert Here}.....
Threat Modeling - $MOTIVATION » Make money » Gain notability » ..... {Exercise: Insert Here}.....
Code in security - INSECURE Framework » Injectable » Spoofable » Errors and Exceptions (un/ms- handled) » Unsafe/Unused functions/Routines » Reversible » Elevated Privileges
Code in security - Injectable » Inadequate or improperly input validation/sanitization » Input (data) can be executed » Dynamic query construction using user input » Examples: – OS level executable code – SQL/DB injection
Code in security - Spoofable » Allows Identity Impersonation » Credentials – Weak – Hard coded – Cached » Predictable Session Identifiers – Hacking and Replay
Code in security - Errors and Exceptions (un/ms- handled) » Verbose Error Messages » Unhandled Exception (No catch at all) » Throwing stack trace » Fail open - (*you allow authentication anyway)
Code in security - Unsafe/Unused functions/Routines » Banned/Insecure APIs » Unknown APIs and Interfaces » Vestigial functions (*CMD - C/X, CMD - P) » Easter Eggs
Code in security - Reversible » Unobfuscated » Textual information » Symbolic Information
Code in security - Elevated Privileges » Carry out functions or access items that should only be allowed by administrator. » Runs privileged operations without authorization checks
Code in security - Defenses » Injection defense – Input validation/ Sanitization – Parameterization of Queries – Don’t allow to exec » Spoofing defense – Avoid impersonation context code – Do not hardcode credentials – Session management - Non guessable/ non predictable session ids. » Errors & Exception mis/un - handling defense – Simple to the point error messages without unsafe info – Catch-all exception handle – Redirect to unified error handling place
Code in security - Defenses Cont » Unsafe/Unused Functions defense – Replace banned API with safer one – Delete unused functions/procedures – Delete Dangling Code (don’t just comment out) – Easter Egg Hunt » Reversible Code defense – Obfuscate – Application hardening - Remove textual and sym information » Elevated Privileges defense – Check authorization before allowing privilege ops – Non-admin accounts used for code execution – Test code in simulated environments
Code in security - Conclusion » By knowing how to Code insecurity can impact us we can can look at Coding in Security. » Are you going to – Code Insecurely (or) – Code In Security
References » Common Weakness Enumeration – http://cwe.mitre.org/index.html » How to write insecure code - Source OWASP – https://www.owasp.org/index.php/How_to_write_insecure_code » Code Insecurity or Code in Security by Mano dash4rk Paul - DerbyCon 4.0 – https://www.youtube.com/watch?v=fu4_7sJv-ro& index=96&list=PLNhlcxQZJSm8o9c_2_iDDTV6tCPdMp5dg » Threat Modeling for Realz by Bruce Potter - DerbyCon 4.0 – https://www.youtube.com/watch?v=WKgD305OFAQ&index=101&list=PLNhlcxQZJ Sm8o9c_2_iDDTV6tCPdMp5dg
Questions??

More Related Content

PDF
Threat Detection using Analytics & Machine Learning
byPriyanka Aash
 
PDF
OWASP Secure Coding Practices - Quick Reference Guide
byLudovic Petit
 
ODP
Break it while you make it: writing (more) secure software
byLeigh Honeywell
 
PPTX
Application Security - Myth or Fact Slides
bydfgrumpy
 
PPTX
Secure coding guidelines
bySathyanarayana Panduranga
 
PPTX
AlienVault Brute Force Attacks- Keeping the Bots at Bay with AlienVault USM +...
byAlienVault
 
PPT
The Principles of Secure Development - David Rook
bySecurity B-Sides
 
PDF
OWASP Top 10 A4 – Insecure Direct Object Reference
byNarudom Roongsiriwong, CISSP
 
Threat Detection using Analytics & Machine Learning
byPriyanka Aash
 
OWASP Secure Coding Practices - Quick Reference Guide
byLudovic Petit
 
Break it while you make it: writing (more) secure software
byLeigh Honeywell
 
Application Security - Myth or Fact Slides
bydfgrumpy
 
Secure coding guidelines
bySathyanarayana Panduranga
 
AlienVault Brute Force Attacks- Keeping the Bots at Bay with AlienVault USM +...
byAlienVault
 
The Principles of Secure Development - David Rook
bySecurity B-Sides
 
OWASP Top 10 A4 – Insecure Direct Object Reference
byNarudom Roongsiriwong, CISSP
 

What's hot

PPTX
Secure coding practices
byMohammed Danish Amber
 
PDF
Secure development in .NET with EPiServer Solita
byJoona Immonen
 
PPTX
The impact of sqli (sql injection)
bySqa Enthusiast
 
PDF
A5-Security misconfiguration-OWASP 2013
bySorina Chirilă
 
PPT
PHP Security Basics
byJohn Coggeshall
 
PPTX
Career In Information security
byAnant Shrivastava
 
PPTX
NTXISSACSC2 - Next-Generation Security and the Problem of Exploitation by Mat...
byNorth Texas Chapter of the ISSA
 
PDF
Reducing cyber risks in the era of digital transformation
bySergey Soldatov
 
PPT
Web Application Security Testing
byMarco Morana
 
PDF
Secure code
byddeogun
 
PDF
Finacle - Secure Coding Practices
byInfosys Finacle
 
PPTX
A5: Security Misconfiguration
byTariq Islam
 
PPT
Survey Presentation About Application Security
byNicholas Davis
 
PDF
Secure Coding for Java - An Introduction
bySebastien Gioria
 
PPTX
Secure coding practices
byScott Hurrey
 
ODP
Introduction to OWASP & Web Application Security
byOWASPKerala
 
PDF
OWASP Top Ten in Practice
bySecurity Innovation
 
PPTX
NTXISSACSC2 - Threat Modeling Part 1 - Overview by Brad Andrews
byNorth Texas Chapter of the ISSA
 
PDF
Developing a Threat Modeling Mindset
byRobert Hurlbut
 
PDF
Web Development Security
byRafael Monteiro
 
Secure coding practices
byMohammed Danish Amber
 
Secure development in .NET with EPiServer Solita
byJoona Immonen
 
The impact of sqli (sql injection)
bySqa Enthusiast
 
A5-Security misconfiguration-OWASP 2013
bySorina Chirilă
 
PHP Security Basics
byJohn Coggeshall
 
Career In Information security
byAnant Shrivastava
 
NTXISSACSC2 - Next-Generation Security and the Problem of Exploitation by Mat...
byNorth Texas Chapter of the ISSA
 
Reducing cyber risks in the era of digital transformation
bySergey Soldatov
 
Web Application Security Testing
byMarco Morana
 
Secure code
byddeogun
 
Finacle - Secure Coding Practices
byInfosys Finacle
 
A5: Security Misconfiguration
byTariq Islam
 
Survey Presentation About Application Security
byNicholas Davis
 
Secure Coding for Java - An Introduction
bySebastien Gioria
 
Secure coding practices
byScott Hurrey
 
Introduction to OWASP & Web Application Security
byOWASPKerala
 
OWASP Top Ten in Practice
bySecurity Innovation
 
NTXISSACSC2 - Threat Modeling Part 1 - Overview by Brad Andrews
byNorth Texas Chapter of the ISSA
 
Developing a Threat Modeling Mindset
byRobert Hurlbut
 
Web Development Security
byRafael Monteiro
 

Similar to App sec - code insecurity basics

PPTX
How to Develop a Secure Web Application and Stay in Mind? (PHDays 3)
byVladimir Kochetkov
 
PPTX
chap-1 : Vulnerabilities in Information Systems
byKashfUlHuda1
 
PPTX
Week Topic Code Access vs Event Based.pptx
byArjayBalberan1
 
PPT
InfoSecConcepts.ppt
byMobileAntitheft
 
PDF
How to Destroy a Database
byJohn Ashmead
 
PPTX
OWASP_Training.pptx
byPradip Bhattarai
 
PDF
Application Threat Modeling In Risk Management
byMel Drews
 
PPTX
Web Security Overview
byNoah Jaehnert
 
PPT
Intro to-ssdl--lone-star-php-2013
bynanderoo
 
PPTX
Application Security: What do we need to know?
byJose L. Quiñones-Borrero
 
PPT
Essentials Of Security
byxsy
 
PPT
Information security introduction
byPrachi Gulihar
 
PPTX
Built-in Security Mindfulness for Software Developers
byPhú Phùng
 
PPTX
Threat Modeling - Locking the Door to Vulnerabilities
bySecurity Innovation
 
PDF
Health Information Privacy and Security
byNawanan Theera-Ampornpunt
 
PPT
software-security-intro-220901084730-8ed673b9.ppt
byAssadLeo1
 
PDF
Justifying IT Security: Managing Risk
byjudythornell
 
PPTX
Modernizing, Migrating & Mitigating - Moving to Modern Cloud & API Web Apps W...
bySecurity Innovation
 
PDF
Course Slides for CS_6035_01_Security Mindset (1)
byleoyang0406
 
PPT
PBL PROJECT - B2- (54,56,50,40) (2) (1).ppt
byItzsonya
 
How to Develop a Secure Web Application and Stay in Mind? (PHDays 3)
byVladimir Kochetkov
 
chap-1 : Vulnerabilities in Information Systems
byKashfUlHuda1
 
Week Topic Code Access vs Event Based.pptx
byArjayBalberan1
 
InfoSecConcepts.ppt
byMobileAntitheft
 
How to Destroy a Database
byJohn Ashmead
 
OWASP_Training.pptx
byPradip Bhattarai
 
Application Threat Modeling In Risk Management
byMel Drews
 
Web Security Overview
byNoah Jaehnert
 
Intro to-ssdl--lone-star-php-2013
bynanderoo
 
Application Security: What do we need to know?
byJose L. Quiñones-Borrero
 
Essentials Of Security
byxsy
 
Information security introduction
byPrachi Gulihar
 
Built-in Security Mindfulness for Software Developers
byPhú Phùng
 
Threat Modeling - Locking the Door to Vulnerabilities
bySecurity Innovation
 
Health Information Privacy and Security
byNawanan Theera-Ampornpunt
 
software-security-intro-220901084730-8ed673b9.ppt
byAssadLeo1
 
Justifying IT Security: Managing Risk
byjudythornell
 
Modernizing, Migrating & Mitigating - Moving to Modern Cloud & API Web Apps W...
bySecurity Innovation
 
Course Slides for CS_6035_01_Security Mindset (1)
byleoyang0406
 
PBL PROJECT - B2- (54,56,50,40) (2) (1).ppt
byItzsonya
 

Recently uploaded

PPTX
Moving Plone Blob Storage to S3 Object Storage - Plone Conference 2025
byAlin Voinea
 
PDF
Shift Left for Inclusion: Scalable Accessibility Testing with Cypress - Cypre...
byLudovico Besana
 
PDF
Metrics, logs, traces, and mayhem_ introducing an observability adventure gam...
byImma Valls Bernaus
 
PDF
Austin Marketo User Group: Ground Control 2 MOPS: AI-Ignite your Map
bybbedford2
 
PDF
OpenChain Global Update @ Open Source Tech Day 2025
byShane Coughlan
 
PDF
VADY Data Analytics Solutions – Effortless AI-Powered Decision-Making for Eve...
byNewFangledVision
 
PDF
VADY Smart Data Flow – Automated Data Insights for Scalable Enterprise Decisions
byNewFangledVision
 
PDF
VADY Business Intelligence – Conversational AI Analytics for Every Team Witho...
byNewFangledVision
 
PDF
Driving Stress Detection Using Multimodal CNN with Nonlinear Representation o...
byPranjal Kumar
 
PPTX
Validation testing in software engineering
bytanzeelamohsin01
 
PPTX
Declarative Process Mining with MINERful, Reloaded
byCecilia Iacometta
 
PPTX
AI-Powered Intelligent Agents for Fraud Detection
byleolucus1995
 
PDF
The 50+ First-Timer: My OpenTelemetry Contribution and How Your CNCF Journey...
byImma Valls Bernaus
 
PDF
ASTC Conference 2025 - Bridging the Gap!
byGareth Oakes
 
PPT
Lexical and Syntax Analysis top down parsers
bymjmansoori54
 
PDF
Ensuring Regulatory Excellence with Insurance Compliance Software
byInsurance Tech Services
 
PDF
Practical Performance Tuning for Serverless Java on AWS- InfoQ Dev Summit
byVadym Kazulkin
 
PPTX
Oracle_AWS_Azure_GCP_Comparison_ModernTech.pptx
byVITS184D1
 
PDF
The Hidden Cost of Complicated PMO Tools - Using Gartner’s Guidance and OnePl...
byOnePlan Solutions
 
PPTX
How John started to like TDD (instead of hating it) (Testcon, October'25)
byNacho Cougil
 
Moving Plone Blob Storage to S3 Object Storage - Plone Conference 2025
byAlin Voinea
 
Shift Left for Inclusion: Scalable Accessibility Testing with Cypress - Cypre...
byLudovico Besana
 
Metrics, logs, traces, and mayhem_ introducing an observability adventure gam...
byImma Valls Bernaus
 
Austin Marketo User Group: Ground Control 2 MOPS: AI-Ignite your Map
bybbedford2
 
OpenChain Global Update @ Open Source Tech Day 2025
byShane Coughlan
 
VADY Data Analytics Solutions – Effortless AI-Powered Decision-Making for Eve...
byNewFangledVision
 
VADY Smart Data Flow – Automated Data Insights for Scalable Enterprise Decisions
byNewFangledVision
 
VADY Business Intelligence – Conversational AI Analytics for Every Team Witho...
byNewFangledVision
 
Driving Stress Detection Using Multimodal CNN with Nonlinear Representation o...
byPranjal Kumar
 
Validation testing in software engineering
bytanzeelamohsin01
 
Declarative Process Mining with MINERful, Reloaded
byCecilia Iacometta
 
AI-Powered Intelligent Agents for Fraud Detection
byleolucus1995
 
The 50+ First-Timer: My OpenTelemetry Contribution and How Your CNCF Journey...
byImma Valls Bernaus
 
ASTC Conference 2025 - Bridging the Gap!
byGareth Oakes
 
Lexical and Syntax Analysis top down parsers
bymjmansoori54
 
Ensuring Regulatory Excellence with Insurance Compliance Software
byInsurance Tech Services
 
Practical Performance Tuning for Serverless Java on AWS- InfoQ Dev Summit
byVadym Kazulkin
 
Oracle_AWS_Azure_GCP_Comparison_ModernTech.pptx
byVITS184D1
 
The Hidden Cost of Complicated PMO Tools - Using Gartner’s Guidance and OnePl...
byOnePlan Solutions
 
How John started to like TDD (instead of hating it) (Testcon, October'25)
byNacho Cougil
 

App sec - code insecurity basics

  • 1.
    App Sec Workshop by Chris Hamm
  • 2.
    Background Name: ChrisHamm Life before CNET » Was in 151st/387th Infantry and MP unit for Army National Guard – Training in intelligence gathering and physical security. » Research and development for University of Louisville ITRC working on communication package for Public Safety funded by DHS. Familiarized with DoD/NSA/FBI security measures, standards, and equipment. Now » General interest in infoSec » Member of 502Sec group
  • 3.
    Agenda » Basicsin Security » Why you should you be worried? - Threat modeling » Code in security - examples of » Tools? » Questions
  • 4.
    Basics in InfoSecurity - All Info security revolves around managing 3 things » Availability – Can you get to your sh*t? » Integrity – Can you believe what you see? » Confidentiality – Anything we don’t want others knowing about The denial or disruption of any of these items and an attacker was basically successful. So what happens is there must be a ranking of how much of an impact something has in order to prioritize it.
  • 5.
    Basics in InfoSecurity - It is all about risk management » Vulnerability * Probability * Impact = RISK » How do you gather this information to determine RISK? » Answer = Threat Modeling » Understanding the threats will help you see how important security and how you might mitigate(*control) the risk of said threat.
  • 6.
    Threat Modeling -Starting point » Threat statement » $ACTOR » does $ACTION » to $ASSET » resulting in $OUTCOME » because of $MOTIVATION
  • 7.
    Threat Modeling -$ACTOR » NATION State » Organized Crime » Insiders » Hackavist - LulzSec » Script Kiddie » Competing Sites and bloggers » ..... {Exercise: Insert Here}.....
  • 8.
    Threat Modeling -$ACTION » DDoS » Injections – OS level – SQL » XSS » ..... {Exercise: Insert Here}.....
  • 9.
    Threat Modeling -$ASSET » Content » Subscription Service » User log in » NGINX » Varnish » Mongo » ..... {Exercise: Insert Here}.....
  • 10.
    Threat Modeling -$OUTCOME » Release of code » Spoofing as us » Tampering with existing content » Gain foothold to Pivot » ..... {Exercise: Insert Here}.....
  • 11.
    Threat Modeling -$MOTIVATION » Make money » Gain notability » ..... {Exercise: Insert Here}.....
  • 12.
    Code in security- INSECURE Framework » Injectable » Spoofable » Errors and Exceptions (un/ms- handled) » Unsafe/Unused functions/Routines » Reversible » Elevated Privileges
  • 13.
    Code in security- Injectable » Inadequate or improperly input validation/sanitization » Input (data) can be executed » Dynamic query construction using user input » Examples: – OS level executable code – SQL/DB injection
  • 14.
    Code in security- Spoofable » Allows Identity Impersonation » Credentials – Weak – Hard coded – Cached » Predictable Session Identifiers – Hacking and Replay
  • 15.
    Code in security- Errors and Exceptions (un/ms- handled) » Verbose Error Messages » Unhandled Exception (No catch at all) » Throwing stack trace » Fail open - (*you allow authentication anyway)
  • 16.
    Code in security- Unsafe/Unused functions/Routines » Banned/Insecure APIs » Unknown APIs and Interfaces » Vestigial functions (*CMD - C/X, CMD - P) » Easter Eggs
  • 17.
    Code in security- Reversible » Unobfuscated » Textual information » Symbolic Information
  • 18.
    Code in security- Elevated Privileges » Carry out functions or access items that should only be allowed by administrator. » Runs privileged operations without authorization checks
  • 19.
    Code in security- Defenses » Injection defense – Input validation/ Sanitization – Parameterization of Queries – Don’t allow to exec » Spoofing defense – Avoid impersonation context code – Do not hardcode credentials – Session management - Non guessable/ non predictable session ids. » Errors & Exception mis/un - handling defense – Simple to the point error messages without unsafe info – Catch-all exception handle – Redirect to unified error handling place
  • 20.
    Code in security- Defenses Cont » Unsafe/Unused Functions defense – Replace banned API with safer one – Delete unused functions/procedures – Delete Dangling Code (don’t just comment out) – Easter Egg Hunt » Reversible Code defense – Obfuscate – Application hardening - Remove textual and sym information » Elevated Privileges defense – Check authorization before allowing privilege ops – Non-admin accounts used for code execution – Test code in simulated environments
  • 21.
    Code in security- Conclusion » By knowing how to Code insecurity can impact us we can can look at Coding in Security. » Are you going to – Code Insecurely (or) – Code In Security
  • 22.
    References » CommonWeakness Enumeration – http://cwe.mitre.org/index.html » How to write insecure code - Source OWASP – https://www.owasp.org/index.php/How_to_write_insecure_code » Code Insecurity or Code in Security by Mano dash4rk Paul - DerbyCon 4.0 – https://www.youtube.com/watch?v=fu4_7sJv-ro& index=96&list=PLNhlcxQZJSm8o9c_2_iDDTV6tCPdMp5dg » Threat Modeling for Realz by Bruce Potter - DerbyCon 4.0 – https://www.youtube.com/watch?v=WKgD305OFAQ&index=101&list=PLNhlcxQZJ Sm8o9c_2_iDDTV6tCPdMp5dg
  • 23.