Modernizing, Migrating & Mitigating - Moving to Modern Cloud & API Web Apps Webinar
About Security Innovation
• Authority in Software Security
• 18+ years research on software vulnerabilities
• Security testing methodology adopted by SAP, Symantec, Microsoft and McAfee
• Authors of 18 books
• Helping organizations minimize risk
• Assessment: Show me the gaps
• Education: Guide me to the right decisions
• Standards: Set goals and make it easy and natural
• Tech-enabled services for both breadth and depth
Simple!
Just think about…
Authentication
Authorization
Scale
DDoS
SQLi
Architecture
Data Storage
Data Transit
Passwords
Load balancing
CDNs
GDPR
Data Warehousing
Compliance
Cookie Policies
Intranet/Internet
User Education
Frameworks
Futureproofing
Browser compat
… and literally 100s of other things
Never mind! I’m leaving this piece of crap app as an installer from the 90’s
No, No, we will do this, together, securely.
We will make a plan and execute it!
Break it down
• Migrating to modern web technologies is analogous to building from scratch
• But you get great use, abuse, mis-use, and dis-use cases
• This gives you a great roadmap of what you want to build
• Don’t duplicate the old app, build something better
• Use good defaults, policies, wrappers, guidance to build securely and quickly
The tale of two cities apps
App #1 – Colin Powell
“Help! We have a great architect, but don’t know about security. We haven’t written a line of code, and need guidance on what to look out for.”
App #2 – Leeroy Jenkins!
“Help! We ship in three weeks! Everything’s done, but our CISO says we need a security audit before we launch. Can you push this through?”
My high-level roadmap
Minimizing the risk of a data breach
They can’t steal what you don’t have
• Minimizing the risk of a data breach starts with a commitment to privacy
• Set goals for data collection
• Gather only what data is necessary
• Create a clear and concise data classification policy
But what about Machine Learning?!
“If I collect all the data now, we’ll give it to the Data Scientists and they’ll give us insights”
More data == more risk
Data Classification Domains
Restricted
• Access – Only by limited individuals
• Consequences – Termination, possibly legal
• Example – Financial data, healthcare data
Highly Confidential
• Access – Individuals, groups, or senior management and above
• Consequences – Investigation, reprimand, or termination
• Example – Sensitive IP, client lists, billing details
Confidential
• Access – Relevant or related teams
• Consequences – HR reprimand
• Example – Any internal company information
Unrestricted
• Access – Public
• Consequences – N/A
• Example – Public information
There are no universally accepted data classification tiers; these are examples.
Make privacy a priority
• Privacy is a market differentiator
• Agree that user privacy is important
• Set goals for data collection
• Set a high bar for new trackers
• Gather only necessary data
Again, more data == more risk
Developing Secure Code
Make this as easy as possible, like falling into a “pit of success”
Training
• Identify good/bad patterns early
Assessment
• Verify
• Detect
Automation
• Infrastructure as Code
• Security as Code
Training
• Our goals in training are twofold
• Help the team develop a sense of what is right
• Give them the ability to identify what doesn’t feel right
• Security “Code Smells”
• Recurring coding patterns that are indicative of security weakness and can potentially lead to security breaches
Learning/Following → Doing/Practice → Leading/Teaching
Automation
The developers are taking over
• Security/Infrastructure as Code
• Ensures the same issue doesn’t get into production again
• Automate monotonous, problematic tasks
Write code → Code review → Check into repository → Perform unit and integration tests → Find issues in dev/test/production → Remediate issues in code
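Both the Training slide (security “code smells”) and the Automation slide (security as code, so the same issue doesn’t reach production twice) come together in a check that runs on every check-in. The following is an added example, not code from the webinar or from Security Innovation: a small static check that flags one code smell, JSON text assembled by string formatting or concatenation instead of a serializer, and returns a non-zero exit code for a CI pipeline. The heuristic, the function names and the sample source module are all this example’s own.

```python
"""Added example, not from the webinar deck: a small "security as code" check.

It scans Python source for one security code smell the webinar uses as its
running example: JSON text assembled by string formatting or concatenation
instead of a serializer. Run as a CI gate, it keeps that pattern from coming
back once it has been fixed. The heuristic, the function names and the sample
source below are all this example's own.
"""
import ast
import re
import sys

# Heuristic: the literal parts of the expression look like the start of a JSON
# object ('{' followed by a quoted key and a colon). Constructed for this example.
_JSON_SHAPE = re.compile(r'\{\s*"[^"]*"\s*:')


def _literal_parts(node):
    """Yield the constant string pieces of an f-string, '+' or '%' expression, or .format() call."""
    if isinstance(node, ast.JoinedStr):
        for part in node.values:
            if isinstance(part, ast.Constant) and isinstance(part.value, str):
                yield part.value
    elif isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Mod)):
        yield from _literal_parts(node.left)
        yield from _literal_parts(node.right)
    elif isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute) and node.func.attr == "format":
        yield from _literal_parts(node.func.value)
    elif isinstance(node, ast.Constant) and isinstance(node.value, str):
        yield node.value


class _SmellFinder(ast.NodeVisitor):
    """Records the outermost formatting expression whose literal pieces look like JSON."""

    def __init__(self, source):
        self.source = source
        self.findings = []

    def _flag_if_json(self, node):
        if _JSON_SHAPE.search("".join(_literal_parts(node))):
            self.findings.append((node.lineno, ast.get_source_segment(self.source, node)))
            return True  # do not descend: the nested pieces belong to the same smell
        return False

    def visit_JoinedStr(self, node):
        if not self._flag_if_json(node):
            self.generic_visit(node)

    def visit_BinOp(self, node):
        if not self._flag_if_json(node):
            self.generic_visit(node)

    def visit_Call(self, node):
        is_format = isinstance(node.func, ast.Attribute) and node.func.attr == "format"
        if not (is_format and self._flag_if_json(node)):
            self.generic_visit(node)


def find_handbuilt_json(source):
    """Return [(line_number, source_snippet)] for each hand-built JSON expression."""
    finder = _SmellFinder(source)
    finder.visit(ast.parse(source))
    return finder.findings


def ci_exit_code(source):
    """Non-zero when the smell is present, so the pipeline fails the check-in."""
    return 1 if find_handbuilt_json(source) else 0


# Constructed sample module: two smelly builders, one correct one, one harmless concat.
SAMPLE_SOURCE = '''
import json

def create_user_bad(name, password):
    # smell: JSON built by hand from attacker-controlled fields
    return '{"action": "create", "user": "' + name + '", "pass": "' + password + '"}'

def create_user_bad2(name, password):
    return f'{{"action": "create", "user": "{name}", "pass": "{password}"}}'

def create_user_good(name, password):
    return json.dumps({"action": "create", "user": name, "pass": password})

def greet(name):
    return "Hello, " + name
'''

if __name__ == "__main__":
    # Usage: python smell_check.py file.py ...; with no files, scans the sample module above.
    sources = [open(p, encoding="utf-8").read() for p in sys.argv[1:]] or [SAMPLE_SOURCE]
    for src in sources:
        for line, snippet in find_handbuilt_json(src):
            print(f"line {line}: hand-built JSON: {snippet}")
    sys.exit(max(ci_exit_code(s) for s in sources))
```

On the sample module the check reports lines 6 and 9 and leaves the `json.dumps` version and the plain greeting alone. The point of the slide is the feedback loop: once a finding like the slide’s JSON injection has been remediated, the check is what stops it from being re-introduced by the next developer who never saw the original report.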
Assessment & Detection
• Testing is the backstop of good training, design, and automation
• Detect when developers have bypassed security guidance
• Rollback
• Remediate
• Train
• Vulnerabilities in…
• Deployment/Infrastructure
• Code
• Architecture
• Process
Defaults
• Creating a system in which it is difficult to make mistakes is one of the best investments you can make
• Provide developers:
• Libraries that protect them
• Frameworks that include security controls
• Templating engines that minimize injection issues
• Defaults that follow best practices
• Wrappers for common libraries protect from mistakes
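What a “pit of success” default looks like in code, as an added example that is not from the webinar or from Security Innovation: a rendering wrapper where the easy call escapes everything and opting out requires a visible marker. The names (`Safe`, `render`, `render_naive`) and the sample inputs are this example’s own; it uses only the Python standard library.

```python
"""Added example, not from the webinar deck: a rendering wrapper that makes the
safe call the easy one.

render_naive() is the kind of helper that leaves escaping to every caller;
render() escapes every value by default and requires an explicit Safe() marker
to opt out, so forgetting something fails safe instead of failing open. The
names (Safe, render, render_naive) and the sample inputs are this example's own.
"""
from html import escape
from string import Template


class Safe(str):
    """Marks a string the developer has explicitly vouched for as HTML (the opt-out)."""


def render_naive(template, **values):
    """'Before': raw substitution, so an unescaped value is the default outcome."""
    return Template(template).substitute(values)


def render(template, **values):
    """'After': every value is HTML-escaped (quotes included) unless it is a Safe()."""
    escaped = {
        name: value if isinstance(value, Safe) else escape(str(value), quote=True)
        for name, value in values.items()
    }
    return Template(template).substitute(escaped)


PAGE = '<p>Hello, $name</p><a title="$title">profile</a>'

# Constructed untrusted input of the kind a user-chosen display name could carry.
UNTRUSTED_NAME = "<script>alert(1)</script>"
UNTRUSTED_TITLE = '" onmouseover="alert(2)'


def compare():
    """Render the same page both ways so the difference is visible."""
    return {
        "naive": render_naive(PAGE, name=UNTRUSTED_NAME, title=UNTRUSTED_TITLE),
        "default_safe": render(PAGE, name=UNTRUSTED_NAME, title=UNTRUSTED_TITLE),
        # Opting out is deliberate and easy to grep for in code review.
        "opt_out": render("<div>$body</div>", body=Safe("<b>trusted markup</b>")),
    }


if __name__ == "__main__":
    for label, html in compare().items():
        print(f"{label}: {html}")
```

The wrapper covers the HTML body and quoted attribute contexts that `html.escape` is defined for; values placed into JavaScript or URL contexts need their own context-specific encoder, which is exactly the kind of decision the framework, not the individual developer, should make.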
Where are we and what do we look out for?
Now we have this?!
How did we get here?
We want to sell stuff!
• These literally hooked something like Perl to a web interface
• Maybe you got a database or some flat text files
• Security was unknown
We can do so much more
• Exceptionally dynamic: location aware, data from multiple sources, advertising, user tracking, SSO and more
• Much greater code reuse: libraries and frameworks, templates
• More clients connect to the same API: web, iOS/Android, desktop
(Diagram: a single API serving iOS, Android, web and desktop clients plus integrations)
API-based issues
• JSON/XML injection
• Authorization attacks
• IDOR – Insecure Direct Object Reference
• Exposing sensitive data / client-side data filtering
Just because you can’t see it, doesn’t mean it’s protected
Authorization Attacks: IDOR – Insecure Direct Object Reference
Authorization Attacks: Exposing Sensitive Data & Client-Side Data Filtering
JSON/XML Injection and Manipulation
• Inject data, manipulate logic, or execute code
• User: JoeBasirico
{
"action":"create",
"user":"JoeBasirico",
"pass":"$3cre7"
}
Creates a user named JoeBasirico
JSON/XML Injection and Manipulation
• Inject data, manipulate logic, or execute code
• User: JoeBasirico", "account":"administrator
{
"action":"create",
"user":"JoeBasirico", "account":"administrator",
"pass":"$3cre7"
}
Creates an Administrator named JoeBasirico
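The two slides above, reproduced in code with the fix, as an added example that is not from the webinar or from Security Innovation. `build_request_unsafe` pastes the user value between quotes and so reproduces the administrator result; `build_request_safe` serializes with `json.dumps`, and `parse_create_request` rejects unexpected keys and assigns the account type on the server. The function names are this example’s own; the payloads mirror the slides.

```python
"""Added example, not from the webinar deck: the slides' JSON injection
reproduced in code, next to the fix.

build_request_unsafe() assembles the body with string formatting, so the
user value from the second slide smuggles in an "account" key.
build_request_safe() serializes with json.dumps, which escapes the quotes,
and parse_create_request() rejects bodies with keys it does not expect and
assigns the account type on the server rather than trusting the client.
Function names are the example's own; the payloads mirror the slides.
"""
import json

ALLOWED_KEYS = {"action", "user", "pass"}

# The two user values from the slides: benign, and carrying a quote and an extra key.
BENIGN_USER = "JoeBasirico"
INJECTED_USER = 'JoeBasirico", "account":"administrator'


def build_request_unsafe(user, password):
    """'Before': the value is pasted between quotes, so quotes in it change the structure."""
    return '{"action":"create","user":"%s","pass":"%s"}' % (user, password)


def build_request_safe(user, password):
    """'After': the serializer escapes quotes, so the value stays a single string."""
    return json.dumps({"action": "create", "user": user, "pass": password})


def parse_create_request(body):
    """Server side: strict key allow-list, and privilege decided here, never from the body."""
    data = json.loads(body)  # note: json.loads keeps the last value for a duplicated key
    unexpected = set(data) - ALLOWED_KEYS
    if unexpected:
        raise ValueError(f"unexpected keys: {sorted(unexpected)}")
    return {"action": data["action"], "user": data["user"], "pass": data["pass"],
            "account": "standard"}  # server-assigned, regardless of what the body says


def account_type_from_unsafe_body(user, password):
    """What a naive server reads back from the unsafe builder's output."""
    return json.loads(build_request_unsafe(user, password)).get("account", "standard")


def parsed_safe_body(user, password):
    """What the safe builder's output parses back to."""
    return json.loads(build_request_safe(user, password))


def is_rejected(body):
    """True when the hardened parser refuses the body."""
    try:
        parse_create_request(body)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("unsafe + injected user ->", build_request_unsafe(INJECTED_USER, "$3cre7"))
    print("  account seen by server:", account_type_from_unsafe_body(INJECTED_USER, "$3cre7"))
    print("safe + injected user   ->", build_request_safe(INJECTED_USER, "$3cre7"))
    print("  keys seen by server:", sorted(parsed_safe_body(INJECTED_USER, "$3cre7")))
    print("hardened parser rejects unsafe body:", is_rejected(build_request_unsafe(INJECTED_USER, "$3cre7")))
```

The serializer fixes the client side and the allow-list fixes the server side; either alone helps, but the durable control is the last line of `parse_create_request`: privilege is never a field the request gets to set.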
Don’t expose your data store
https://blog.shodan.io/its-the-data-stupid/
Always Force TLS
• It’s 2020; TLS is free, easy and fast. There is no reason not to.
• Redirect to TLS v1.2 or greater by default.
• Do not serve data over plain HTTP or SSL.
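The three bullets above in code, as an added example that is not from the webinar or from Security Innovation: a Python `ssl.SSLContext` whose minimum version is TLS 1.2 (so SSLv3, TLS 1.0 and TLS 1.1 are refused), a plain-HTTP listener that only ever answers with a permanent redirect to the canonical HTTPS host, and the HSTS header for the HTTPS side. The hostname, port, paths and certificate file names are placeholders.

```python
"""Added example, not from the webinar deck: forcing TLS 1.2+ in a Python
HTTPS listener and redirecting plaintext requests to it.

server_tls_context() builds an ssl.SSLContext whose minimum version is TLS 1.2,
so SSLv3, TLS 1.0 and TLS 1.1 are refused. https_redirect() computes the
permanent redirect for a request that arrived on the plain-HTTP port, always
to the canonical host rather than whatever Host header the client sent.
The hostname, paths and certificate file names are placeholders.
"""
import ssl
from http.server import BaseHTTPRequestHandler, HTTPServer

CANONICAL_HOST = "app.example.test"  # placeholder
HSTS = "max-age=31536000; includeSubDomains"  # sent on HTTPS responses only


def server_tls_context():
    """TLS 1.2 or greater only; certificate loading is left to the deployment."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # ctx.load_cert_chain("fullchain.pem", "privkey.pem")  # placeholder paths
    return ctx


def minimum_version_name(ctx=None):
    """Name of the lowest protocol the context will negotiate (for checks and tests)."""
    return (ctx or server_tls_context()).minimum_version.name


def https_redirect(path, canonical_host=CANONICAL_HOST):
    """Status and headers for answering an http:// request: 301 to the same path over https."""
    if not path.startswith("/"):
        path = "/"  # refuse to build a redirect from a malformed request target
    return 301, {"Location": f"https://{canonical_host}{path}", "Content-Length": "0"}


class RedirectToHTTPS(BaseHTTPRequestHandler):
    """Handler for the port-80 listener: every method gets the same redirect and no content."""

    def do_GET(self):
        status, headers = https_redirect(self.path)
        self.send_response(status)
        for name, value in headers.items():
            self.send_header(name, value)
        self.end_headers()

    do_HEAD = do_POST = do_PUT = do_DELETE = do_GET


def secure_response_headers():
    """Headers to add on every HTTPS response so browsers stop trying http:// at all."""
    return {"Strict-Transport-Security": HSTS}


if __name__ == "__main__":
    # Plain-HTTP listener that only redirects; the application listens with server_tls_context().
    HTTPServer(("0.0.0.0", 8080), RedirectToHTTPS).serve_forever()
```

Redirecting to a fixed canonical host rather than echoing the request’s Host header is deliberate: an attacker-chosen Host would otherwise turn the redirect into an open redirect. HSTS belongs on the HTTPS responses, not the redirect, since browsers ignore it over plain HTTP.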
APIs and Modern WebApps are powerful!
• They can’t steal what you don’t collect
• Make an early commitment to security and privacy
• Let that drive your decision making from here on out
• Create secure defaults, libraries, wrappers and guidance for your
developers.
• Make it difficult to make bad decisions
• Make it easy to fall into a pit of success
• Use automation to “learn” from your mistakes
• Detect when controls are bypassed, use it as a learning opportunity
SI Community - https://community.securityinnovation.com/
Questions? Thoughts?
jbasirico@securityinnovation.com
linkedin.com/in/joebasirico
twitter.com/joespikey
Joe Basirico
Security Innovation
SVP Engineering

Editor's Notes

#3: Speaking of SI, I’d be remiss if I didn’t talk a little bit about us and what we do. Security Innovation is a company dedicated to helping our customers with hard application and data security problems. We’ve spent years researching security vulnerabilities: why they occur, what they look like in production code, and how to find and fix them. We have experience working with some of the largest companies in a variety of industries, from software companies such as Microsoft to e-commerce companies such as Amazon, financial companies and many more. We offer solutions for all phases of the SDLC, including instructor-led training, computer-based eLearning courses, on-site consulting and security assessments, as well as technology to help secure sensitive data over the network or at rest. Over the years we’ve analyzed more than 10,000 vulnerabilities, both in the course of research studies and through the assessments of software for our customers. We got our start as a security testing company, grew to a products and services company that focused on breaking systems (code review, pen test, etc.) and then helping fix the problems through secure design and implementation. We acquired NTRU in 2009 to expand our data protection services, focused on data in transit as well as data at rest, with best-in-class, high-performance cryptography.
#31: Colin Powell, a great general and architect, does the work necessary to understand the threat landscape before jumping in.
#38: Assessment verifies what you’ve built. Automation improves reliability: Infrastructure and Security as Code.
#41: You don’t expect the ball to hit the backstop every time. Similarly, most issues should be caught much, much earlier. However, this remains a critical part of a mature security process.
#44: Remember when our architecture looked like this?
#45: Then we got complicated and added an application and a database.
#46: Did somebody say security?
#47: Now we have this?!
#49: XSS in BarnesandNoble.com
#50: We came from https://web.archive.org/web/20031117100331/https://www.sisecure.com/ to https://yelp.com
#51: https://spanning.com/blog/insecure-direct-object-reference-web-based-application-security-part-6/
#52: https://52-53-234-118-letsee.vulnerablesites.net/account/1
#55: https://md5.gromweb.com/ Register. View somebody else's account. Add an "email" field to the JSON request body with a new email address. Change the "mac" param to the MD5 hash of "userX", where X is the ID of the user being edited. Forward the request. 03aa1a0b0375b0461c1b8f35b234e67a
#56: Quick Shodan demo