  1. Subtle Security flaws: Why you must follow the basic principles of software security. Varun Sharma Application Consulting and Engineering (ACE) Team, Microsoft India

  2. Agenda • Flaw – 1 Custom Authentication • Flaw – 2 Lack of Rule-based Authorization • Flaw – 3 Black list input validation • Flaw – 4 Improper use of Crypto • Flaw – 5 App layer DoS attack

  3. Flaw – 1 Custom Authentication • Site implements custom forms authentication • Buggy code • Demo

  4. Flaw – 1 Custom Authentication • Principles:- • Use well-known, time-tested, system-provided methods for authentication. • Avoid writing custom authentication code.
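The slides do not say what the buggy custom code was, so the following is an added illustration of the principle, not the talk's demo: a hand-rolled credential check beside one built only from system-provided primitives (`hashlib.pbkdf2_hmac`, `hmac.compare_digest`). The user name, password, word list and in-memory stores are constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed in-memory credential stores for the two variants (not from the talk).
CUSTOM_STORE = {}
SYSTEM_STORE = {}

# Work factor for PBKDF2; kept moderate so the example runs quickly.
PBKDF2_ITERATIONS = 100_000


def custom_register(user, password):
    """Hand-rolled variant: a single unsalted, fast hash of the password."""
    CUSTOM_STORE[user] = hashlib.md5(password.encode()).hexdigest()


def custom_login(user, password):
    stored = CUSTOM_STORE.get(user)
    if stored is None:
        return False
    # == stops at the first differing byte, so the time taken depends on how
    # much of the stored hash the guess shares with it.
    return stored == hashlib.md5(password.encode()).hexdigest()


def system_register(user, password):
    """System-provided primitives: random salt, PBKDF2-HMAC-SHA256 with a work factor."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    SYSTEM_STORE[user] = (salt, PBKDF2_ITERATIONS, digest)


def system_login(user, password):
    record = SYSTEM_STORE.get(user)
    if record is None:
        # Do the same amount of work for an unknown user, so that user names
        # cannot be enumerated from the response time.
        hashlib.pbkdf2_hmac("sha256", password.encode(), b"\x00" * 16, PBKDF2_ITERATIONS)
        return False
    salt, iterations, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    # Constant-time comparison from the standard library.
    return hmac.compare_digest(candidate, digest)


def offline_crack(md5_hex, wordlist):
    """What an attacker does with a leaked CUSTOM_STORE: one cheap hash per guess,
    and with no salt the same guesses are reused against every user at once."""
    for guess in wordlist:
        if hashlib.md5(guess.encode()).hexdigest() == md5_hex:
            return guess
    return None


if __name__ == "__main__":
    custom_register("alice", "Summer2009")
    system_register("alice", "Summer2009")
    print("custom login:", custom_login("alice", "Summer2009"))
    print("system login:", system_login("alice", "Summer2009"))
    print("cracked from leaked custom store:",
          offline_crack(CUSTOM_STORE["alice"], ["password", "Summer2009"]))
```

Both variants accept the right password; the difference only shows when the store leaks or when an attacker measures response times, which is exactly why the slides say to reuse the tested mechanism rather than to write one.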

  5. Flaw – 2 Authorization • Authorization implemented by disabling UI • Rule based authorization not considered • Demo

  6. Flaw – 2 Authorization • Principles:- • Do not rely on the UI for authorization • Disabled buttons are not authorization • Consider rule-based authorization in your design
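An added example, not the talk's demo code, of the two designs the slides contrast: a handler that relies on the Approve button being disabled, and one that re-evaluates a set of business rules on the server for every request. The expense-approval workflow, the roles, the approval limit and the rules themselves are assumptions made for the illustration.

```python
from dataclasses import dataclass

# Constructed data model (not from the talk): an expense approval workflow.
APPROVAL_LIMIT = 5000


@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset


@dataclass
class Expense:
    expense_id: int
    submitter: str
    amount: int
    status: str = "pending"


def render_approve_button(user, expense):
    """What the page does: decide whether to show the Approve button enabled."""
    enabled = "approver" in user.roles and user.name != expense.submitter
    return {"action": "approve", "enabled": enabled}


def approve_ui_only(user, expense):
    """Flawed handler: assumes a disabled button means the request cannot arrive.
    Anyone who sends the POST directly (curl, browser dev tools) gets through."""
    expense.status = "approved"
    return expense


# Rule-based authorization: each rule is a name and a predicate over (user, expense).
# Role membership is only one of the rules; the others are business constraints
# that a role check alone would miss.
RULES = [
    ("must be an approver", lambda u, e: "approver" in u.roles),
    ("cannot approve own expense", lambda u, e: u.name != e.submitter),
    ("amount within approver limit", lambda u, e: e.amount <= APPROVAL_LIMIT or "finance" in u.roles),
    ("expense must still be pending", lambda u, e: e.status == "pending"),
]


def authorize(user, expense):
    """Return the names of the rules the request violates (empty list means allowed)."""
    return [name for name, rule in RULES if not rule(user, expense)]


def approve_rule_based(user, expense):
    """Hardened handler: the rules run on the server for every request, whatever
    the UI showed. Raises PermissionError naming the failed rules."""
    failed = authorize(user, expense)
    if failed:
        raise PermissionError("; ".join(failed))
    expense.status = "approved"
    return expense


if __name__ == "__main__":
    bob = User("bob", frozenset({"employee"}))
    own = Expense(1, "bob", 300)
    print(render_approve_button(bob, own))      # button disabled for bob
    print(approve_ui_only(bob, own).status)      # ...but the handler approves anyway
    try:
        approve_rule_based(bob, Expense(2, "bob", 300))
    except PermissionError as exc:
        print("refused:", exc)
```

The same `RULES` list can drive the UI (`render_approve_button` could call `authorize`) so that what the user sees and what the server enforces cannot drift apart.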

  7. Flaw – 3 Black list Input Validation • Only a set of known-bad characters is checked for • Becomes vulnerable in special situations • Demo

  8. Flaw – 3 Black list Input Validation • Principles:- • Validate against the set of allowed values (white list) • If white list validation is not possible, • Encode output to prevent XSS • Parameterize queries to prevent SQL Injection…
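An added example (not the presentation's demo) covering the three points of the slide: a deny list of the kind it warns about, a white list for a field whose shape is known, and output encoding plus parameterized queries for free text and identifiers where a white list is not possible. The deny-list fragments, the username pattern, the comment strings and the SQLite table are constructed for the illustration.

```python
import html
import re
import sqlite3

# Deny list of the kind the slides warn about: a few "bad" fragments (constructed).
BAD_FRAGMENTS = ("<script", "'", "--", ";")

# Allow list for a username field: only the characters the application needs.
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{3,20}")


def denylist_ok(value):
    """Black-list check: reject only if a known-bad fragment appears."""
    lowered = value.lower()
    return not any(bad in lowered for bad in BAD_FRAGMENTS)


def allowlist_username_ok(value):
    """White-list check: accept only values that look like a username."""
    return USERNAME_RE.fullmatch(value) is not None


def render_comment_unsafe(comment):
    """Free text where no allow list applies, inserted raw after the deny-list check.
    An <img onerror=...> payload contains none of the listed fragments."""
    if not denylist_ok(comment):
        raise ValueError("rejected by deny list")
    return f"<p>{comment}</p>"


def render_comment_safe(comment):
    """Same free text, output-encoded so any markup in it is shown, not run."""
    return f"<p>{html.escape(comment, quote=True)}</p>"


def setup_db():
    """Constructed sample table for the SQL half of the example."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "alice", "user"), (2, "bob", "user"), (3, "root", "admin")])
    return conn


def find_user_unsafe(conn, user_id):
    """A numeric payload has no quotes, passes the deny list, and is concatenated into SQL."""
    if not denylist_ok(user_id):
        raise ValueError("rejected by deny list")
    return [row[0] for row in conn.execute(f"SELECT name FROM users WHERE id = {user_id}")]


def find_user_parameterized(conn, user_id):
    """Parameterization alone: the value is bound as data, so '1 OR 1=1' matches nothing."""
    return [row[0] for row in conn.execute("SELECT name FROM users WHERE id = ?", (user_id,))]


def find_user_safe(conn, user_id):
    """Both principles: allow-list the shape of the value, then bind it."""
    if not re.fullmatch(r"[0-9]{1,9}", user_id):
        raise ValueError("user id must be a small positive integer")
    return [row[0] for row in conn.execute("SELECT name FROM users WHERE id = ?", (int(user_id),))]


if __name__ == "__main__":
    xss = "<img src=x onerror=alert(1)>"
    print(denylist_ok(xss))                    # True: the deny list never saw this form
    print(render_comment_safe(xss))
    conn = setup_db()
    print(find_user_unsafe(conn, "1 OR 1=1"))  # every user, not just id 1
    print(find_user_parameterized(conn, "1 OR 1=1"))
    print(find_user_safe(conn, "1"))
```

The deny list fails twice in the same way: the attacker simply picks a form the list's author did not think of. The allow list and the parameter binding do not depend on knowing every bad form in advance.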

  9. Flaw – 4 Improper use of Crypto • Not knowing what services are provided by what mechanisms • For example, what services do Digital Signatures provide? • Demo

  10. Flaw – 4 Improper use of Crypto [Diagram: Product 1's Site, Product 2's Site and Product 3's Site each send a Signed XML POST to the Central Payment Site]

  11. Flaw – 4 Improper use of Crypto • Principles:- • Know what service each mechanism provides • Do not implement crypto mechanisms yourself • Use system provided methods
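An added example, not the talk's demo, of the question on slide 9 applied to the diagram on slide 10: a central payment site that accepts any XML whose signature verifies, beside one that treats the signature as proof of integrity and origin only and checks freshness, uniqueness and intended recipient itself. HMAC with a per-site shared key stands in for the digital signature so the example runs on the standard library; with an asymmetric signature only `sign` and `verify` would change. The keys, site names, XML layout, nonce and timestamp fields and the clock-skew window are all assumptions made for the illustration.

```python
import hashlib
import hmac
import time
import xml.etree.ElementTree as ET

# Constructed shared secrets, one per product site, known to the central payment
# site. HMAC stands in for the digital signature (assumption); the checks in
# accept_with_checks are needed whichever signing mechanism is used.
SITE_KEYS = {
    "product1": b"product1-secret-key",
    "product2": b"product2-secret-key",
}
PAYMENT_SITE = "central-payment"
MAX_CLOCK_SKEW = 300  # seconds a message may be old before it is refused (assumed)


def build_payment_xml(site, order_id, amount, card, nonce, timestamp, to=PAYMENT_SITE):
    """Sample signed-XML payload of the kind the diagram shows (constructed layout)."""
    return (f'<payment from="{site}" to="{to}" nonce="{nonce}" ts="{timestamp}">'
            f"<order>{order_id}</order><amount>{amount}</amount><card>{card}</card></payment>")


def sign(site, body):
    return hmac.new(SITE_KEYS[site], body.encode(), hashlib.sha256).hexdigest()


def verify(site, body, tag):
    key = SITE_KEYS.get(site)
    if key is None:
        return False
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, tag)


def exposed_card(body):
    """Signatures give no confidentiality: the card number travels in the clear."""
    return ET.fromstring(body).find("card").text


class PaymentSite:
    def __init__(self):
        self.processed = []
        self.seen_nonces = set()

    def accept_signature_only(self, site, body, tag):
        """Flawed: a valid signature is taken as proof that the payment should be charged,
        so the same signed message can be submitted again and again."""
        if not verify(site, body, tag):
            return False
        self.processed.append((site, body))
        return True

    def accept_with_checks(self, site, body, tag, now=None):
        """The signature proves integrity and origin only; freshness, uniqueness and
        intended recipient are separate checks the application has to make."""
        now = time.time() if now is None else now
        if not verify(site, body, tag):
            return False, "bad signature"
        root = ET.fromstring(body)
        if root.get("from") != site:
            return False, "signer does not match declared sender"
        if root.get("to") != PAYMENT_SITE:
            return False, "message addressed to a different recipient"
        if abs(now - int(root.get("ts", "0"))) > MAX_CLOCK_SKEW:
            return False, "stale timestamp"
        nonce = (site, root.get("nonce"))
        if nonce in self.seen_nonces:
            return False, "replay: nonce already used"
        self.seen_nonces.add(nonce)
        self.processed.append((site, body))
        return True, "ok"


if __name__ == "__main__":
    now = int(time.time())
    body = build_payment_xml("product1", "A-1", 4999, "4111111111111111", "n1", now)
    tag = sign("product1", body)
    naive, careful = PaymentSite(), PaymentSite()
    print(naive.accept_signature_only("product1", body, tag),
          naive.accept_signature_only("product1", body, tag))      # replay charged twice
    print(careful.accept_with_checks("product1", body, tag),
          careful.accept_with_checks("product1", body, tag))       # replay refused
    print("card visible on the wire:", exposed_card(body))
```

Tampering with the amount is caught by both sites, because that is the service a signature does provide; everything the flawed site gets wrong is a property the signature never promised.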

  12. Flaw – 5 App layer Denial of service [Screenshot: "Book movie ticket", Screen 1 for User 1]

  13. Flaw – 5 App layer Denial of service [Screenshot: "Book movie ticket", Screen 2 for User 1: "You have 7 minutes left. Enter payment details: Name, Credit Card Number, Address, … Click to Book"]

  14. Flaw – 5 App layer Denial of service [Screenshot: "Book movie ticket", Screen 1 for User 2]

  15. Flaw – 5 App layer Denial of service [Screenshot: "Book movie ticket", Screen 1 for User 2 after 7 minutes]

  16. Flaw – 5 App layer Denial of service • Principles:- • Use CAPTCHA to avoid automated attacks • Design with security in mind
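An added simulation (not the talk's demo) of the booking flow on slides 12 to 15: a seat is held for the 7 minutes the user has to enter payment details, and a script that starts a booking for every seat and never pays leaves nothing for User 2 until the holds expire. The hardened variant applies the two principles above: a CAPTCHA gate on the hold step and, as a design-level limit, a cap on unpaid holds per client. The seat numbers, the cap of four holds and the `captcha_passed` flag (standing in for a CAPTCHA response verified server-side) are assumptions made for the illustration.

```python
# Constructed model of the booking flow shown on the slides (not the talk's code):
# a seat is held for HOLD_SECONDS while the user fills in payment details and is
# released if nobody pays in time.
HOLD_SECONDS = 7 * 60


class SeatMap:
    def __init__(self, seats, max_holds_per_client=None, require_captcha=False):
        self.seats = list(seats)
        self.holds = {}          # seat -> (client, expires_at)
        self.sold = set()
        # None means unlimited, i.e. the unprotected design.
        self.max_holds_per_client = max_holds_per_client
        self.require_captcha = require_captcha

    def _expire(self, now):
        self.holds = {s: h for s, h in self.holds.items() if h[1] > now}

    def available(self, now):
        self._expire(now)
        return [s for s in self.seats if s not in self.holds and s not in self.sold]

    def hold(self, seat, client, now, captcha_passed=False):
        """Screen 1 -> Screen 2: reserve a seat for the payment step.
        captcha_passed stands in for a CAPTCHA response verified server-side (assumed)."""
        self._expire(now)
        if seat not in self.seats:
            return False, "no such seat"
        if seat in self.sold:
            return False, "seat already sold"
        if seat in self.holds:
            return False, "seat already held"
        if self.require_captcha and not captcha_passed:
            return False, "captcha required"
        if self.max_holds_per_client is not None:
            mine = sum(1 for c, _ in self.holds.values() if c == client)
            if mine >= self.max_holds_per_client:
                return False, "too many unpaid holds for this client"
        self.holds[seat] = (client, now + HOLD_SECONDS)
        return True, "held"

    def pay(self, seat, client, now):
        """Click to Book: only the client holding the seat may complete the purchase."""
        self._expire(now)
        held = self.holds.get(seat)
        if held is None or held[0] != client:
            return False, "no valid hold for this client"
        del self.holds[seat]
        self.sold.add(seat)
        return True, "sold"


def run_hold_flood(seat_map, attacker, now, captcha_passed=False):
    """Scripted attacker: start a booking for every seat and never pay."""
    return sum(1 for s in list(seat_map.seats)
               if seat_map.hold(s, attacker, now, captcha_passed)[0])


if __name__ == "__main__":
    t0 = 0
    open_map = SeatMap(range(1, 21))
    print("attacker holds:", run_hold_flood(open_map, "attacker", t0))
    print("seats user 2 sees:", open_map.available(t0))
    print("seats user 2 sees after 7 minutes:", len(open_map.available(t0 + HOLD_SECONDS + 1)))
    hardened = SeatMap(range(1, 21), max_holds_per_client=4, require_captcha=True)
    print("attacker holds without CAPTCHA:", run_hold_flood(hardened, "attacker", t0))
    print("attacker holds with CAPTCHA solved:", run_hold_flood(hardened, "attacker", t0, captcha_passed=True))
    print("seats user 2 sees:", len(hardened.available(t0)))
```

Note that the attack needs no malformed input at all; every request is a valid booking. That is why neither input validation nor the hold timeout on its own stops it, and why the hold step, not just the payment step, has to be treated as a resource the design protects.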

  17. Thank you!