Arm yourself with Domain Driven Security.
It’s time to slay some security trolls…
@danbjson, @DanielDeogun
Omegapoint
DDD Europe
Brussels January 2016
About Us…
Omegapoint: Umeå, Malmö, Göteborg, Falun, New York, Stockholm
Daniel Deogun, Security Paratrooper
Dan Bergh Johnsson, Secure Domain Philosopher
Key Take Aways
• DDSec helps one to design secure software without actively thinking
about security
• Treat injection flaws as a modelling problem rather than a validation
problem
• Context mapping is essential to avoid XSS and other 2nd order
injection attacks
• Micro-services will be scary as hell, unless the world gets a grip on
context mapping
Domain Driven Security @ DDD Europe
• Presentation: Arm yourself with Domain Driven Security. It’s time to slay some security trolls…
  • Introduces the field, gets you curious
• Hands-on: OWASP application security vulnerabilities and what Domain-Driven Security has to say about them
  • Bring a laptop, touch some code
  • OWASP, Injection Flaw, Cross-Site Scripting
• Hands-on: Your business is under attack - a conceptual tour of Domain Driven Security state of the art
  • Presentation on subtle insights
  • In-depth discussions
Attacks From A DDD Perspective
[2x2 map: Simple vs Complex Technical on one axis, Simple vs Complex Domain on the other]
Purchasing
“Unencyclopedia”
[Encyclopedia]
Technical Approach
• OWASP “input validation”
• if(value < 0) -> don’t accept
• Encourages separation of validation and data
• Problem: whack-a-mole ahead!
Analysis à la DDD
• Observation
  • Quantity is modelled as integer
  • Quantity is an implicit concept
• Analysis
  • Modelling is incomplete or missing
Analysis à la DDD
-1 : Integer  (a perfectly valid integer)
-1 : Quantity (not a quantity at all)
OrderLine {ISBN, Quantity}
Quantity made explicit - a good start
import static org.apache.commons.lang3.Validate.isTrue; // assumed source of isTrue; the slide does not say

public final class Quantity {
    public final int value;

    public Quantity(final int value) {
        // The business rule stated once, where the concept lives, instead of at every call site
        isTrue(value > 0, "Quantity must be greater than zero. Got: %s", value);
        this.value = value;
    }
    …
Ubiquitous Domain Primitives
• Library of domain primitives
• Consolidates business rules
• Raises the floor
void buyBook(String, int) -> buyBook(ISBN, Quantity)
Another concept made explicit
public final class EmailAddress {
    public final String value;

    public EmailAddress(final String value) {
        isTrue( ?????????, "Not valid email. Got: %s", value);
        this.value = value;
    }
    …
Email according to spec
• RFC 5322 3.4 Address Specification (RFC 821, RFC 2821)
• Some OK examples
  • root@127.0.0.1
  • !#$%&'*+-/=?^_`{|}~@omegapoint.se
  • "Åsa Sjölander"@omegapoint.se (a quoted local part; note that non-ASCII characters in it need the internationalized-address extensions of RFC 6531/6532, not plain RFC 5322)
• Regexp (the start of the full 6424-character expression):
(?:(?:\r\n)?[ \t])*(?:(?:(?:[^()<>@,;:\\".\[\] \000-\031]+(?:(?:(?:\r\n)?[ \t])+|\Z|(?=[\["()<>@,;:\\".\[\]]))|"(?:[^\"\r\\]|\\.|(?:(?:\r\n)?[ \t]))*"(?:(?:\r\n)?[ \t])*)(?:\.(?:(?:\r\n)?[ \t])*(?:[^()<>@,;:\\".\[\] \000-\031]+(?:(?:(?:\r\n)?[ \t])+|\Z|(?=[\["()<>@,;:\\".\[\]]))|"(?:[^\"\r\\]|\\.|(?:(?:\r\n)?[ \t]))*"(?:(?:\r\n)?[ \t])*))*@(?:(?:\r\n)?[ \t])*(?:[^()<>@,;:\\".\[\] \000-\031]+(?:(?:(?:\r\n)?[ \t])+|\Z|(?=[\["()<>@,;:\\".\[\]]))|\[([^\[\]\r\\]|\\.)*\](?:(?:\r\n)?[ \t])*)(?:\.(?:(?:\r\n)?[ \t])*(?:[^()<>@,;:\\".\[\] \000-\031]+(?:(?:(?:\r\n)?[ \t])+|\Z|(?=[\["()<>@,;:\\".\[\]]))|\[([^\[\]\r\\]|\\.)*\](?:(?:\r\n)?[ \t])*))*|(?:[^()<>@,;:\\".\[\] \000-\031]+(?:(?:(?:\r\n)?[ \t])+|\Z|(?=[\["()<>@,;:\\".\[\]]))|"(?:[^\"\r\\]|\\.|(?:(?:\r\n)?[ \t]))*"(?:(?:\r\n) … 6424 chars in total
You define Your domain
• Bounded Context - bounded by what you need
• Is “root@127.0.0.1” sensible to you?
• Strength not by “how wide” but by “how specific”
• Start simple - limit to your core cases
• E.g. “daniel.deogun@omegapoint.se”
• Let the model grow
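One way to fill in the ????????? above for a context whose core case is a plain address like daniel.deogun@omegapoint.se. This is an added example, not code from the slides or from Omegapoint; the character set, the length limits, the "at least two domain labels" rule and the alphabetic top-level label are assumptions chosen for this bounded context. The slides' RFC-valid examples (IP literal, quoted local part, the full special-character local part) are rejected on purpose: the primitive is strong by being specific, not wide.

```java
import java.util.Locale;
import java.util.Objects;
import java.util.regex.Pattern;

// Added example: an EmailAddress bounded to this context's needs, deliberately narrower than RFC 5322
public final class EmailAddress {
    // Assumed context rules (not from the slides): dotted-atom local part over a small
    // character set, hostname-style domain with at least two labels, alphabetic top label.
    private static final int MAX_LENGTH = 254;
    private static final Pattern LOCAL_PART = Pattern.compile("[a-z0-9](?:[a-z0-9._+-]{0,62}[a-z0-9])?");
    private static final Pattern DOMAIN_LABEL = Pattern.compile("[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?");
    private static final Pattern TOP_LABEL = Pattern.compile("[a-z]{2,63}");

    public final String value;

    public EmailAddress(final String raw) {
        Objects.requireNonNull(raw, "email address");
        // Length first: cheap, and it bounds the work every later check can do
        if (raw.length() > MAX_LENGTH) {
            throw new IllegalArgumentException("Email address too long: " + raw.length() + " chars");
        }
        // Case-folding the whole address is a decision of this context (local parts are
        // technically case-sensitive); it gives one canonical form for equality and lookups
        final String normalized = raw.trim().toLowerCase(Locale.ROOT);
        final int at = normalized.indexOf('@');
        if (at <= 0 || at != normalized.lastIndexOf('@') || at == normalized.length() - 1) {
            throw new IllegalArgumentException("Not valid email. Got: " + raw);
        }
        final String local = normalized.substring(0, at);
        final String domain = normalized.substring(at + 1);
        if (!LOCAL_PART.matcher(local).matches() || local.contains("..")) {
            throw new IllegalArgumentException("Not valid email (local part). Got: " + raw);
        }
        final String[] labels = domain.split("\\.", -1);
        if (labels.length < 2) {
            throw new IllegalArgumentException("Not valid email (domain). Got: " + raw);
        }
        for (int i = 0; i < labels.length - 1; i++) {
            if (!DOMAIN_LABEL.matcher(labels[i]).matches()) {
                throw new IllegalArgumentException("Not valid email (domain label). Got: " + raw);
            }
        }
        // An all-numeric last label, as in root@127.0.0.1, fails here: IP literals are out of scope
        if (!TOP_LABEL.matcher(labels[labels.length - 1]).matches()) {
            throw new IllegalArgumentException("Not valid email (top-level label). Got: " + raw);
        }
        this.value = normalized;
    }

    public static boolean isValid(final String raw) {
        try {
            new EmailAddress(raw);
            return true;
        } catch (IllegalArgumentException e) {
            return false;
        }
    }

    @Override public boolean equals(final Object o) { return o instanceof EmailAddress && ((EmailAddress) o).value.equals(value); }
    @Override public int hashCode() { return value.hashCode(); }
    @Override public String toString() { return value; }

    public static void main(String[] args) {
        // Constructed inputs: the core case of this context beside the slides' RFC-valid examples
        final String[] samples = {
            "daniel.deogun@omegapoint.se",          // the core case
            "root@127.0.0.1",                       // IP literal domain
            "!#$%&'*+-/=?^_`{|}~@omegapoint.se",     // RFC-legal specials in the local part
            "\"Åsa Sjölander\"@omegapoint.se",      // quoted local part
            "a@b@omegapoint.se",                    // two @
        };
        for (final String s : samples) {
            System.out.println(s + " -> " + (isValid(s) ? "accepted" : "rejected"));
        }
    }
}
```

When the business later needs, say, plus-addressing or a new top-level domain, the change is one line in one class, which is what "let the model grow" looks like in code.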
What is DDSec?
“Domain Driven Security is about taking ideas from
DDD and using them as tools to address security
concerns, even though the tools were not originally
designed specifically for security issues.”
- Dan Bergh Johnsson, Dr. John Wilander [2009]
http://dearjunior.blogspot.be/2009/09/introducing-domain-driven-security.html
Attacks From A DDD Perspective [2x2 map: technical complexity vs domain complexity]
Injection Flaw
“Injection flaws, such as SQL, OS, and LDAP injection
occur when untrusted data is sent to an interpreter as
part of a command or query. The attacker’s hostile data
can trick the interpreter into executing unintended
commands or accessing data without proper
authorization.”
- OWASP top 10
The Classics - Dynamic SQL String
SELECT … FROM Users
WHERE username = '<?username>'
AND password = '<?password>'
Input: username = danbj, password = catsarecute
SELECT … FROM Users
WHERE username = 'danbj'
AND password = 'catsarecute'
Warning! This is just an example. Do not store passwords in plain text.
Do not use relational databases for user management.
SQL Injection
SELECT … FROM Users
WHERE username = '<?username>'
AND password = '<?password>'
Input: username = evilhaxxOr, password = 'OR 1=1 --
SELECT … FROM Users
WHERE username = 'evilhaxxOr'
AND password = ''OR 1=1 --'
Input: username = 'OR 1=1 --, password = doesnotmatteranymore
SELECT … FROM Users
WHERE username = ''OR 1=1 --'
AND password = 'doesnotmatteranymore'
The first quote closes the string, OR 1=1 makes the WHERE clause true for every row, and -- comments out the rest of the line, including the trailing quote and the password check.
Demo
SQL INJECTION
What’s the problem? And the solution?
• 'OR 1=1 -- is not a valid username
• That rule is implicit in the code
• It needs to be made explicit
• Modelling required
Prepared Statements, AKA Parametrised Queries
• SQL injection is solved by prepared statements: values travel as bound parameters, never as part of the SQL text
• But what if the query structure is dynamic? Table and column names, sort order and the like cannot be bound as parameters
• Other injection flaws have no such ready-made fix
  • LDAP, Command, XPath, HTTP header …
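An added example of the "dynamic structure" case, not code from the slides: the username value goes through a PreparedStatement parameter, while the sort column, which no driver lets you bind, is modelled as a closed set so that only a fixed identifier ever reaches the SQL text. The table and column names (users, username, created_at, last_login) are assumptions. The LIKE escaping is there because even a bound value still carries meaning for the LIKE operator.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

// Added example: bound parameters for values, a closed set for dynamic query structure
public final class UserQueries {

    // Dynamic structure cannot be a bind parameter, so it is modelled as an enum:
    // the request may choose a member, but only the member's fixed SQL name is interpolated.
    public enum SortColumn {
        USERNAME("username"), CREATED("created_at"), LAST_LOGIN("last_login");

        public final String sql;

        SortColumn(final String sql) { this.sql = sql; }

        // Maps an untrusted request parameter onto the closed set; anything else is rejected
        public static SortColumn fromRequest(final String raw) {
            for (final SortColumn c : values()) {
                if (c.name().equalsIgnoreCase(raw)) {
                    return c;
                }
            }
            throw new IllegalArgumentException("Unknown sort column: " + raw);
        }
    }

    // The statement text and its parameters kept apart until execution
    public static final class Query {
        public final String sql;
        public final List<Object> params;

        Query(final String sql, final List<Object> params) {
            this.sql = sql;
            this.params = Collections.unmodifiableList(params);
        }
    }

    // A bound value is still data for LIKE: '%' and '_' are wildcards unless escaped
    private static String escapeLike(final String s) {
        return s.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_");
    }

    public static Query findByUsernamePrefix(final String prefix, final SortColumn sortBy) {
        final List<Object> params = new ArrayList<>();
        params.add(escapeLike(prefix) + "%");
        final String sql = "SELECT id, username, created_at FROM users"
                + " WHERE username LIKE ? ESCAPE '\\'"
                + " ORDER BY " + sortBy.sql;   // the only interpolated piece is the enum's constant
        return new Query(sql, params);
    }

    public static List<String> run(final Connection conn, final Query q) throws SQLException {
        final List<String> names = new ArrayList<>();
        try (PreparedStatement ps = conn.prepareStatement(q.sql)) {
            for (int i = 0; i < q.params.size(); i++) {
                ps.setObject(i + 1, q.params.get(i));
            }
            try (ResultSet rs = ps.executeQuery()) {
                while (rs.next()) {
                    names.add(rs.getString("username"));
                }
            }
        }
        return names;
    }

    public static void main(String[] args) {
        // Constructed request input: the injection payload never touches the SQL text
        final Query q = findByUsernamePrefix("evilhaxxOr'OR 1=1 --", SortColumn.fromRequest("created"));
        System.out.println(q.sql);
        System.out.println(q.params);
        try {
            SortColumn.fromRequest("created_at; DROP TABLE users");
        } catch (IllegalArgumentException e) {
            System.out.println("Rejected: " + e.getMessage());
        }
    }
}
```

In a code base that already has a Username domain primitive, the quote in the prefix would have been rejected before this method was ever called; the parameter binding is then defence in depth rather than the only line.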
HTTP Response with Cookie
[https://www.owasp.org/index.php/HTTP_Response_Splitting]
String author = … /* request, database, user setting … */
...
Cookie cookie = new Cookie("author", author);
cookie.setMaxAge(cookieExpiration);
response.addCookie(cookie);
HTTP/1.1 200 OK
...
Set-Cookie: author=Jane Smith
…
<html><head><title>The real content</title> ...
HTTP Injection
Hacked 'author' value in database/setting …
author : "Wiley Hacker\r\nHTTP/1.1 200 OK\r\n..."
HTTP/1.1 200 OK
...
Set-Cookie: author=Wiley Hacker
HTTP/1.1 200 OK
…
<html><head><title>Hacked content</title> …
...
<html><head><title>The real content</title> ...
The CRLF inside the value terminates the Set-Cookie header; everything after it is parsed as a second, attacker-controlled response. Most current servlet containers and HTTP libraries refuse CR/LF in header values, so the same mistake now tends to surface as a rejected request rather than a split response, but the modelling point stands for every interpreter that does not check.
[https://www.owasp.org/index.php/HTTP_Response_Splitting]
RFC 2616 HTTP/1.1, Ch 4 HTTP Message
(RFC 2616 has since been replaced by RFC 7230, which keeps the same CRLF-delimited structure)
HTTP-message = Request | Response ; HTTP/1.1 messages
generic-message = start-line
                  *(message-header CRLF)
                  CRLF
                  [ message-body ]
start-line = Request-Line | Status-Line
message-header = field-name ":" [ field-value ]
field-name = token
field-value = *( field-content | LWS )
field-content = <the OCTETs making up the field-value
                 and consisting of either *TEXT or combinations
                 of token, separators, and quoted-string>
A message-header ends at the first CRLF, so a field-value that contains CRLF ends the header early; a value that is valid in your domain model must not be able to do that.
http://www.w3.org/Protocols/rfc2616/rfc2616-sec4.html#sec4
DDSec to the Rescue on
Injection Flaw
• DDD helps one to separate data from
code
• Validating with respect to the model is
crucial
A Quick Note On
Validation
• Validation order
• Origin
• Length
• (Lexeme, content text)
• Parsing, content structure
• Semantics
- Dr. John Wilander
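An added example, not code from the slides, that applies the validation order above (length, then lexeme, then parse, then semantics) to the two values the injection slides turned on: the username from the SQL injection demo and the author value that ends up in a Set-Cookie header. The maximum lengths, the username character set and the "no leading underscore" rule are assumptions picked for illustration; checking origin is left to the surrounding code, since it is the same check whether the string came from a request, the database or a user setting.

```java
import java.util.regex.Pattern;

// Added example: two domain primitives that check in the order length -> lexeme -> parse -> semantics
public final class ValidationOrder {

    public static final class Username {
        private static final int MAX = 32;                                   // assumed limit
        private static final Pattern LEXEME = Pattern.compile("[A-Za-z0-9_]+"); // assumed charset
        public final String value;

        public Username(final String raw) {
            if (raw == null) throw new IllegalArgumentException("username missing");
            // 1. Length, before any pattern work is done on the input
            if (raw.length() > MAX) throw new IllegalArgumentException("username too long");
            // 2. Lexeme: only characters a username may contain. 'OR 1=1 -- dies here.
            if (!LEXEME.matcher(raw).matches()) throw new IllegalArgumentException("username contains illegal characters");
            // 3. Semantics: a rule of the domain rather than of the syntax
            if (raw.startsWith("_")) throw new IllegalArgumentException("username may not start with underscore");
            this.value = raw;
        }
    }

    // A value about to become part of a Set-Cookie header
    public static final class CookieValue {
        private static final int MAX = 4000;   // assumed limit, comfortably under common cookie size caps
        public final String value;

        public CookieValue(final String raw) {
            if (raw == null) throw new IllegalArgumentException("cookie value missing");
            if (raw.length() > MAX) throw new IllegalArgumentException("cookie value too long");
            for (int i = 0; i < raw.length(); i++) {
                final char c = raw.charAt(i);
                // Lexeme: no CR, LF or other control characters, so the value can never end the header line
                if (c < 0x20 || c == 0x7f) throw new IllegalArgumentException("control character at index " + i);
                // Parse: ';' would start a new cookie attribute inside our value
                if (c == ';') throw new IllegalArgumentException("';' at index " + i);
            }
            // Semantics: this context allows spaces ("Jane Smith"); strict RFC 6265 cookie-octet would not
            this.value = raw;
        }
    }

    // Runs one construction and reports the outcome with the reason
    static String check(final String label, final Runnable construct) {
        try {
            construct.run();
            return label + ": accepted";
        } catch (IllegalArgumentException e) {
            return label + ": rejected (" + e.getMessage() + ")";
        }
    }

    public static void main(String[] args) {
        // Constructed inputs: the slides' payloads beside legitimate values
        System.out.println(check("username danbj", () -> new Username("danbj")));
        System.out.println(check("username 'OR 1=1 --", () -> new Username("'OR 1=1 --")));
        System.out.println(check("cookie Jane Smith", () -> new CookieValue("Jane Smith")));
        System.out.println(check("cookie with CRLF", () -> new CookieValue("Wiley Hacker\r\nHTTP/1.1 200 OK\r\n")));
    }
}
```

The order matters for more than tidiness: the length check bounds the cost of the regular expression, and the lexeme check rejects the structural characters before any parser, SQL or HTTP, gets to see them.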
Attacks From A DDD Perspective [2x2 map: technical complexity vs domain complexity]
Cross Site Scripting (XSS)
“XSS flaws occur whenever an application takes untrusted
data and sends it to a web browser without proper
validation or escaping. XSS allows attackers to execute
scripts in the victim’s browser which can hijack user
sessions, deface web sites, or redirect the user to malicious
sites.”
- OWASP top 10
Demo
Cross Site Scripting (XSS)
Domain Perspective
[diagram: in the domain a Comment is Text; sent to the browser without a mapping, the same Text is read as Code]
Fix the Broken Mapping
[diagram: the Text <script> must arrive in the HTML context as &lt;script&gt;, not as the Code <script>]
SQL Injection vs XSS
[diagram: in both cases the receiving context reads what the domain meant as Text as Code]
2nd order injection
[diagram: Web -> Srv -> DB -> Log -> Adm: data stored once is rendered again in a later context, here an admin view of the log]
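An added example, not code from the slides, of the mapping the diagrams call for: one Comment that is Text in the domain, and an explicit mapping for each context it crosses into, the HTML page and the log file. Without the second mapping the same bytes that were neutralised for the browser can still forge an entry that the admin's log tooling later trusts, which is the 2nd-order case. Both encoders are written out so the mapping is visible; in a real code base you would use your template engine's or a library's HTML encoder rather than hand-rolling one, and the log viewer's own rendering is yet another context boundary with its own mapping.

```java
// Added example: one Text concept, one explicit mapping per context it crosses into
public final class ContextMapping {

    // Text in the domain: a comment may legitimately contain '<', quotes or line breaks
    public static final class Comment {
        private static final int MAX = 2000;   // assumed limit
        public final String text;

        public Comment(final String text) {
            if (text == null || text.isEmpty() || text.length() > MAX) {
                throw new IllegalArgumentException("comment must be 1.." + MAX + " characters");
            }
            this.text = text;
        }
    }

    // Mapping Text -> HTML text node: the characters that could change the HTML parser's state
    public static String toHtmlText(final Comment c) {
        final StringBuilder sb = new StringBuilder(c.text.length() + 16);
        for (final char ch : c.text.toCharArray()) {
            switch (ch) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#x27;"); break;
                default:   sb.append(ch);
            }
        }
        return sb.toString();
    }

    // Mapping Text -> one log line: CR/LF and other control characters are escaped so the
    // comment cannot split itself into a second, forged entry (the 2nd-order injection)
    static String escapeForLog(final String s) {
        final StringBuilder sb = new StringBuilder(s.length() + 8);
        for (final char ch : s.toCharArray()) {
            if (ch == '\r')          sb.append("\\r");
            else if (ch == '\n')     sb.append("\\n");
            else if (ch == '"')      sb.append("\\\"");
            else if (ch == '\\')     sb.append("\\\\");
            else if (ch < 0x20)      sb.append(String.format("\\x%02x", (int) ch));
            else                     sb.append(ch);
        }
        return sb.toString();
    }

    // The user field is untrusted too and goes through the same mapping
    public static String toLogLine(final String user, final Comment c) {
        return "comment user=\"" + escapeForLog(user) + "\" text=\"" + escapeForLog(c.text) + "\"";
    }

    public static void main(String[] args) {
        // Constructed input: the XSS payload plus a line break that would otherwise fake a log entry
        final Comment c = new Comment("<script>alert(1)</script>\n2016-01-28 admin login ok");
        System.out.println("<p>" + toHtmlText(c) + "</p>");   // HTML context
        System.out.println(toLogLine("danbj", c));           // log context
    }
}
```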
Preventing Data Leakage
read once object [Daniel Sawano]
import static org.apache.commons.lang3.Validate.notNull; // assumed source of notNull; the slide does not say
import java.io.Externalizable;
import java.io.IOException;
import java.io.ObjectInput;
import java.io.ObjectOutput;
import java.util.concurrent.atomic.AtomicReference;

public final class SensitiveValue implements Externalizable {
    private final AtomicReference<String> value;

    public SensitiveValue(final String value) {
        // validated(...) is the domain validation of the raw value; its body is not on the slide
        this.value = new AtomicReference<>(validated(value));
    }

    // Read once: the first caller gets the value, every later call fails loudly
    public String value() {
        return notNull(value.getAndSet(null), "Sensitive value has already been consumed");
    }

    @Override
    public String toString() {
        return "SensitiveValue value = *****";
    }

    // Serialization in either direction is refused, so the value cannot leak through Java serialization
    @Override
    public void writeExternal(final ObjectOutput out) throws IOException {
        throw new UnsupportedOperationException("Not allowed on sensitive value");
    }

    @Override
    public void readExternal(final ObjectInput in) throws IOException {
        throw new UnsupportedOperationException("Not allowed on sensitive value");
    }
}
How did DDSec Help Us?
• DDD gave deeper insight in nature of XSS
• Context mapping allows one to “detect” possible
broken maps
• Modeling confidentiality protects against accidental
disclosure of sensitive data
Attacks From A DDD Perspective [2x2 map: technical complexity vs domain complexity]
Complex Domain Attack
[diagram: an Order with quantity -1 passes unchanged into Finance, Storage and Shipping]
Micro-servicing the Monolith
[diagram: Payment and Policy are split out of the monolith, with InsurancePurchase as the service between them]
Making a change with surgical precision
[diagram: Purchase, Bank and Insurance contexts; the Payment outcomes Confirm/Reject are mapped onto the bank's Giro Confirm/Giro Bounce]
What we would have done
[diagram: same contexts, but Cash Payment and Giro Payment modelled as distinct concepts, each with its own mapping of Confirm/Reject and Giro Confirm/Giro Bounce]
Micro-Service Hell
• We’re moving towards more and more micro-services
• Implemented by separate teams
• How do we guarantee correct context mappings between them?
Key Take Aways
• DDSec helps one to design secure software without actively thinking
about security
• Treat injection flaws as a modelling problem rather than a validation
problem
• Context mapping is essential to avoid XSS and other 2nd order
injection attacks
• Micro-services will be scary as hell, unless the world gets a grip on
context mapping
Current State, Future Direction
• Academic research on DDSec
  • Two master’s thesis projects in cooperation with the Royal Institute of Technology (KTH)
  • Cooperation with Linnaeus University, computer science department
• Industry practice
  • Practised every day
  • More needed, especially regarding how to handle micro-services
  • Investigating DDSec as applicable to DDoS attacks
• Writing
  • Early stage of a book by Dan Bergh Johnsson, Daniel Deogun and Daniel Sawano
Q & A
[Questions]
Thanks
@danbjson, @DanielDeogun
Image References
• [Questions - https://flic.kr/p/9ksxQa] by Damián Navas under license https://creativecommons.org/licenses/by-nc-nd/2.0/
• [Encyclopedia - https://www.flickr.com/photos/stewart/461099066] by Stewart Butterfield under license https://creativecommons.org/licenses/by/2.0/
What Do Contribution Guidelines Say About Software Testing? (MSR 2025)
Andre Hora
 
Microsoft AI Nonprofit Use Cases and Live Demo_2025.04.30.pdf
Microsoft AI Nonprofit Use Cases and Live Demo_2025.04.30.pdfMicrosoft AI Nonprofit Use Cases and Live Demo_2025.04.30.pdf
Microsoft AI Nonprofit Use Cases and Live Demo_2025.04.30.pdf
TechSoup
 
Secure Test Infrastructure: The Backbone of Trustworthy Software Development
Secure Test Infrastructure: The Backbone of Trustworthy Software DevelopmentSecure Test Infrastructure: The Backbone of Trustworthy Software Development
Secure Test Infrastructure: The Backbone of Trustworthy Software Development
Shubham Joshi
 
Adobe Illustrator Crack FREE Download 2025 Latest Version
Adobe Illustrator Crack FREE Download 2025 Latest VersionAdobe Illustrator Crack FREE Download 2025 Latest Version
Adobe Illustrator Crack FREE Download 2025 Latest Version
kashifyounis067
 
The Significance of Hardware in Information Systems.pdf
The Significance of Hardware in Information Systems.pdfThe Significance of Hardware in Information Systems.pdf
The Significance of Hardware in Information Systems.pdf
drewplanas10
 
Agentic AI Use Cases using GenAI LLM models
Agentic AI Use Cases using GenAI LLM modelsAgentic AI Use Cases using GenAI LLM models
Agentic AI Use Cases using GenAI LLM models
Manish Chopra
 
Sales Deck SentinelOne Singularity Platform.pptx
Sales Deck SentinelOne Singularity Platform.pptxSales Deck SentinelOne Singularity Platform.pptx
Sales Deck SentinelOne Singularity Platform.pptx
EliandoLawnote
 
How to Optimize Your AWS Environment for Improved Cloud Performance
How to Optimize Your AWS Environment for Improved Cloud PerformanceHow to Optimize Your AWS Environment for Improved Cloud Performance
How to Optimize Your AWS Environment for Improved Cloud Performance
ThousandEyes
 
Shift Left using Lean for Agile Software Development
Shift Left using Lean for Agile Software DevelopmentShift Left using Lean for Agile Software Development
Shift Left using Lean for Agile Software Development
SathyaShankar6
 
Minitab 22 Full Crack Plus Product Key Free Download [Latest] 2025
Minitab 22 Full Crack Plus Product Key Free Download [Latest] 2025Minitab 22 Full Crack Plus Product Key Free Download [Latest] 2025
Minitab 22 Full Crack Plus Product Key Free Download [Latest] 2025
wareshashahzadiii
 
Adobe Photoshop CC 2025 Crack Full Serial Key With Latest
Adobe Photoshop CC 2025 Crack Full Serial Key  With LatestAdobe Photoshop CC 2025 Crack Full Serial Key  With Latest
Adobe Photoshop CC 2025 Crack Full Serial Key With Latest
usmanhidray
 
How to Batch Export Lotus Notes NSF Emails to Outlook PST Easily?
How to Batch Export Lotus Notes NSF Emails to Outlook PST Easily?How to Batch Export Lotus Notes NSF Emails to Outlook PST Easily?
How to Batch Export Lotus Notes NSF Emails to Outlook PST Easily?
steaveroggers
 
Mastering Fluent Bit: Ultimate Guide to Integrating Telemetry Pipelines with ...
Mastering Fluent Bit: Ultimate Guide to Integrating Telemetry Pipelines with ...Mastering Fluent Bit: Ultimate Guide to Integrating Telemetry Pipelines with ...
Mastering Fluent Bit: Ultimate Guide to Integrating Telemetry Pipelines with ...
Eric D. Schabell
 
Get & Download Wondershare Filmora Crack Latest [2025]
Get & Download Wondershare Filmora Crack Latest [2025]Get & Download Wondershare Filmora Crack Latest [2025]
Get & Download Wondershare Filmora Crack Latest [2025]
saniaaftab72555
 
Maxon CINEMA 4D 2025 Crack FREE Download LINK
Maxon CINEMA 4D 2025 Crack FREE Download LINKMaxon CINEMA 4D 2025 Crack FREE Download LINK
Maxon CINEMA 4D 2025 Crack FREE Download LINK
younisnoman75
 
Adobe Illustrator Crack | Free Download & Install Illustrator
Adobe Illustrator Crack | Free Download & Install IllustratorAdobe Illustrator Crack | Free Download & Install Illustrator
Adobe Illustrator Crack | Free Download & Install Illustrator
usmanhidray
 
EASEUS Partition Master Crack + License Code
EASEUS Partition Master Crack + License CodeEASEUS Partition Master Crack + License Code
EASEUS Partition Master Crack + License Code
aneelaramzan63
 
Download YouTube By Click 2025 Free Full Activated
Download YouTube By Click 2025 Free Full ActivatedDownload YouTube By Click 2025 Free Full Activated
Download YouTube By Click 2025 Free Full Activated
saniamalik72555
 
Meet the Agents: How AI Is Learning to Think, Plan, and Collaborate
Meet the Agents: How AI Is Learning to Think, Plan, and CollaborateMeet the Agents: How AI Is Learning to Think, Plan, and Collaborate
Meet the Agents: How AI Is Learning to Think, Plan, and Collaborate
Maxim Salnikov
 
Salesforce Aged Complex Org Revitalization Process .pdf
Salesforce Aged Complex Org Revitalization Process .pdfSalesforce Aged Complex Org Revitalization Process .pdf
Salesforce Aged Complex Org Revitalization Process .pdf
SRINIVASARAO PUSULURI
 
What Do Contribution Guidelines Say About Software Testing? (MSR 2025)
What Do Contribution Guidelines Say About Software Testing? (MSR 2025)What Do Contribution Guidelines Say About Software Testing? (MSR 2025)
What Do Contribution Guidelines Say About Software Testing? (MSR 2025)
Andre Hora
 
Microsoft AI Nonprofit Use Cases and Live Demo_2025.04.30.pdf
Microsoft AI Nonprofit Use Cases and Live Demo_2025.04.30.pdfMicrosoft AI Nonprofit Use Cases and Live Demo_2025.04.30.pdf
Microsoft AI Nonprofit Use Cases and Live Demo_2025.04.30.pdf
TechSoup
 
Secure Test Infrastructure: The Backbone of Trustworthy Software Development
Secure Test Infrastructure: The Backbone of Trustworthy Software DevelopmentSecure Test Infrastructure: The Backbone of Trustworthy Software Development
Secure Test Infrastructure: The Backbone of Trustworthy Software Development
Shubham Joshi
 
Adobe Illustrator Crack FREE Download 2025 Latest Version
Adobe Illustrator Crack FREE Download 2025 Latest VersionAdobe Illustrator Crack FREE Download 2025 Latest Version
Adobe Illustrator Crack FREE Download 2025 Latest Version
kashifyounis067
 
The Significance of Hardware in Information Systems.pdf
The Significance of Hardware in Information Systems.pdfThe Significance of Hardware in Information Systems.pdf
The Significance of Hardware in Information Systems.pdf
drewplanas10
 
Agentic AI Use Cases using GenAI LLM models
Agentic AI Use Cases using GenAI LLM modelsAgentic AI Use Cases using GenAI LLM models
Agentic AI Use Cases using GenAI LLM models
Manish Chopra
 
Sales Deck SentinelOne Singularity Platform.pptx
Sales Deck SentinelOne Singularity Platform.pptxSales Deck SentinelOne Singularity Platform.pptx
Sales Deck SentinelOne Singularity Platform.pptx
EliandoLawnote
 
How to Optimize Your AWS Environment for Improved Cloud Performance
How to Optimize Your AWS Environment for Improved Cloud PerformanceHow to Optimize Your AWS Environment for Improved Cloud Performance
How to Optimize Your AWS Environment for Improved Cloud Performance
ThousandEyes
 
Shift Left using Lean for Agile Software Development
Shift Left using Lean for Agile Software DevelopmentShift Left using Lean for Agile Software Development
Shift Left using Lean for Agile Software Development
SathyaShankar6
 
Minitab 22 Full Crack Plus Product Key Free Download [Latest] 2025
Minitab 22 Full Crack Plus Product Key Free Download [Latest] 2025Minitab 22 Full Crack Plus Product Key Free Download [Latest] 2025
Minitab 22 Full Crack Plus Product Key Free Download [Latest] 2025
wareshashahzadiii
 
Adobe Photoshop CC 2025 Crack Full Serial Key With Latest
Adobe Photoshop CC 2025 Crack Full Serial Key  With LatestAdobe Photoshop CC 2025 Crack Full Serial Key  With Latest
Adobe Photoshop CC 2025 Crack Full Serial Key With Latest
usmanhidray
 
How to Batch Export Lotus Notes NSF Emails to Outlook PST Easily?
How to Batch Export Lotus Notes NSF Emails to Outlook PST Easily?How to Batch Export Lotus Notes NSF Emails to Outlook PST Easily?
How to Batch Export Lotus Notes NSF Emails to Outlook PST Easily?
steaveroggers
 
Mastering Fluent Bit: Ultimate Guide to Integrating Telemetry Pipelines with ...
Mastering Fluent Bit: Ultimate Guide to Integrating Telemetry Pipelines with ...Mastering Fluent Bit: Ultimate Guide to Integrating Telemetry Pipelines with ...
Mastering Fluent Bit: Ultimate Guide to Integrating Telemetry Pipelines with ...
Eric D. Schabell
 
Get & Download Wondershare Filmora Crack Latest [2025]
Get & Download Wondershare Filmora Crack Latest [2025]Get & Download Wondershare Filmora Crack Latest [2025]
Get & Download Wondershare Filmora Crack Latest [2025]
saniaaftab72555
 
Maxon CINEMA 4D 2025 Crack FREE Download LINK
Maxon CINEMA 4D 2025 Crack FREE Download LINKMaxon CINEMA 4D 2025 Crack FREE Download LINK
Maxon CINEMA 4D 2025 Crack FREE Download LINK
younisnoman75
 
Adobe Illustrator Crack | Free Download & Install Illustrator
Adobe Illustrator Crack | Free Download & Install IllustratorAdobe Illustrator Crack | Free Download & Install Illustrator
Adobe Illustrator Crack | Free Download & Install Illustrator
usmanhidray
 
EASEUS Partition Master Crack + License Code
EASEUS Partition Master Crack + License CodeEASEUS Partition Master Crack + License Code
EASEUS Partition Master Crack + License Code
aneelaramzan63
 

Arm yourself with Domain Driven Security. It's time to slay some security trolls

  • 1. Arm yourself with Domain Driven Security. It’s time to slay some security trolls… @danbjson, @DanielDeogun Omegapoint DDD Europe Brussels January 2016
  • 2. About Us… Umeå, Malmö, Göteborg, Falun, New York, Stockholm. Daniel Deogun, Security Paratrooper. Dan Bergh Johnsson, Secure Domain Philosopher. Omegapoint
  • 3. Key Takeaways
    • DDSec helps one to design secure software without actively thinking about security
    • Treat injection flaws as a modelling problem rather than a validation problem
    • Context mapping is essential to avoid XSS and other 2nd order injection attacks
    • Micro-services will be scary as hell, unless the world gets a grip on context mapping
  • 4. Domain Driven Security @ DDD Europe
    • Presentation: Arm yourself with Domain Driven Security. It’s time to slay some security trolls…
      • Introduce field, get you curious
    • Hands-on: OWASP application security vulnerabilities and what Domain-Driven Security has to say about it
      • Bring a laptop, touch some code
      • OWASP, Injection Flaw, Cross-Site Scripting
    • Hands-on: Your business is under attack - a conceptual tour of Domain Driven Security state of the art
      • Presentation on subtle insights
      • In-depth discussions
  • 5. Attacks From A DDD Perspective [diagram: quadrant with the axis labels Simple Technical, Complex Technical, Simple Domain, Complex Domain]
  • 7. Technical Approach
    • OWASP “indata validation”
    • if(value < 0) -> don’t accept
    • Encourage separation of validation and data
    • Problem: whack-a-mole ahead!
  • 8. Analysis à la DDD
    • Observation
      • Quantity is modelled as integer
      • Quantity is an implicit concept
    • Analysis
      • Modelling is incomplete or missing
  • 9. Analysis à la DDD
    -1 : Integer
    -1 : Quantity
    OrderLine {ISBN, Quantity}
  • 10. Quantity made explicit - a good start
    public final class Quantity {
        public final int value;
        public Quantity(final int value) {
            isTrue(value > 0, "Quantity must be greater than zero. Got: %s", value);
            this.value = value;
        }
        …
  • 11. Ubiquitous Domain Primitives
    • Library of domain primitives
    • Consolidates business rules
    • Raises the floor
    void buyBook(String, int) -> buyBook(ISBN, Quantity)
  • 12. Another concept made explicit
    public final class EmailAddress {
        public final String value;
        public EmailAddress(final String value) {
            isTrue( ?????????, "Not valid email. Got: %s", value);
            this.value = value;
        }
        …
  • 13. Email according to spec
    • RFC 5322 3.4 Address Specification (RFC 821, RFC 2821)
    • Some OK examples
      • [email protected]
      • !#$%&'*+-/=?^_`{|}[email protected]
      • "Åsa Sjölander"@omegapoint.se
    • Regexp : (?:(?:rn)?[ t])*(?:(?:(?:[^()<>@,;:".[] 000-031]+(?:(?:(?:rn)?[ t])+|Z|(?=[ ["()<>@,;:".[]]))|"(?:[^"r]|.|(?:(?:rn)?[ t]))*"(?:(?:rn)?[ t])*)(?:.(?:(?:rn)?[ t])*(?: [^()<>@,;:".[] 000-031]+(?:(?:(?:rn)?[ t])+|Z|(?=[["()<>@,;:".[]]))|"(?:[^"r]|.|(?:(?:r n)?[ t]))*"(?:(?:rn)?[ t])*))*@(?:(?:rn)?[ t])*(?:[^()<>@,;:".[] 000-031]+(?:(?:(?:rn)?[ t]) +|Z|(?=[["()<>@,;:".[]]))|[([^[]r]|.)*](?:(?:rn)?[ t])*)(?:.(?:(?:rn)?[ t])*(?:[^()<>@,;: ".[] 000-031]+(?:(?:(?:rn)?[ t])+|Z|(?=[["()<>@,;:".[]]))|[([^[]r]|.)*](?:(?:rn)? [ t])*))*|(?:[^()<>@,;:".[] 000-031]+(?:(?:(?:rn)?[ t])+|Z|(?=[["()<>@,;:".[]]))|"(?:[^"r ]|.|(?:(?:rn)?[ t]))*"(?:(?:rn) /… 6424 chars
  • 14. You define Your domain
    • Bounded Context - bounded by what you need
    • Is “[email protected]” sensible to you?
    • Strength not by “how wide” but by “how specific”
    • Start simple - limit to your core cases
      • E.g. “[email protected]”
    • Let the model grow
  • 15. What is DDSec? “Domain Driven Security is about taking ideas from DDD and using them as tools to address security concerns, even though the tools were not originally designed specifically for security issues.” - Dan Bergh Johnsson, Dr. John Wilander [2009] http://dearjunior.blogspot.be/2009/09/introducing-domain-driven-security.html
  • 16. Attacks From A DDD Perspective [diagram: quadrant with the axis labels Simple Technical, Complex Technical, Simple Domain, Complex Domain]
  • 17. Injection Flaw “Injection flaws, such as SQL, OS, and LDAP injection occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization.” - OWASP top 10
  • 18. The Classics - Dynamic SQL String
    SELECT … FROM Users WHERE username = '<?username>' AND password = '<?password>'
    Input: danbj, catsarecute
    SELECT … FROM Users WHERE username = 'danbj' AND password = 'catsarecute'
    Warning! This is just an example. Do not store passwords in plain text. Do not use relational databases for user management.
  • 19. SQL Injection
    SELECT … FROM Users WHERE username = '<?username>' AND password = '<?password>'
    Input: evilhaxxOr, 'OR 1=1 --
    SELECT … FROM Users WHERE username = 'evilhaxxOr' AND password = ''OR 1=1 --'
    SELECT … FROM Users WHERE username = ''OR 1=1 --' AND password = 'doesnotmatteranymore'
    Warning! This is just an example. Do not store passwords in plain text. Do not use relational databases for user management.
  • 21. What’s the problem? And the solution?
    • 'OR 1=1 -- is not a valid username
    • This is implicit in the code
    • Needs to be made explicit
    • Modelling required
  • 22. Prepared Statements AKA Parametrised Queries
    • SQL Injection is solved by prepared statements
    • But what if the query structure is dynamic?
    • Other Injection Flaws
      • LDAP, Command, XPath, HTTP header …
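An added example, not from the slides, that puts slides 21 and 22 together: the username is made explicit as a domain primitive, and the lookup binds it through a prepared statement so the value stays data even once the model grows. The username rule, the Users table and column names and the findUserId method are assumptions; the JDBC lookup needs a real Connection and is only compiled here, not called from main.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.Optional;
import java.util.regex.Pattern;

public final class UserLookup {

    /** Username made explicit: the "modelling required" of slide 21. */
    public static final class Username {
        // Assumed rule for this context: 3 to 32 letters, digits, dots, underscores or hyphens
        private static final Pattern VALID = Pattern.compile("[A-Za-z0-9._-]{3,32}");
        public final String value;

        public Username(final String value) {
            if (value == null || !VALID.matcher(value).matches()) {
                throw new IllegalArgumentException("Not a valid username. Got: " + value);
            }
            this.value = value;
        }

        @Override public String toString() { return value; }
    }

    // The classic from slide 18, kept only for comparison: the input becomes part of the code
    static String dynamicSql(String username) {
        return "SELECT id FROM Users WHERE username = '" + username + "'";
    }

    /**
     * Hardened lookup with two independent layers: the Username type rejects anything outside
     * the model, and the prepared statement binds the value as data so the query text is fixed.
     * Table and column names are assumed; password checking is deliberately out of scope.
     */
    static Optional<Long> findUserId(Connection connection, Username username) throws SQLException {
        try (PreparedStatement stmt = connection.prepareStatement(
                "SELECT id FROM Users WHERE username = ?")) {
            stmt.setString(1, username.value);   // bound parameter, never string concatenation
            try (ResultSet rs = stmt.executeQuery()) {
                return rs.next() ? Optional.of(rs.getLong("id")) : Optional.empty();
            }
        }
    }

    public static void main(String[] args) {
        // Constructed inputs: an ordinary name and the value from slide 19
        String[] inputs = { "danbj", "evilhaxxOr' OR 1=1 --" };
        for (String in : inputs) {
            System.out.println("dynamic SQL would have been: " + dynamicSql(in));
            try {
                Username u = new Username(in);
                System.out.println("Accepted by the model: " + u);
            } catch (IllegalArgumentException e) {
                System.out.println("Rejected by the model: " + e.getMessage());
            }
        }
    }
}
```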
  • 23. HTTP Response with Cookie [https://www.owasp.org/index.php/HTTP_Response_Splitting]
    String author = … /* request, database, user setting … */
    ...
    Cookie cookie = new Cookie("author", author);
    cookie.setMaxAge(cookieExpiration);
    response.addCookie(cookie);

    HTTP/1.1 200 OK
    ...
    Set-Cookie: author=Jane Smith
    …
    <html><head><title>The real content</title> ...
  • 24. HTTP Injection
    Hacked ‘author’ value into database/setting …
    author : "Wiley Hacker\r\nHTTP/1.1 200 OK\r\n..."

    HTTP/1.1 200 OK
    ...
    Set-Cookie: author=Wiley Hacker
    HTTP/1.1 200 OK
    …
    <html><head><title>Hacked content</title> …
    ...
    <html><head><title>The real content</title> ...
    [https://www.owasp.org/index.php/HTTP_Response_Splitting]
  • 25. RFC 2616 HTTP/1.1 Ch 4 HTTP Message
    HTTP-message    = Request | Response     ; HTTP/1.1 messages
    generic-message = start-line
                      *(message-header CRLF)
                      CRLF
                      [ message-body ]
    start-line      = Request-Line | Status-Line
    message-header  = field-name ":" [ field-value ]
    field-name      = token
    field-value     = *( field-content | LWS )
    field-content   = <the OCTETs making up the field-value and consisting of either *TEXT or combinations of token, separators, and quoted-string>
    http://www.w3.org/Protocols/rfc2616/rfc2616-sec4.html#sec4
  • 26. DDSec to the Rescue on Injection Flaw
    • DDD helps one to separate data from code
    • Validating with respect to the model is crucial
  • 27. A Quick Note On Validation
    • Validation order
      • Origin
      • Length
      • (Lexeme, content text)
      • Parsing, content structure
      • Semantics
    - Dr. John Wilander
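Two added examples in one, neither from the slides. The first covers slides 23 to 26: the author value is modelled as a HeaderValue whose rule is taken from the RFC 2616 field-content grammar, so a CR or LF is rejected before it can reach Set-Cookie. The HeaderValue name, the 256-character limit and the sample values are assumptions.

```java
/** A value that may be placed in an HTTP header field: it is data, never message framing. */
public final class HeaderValue {
    private static final int MAX_LENGTH = 256;   // assumed limit for this context

    public final String value;

    public HeaderValue(final String value) {
        if (value == null) {
            throw new IllegalArgumentException("Header value must not be null");
        }
        if (value.length() > MAX_LENGTH) {
            throw new IllegalArgumentException("Header value too long: " + value.length());
        }
        if (!isFieldContent(value)) {
            throw new IllegalArgumentException("Header value is not RFC 2616 field-content");
        }
        this.value = value;
    }

    /**
     * RFC 2616 field-content is built from TEXT: any OCTET except CTLs (0-31 and 127).
     * The grammar does admit CRLF inside LWS (header folding), but folding is exactly the
     * seam response splitting pushes through and RFC 7230 has since made it obsolete, so CR
     * and LF are rejected outright here. SP and HT stay allowed.
     */
    static boolean isFieldContent(String s) {
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            if (c == '\t') {
                continue;                         // HT is part of LWS and allowed
            }
            if (c < 0x20 || c == 0x7F) {
                return false;                     // CTL, which covers CR (0x0D) and LF (0x0A)
            }
        }
        return true;
    }

    @Override public String toString() { return value; }

    public static void main(String[] args) {
        // Constructed samples: an ordinary name and the splitting value from slide 24
        String[] samples = { "Jane Smith", "Wiley Hacker\r\nHTTP/1.1 200 OK\r\n..." };
        for (String s : samples) {
            try {
                HeaderValue author = new HeaderValue(s);
                // Only a HeaderValue ever reaches the header. The cookie grammar (RFC 6265)
                // is stricter still and would be the next rule to add in this context.
                System.out.println("Set-Cookie: author=" + author);
            } catch (IllegalArgumentException e) {
                System.out.println("Rejected: " + e.getMessage());
            }
        }
    }
}
```

The second covers the EmailAddress of slides 12 to 14 and the validation order of slide 27: a deliberately narrow bounded-context grammar instead of the 6424-character RFC regexp, checked in the order length, lexeme, structure, semantics (origin is the caller's concern; it is not in the string). The alphabet, the 64-character limit, the isTrue helper and the sample addresses are assumptions.

```java
import java.util.Locale;
import java.util.Objects;
import java.util.regex.Pattern;

/** EmailAddress for a narrow bounded context; checks run in the slide-27 order. */
public final class EmailAddress {
    // Assumed limit for this context, well below what the mail RFCs allow
    private static final int MAX_LENGTH = 64;
    // Lexeme: the only characters this context accepts (no quoted local parts, comments, etc.)
    private static final Pattern LEXEME = Pattern.compile("[A-Za-z0-9.@_+-]+");
    // Structure: dot-separated local part, exactly one '@', a domain with at least one dot
    private static final Pattern STRUCTURE = Pattern.compile(
        "[A-Za-z0-9_+-]+(\\.[A-Za-z0-9_+-]+)*@([A-Za-z0-9-]+\\.)+[A-Za-z]{2,}");

    public final String value;

    public EmailAddress(final String raw) {
        isTrue(raw != null, "Email address must not be null");
        // 1. Length: cheap, and keeps oversized input away from the regular expressions
        isTrue(raw.length() <= MAX_LENGTH, "Email address too long: %d chars", raw.length());
        // 2. Lexeme: every character must come from the accepted alphabet
        isTrue(LEXEME.matcher(raw).matches(), "Email address contains unsupported characters");
        // 3. Structure: the shape local@domain.tld that this context understands
        isTrue(STRUCTURE.matcher(raw).matches(), "Email address has invalid structure: %s", raw);
        // 4. Semantics: domain names are case-insensitive, so normalise the domain part only
        int at = raw.lastIndexOf('@');
        this.value = raw.substring(0, at) + "@" + raw.substring(at + 1).toLowerCase(Locale.ROOT);
    }

    public String domain() {
        return value.substring(value.lastIndexOf('@') + 1);
    }

    // Same signature as the isTrue used on the slides (Apache Commons Lang Validate.isTrue)
    private static void isTrue(boolean condition, String message, Object... args) {
        if (!condition) {
            throw new IllegalArgumentException(String.format(message, args));
        }
    }

    @Override public boolean equals(Object o) {
        return o instanceof EmailAddress && value.equals(((EmailAddress) o).value);
    }
    @Override public int hashCode() { return Objects.hash(value); }
    @Override public String toString() { return value; }

    public static void main(String[] args) {
        // Constructed sample inputs: one accepted, three rejected at different steps
        String[] samples = {
            "Dan.Bergh@Example.COM",
            "!#$%&'*+-/=?^_`{|}~@example.com",   // RFC-valid, rejected at the lexeme check
            "dan@localhost",                       // no dot in the domain: rejected at structure
            "a".repeat(70) + "@example.com",       // rejected at the length check
        };
        for (String s : samples) {
            try {
                EmailAddress e = new EmailAddress(s);
                System.out.println("Accepted: " + e + " (domain " + e.domain() + ")");
            } catch (IllegalArgumentException ex) {
                System.out.println("Rejected: " + ex.getMessage());
            }
        }
    }
}
```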
  • 28. Attacks From A DDD Perspective [diagram: quadrant with the axis labels Simple Technical, Complex Technical, Simple Domain, Complex Domain]
  • 29. Cross Site Scripting (XSS) “XSS flaws occur whenever an application takes untrusted data and sends it to a web browser without proper validation or escaping. XSS allows attackers to execute scripts in the victim’s browser which can hijack user sessions, deface web sites, or redirect the user to malicious sites.” - OWASP top 10
  • 33. Fix the Broken Mapping [diagram: the text "<script>" carried unchanged from the Text context into the Code context is the broken mapping; the fixed mapping renders it in the Code context as "&lt;script&gt;"]
  • 37. Preventing Data Leakage
    read once object [Daniel Sawano]
    import java.io.Externalizable;
    import java.io.IOException;
    import java.io.ObjectInput;
    import java.io.ObjectOutput;
    import java.util.concurrent.atomic.AtomicReference;
    import static org.apache.commons.lang3.Validate.notNull;   // same notNull signature as on the slide

    public final class SensitiveValue implements Externalizable {
        private final AtomicReference<String> value;
        public SensitiveValue(final String value) {
            this.value = new AtomicReference<>(validated(value));
        }
        // Read once: the first caller gets the value, every later call fails instead of leaking it
        public String value() {
            return notNull(value.getAndSet(null), "Sensitive value has already been consumed");
        }
        @Override public String toString() {
            return "SensitiveValue value = *****";   // never the real value in logs or debuggers
        }
        // Serialization in either direction is refused (the slide shows both methods collapsed into one)
        @Override public void writeExternal(final ObjectOutput out) throws IOException {
            throw new UnsupportedOperationException("Not allowed on sensitive value");
        }
        @Override public void readExternal(final ObjectInput in) throws IOException {
            throw new UnsupportedOperationException("Not allowed on sensitive value");
        }
        // validated(...) is not shown on the slide; assumed to apply the domain's own rules
        private static String validated(final String value) {
            return notNull(value, "Sensitive value must not be null");
        }
    }
  • 38. How did DDSec Help Us?
    • DDD gave deeper insight in nature of XSS
    • Context mapping allows one to “detect” possible broken maps
    • Modeling confidentiality protects against accidental disclosure of sensitive data
  • 39. Attacks From A DDD Perspective [diagram: quadrant with the axis labels Simple Technical, Complex Technical, Simple Domain, Complex Domain]
  • 40. Complex Domain Attack [diagram: context map of Order, Finance, Storage and Shipping, with -1 crossing each boundary]
  • 43. Making a change with surgical precision [diagram: context map with the labels Payment Policy, Payment, Confirm, Reject, Giro Bounce, Giro Confirm, Purchase, Bank, Insurance]
  • 44. What we would have done [diagram: context map with the labels Payment Policy, Cash Payment, Giro Payment, Payment, Confirm, Reject, Giro Bounce, Giro Confirm, Purchase, Bank, Insurance]
  • 45. Micro-Service Hell
    • We’re moving towards more and more micro-services
    • Implemented by separate teams
    • How do we guarantee correct context mappings?
  • 46. Key Takeaways
    • DDSec helps one to design secure software without actively thinking about security
    • Treat injection flaws as a modelling problem rather than a validation problem
    • Context mapping is essential to avoid XSS and other 2nd order injection attacks
    • Micro-services will be scary as hell, unless the world gets a grip on context mapping
  • 47. Current State, Future Direction
    • Academic research on DDSec
      • Two master’s thesis projects in cooperation with Royal Institute of Technology (KTH)
      • Cooperation with Linnaeus University, computer science dept
    • Industry practice
      • Practice every day
      • More needed - especially regarding how to handle micro-services
      • Investigating DDSec as applicable to DDOS-attacks
    • Writing
      • Early stage of book by Dan Bergh Johnsson, Daniel Deogun and Daniel Sawano.
  • 50. Image References
    • [Questions - https://flic.kr/p/9ksxQa] by Damián Navas under license https://creativecommons.org/licenses/by-nc-nd/2.0/
    • [Encyclopedia - https://www.flickr.com/photos/stewart/461099066] by Stewart Butterfield under license https://creativecommons.org/licenses/by/2.0/