Secure Coding
the bare minimum – understand the problem

Introduction
• Andi R Djunaedi
• Software Engineer at blibli.com since March 2014
• https://www.linkedin.com/in/andird
• https://github.com/andirdju
• https://github.com/bliblidotcom
Overview – understand the problem
• Theory
  • Code
    • Web application -> we’ll talk about this
    • Operating System
    • Network
    • Other?
• Importance
• Practice, get your laptop, pc or whatever
• How it works

Theory - Code
• Web Applications
  • OWASP Top 10 List - new list every 3 years
    • https://www.owasp.org/index.php/Top_10_2013-Top_10
    • https://www.owasp.org/index.php/Top_10_2010-Main
  • Top 3 - Samples
    • SQL Injection
      • Arbitrary SQL query execution
    • Session Fixation
      • Assume another user’s identity
    • Cross Site Scripting
      • Arbitrary client code (javascript, html) execution
Importance – Non Security
• Performance
  • poor user experience
  • redesign, refactor, make it faster
• Code coverage
  • buggy, more time spent fixing bugs
  • stop the leak
• When
  • next iteration

Importance – Security
• How to fix security incidents ???
  • Personal/Financial data stolen
  • Data deleted
• When
  • NOW !!!
Practice – Understand the problem
• Run bad web app
• OWASP Top 3 Sample
  • SQL Injection
  • Session Fixation
  • Cross Site Scripting
• Exercise

Run – web app
• Git, Jdk 8, Maven
• https://github.com/bliblidotcom/sample-basic-secure-coding
• In memory H2 database
• Embedded server
• mvn spring-boot:run
• http://localhost:8080
Get your laptop – SQL Injection
• Demo – the valid use case is only to find one record by id; injected input can instead:
  • Read all records
  • Insert new records
  • Delete all records
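As an added example, not code from the sample-basic-secure-coding project, here is the "find one record by id" lookup from this slide written twice: once with string concatenation, which is what lets the query read, insert or delete anything, and once with the SQL named parameter that the deck's "What's Next" slide recommends. It assumes spring-jdbc and the H2 driver on the classpath (both ship with a Spring Boot project using an in-memory H2 database); the `member` table, its rows, the `SqlInjectionDemo` class and the hostile input are constructed for the example.

```java
import java.util.List;
import java.util.Map;

import javax.sql.DataSource;

import org.springframework.jdbc.core.JdbcTemplate;
import org.springframework.jdbc.core.namedparam.MapSqlParameterSource;
import org.springframework.jdbc.core.namedparam.NamedParameterJdbcTemplate;
import org.springframework.jdbc.datasource.DriverManagerDataSource;

/**
 * Added example (not from the deck's sample project): the same lookup
 * written with string concatenation (injectable) and with a named
 * parameter (the fix). Assumes spring-jdbc and the H2 driver are available.
 */
public class SqlInjectionDemo {

    private final JdbcTemplate jdbc;
    private final NamedParameterJdbcTemplate namedJdbc;

    public SqlInjectionDemo(DataSource ds) {
        this.jdbc = new JdbcTemplate(ds);
        this.namedJdbc = new NamedParameterJdbcTemplate(ds);
    }

    /** Vulnerable: the id is pasted into the SQL text, so it can rewrite the query. */
    public List<Map<String, Object>> findByIdUnsafe(String id) {
        String sql = "SELECT id, name FROM member WHERE id = '" + id + "'";
        return jdbc.queryForList(sql);
    }

    /** Fixed: the id travels as a bound value and is never parsed as SQL. */
    public List<Map<String, Object>> findByIdSafe(String id) {
        String sql = "SELECT id, name FROM member WHERE id = :id";
        return namedJdbc.queryForList(sql, new MapSqlParameterSource("id", id));
    }

    public static void main(String[] args) {
        // Constructed sample data in an in-memory H2 database (assumed driver/URL).
        DriverManagerDataSource ds = new DriverManagerDataSource();
        ds.setDriverClassName("org.h2.Driver");
        ds.setUrl("jdbc:h2:mem:demo;DB_CLOSE_DELAY=-1");
        JdbcTemplate setup = new JdbcTemplate(ds);
        setup.execute("CREATE TABLE member (id VARCHAR(16) PRIMARY KEY, name VARCHAR(64))");
        setup.update("INSERT INTO member VALUES ('1', 'alice'), ('2', 'bob')");

        SqlInjectionDemo demo = new SqlInjectionDemo(ds);

        // The valid use case: one record by id. Both versions return the same single row.
        System.out.println(demo.findByIdUnsafe("1"));
        System.out.println(demo.findByIdSafe("1"));

        // Input that is not an id (constructed). In the concatenated query it becomes
        // "WHERE id = '' OR '1'='1'" and every member comes back; the parameterised
        // query looks for a member whose id is literally that string and finds none.
        String hostile = "' OR '1'='1";
        System.out.println("unsafe rows: " + demo.findByIdUnsafe(hostile).size());
        System.out.println("safe rows:   " + demo.findByIdSafe(hostile).size());
    }
}
```

The same binding discipline applies to inserts and deletes: the `INSERT` and `DELETE` variants on this slide stop working the moment the id can only ever be a value. A quick code-review check is to grep the repository for `" +` inside a string that starts with `SELECT`, `INSERT`, `UPDATE` or `DELETE`.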
Get your laptop – Session Fixation
• Demo - session info should only be known to the user
  • Bad person (A) creates a new session
  • Persuades an unsuspecting person (B) via phishing
  • Bad person (A) now gets the session information of the other person (B)
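As an added example, not code from the deck's sample project, the two login handlers below show the difference between keeping and regenerating the session id at login, which is the "Regenerate session id" fix on the "What's Next" slide. In the unsafe handler the session that person B arrived with, and therefore its id, simply becomes the authenticated session, so whoever planted that id now holds B's login. In the safe handler the id is swapped at the moment of authentication, so an id known before login no longer identifies anything. It assumes the Servlet 3.1 API (`javax.servlet`, as shipped with Spring Boot's embedded Tomcat); the class names, the `/login-*` paths and the `credentialsValid` stand-in are constructed.

```java
import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Added example (not from the deck's sample project). Two login servlets:
 * LoginUnsafeServlet keeps whatever session id the browser arrived with;
 * LoginSafeServlet issues a fresh id once the credentials check out.
 * Assumes the Servlet 3.1 API for HttpServletRequest.changeSessionId().
 */
public class SessionFixationDemo {

    /** Stand-in credential check (constructed); a real app verifies a password hash. */
    static boolean credentialsValid(String user, String password) {
        return "alice".equals(user) && "correct horse".equals(password);
    }

    /** Vulnerable: the pre-login session, id included, is promoted to an authenticated one. */
    public static class LoginUnsafeServlet extends HttpServlet {
        @Override
        protected void doPost(HttpServletRequest req, HttpServletResponse resp)
                throws ServletException, IOException {
            if (!credentialsValid(req.getParameter("user"), req.getParameter("password"))) {
                resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
                return;
            }
            HttpSession session = req.getSession(true);
            session.setAttribute("user", req.getParameter("user"));
            resp.setStatus(HttpServletResponse.SC_NO_CONTENT);
        }
    }

    /** Fixed: same session attributes, but the id is rotated at authentication time. */
    public static class LoginSafeServlet extends HttpServlet {
        @Override
        protected void doPost(HttpServletRequest req, HttpServletResponse resp)
                throws ServletException, IOException {
            if (!credentialsValid(req.getParameter("user"), req.getParameter("password"))) {
                resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
                return;
            }
            HttpSession session = req.getSession(true);
            String before = session.getId();
            // Servlet 3.1+: keeps the attributes, replaces the id, re-issues the cookie.
            String after = req.changeSessionId();
            // On older containers: copy the attributes, session.invalidate(), getSession(true).
            session.setAttribute("user", req.getParameter("user"));
            log("session id rotated at login: " + !before.equals(after));
            resp.setStatus(HttpServletResponse.SC_NO_CONTENT);
        }
    }
}
```

In a Spring Boot application these would be registered with a `ServletRegistrationBean`; if Spring Security is on the classpath it already applies this rotation on successful authentication, so the safe servlet shows what that default does rather than something extra to add. The `log` line is the check worth keeping in a test: after a successful login the session id in the response cookie must differ from the one in the request.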
Get your laptop – Cross Site Scripting
• Demo – the valid use case only displays a list of data
• The payload can be stored via the same SQL injection
  • Html
    • Add html form
  • Javascript
    • Add pop up
    • Add redirect
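As an added example, not code from the deck's sample project, here is the "list of data" from this slide rendered once by pasting stored values straight into the page and once through HTML escaping, the "Content escaping" fix from the "What's Next" slide. It assumes spring-web on the classpath for `HtmlUtils`; the `XssEscapingDemo` class and the sample rows, including the stored pop-up payload, are constructed.

```java
import java.util.Arrays;
import java.util.List;

import org.springframework.web.util.HtmlUtils;

/**
 * Added example (not from the deck's sample project): rendering a list of
 * stored names with and without output escaping. Assumes spring-web for
 * HtmlUtils.htmlEscape; everything else is java.util.
 */
public class XssEscapingDemo {

    /** Vulnerable: stored text is emitted as markup, so tags and scripts in it run. */
    public static String renderUnsafe(List<String> names) {
        StringBuilder html = new StringBuilder("<ul>");
        for (String name : names) {
            html.append("<li>").append(name).append("</li>");
        }
        return html.append("</ul>").toString();
    }

    /** Fixed: each value is escaped for the HTML element context before it is emitted. */
    public static String renderSafe(List<String> names) {
        StringBuilder html = new StringBuilder("<ul>");
        for (String name : names) {
            html.append("<li>").append(HtmlUtils.htmlEscape(name)).append("</li>");
        }
        return html.append("</ul>").toString();
    }

    public static void main(String[] args) {
        // Constructed rows, as if written to the table through the SQL injection on
        // the earlier slide: one honest name, one carrying the slide's "pop up".
        List<String> names = Arrays.asList("alice", "<script>alert('pop up')</script>");

        // A browser would execute the second item in this output...
        System.out.println(renderUnsafe(names));
        // ...and only display it in this one: < > ' become &lt; &gt; &#39;.
        System.out.println(renderSafe(names));
    }
}
```

`HtmlUtils.htmlEscape` is the right tool for text placed between tags; a value landing inside an attribute, a URL or a script block needs the encoder for that context instead. Template engines such as Thymeleaf escape `th:text` output by default, so the risk in a Spring Boot app is usually a deliberate unescaped output (`th:utext`, or manual string building as above), which is what a review should look for.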
What’s Next
• Crack the other API
  • it has similar problems
• Fix the exploit
  • Don’t repeat yourself by creating custom solutions
    • SQL named parameter
    • Regenerate session id
    • Content escaping
Tech IT Easy x DevTalk : "Secure Your Coding with OWASP"