© 2019 Synopsys, Inc.
OWASP Top 10 for JavaScript Developers
Lewis Ardern
Senior Security Consultant, Synopsys
https://twitter.com/LewisArdern
About me
• Sr. Security Consultant @ Synopsys Software Integrity Group (SIG)
o Formerly Cigital
• AngularSF organizer
o https://www.meetup.com/Angular-SF/
• B.Sc. in computer security and ethical hacking
o Founder of http://leedshackingsociety.co.uk/
• JavaScript enthusiast!
What is the OWASP Top 10?
• 10 critical web application security risks
• Common flaws and weaknesses
• Present in nearly all applications
Modern, evidence-based risks (data covers 2014–2017)
• 114,000 apps
• 9,000 bug bounties
• 40 security consultancies and 1 bug bounty firm
• 50+ CWEs accepted in raw data
Community-chosen risks
• 500 survey responses
A1:2017 Injection
The dangers of mixing data and code
NoSQL injection
• No SQL injection != No injection in NoSQL
• Official documentation says “no SQL injection”
• Vulnerable if:
o User input includes a Mongo query selector:
$ne, $lt, $gt, $eq, $regex, etc.
o User input is directly included into a collection method as
part of the query:
find, findOne, findOneAndUpdate, etc.
https://docs.mongodb.com/manual/faq/fundamentals/#how-does-mongodb-address-sql-or-query-injection
https://docs.mongodb.com/manual/reference/operator/query/
https://docs.mongodb.com/manual/reference/method/
Vulnerable MongoDB log-in example
Injection:
https://url.to/login?user=admin&pass[$ne]=
Query output:
Demo
MongoDB injection
MongoDB injection prevention
• Ensure user input is a String inside a collection method
https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/String
• Perform custom data validation
https://github.com/hapijs/joi
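The following is an added example, not code from the slides or from Synopsys. It reproduces the log-in flaw from the `pass[$ne]=` slide and the string check from this one, offline: a constructed user list and a toy matcher stand in for a MongoDB collection, and the request objects are what Express's extended query parser would produce. `loginVulnerable`, `loginSafe`, `findOne` and `USERS` are names chosen here; joi-style schema validation would be the alternative to the inline `typeof` check.

```javascript
// Constructed stand-in for the users collection; no database is contacted.
// Passwords are plaintext only to keep the demo short; real code compares a hash.
const USERS = [
  { user: 'admin', pass: 'correct horse battery staple' },
  { user: 'alice', pass: 'hunter2' },
];

// Toy matcher covering the two selector shapes this example needs: a plain value
// (equality) and an object carrying `$ne`. Real MongoDB supports far more.
function fieldMatches(stored, selector) {
  if (selector !== null && typeof selector === 'object') {
    if (Object.prototype.hasOwnProperty.call(selector, '$ne')) {
      return stored !== selector.$ne;
    }
    return false; // any other operator is unsupported by this toy matcher
  }
  return stored === selector;
}

function findOne(collection, query) {
  const hit = collection.find((doc) =>
    Object.keys(query).every((key) => fieldMatches(doc[key], query[key]))
  );
  return hit === undefined ? null : hit;
}

// Vulnerable: whatever arrived in the query string becomes the selector, so
// `pass[$ne]=` turns the password check into "password is not the empty string".
function loginVulnerable(reqQuery) {
  return findOne(USERS, { user: reqQuery.user, pass: reqQuery.pass });
}

// Hardened: both fields must be strings before they reach the collection method.
// Objects, arrays and missing values are a failed login, never a selector.
function loginSafe(reqQuery) {
  const { user, pass } = reqQuery;
  if (typeof user !== 'string' || typeof pass !== 'string') {
    return null;
  }
  return findOne(USERS, { user, pass });
}

// Constructed request objects. INJECTED_REQUEST is what Express's extended query
// parser produces for `?user=admin&pass[$ne]=`.
const GOOD_REQUEST = { user: 'admin', pass: 'correct horse battery staple' };
const INJECTED_REQUEST = { user: 'admin', pass: { $ne: '' } };

if (typeof require !== 'undefined' && require.main === module) {
  console.log('vulnerable handler, injected input:', loginVulnerable(INJECTED_REQUEST));
  console.log('hardened handler, injected input  :', loginSafe(INJECTED_REQUEST));
  console.log('hardened handler, real password   :', loginSafe(GOOD_REQUEST));
}
```

The vulnerable handler returns the admin document for the injected request because `{ $ne: '' }` matches every non-empty password; the hardened handler returns `null` for the same input and still authenticates the genuine credentials.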
Injection prevention
• Parameterized mechanisms
https://github.com/tediousjs/node-mssql#input-name-type-value
https://github.com/mysqljs/mysql#escaping-query-identifiers
• Secure APIs
https://github.com/tediousjs/node-mssql#prepared-statements
• Perform input validation & output encoding
https://dev.to/azure/pushing-left-like-a-boss-part-5-1-input-validation-output-encoding-and-parameterized-queries-2749
A2:2017 Broken Authentication
Broken authentication and session management
Insecure object comparison
What happens if you create your own authentication middleware?
Comparison table
Value                          Return
SESSIONS['invalidString']      False
SESSIONS['']                   False
SESSIONS['constructor']        True
SESSIONS['hasOwnProperty']     True
What happens when you create an object in JavaScript?
Exploit
This issue is trivial to exploit.
• Using cURL we can simply run the following command:
curl https://localhost:9000 -H "Cookie: token=constructor"
• Alternatively, you can just set the document.cookie value via the browser
Demo
Insecure object comparison
How do we correctly check?
Use crypto.timingSafeEqual(a, b)
• https://nodejs.org/api/crypto.html#crypto_crypto_timingsafeequal_a_b
• It compares the two values in constant time and so prevents timing attacks
Object.prototype.hasOwnProperty and Map.prototype.has only consult own entries, never properties inherited from the prototype chain
• https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Object/hasOwnProperty
• https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Map/has
A3:2017 Sensitive Data Exposure
RESTful API data leakage
Do not include verbose error messages in JSON
• Verbose error messages lead to system information disclosure
• Although the client-side application displays a generic error message, the JSON response
might still contain full error messages
• Malicious users may use a web proxy to read the stack trace output in JSON
Caution: Detailed system information might not seem that significant at first sight. However, it
can inform attackers on the internals of the system or infrastructure, and help them drive
further attacks.
Disclosing information via error messages in JSON
This code shows an SQL error message passed in JSON and the JavaScript code used to
mask it.
JavaScript code to handle the error:
A4:2017 XML External Entities (XXE)
XML external entities (XXE) injection
node-expat
• 48,353 weekly downloads
• Vulnerable by default
• No way to configure parser to disable DTD
https://help.semmle.com/wiki/display/JS/XML+internal+entity+expansion
XML external entities (XXE) injection
libxmljs
• 47,876 weekly downloads
• Vulnerable if noent is set to true
https://help.semmle.com/wiki/display/JS/XML+external+entity+expansion
XML external entities (XXE) vulnerable example
Libxmljs can be vulnerable to XXE
https://github.com/appsecco/dvna/blob/69f46843c05613d707fa5d036e350cca37deeb19/core/appHandler.js#L235
XML injection prevention
• Consider using a library that does not process DTDs.
https://github.com/isaacs/sax-js
• Use libraries with safe defaults, such as libxmljs (apart from its sax parser).
https://github.com/libxmljs/libxmljs
• If entities such as & or > need to be expanded, use lodash, underscore, or he.
https://lodash.com/docs/4.17.11#unescape
https://underscorejs.org/#unescape
https://github.com/mathiasbynens/he
• Alternatively, strict input validation/output encoding must be performed before parsing.
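An added example for the last two bullets, not code from the slides. It performs the "strict input validation before parsing" step by refusing any document that declares a DTD, records the libxmljs option the slides name (`noent`) in its safe position, and expands only the five predefined XML entities for the case where `&amp;` or `&gt;` need unescaping. No XML library is loaded; the function names, the options constant and the two sample documents are constructed.

```javascript
// Any DOCTYPE or ENTITY declaration is refused before a parser sees the document.
// This errs on the side of rejecting (a DOCTYPE inside a comment is also caught),
// which is the right default for a service that never expects DTDs.
const DTD_DECLARATION = /<!(DOCTYPE|ENTITY)\b/i;

function assertNoDtd(xml) {
  if (typeof xml !== 'string') throw new TypeError('XML input must be a string');
  const match = DTD_DECLARATION.exec(xml);
  if (match) {
    throw new Error(`rejected: <!${match[1].toUpperCase()} declaration at offset ${match.index}`);
  }
  return xml;
}

// If libxmljs must be used, entity substitution stays off: pass these options as
// the second argument of parseXml. noent is the switch the slides identify.
const LIBXMLJS_SAFE_OPTIONS = Object.freeze({ noent: false });

// The five predefined XML entities, expanded in a single pass so that a value
// such as "&amp;lt;" becomes "&lt;" and is not expanded a second time.
const PREDEFINED_ENTITIES = { amp: '&', lt: '<', gt: '>', quot: '"', apos: "'" };

function unescapePredefinedEntities(text) {
  return String(text).replace(/&(amp|lt|gt|quot|apos);/g, (_, name) => PREDEFINED_ENTITIES[name]);
}

// Constructed inputs: a clean document, and one carrying an internal DTD.
const CLEAN_XML =
  '<?xml version="1.0"?><order><item qty="2">widget &amp; gadget</item></order>';
const DTD_XML =
  '<?xml version="1.0"?><!DOCTYPE order [<!ENTITY greet "hello">]><order>&greet;</order>';

// Typical use: validate, then hand the string to whichever parser the service uses.
function parseOrderSafely(xml, parse) {
  return parse(assertNoDtd(xml), LIBXMLJS_SAFE_OPTIONS);
}
```

`assertNoDtd` is deliberately a string check rather than a parse: it runs before the parser, so a parser that cannot be configured (the node-expat case on the earlier slide) is never handed a document containing a DTD.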
A5:2017 Broken Access Control
Do not rely on client-side controls
• Client-side routing and authorization should only be implemented for user experience
• Authentication and authorization controls implemented client-side can be bypassed
• All authorization, authentication, and business logic controls must be enforced server-side:
o npm packages: https://github.com/casbin/node-casbin
o Frameworks: https://sailsjs.com/documentation/concepts/policies/access-control-and-permissions
o Writing custom middleware:
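The slide's own middleware snippet is not reproduced here; what follows is an added example written for this page. It assumes Express-style `(req, res, next)` middleware and that an earlier authentication step has already set `req.user` from a verified session. `requireRole`, `requireSelfOrAdmin`, `runMiddleware` and the four sample requests are constructed.

```javascript
// Route-level check: `allowedRoles` lists the roles that may reach the handler.
function requireRole(...allowedRoles) {
  return function authorize(req, res, next) {
    if (!req.user) {
      return res.status(401).json({ error: 'authentication required' });
    }
    const roles = Array.isArray(req.user.roles) ? req.user.roles : [];
    if (!allowedRoles.some((role) => roles.includes(role))) {
      return res.status(403).json({ error: 'forbidden' });
    }
    return next();
  };
}

// Object-level check: a user may act on their own record, an admin on anyone's.
// Comparing as strings avoids "42" !== 42 surprises between URL params and ids.
function requireSelfOrAdmin(paramName = 'id') {
  return function authorizeSelf(req, res, next) {
    if (!req.user) {
      return res.status(401).json({ error: 'authentication required' });
    }
    const roles = Array.isArray(req.user.roles) ? req.user.roles : [];
    const isSelf = String(req.params[paramName]) === String(req.user.id);
    if (!isSelf && !roles.includes('admin')) {
      return res.status(403).json({ error: 'forbidden' });
    }
    return next();
  };
}

// Minimal response stub and driver so the middleware runs without Express.
function runMiddleware(middleware, req) {
  const res = {
    statusCode: 200,
    body: undefined,
    status(code) { this.statusCode = code; return this; },
    json(payload) { this.body = payload; return this; },
  };
  let reachedHandler = false;
  middleware(req, res, () => { reachedHandler = true; });
  return { status: res.statusCode, reachedHandler };
}

// Constructed requests: anonymous, the record owner, another user, an admin.
const ANONYMOUS = { params: { id: '42' } };
const ALICE = { user: { id: 42, roles: ['user'] }, params: { id: '42' } };
const BOB = { user: { id: 7, roles: ['user'] }, params: { id: '42' } };
const ADMIN = { user: { id: 1, roles: ['admin'] }, params: { id: '42' } };
```

Wired as `app.get('/users/:id', requireSelfOrAdmin('id'), handler)` and `app.delete('/users/:id', requireRole('admin'), handler)`, the decision is made on the server from the session-backed `req.user`; whatever an Angular route guard shows or hides in the browser cannot change it.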
Angular example
Angular route guards are Boolean checks for display aesthetics only
https://angular.io/guide/router#milestone-5-route-guards
https://nvisium.com/blog/2019/01/17/angular-for-pentesters-part-2.html
A6:2017 Security Misconfiguration
Ensure Node is not running in development mode
NodeJS applications run in development mode by default.
• NodeJS and most frameworks that run on it return verbose errors if left in development mode:
• When deploying to production, set the NODE_ENV variable to a value other than development to avoid verbose errors:
https://expressjs.com/en/advanced/best-practice-performance.html
Ensure Node is not running with sudo privileges
A Node.js application running with sudo privileges has a greater chance of modifying the underlying server
system through malicious code execution.
• On Linux systems, sudo is required to bind to ports under 1000 (e.g., 80)
• If sudo is required, after the port has been bound, change the privileges to a less privileged user and
group:
https://nodejs.org/api/process.html
A7:2017 Cross-Site Scripting (XSS)
XSS is easy to introduce
Script execution:
http://www.vulnerable.site#userName=<img src=x onerror='alert(document.domain)'>
XSS prevention is HARD
• DOM XSS is hard to prevent in today’s developer ecosystem
https://hackerone.com/reports/158853
https://hackerone.com/reports/405191
https://hackerone.com/reports/164821
• Each browser parses and renders HTML differently
https://www.youtube.com/watch?v=lG7U3fuNw3A
http://shazzer.co.uk
• Various execution contexts and character sets
https://html5sec.org
https://github.com/cure53/XSSChallengeWiki/wiki/Puzzle-1-on-kcal.pw
http://polyglot.innerht.ml/
• Script Gadgets
https://github.com/google/security-research-pocs/tree/master/script-gadgets
Frameworks reduce the attack surface until…
• Combining templating engines, third-party libraries, and frameworks
https://jsfiddle.net/015jxu8s/
• Disabling security controls
https://docs.angularjs.org/api/ng/provider/$sceProvider
• Using insecure APIs
trustAs, v-html, bypassSecurityTrust, or dangerouslySetInnerHTML
• Allowing JavaScript URIs in <a href=""></a>
https://medium.com/javascript-security/avoiding-xss-in-react-is-still-hard-d2b5c7ad9412
• Direct access to the DOM
https://angular.io/api/core/ElementRef
• Server-side rendering
https://medium.com/node-security/the-most-common-xss-vulnerability-in-react-js-applications-2bdffbcc1fa0
• Caching mechanisms such as $templateCache
https://docs.angularjs.org/guide/security
Note: This is not an exhaustive list.
Signal creates a lot of noise
What went wrong?
Signal developers used dangerouslySetInnerHTML for phone and desktop, leading to RCE in
the desktop and cross-site scripting (XSS) in iOS/Android.
General prevention techniques
• Libraries and frameworks with automatic output encoding and sanitization:
o Templating engines: Pug, Mustache, EJS
o Frameworks: Angular, React, Vue
o secure-filters
• Sanitization for HTML, MathML, and SVG with DOMPurify
https://github.com/cure53/DOMPurify
• Default to safe APIs
o innerText
o encodeURI
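An added example, not code from the slides, that takes the `userName` fragment from the "XSS is easy to introduce" slide and renders it the two safe ways this slide recommends: output encoding when an HTML string has to be built, and a text-only DOM API (`textContent`, the standard equivalent of `innerText`) when writing into the page. `escapeHtml`, `userNameFromHash` and the render functions are constructed; `URLSearchParams` is the standard Web/Node API.

```javascript
// Encode the five characters that can change HTML context. Attribute values and
// text nodes are covered; this is not sufficient inside <script> or URL contexts.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Read the user name out of location.hash (e.g. "#userName=Lewis"). The fragment
// is attacker-controlled: anyone can send a link with whatever value they like.
function userNameFromHash(hash) {
  const params = new URLSearchParams(String(hash).replace(/^#/, ''));
  return params.get('userName') || 'guest';
}

// Server- or template-side: build markup from an escaped value.
function renderGreetingHtml(hash) {
  return `<p>Welcome, ${escapeHtml(userNameFromHash(hash))}!</p>`;
}

// Browser-side: assign textContent so the value is never parsed as markup.
// The vulnerable version of this line is `element.innerHTML = ...`.
function renderGreetingIntoDom(element, hash) {
  element.textContent = `Welcome, ${userNameFromHash(hash)}!`;
  return element.textContent;
}

// Constructed inputs: a benign fragment and the payload from the earlier slide.
const BENIGN_HASH = '#userName=Lewis';
const PAYLOAD_HASH = "#userName=<img src=x onerror='alert(document.domain)'>";
```

With either path the `<img>` tag survives only as inert text: the HTML path emits `&lt;img ...&gt;`, and the DOM path stores the angle brackets as characters of a text node, so no element and no event handler is ever created.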
Apply defence-in-depth strategies
• Create a strong Content Security Policy (CSP)
https://speakerdeck.com/lweichselbaum/csp-a-successful-mess-between-hardening-and-mitigation
https://twitter.com/LewisArdern/status/1112926476498698240
https://csp.withgoogle.com
• Experiment with Trusted Types
https://developers.google.com/web/updates/2019/02/trusted-types
A8:2017 Insecure Deserialization
Insecure deserialization
• JSON.parse is a form of deserialization (and JSON.stringify of serialization)
• Prototype pollution
https://snyk.io/blog/after-three-years-of-silence-a-new-jquery-prototype-pollution-vulnerability-emerges-once-again/
• Third-party JavaScript libraries introduce insecure deserialization issues:
o node-serialize
o serialize-to-js (fixed)
Avoid unsafe deserialization
Node.js applications are vulnerable to RCE (remote code execution) exploits if attacker-controlled data is deserialized via reflection.
• Avoid passing untrusted data to deserialization functions
• Apply security patches for software that contains known deserialization vulnerabilities
• Encrypt or hash serialized objects
o Prevents tampering, but not replay
• Check the object type is as expected
https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Deserialization_Cheat_Sheet.md
Eval is evil
new Function, setTimeout, and setInterval (when passed a string instead of a function) also dynamically evaluate JavaScript.
• The core issue behind node-serialize is the use of eval:
https://github.com/luin/serialize/blob/master/lib/serialize.js#L76
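An added example for the three A8 slides above; it is not code from the slides and does not use node-serialize. It shows how a `__proto__` key that survives `JSON.parse` pollutes `Object.prototype` through a naive recursive merge, the hardened merge, and the "check the object type is as expected" step done as a whitelist copy into a fresh object. `mergeNaive`, `mergeSafe`, `parseUserSettings`, `demonstrate` and the JSON payload are constructed.

```javascript
// Naive deep merge of the kind found in many settings/options helpers. When
// source has an own "__proto__" key (JSON.parse creates one), target["__proto__"]
// resolves to Object.prototype and the recursion writes into it.
function mergeNaive(target, source) {
  for (const key in source) {
    const value = source[key];
    if (value !== null && typeof value === 'object') {
      if (target[key] === null || typeof target[key] !== 'object') target[key] = {};
      mergeNaive(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened merge: skip the keys that reach the prototype chain, iterate own keys
// only, and never descend into a target property that is not itself an own object.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function mergeSafe(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const value = source[key];
    if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || target[key] === null || typeof target[key] !== 'object') target[key] = {};
      mergeSafe(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed payload: a JSON body an attacker controls.
const POLLUTING_JSON = '{"displayName":"mallory","__proto__":{"isAdmin":true}}';

// Run one merge against the payload and report whether an unrelated, freshly
// created object now claims isAdmin. Cleans up afterwards so the process is sane.
function demonstrate(mergeFn) {
  const settings = {};
  mergeFn(settings, JSON.parse(POLLUTING_JSON));
  const leaked = ({}).isAdmin === true;
  delete Object.prototype.isAdmin;
  return leaked;
}

// "Check the object type is as expected": accept only the fields and types the
// application defined, copying them into a fresh object so unknown keys vanish.
function parseUserSettings(json) {
  const raw = JSON.parse(json);
  if (raw === null || typeof raw !== 'object' || Array.isArray(raw)) {
    throw new TypeError('settings must be a JSON object');
  }
  if (typeof raw.displayName !== 'string' || raw.displayName.length === 0 || raw.displayName.length > 64) {
    throw new TypeError('displayName must be a non-empty string of at most 64 characters');
  }
  const theme = raw.theme === undefined ? 'light' : raw.theme;
  if (theme !== 'light' && theme !== 'dark') {
    throw new TypeError('theme must be "light" or "dark"');
  }
  return { displayName: raw.displayName, theme };
}
```

`demonstrate(mergeNaive)` returns `true`: after the merge every object in the process reports `isAdmin === true`, which is how an authorization check such as `if (user.isAdmin)` is bypassed. `demonstrate(mergeSafe)` returns `false`, and `parseUserSettings` never lets the extra key through at all.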
A9:2017 Using Components With Known Vulnerabilities
Security issues with third-party components
• Perform a security audit against third-party code
• If you find a security issue, notify the project maintainer
• https://github.blog/2019-05-23-introducing-new-ways-to-keep-your-code-secure/#open-source-security
• Use automated tools to audit dependencies in your CI/CD pipeline:
Examples of components with known vulnerabilities
Lodash, CVE-2018-3721 (prototype pollution): impact in some cases was denial of service (DoS), remote code execution (RCE), and even bypass of security controls
Next.js, CVE-2018-6184 (directory traversal): Allowed for arbitrary read of the file system
Next.js, CVE-2018-18282 (cross-site scripting, XSS): Allowed for XSS on the /_error page
Auth0.js, CVE-2018-6873 (privilege escalation): Did not validate JWT audience, which allowed for
privilege escalation
Kibana, CVE-2018-17246 (arbitrary command injection): Allowed for arbitrary command execution in
the console plugin
Mitigation techniques
Track use of outdated third-party components and update where necessary
• Maintain a technology assets inventory to track components and dependencies
https://medium.com/uber-security-privacy/code-provenance-application-security-77ebfa4b6bc5
https://yarnpkg.com/lang/en/docs/cli/why/ and https://yarnpkg.com/lang/en/docs/cli/list
https://docs.npmjs.com/cli/ls.html
https://bower.io/docs/api/#list
• Review the inventory on a regular basis for known vulnerabilities
• Track known risks and vulnerabilities in the environment
• Develop a process to update and regression-test external components
• Pin dependency versions where possible
o Reduces the risk of another event-stream affecting your organization
https://docs.npmjs.com/files/shrinkwrap.json and https://yarnpkg.com/lang/en/docs/yarn-lock
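An added example for the inventory and pinning bullets above, not code from the slides. It is a check that can run in CI to list every dependency whose declared range is not an exact version, so that what `npm ls`/`yarn list` reports at build time matches what was reviewed. `findUnpinned`, the version pattern and the sample package.json are constructed; the lockfile and `npm audit` commands in the comments are the standard npm ones.

```javascript
// An exact semver version: MAJOR.MINOR.PATCH with optional pre-release/build.
// Anything else (^, ~, *, >=, "latest", git or file URLs, npm: aliases) is a range
// that a fresh install may resolve differently from the build that was reviewed.
const EXACT_VERSION = /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$/;

const DEPENDENCY_SECTIONS = ['dependencies', 'devDependencies', 'optionalDependencies'];

function findUnpinned(pkg) {
  const unpinned = [];
  for (const section of DEPENDENCY_SECTIONS) {
    const deps = pkg[section] || {};
    for (const [name, range] of Object.entries(deps)) {
      if (!EXACT_VERSION.test(String(range))) {
        unpinned.push({ section, name, range });
      }
    }
  }
  return unpinned;
}

// Human-readable report for the CI log; returns the non-zero exit code the job
// should fail with when anything is unpinned.
function reportUnpinned(pkg) {
  const unpinned = findUnpinned(pkg);
  const lines = unpinned.map((u) => `${u.section}: ${u.name} is "${u.range}", not an exact version`);
  return { exitCode: unpinned.length === 0 ? 0 : 1, lines };
}

// Constructed package.json for the example.
const SAMPLE_PACKAGE_JSON = {
  name: 'sample-service',
  dependencies: { lodash: '^4.17.11', express: '4.17.1' },
  devDependencies: { jest: '~24.0.0', 'some-tool': 'latest' },
};

// In CI the pinned versions are enforced by the lockfile and the audit runs on it:
//   npm ci                          # installs exactly what package-lock.json records
//   npm audit --audit-level=high    # fails the build on known high/critical advisories
if (typeof require !== 'undefined' && require.main === module) {
  const report = reportUnpinned(SAMPLE_PACKAGE_JSON);
  report.lines.forEach((line) => console.log(line));
  process.exitCode = report.exitCode;
}
```

Exact versions in package.json plus a committed lockfile give two independent records of what the inventory contains; the check above catches the first drifting while `npm ci` refuses to install when the second does.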
A10:2017 Insufficient Logging and Monitoring
Insufficient logging and monitoring
Insufficient logging and monitoring of computer systems, applications, and networks provides multiple gateways for probes and breaches that can be difficult or impossible to identify and resolve without a viable audit trail.
Basic vulnerabilities include:
• Unlogged events, such as failed log-in attempts
• Locally stored logs without cloud backup
• Misconfigurations in firewalls and routing systems
• Alerts and subsequent responses that are not handled effectively
• Malicious activity alerts not detected in real time
Many reported breaches were only discovered years after the first intrusion happened. In the case of one
famous university, a data breach from 2008 was not discovered until 2018!
Secure logging and monitoring
Use Winston to enable secure logging practices
• Winston is a logging library that escapes data to prevent log injection:
• Winston also provides various built-in security controls, such as content filters:
• Resulting in the following output:
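The Winston configuration and its output shown on the slide are not reproduced here; the block below is an added example written for this page that does the same two things by hand, so the behaviour is visible without the library: user-controlled values are escaped so they cannot forge extra log lines or terminal escape sequences, and a content filter redacts secret fields before anything is written. Output is one JSON object per line. `formatLogLine`, `redact`, `sanitizeValue`, `logFailedLogin` and the key list are constructed.

```javascript
// Fields that must never appear in a log, whatever the caller passes.
const SENSITIVE_KEYS = new Set(['password', 'pass', 'token', 'authorization', 'cookie', 'secret']);

// Replace control characters (CR, LF, ESC, ...) with a visible \xNN form. A
// JSON line cannot be split by a raw newline anyway, but a human tailing the log
// or a plain-text sink would otherwise see a forged second entry or an ANSI sequence.
function sanitizeValue(value) {
  if (typeof value !== 'string') return value;
  return value.replace(/[\x00-\x1f\x7f]/g, (ch) => `\\x${ch.charCodeAt(0).toString(16).padStart(2, '0')}`);
}

// Content filter: redact sensitive keys at any depth, sanitize everything else.
function redact(meta) {
  const out = {};
  for (const [key, value] of Object.entries(meta)) {
    if (SENSITIVE_KEYS.has(key.toLowerCase())) {
      out[key] = '[REDACTED]';
    } else if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
      out[key] = redact(value);
    } else {
      out[key] = sanitizeValue(value);
    }
  }
  return out;
}

// One structured line per event. The fixed fields are written last so that a
// caller-supplied "level" or "message" in meta cannot override them.
function formatLogLine(level, message, meta = {}) {
  const entry = {
    ...redact(meta),
    timestamp: new Date().toISOString(),
    level,
    message: sanitizeValue(message),
  };
  return JSON.stringify(entry);
}

// The "unlogged event" from the previous slide: a failed log-in, with the
// attacker-controlled username passed through the same escaping as everything else.
function logFailedLogin(username, remoteIp) {
  return formatLogLine('warn', 'login failed', {
    event: 'auth.login.failed',
    username,
    remoteIp,
  });
}

// Constructed input: a username that tries to inject a second, reassuring entry.
const FORGED_USERNAME = 'admin\n{"level":"info","message":"login ok"}';
```

`logFailedLogin(FORGED_USERNAME, '203.0.113.5')` yields a single line in which the newline appears as `\x0a` inside the JSON string, so a SIEM or a reviewer sees one failed log-in for a strange username rather than a failed attempt followed by a success.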
Thank you!
Email: lewis@ardern.io
Website: https://ardern.io
Twitter: https://twitter.com/LewisArdern
GitHub: https://github.com/LewisArdern
LinkedIn: https://www.linkedin.com/in/lewis-ardern-83373a40
Bridging the Security Testing Gap in Your CI/CD PipelineBridging the Security Testing Gap in Your CI/CD Pipeline
Bridging the Security Testing Gap in Your CI/CD Pipeline
DevOps.com
 
Ad

More from Synopsys Software Integrity Group (13)

Webinar–Segen oder Fluch?
Webinar–Segen oder Fluch?Webinar–Segen oder Fluch?
Webinar–Segen oder Fluch?
Synopsys Software Integrity Group
 
Webinar–The State of Open Source in M&A Transactions
Webinar–The State of Open Source in M&A Transactions Webinar–The State of Open Source in M&A Transactions
Webinar–The State of Open Source in M&A Transactions
Synopsys Software Integrity Group
 
Webinar–Financial Services Study Shows Why Investing in AppSec Matters
Webinar–Financial Services Study Shows Why Investing in AppSec MattersWebinar–Financial Services Study Shows Why Investing in AppSec Matters
Webinar–Financial Services Study Shows Why Investing in AppSec Matters
Synopsys Software Integrity Group
 
Webinar–Sécurité Applicative et DevSecOps dans un monde Agile
Webinar–Sécurité Applicative et DevSecOps dans un monde AgileWebinar–Sécurité Applicative et DevSecOps dans un monde Agile
Webinar–Sécurité Applicative et DevSecOps dans un monde Agile
Synopsys Software Integrity Group
 
Webinar – Streamling Your Tech Due Diligence Process for Software Assets
Webinar – Streamling Your Tech Due Diligence Process for Software AssetsWebinar – Streamling Your Tech Due Diligence Process for Software Assets
Webinar – Streamling Your Tech Due Diligence Process for Software Assets
Synopsys Software Integrity Group
 
Webinar – Security Tool Misconfiguration and Abuse
Webinar – Security Tool Misconfiguration and AbuseWebinar – Security Tool Misconfiguration and Abuse
Webinar – Security Tool Misconfiguration and Abuse
Synopsys Software Integrity Group
 
Webinar – Software Security 2019–Embrace Velocity
Webinar – Software Security 2019–Embrace Velocity Webinar – Software Security 2019–Embrace Velocity
Webinar – Software Security 2019–Embrace Velocity
Synopsys Software Integrity Group
 
Webinar - Developers Are Your Greatest AppSec Resource
Webinar - Developers Are Your Greatest AppSec ResourceWebinar - Developers Are Your Greatest AppSec Resource
Webinar - Developers Are Your Greatest AppSec Resource
Synopsys Software Integrity Group
 
Webinar – Using Metrics to Drive Your Software Security Initiative
Webinar – Using Metrics to Drive Your Software Security Initiative Webinar – Using Metrics to Drive Your Software Security Initiative
Webinar – Using Metrics to Drive Your Software Security Initiative
Synopsys Software Integrity Group
 
Webinar – Risk-based adaptive DevSecOps
Webinar – Risk-based adaptive DevSecOps Webinar – Risk-based adaptive DevSecOps
Webinar – Risk-based adaptive DevSecOps
Synopsys Software Integrity Group
 
Infographic–A Look Back at the First Year of GDPR
Infographic–A Look Back at the First Year of GDPRInfographic–A Look Back at the First Year of GDPR
Infographic–A Look Back at the First Year of GDPR
Synopsys Software Integrity Group
 
Webinar–2019 Open Source Risk Analysis Report
Webinar–2019 Open Source Risk Analysis ReportWebinar–2019 Open Source Risk Analysis Report
Webinar–2019 Open Source Risk Analysis Report
Synopsys Software Integrity Group
 
Webinar–Open Source Risk in M&A by the Numbers
Webinar–Open Source Risk in M&A by the NumbersWebinar–Open Source Risk in M&A by the Numbers
Webinar–Open Source Risk in M&A by the Numbers
Synopsys Software Integrity Group
 
Webinar–Financial Services Study Shows Why Investing in AppSec Matters
Webinar–Financial Services Study Shows Why Investing in AppSec MattersWebinar–Financial Services Study Shows Why Investing in AppSec Matters
Webinar–Financial Services Study Shows Why Investing in AppSec Matters
Synopsys Software Integrity Group
 
Webinar–Sécurité Applicative et DevSecOps dans un monde Agile
Webinar–Sécurité Applicative et DevSecOps dans un monde AgileWebinar–Sécurité Applicative et DevSecOps dans un monde Agile
Webinar–Sécurité Applicative et DevSecOps dans un monde Agile
Synopsys Software Integrity Group
 
Webinar – Streamling Your Tech Due Diligence Process for Software Assets
Webinar – Streamling Your Tech Due Diligence Process for Software AssetsWebinar – Streamling Your Tech Due Diligence Process for Software Assets
Webinar – Streamling Your Tech Due Diligence Process for Software Assets
Synopsys Software Integrity Group
 
Webinar – Using Metrics to Drive Your Software Security Initiative
Webinar – Using Metrics to Drive Your Software Security Initiative Webinar – Using Metrics to Drive Your Software Security Initiative
Webinar – Using Metrics to Drive Your Software Security Initiative
Synopsys Software Integrity Group
 
Ad

Recently uploaded (20)

WinRAR Crack for Windows (100% Working 2025)
WinRAR Crack for Windows (100% Working 2025)WinRAR Crack for Windows (100% Working 2025)
WinRAR Crack for Windows (100% Working 2025)
sh607827
 
How to Optimize Your AWS Environment for Improved Cloud Performance
How to Optimize Your AWS Environment for Improved Cloud PerformanceHow to Optimize Your AWS Environment for Improved Cloud Performance
How to Optimize Your AWS Environment for Improved Cloud Performance
ThousandEyes
 
Exploring Wayland: A Modern Display Server for the Future
Exploring Wayland: A Modern Display Server for the FutureExploring Wayland: A Modern Display Server for the Future
Exploring Wayland: A Modern Display Server for the Future
ICS
 
Revolutionizing Residential Wi-Fi PPT.pptx
Revolutionizing Residential Wi-Fi PPT.pptxRevolutionizing Residential Wi-Fi PPT.pptx
Revolutionizing Residential Wi-Fi PPT.pptx
nidhisingh691197
 
Explaining GitHub Actions Failures with Large Language Models Challenges, In...
Explaining GitHub Actions Failures with Large Language Models Challenges, In...Explaining GitHub Actions Failures with Large Language Models Challenges, In...
Explaining GitHub Actions Failures with Large Language Models Challenges, In...
ssuserb14185
 
Secure Test Infrastructure: The Backbone of Trustworthy Software Development
Secure Test Infrastructure: The Backbone of Trustworthy Software DevelopmentSecure Test Infrastructure: The Backbone of Trustworthy Software Development
Secure Test Infrastructure: The Backbone of Trustworthy Software Development
Shubham Joshi
 
TestMigrationsInPy: A Dataset of Test Migrations from Unittest to Pytest (MSR...
TestMigrationsInPy: A Dataset of Test Migrations from Unittest to Pytest (MSR...TestMigrationsInPy: A Dataset of Test Migrations from Unittest to Pytest (MSR...
TestMigrationsInPy: A Dataset of Test Migrations from Unittest to Pytest (MSR...
Andre Hora
 
Download Wondershare Filmora Crack [2025] With Latest
Download Wondershare Filmora Crack [2025] With LatestDownload Wondershare Filmora Crack [2025] With Latest
Download Wondershare Filmora Crack [2025] With Latest
tahirabibi60507
 
Salesforce Data Cloud- Hyperscale data platform, built for Salesforce.
Salesforce Data Cloud- Hyperscale data platform, built for Salesforce.Salesforce Data Cloud- Hyperscale data platform, built for Salesforce.
Salesforce Data Cloud- Hyperscale data platform, built for Salesforce.
Dele Amefo
 
Requirements in Engineering AI- Enabled Systems: Open Problems and Safe AI Sy...
Requirements in Engineering AI- Enabled Systems: Open Problems and Safe AI Sy...Requirements in Engineering AI- Enabled Systems: Open Problems and Safe AI Sy...
Requirements in Engineering AI- Enabled Systems: Open Problems and Safe AI Sy...
Lionel Briand
 
PDF Reader Pro Crack Latest Version FREE Download 2025
PDF Reader Pro Crack Latest Version FREE Download 2025PDF Reader Pro Crack Latest Version FREE Download 2025
PDF Reader Pro Crack Latest Version FREE Download 2025
mu394968
 
The Significance of Hardware in Information Systems.pdf
The Significance of Hardware in Information Systems.pdfThe Significance of Hardware in Information Systems.pdf
The Significance of Hardware in Information Systems.pdf
drewplanas10
 
Proactive Vulnerability Detection in Source Code Using Graph Neural Networks:...
Proactive Vulnerability Detection in Source Code Using Graph Neural Networks:...Proactive Vulnerability Detection in Source Code Using Graph Neural Networks:...
Proactive Vulnerability Detection in Source Code Using Graph Neural Networks:...
Ranjan Baisak
 
What Do Contribution Guidelines Say About Software Testing? (MSR 2025)
What Do Contribution Guidelines Say About Software Testing? (MSR 2025)What Do Contribution Guidelines Say About Software Testing? (MSR 2025)
What Do Contribution Guidelines Say About Software Testing? (MSR 2025)
Andre Hora
 
FL Studio Producer Edition Crack 2025 Full Version
FL Studio Producer Edition Crack 2025 Full VersionFL Studio Producer Edition Crack 2025 Full Version
FL Studio Producer Edition Crack 2025 Full Version
tahirabibi60507
 
Solidworks Crack 2025 latest new + license code
Solidworks Crack 2025 latest new + license codeSolidworks Crack 2025 latest new + license code
Solidworks Crack 2025 latest new + license code
aneelaramzan63
 
Not So Common Memory Leaks in Java Webinar
Not So Common Memory Leaks in Java WebinarNot So Common Memory Leaks in Java Webinar
Not So Common Memory Leaks in Java Webinar
Tier1 app
 
F-Secure Freedome VPN 2025 Crack Plus Activation New Version
F-Secure Freedome VPN 2025 Crack Plus Activation  New VersionF-Secure Freedome VPN 2025 Crack Plus Activation  New Version
F-Secure Freedome VPN 2025 Crack Plus Activation New Version
saimabibi60507
 
Interactive odoo dashboards for sales, CRM , Inventory, Invoice, Purchase, Pr...
Interactive odoo dashboards for sales, CRM , Inventory, Invoice, Purchase, Pr...Interactive odoo dashboards for sales, CRM , Inventory, Invoice, Purchase, Pr...
Interactive odoo dashboards for sales, CRM , Inventory, Invoice, Purchase, Pr...
AxisTechnolabs
 
Designing AI-Powered APIs on Azure: Best Practices& Considerations
Designing AI-Powered APIs on Azure: Best Practices& ConsiderationsDesigning AI-Powered APIs on Azure: Best Practices& Considerations
Designing AI-Powered APIs on Azure: Best Practices& Considerations
Dinusha Kumarasiri
 
WinRAR Crack for Windows (100% Working 2025)
WinRAR Crack for Windows (100% Working 2025)WinRAR Crack for Windows (100% Working 2025)
WinRAR Crack for Windows (100% Working 2025)
sh607827
 
How to Optimize Your AWS Environment for Improved Cloud Performance
How to Optimize Your AWS Environment for Improved Cloud PerformanceHow to Optimize Your AWS Environment for Improved Cloud Performance
How to Optimize Your AWS Environment for Improved Cloud Performance
ThousandEyes
 
Exploring Wayland: A Modern Display Server for the Future
Exploring Wayland: A Modern Display Server for the FutureExploring Wayland: A Modern Display Server for the Future
Exploring Wayland: A Modern Display Server for the Future
ICS
 
Revolutionizing Residential Wi-Fi PPT.pptx
Revolutionizing Residential Wi-Fi PPT.pptxRevolutionizing Residential Wi-Fi PPT.pptx
Revolutionizing Residential Wi-Fi PPT.pptx
nidhisingh691197
 
Explaining GitHub Actions Failures with Large Language Models Challenges, In...
Explaining GitHub Actions Failures with Large Language Models Challenges, In...Explaining GitHub Actions Failures with Large Language Models Challenges, In...
Explaining GitHub Actions Failures with Large Language Models Challenges, In...
ssuserb14185
 
Secure Test Infrastructure: The Backbone of Trustworthy Software Development
Secure Test Infrastructure: The Backbone of Trustworthy Software DevelopmentSecure Test Infrastructure: The Backbone of Trustworthy Software Development
Secure Test Infrastructure: The Backbone of Trustworthy Software Development
Shubham Joshi
 
TestMigrationsInPy: A Dataset of Test Migrations from Unittest to Pytest (MSR...
TestMigrationsInPy: A Dataset of Test Migrations from Unittest to Pytest (MSR...TestMigrationsInPy: A Dataset of Test Migrations from Unittest to Pytest (MSR...
TestMigrationsInPy: A Dataset of Test Migrations from Unittest to Pytest (MSR...
Andre Hora
 
Download Wondershare Filmora Crack [2025] With Latest
Download Wondershare Filmora Crack [2025] With LatestDownload Wondershare Filmora Crack [2025] With Latest
Download Wondershare Filmora Crack [2025] With Latest
tahirabibi60507
 
Salesforce Data Cloud- Hyperscale data platform, built for Salesforce.
Salesforce Data Cloud- Hyperscale data platform, built for Salesforce.Salesforce Data Cloud- Hyperscale data platform, built for Salesforce.
Salesforce Data Cloud- Hyperscale data platform, built for Salesforce.
Dele Amefo
 
Requirements in Engineering AI- Enabled Systems: Open Problems and Safe AI Sy...
Requirements in Engineering AI- Enabled Systems: Open Problems and Safe AI Sy...Requirements in Engineering AI- Enabled Systems: Open Problems and Safe AI Sy...
Requirements in Engineering AI- Enabled Systems: Open Problems and Safe AI Sy...
Lionel Briand
 
PDF Reader Pro Crack Latest Version FREE Download 2025
PDF Reader Pro Crack Latest Version FREE Download 2025PDF Reader Pro Crack Latest Version FREE Download 2025
PDF Reader Pro Crack Latest Version FREE Download 2025
mu394968
 
The Significance of Hardware in Information Systems.pdf
The Significance of Hardware in Information Systems.pdfThe Significance of Hardware in Information Systems.pdf
The Significance of Hardware in Information Systems.pdf
drewplanas10
 
Proactive Vulnerability Detection in Source Code Using Graph Neural Networks:...
Proactive Vulnerability Detection in Source Code Using Graph Neural Networks:...Proactive Vulnerability Detection in Source Code Using Graph Neural Networks:...
Proactive Vulnerability Detection in Source Code Using Graph Neural Networks:...
Ranjan Baisak
 
What Do Contribution Guidelines Say About Software Testing? (MSR 2025)
What Do Contribution Guidelines Say About Software Testing? (MSR 2025)What Do Contribution Guidelines Say About Software Testing? (MSR 2025)
What Do Contribution Guidelines Say About Software Testing? (MSR 2025)
Andre Hora
 
FL Studio Producer Edition Crack 2025 Full Version
FL Studio Producer Edition Crack 2025 Full VersionFL Studio Producer Edition Crack 2025 Full Version
FL Studio Producer Edition Crack 2025 Full Version
tahirabibi60507
 
Solidworks Crack 2025 latest new + license code
Solidworks Crack 2025 latest new + license codeSolidworks Crack 2025 latest new + license code
Solidworks Crack 2025 latest new + license code
aneelaramzan63
 
Not So Common Memory Leaks in Java Webinar
Not So Common Memory Leaks in Java WebinarNot So Common Memory Leaks in Java Webinar
Not So Common Memory Leaks in Java Webinar
Tier1 app
 
F-Secure Freedome VPN 2025 Crack Plus Activation New Version
F-Secure Freedome VPN 2025 Crack Plus Activation  New VersionF-Secure Freedome VPN 2025 Crack Plus Activation  New Version
F-Secure Freedome VPN 2025 Crack Plus Activation New Version
saimabibi60507
 
Interactive odoo dashboards for sales, CRM , Inventory, Invoice, Purchase, Pr...
Interactive odoo dashboards for sales, CRM , Inventory, Invoice, Purchase, Pr...Interactive odoo dashboards for sales, CRM , Inventory, Invoice, Purchase, Pr...
Interactive odoo dashboards for sales, CRM , Inventory, Invoice, Purchase, Pr...
AxisTechnolabs
 
Designing AI-Powered APIs on Azure: Best Practices& Considerations
Designing AI-Powered APIs on Azure: Best Practices& ConsiderationsDesigning AI-Powered APIs on Azure: Best Practices& Considerations
Designing AI-Powered APIs on Azure: Best Practices& Considerations
Dinusha Kumarasiri
 

Webinar–OWASP Top 10 for JavaScript for Developers

© 2019 Synopsys, Inc.11
Injection prevention
• Parameterized mechanisms
https://github.com/tediousjs/node-mssql#input-name-type-value
https://github.com/mysqljs/mysql#escaping-query-identifiers
• Secure APIs
https://github.com/tediousjs/node-mssql#prepared-statements
• Perform input validation & output encoding
https://dev.to/azure/pushing-left-like-a-boss-part-5-1-input-validation-output-encoding-and-parameterized-queries-2749
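An added example, not from the slides, that applies the "ensure user input is a String" advice from the MongoDB prevention slide to the deck's log-in filter; the parsed query object and the helper names are constructed for this example.

```javascript
// Added example (not from the slides). The deck's injection URL
// ?user=admin&pass[$ne]= is parsed by Express' extended query parser into
// { user: 'admin', pass: { $ne: '' } }, and a filter containing
// { pass: { $ne: '' } } matches every document. Requiring plain strings
// before the value reaches find()/findOne() closes that path.

// Recursively detect MongoDB operator keys ($ne, $gt, $regex, ...) anywhere
// in a parsed value. Useful as defence in depth wherever a filter is built
// from an object rather than from individual string fields.
function hasQueryOperator(value) {
  if (value === null || typeof value !== 'object') return false;
  if (Array.isArray(value)) return value.some(hasQueryOperator);
  return Object.keys(value).some(
    (key) => key.startsWith('$') || hasQueryOperator(value[key])
  );
}

// Vulnerable form: whatever the query parser produced goes straight into the
// filter, so an object carrying a selector becomes part of the query.
function buildLoginFilterUnsafe(query) {
  return { user: query.user, pass: query.pass };
}

// Safe form: both credentials must be non-empty strings of bounded length.
// Objects, arrays, numbers and undefined are rejected before any query runs.
// (In a real log-in, look the user up by name and verify a password hash
// instead of putting the password in the filter at all.)
function buildLoginFilter(query) {
  const { user, pass } = query || {};
  if (typeof user !== 'string' || typeof pass !== 'string') {
    throw new TypeError('user and pass must be strings');
  }
  if (user.length === 0 || user.length > 64 || pass.length === 0 || pass.length > 128) {
    throw new RangeError('credential length out of bounds');
  }
  return { user, pass };
}

// Constructed sample: the slide's URL after qs-style parsing.
const INJECTED_QUERY = { user: 'admin', pass: { $ne: '' } };
```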
© 2019 Synopsys, Inc.12
A2:2017 Broken Authentication
Broken authentication and session management
© 2019 Synopsys, Inc.19
Insecure object comparison
What happens if you create your own authentication middleware?
© 2019 Synopsys, Inc.20
Comparison table
Value                        Return
SESSIONS['invalidString']    False
SESSIONS['']                 False
SESSIONS['constructor']      True
SESSIONS['hasOwnProperty']   True
© 2019 Synopsys, Inc.21
What happens when you create an object in JavaScript?
© 2019 Synopsys, Inc.22
Exploit
This issue is trivial to exploit.
• Using cURL we can simply run the following command:
curl https://localhost:9000 -H "Cookie: token=constructor"
• Alternatively, you can just set the document.cookie value via the browser
© 2019 Synopsys, Inc.23
Demo
Insecure object comparison
© 2019 Synopsys, Inc.24
How do we correctly check?
Use crypto.timingSafeEqual(a, b)
• https://nodejs.org/api/crypto.html#crypto_crypto_timingsafeequal_a_b
• It provides a safe comparison and prevents timing attacks
Object.hasOwnProperty or Map.has do not match inherited (prototype) properties
• https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Object/hasOwnProperty
• https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Map/has
© 2019 Synopsys, Inc.25
A3:2017 Sensitive Data Exposure
© 2019 Synopsys, Inc.26
RESTful API data leakage
© 2019 Synopsys, Inc.27
Do not include verbose error messages in JSON
• Verbose error messages lead to system information disclosure
• Although the client-side application displays a generic error message, the JSON response might still contain full error messages
• Malicious users may use a web proxy to read the stack trace output in JSON
Caution: Detailed system information might not seem that significant at first sight. However, it can inform attackers about the internals of the system or infrastructure and help them drive further attacks.
© 2019 Synopsys, Inc.28
Disclosing information via error messages in JSON
This code shows an SQL error message passed in JSON and the JavaScript code used to mask it.
JavaScript code to handle the error:
© 2019 Synopsys, Inc.29
A4:2017 XML External Entities (XXE)
© 2019 Synopsys, Inc.30
XML external entities (XXE) injection
node-expat
• 48,353 weekly downloads
• Vulnerable by default
• No way to configure the parser to disable DTD processing
https://help.semmle.com/wiki/display/JS/XML+internal+entity+expansion
© 2019 Synopsys, Inc.31
XML external entities (XXE) injection
libxmljs
• 47,876 weekly downloads
• Vulnerable if noent is set to true
https://help.semmle.com/wiki/display/JS/XML+external+entity+expansion
© 2019 Synopsys, Inc.32
XML external entities (XXE) vulnerable example
libxmljs can be vulnerable to XXE
https://github.com/appsecco/dvna/blob/69f46843c05613d707fa5d036e350cca37deeb19/core/appHandler.js#L235
© 2019 Synopsys, Inc.33
XML injection prevention
• Consider using a library that does not process DTDs.
https://github.com/isaacs/sax-js
• Use libraries with safe defaults, such as libxmljs (apart from its SAX parser).
https://github.com/libxmljs/libxmljs
• If entities such as &amp; or &gt; need to be expanded, use lodash, underscore, or he.
https://lodash.com/docs/4.17.11#unescape
https://underscorejs.org/#unescape
https://github.com/mathiasbynens/he
• Alternatively, strict input validation/output encoding must be performed before parsing.
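An added example, not from the slides, of the "validate before parsing" advice: a guard that rejects DOCTYPE/ENTITY declarations and pins the libxmljs noent option to false before the document reaches whatever parser the application uses; the stand-in parser and the sample XML are constructed.

```javascript
// Added example (not from the slides). A pre-parse guard for untrusted XML:
// it refuses any document carrying a DOCTYPE or ENTITY declaration, which is
// the precondition for both external-entity (XXE) and internal-entity
// expansion, and it bounds the input size. The parser is passed in as
// `parse`, so the guard sits in front of libxmljs, sax-js or any other
// library; the sample parser and XML below are constructed for this example.

// Conservative: a declaration anywhere in the text, even inside a comment,
// is enough to reject. False positives cost a 400, false negatives cost far more.
const DECLARATION_RE = /<!(DOCTYPE|ENTITY)\b/i;

function xmlDeclaresDtd(xml) {
  return DECLARATION_RE.test(xml);
}

// The slide's point for libxmljs is that noent must stay false; this helper
// returns an options object with that setting pinned whatever the caller passed.
function pinnedLibxmljsOptions(options = {}) {
  return { ...options, noent: false };
}

function parseUntrustedXml(xml, parse, { maxBytes = 1024 * 1024 } = {}) {
  if (typeof xml !== 'string') throw new TypeError('XML input must be a string');
  if (Buffer.byteLength(xml, 'utf8') > maxBytes) throw new RangeError('XML input exceeds size limit');
  if (xmlDeclaresDtd(xml)) throw new Error('DOCTYPE/ENTITY declarations are not accepted');
  return parse(xml);
}

// Constructed stand-in parser: counts opening tags so the example runs with no
// dependency. A real application would pass e.g. libxmljs.parseXml here.
function countElements(xml) {
  const tags = xml.match(/<[A-Za-z_][\w.-]*(\s[^>]*)?\/?>/g);
  return tags ? tags.length : 0;
}

// Constructed samples: a harmless order document and one that declares an
// external entity pointing at a placeholder path.
const SAFE_XML = '<?xml version="1.0"?><order><id>42</id><qty>3</qty></order>';
const DTD_XML =
  '<?xml version="1.0"?><!DOCTYPE order [ <!ENTITY ext SYSTEM "file:///placeholder"> ]><order>&ext;</order>';
```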
© 2019 Synopsys, Inc.34
A5:2017 Broken Access Control
© 2019 Synopsys, Inc.35
Do not rely on client-side controls
• Client-side routing and authorization should only be implemented for user experience
• Authentication and authorization controls implemented client-side can be bypassed
• All authorization, authentication, and business logic controls must be enforced server-side:
o npm packages: https://github.com/casbin/node-casbin
o Frameworks: https://sailsjs.com/documentation/concepts/policies/access-control-and-permissions
o Writing custom middleware:
© 2019 Synopsys, Inc.36
Angular example
Angular route guards return a Boolean that only controls what is displayed
https://angular.io/guide/router#milestone-5-route-guards
https://nvisium.com/blog/2019/01/17/angular-for-pentesters-part-2.html
© 2019 Synopsys, Inc.37
A6:2017 Security Misconfiguration
© 2019 Synopsys, Inc.38
Ensure Node is not running in development mode
NodeJS applications run in development mode by default.
• NodeJS and most frameworks that run on it return verbose errors if left in development mode:
• When deploying to production, set the NODE_ENV variable to a value other than development to avoid verbose errors:
https://expressjs.com/en/advanced/best-practice-performance.html
© 2019 Synopsys, Inc.39
Ensure Node is not running with sudo privileges
A Node.js application running with sudo privileges has a greater chance of modifying the underlying server system through malicious code execution.
• On Linux systems, sudo is required to bind to ports under 1000 (e.g., 80)
• If sudo is required, after the port has been bound, change the privileges to a less privileged user and group:
https://nodejs.org/api/process.html
© 2019 Synopsys, Inc.40
A7:2017 Cross-Site Scripting (XSS)
© 2019 Synopsys, Inc.41
XSS is easy to introduce
Script execution:
http://www.vulnerable.site#userName=<img src=x onerror='alert(document.domain)'>
© 2019 Synopsys, Inc.42
XSS prevention is HARD
• DOM XSS is hard to prevent in today’s developer ecosystem
https://hackerone.com/reports/158853
https://hackerone.com/reports/405191
https://hackerone.com/reports/164821
• Each browser parses and renders HTML differently
https://www.youtube.com/watch?v=lG7U3fuNw3A
http://shazzer.co.uk
• Various execution contexts and character sets
https://html5sec.org
https://github.com/cure53/XSSChallengeWiki/wiki/Puzzle-1-on-kcal.pw
http://polyglot.innerht.ml/
• Script gadgets
https://github.com/google/security-research-pocs/tree/master/script-gadgets
© 2019 Synopsys, Inc.43
Frameworks reduce the attack surface until…
• Combining templating engines, third-party libraries, and frameworks
https://jsfiddle.net/015jxu8s/
• Disabling security controls
https://docs.angularjs.org/api/ng/provider/$sceProvider
• Using insecure APIs: trustAs, v-html, bypassSecurityTrust, or dangerouslySetInnerHTML
• Allowing JavaScript URIs in <a href=""></a>
https://medium.com/javascript-security/avoiding-xss-in-react-is-still-hard-d2b5c7ad9412
• Direct access to the DOM
https://angular.io/api/core/ElementRef
• Server-side rendering
https://medium.com/node-security/the-most-common-xss-vulnerability-in-react-js-applications-2bdffbcc1fa0
• Caching mechanisms such as $templateCache
https://docs.angularjs.org/guide/security
Note: This is not an exhaustive list.
© 2019 Synopsys, Inc.44
Signal creates a lot of noise
© 2019 Synopsys, Inc.45
What went wrong?
Signal developers used dangerouslySetInnerHTML for phone and desktop, leading to RCE in the desktop app and cross-site scripting (XSS) on iOS/Android.
© 2019 Synopsys, Inc.46
General prevention techniques
• Libraries and frameworks for automatic output encoding and sanitization: Pug, Mustache, EJS – Angular, React, Vue – secure-filters
• Sanitization for HTML, MathML, and SVG with DOMPurify
https://github.com/cure53/DOMPurify
• Default to safe APIs
o innerText
o encodeURI
© 2019 Synopsys, Inc.47
Apply defence-in-depth strategies
• Create a strong Content Security Policy (CSP)
https://speakerdeck.com/lweichselbaum/csp-a-successful-mess-between-hardening-and-mitigation
https://twitter.com/LewisArdern/status/1112926476498698240
https://csp.withgoogle.com
• Experiment with Trusted Types
https://developers.google.com/web/updates/2019/02/trusted-types
© 2019 Synopsys, Inc.48
A8:2017 Insecure Deserialization
© 2019 Synopsys, Inc.49
Insecure deserialization
• JSON.stringify and JSON.parse are forms of serialization and deserialization
• Prototype pollution
https://snyk.io/blog/after-three-years-of-silence-a-new-jquery-prototype-pollution-vulnerability-emerges-once-again/
• JavaScript third-party libraries introduce insecure deserialization issues
o node-serialize
o serialize-to-js (fixed)
© 2019 Synopsys, Inc.50
Avoid unsafe deserialization
Node.js applications are vulnerable to RCE (remote code execution) exploits if attacker-controlled data is deserialized via reflection.
• Avoid passing untrusted data to deserialization functions
• Apply security patches for software that contains known deserialization vulnerabilities
• Encrypt or hash serialized objects
o Prevents tampering, but not replay
• Check the object type is as expected
https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Deserialization_Cheat_Sheet.md
© 2019 Synopsys, Inc.51
Eval is evil
new Function, setTimeout, and setInterval also dynamically evaluate JavaScript.
• The core issue behind node-serialize is the use of eval:
https://github.com/luin/serialize/blob/master/lib/serialize.js#L76
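An added example, not from the slides, of the type check and prototype-pollution guards listed above applied to JSON.parse, with an unsafe and a safe recursive merge side by side for contrast; the profile format and the merge helpers are constructed.

```javascript
// Added example (not from the slides). JSON.parse never evaluates code,
// unlike the eval inside node-serialize, but the parsed object still needs
// the checks the slide lists: drop keys that can reach Object.prototype, then
// verify the shape before using it. The profile format is constructed.

const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// JSON.parse reviver: returning undefined deletes the property, so a
// "__proto__" key never survives into the parsed object.
function safeReviver(key, value) {
  return FORBIDDEN_KEYS.has(key) ? undefined : value;
}

// Parse and validate an expected { name: string, age: integer } document.
// Only the whitelisted fields are copied out, so any extra keys are discarded.
function parseProfile(json) {
  if (typeof json !== 'string' || json.length > 4096) {
    throw new TypeError('expected a bounded JSON string');
  }
  const data = JSON.parse(json, safeReviver);
  if (data === null || typeof data !== 'object' || Array.isArray(data)) {
    throw new TypeError('expected a JSON object');
  }
  if (typeof data.name !== 'string' || !Number.isInteger(data.age) || data.age < 0) {
    throw new TypeError('profile has an unexpected shape');
  }
  return { name: data.name, age: data.age };
}

// Unsafe recursive merge: a "__proto__" key in `source` makes
// target.__proto__ (that is, Object.prototype) the next merge target, so the
// attacker's fields appear on every object in the process.
function mergeUnsafe(target, source) {
  for (const key of Object.keys(source)) {
    const next = source[key];
    if (next !== null && typeof next === 'object' && target[key] !== null && typeof target[key] === 'object') {
      mergeUnsafe(target[key], next);
    } else {
      target[key] = next;
    }
  }
  return target;
}

// Safe merge: skips the forbidden keys and only descends into own properties
// of the target, so the prototype chain is never written to.
function mergeSafe(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const next = source[key];
    const own = Object.prototype.hasOwnProperty.call(target, key) ? target[key] : undefined;
    if (next !== null && typeof next === 'object' && own !== null && typeof own === 'object') {
      mergeSafe(own, next);
    } else {
      target[key] = next;
    }
  }
  return target;
}
```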
© 2019 Synopsys, Inc.52
A9:2017 Using Components With Known Vulnerabilities
© 2019 Synopsys, Inc.53
Security issues with third-party components
• Perform a security audit against third-party code
• If you find a security issue, notify the project maintainer
https://github.blog/2019-05-23-introducing-new-ways-to-keep-your-code-secure/#open-source-security
• Use automated tools to audit dependencies in your CI/CD pipeline:
© 2019 Synopsys, Inc.54
Examples of components with known vulnerabilities
• Lodash, CVE-2018-3721 (prototype pollution): impact in some cases was denial of service (DoS), remote code execution (RCE), and even bypassing security controls
• Next.js, CVE-2018-6184 (directory traversal): allowed arbitrary reads of the file system
• Next.js, CVE-2018-18282 (cross-site scripting, XSS): allowed XSS on the /_error page
• Auth0.js, CVE-2018-6873 (privilege escalation): did not validate the JWT audience, which allowed privilege escalation
• Kibana, CVE-2018-17246 (arbitrary command injection): allowed arbitrary command execution in the console plugin
© 2019 Synopsys, Inc.55
Mitigation techniques
Track use of outdated third-party components and update where necessary
• Maintain a technology assets inventory to track components and dependencies
https://medium.com/uber-security-privacy/code-provenance-application-security-77ebfa4b6bc5
https://yarnpkg.com/lang/en/docs/cli/why/ and https://yarnpkg.com/lang/en/docs/cli/list
https://docs.npmjs.com/cli/ls.html
https://bower.io/docs/api/#list
• Review the inventory on a regular basis for known vulnerabilities
• Track known risks and vulnerabilities in the environment
• Develop a process to update and regression-test external components
• Pin dependency versions where possible
o Reduce the risk of another event-stream incident affecting your organization
https://docs.npmjs.com/files/shrinkwrap.json and https://yarnpkg.com/lang/en/docs/yarn-lock
© 2019 Synopsys, Inc.56
A10:2017 Insufficient Logging and Monitoring
© 2019 Synopsys, Inc.57
Insufficient logging and monitoring
Insufficient logging and monitoring of computer systems, applications, and networks provides multiple gateways for probes and breaches that can be difficult or impossible to identify and resolve without a viable audit trail.
Basic vulnerabilities include:
• Unlogged events, such as failed log-in attempts
• Locally stored logs without cloud backup
• Misconfigurations in firewalls and routing systems
• Alerts and subsequent responses that are not handled effectively
• Malicious activity alerts not detected in real time
Many reported breaches were only discovered years after the first intrusion happened. In the case of one famous university, a data breach from 2008 was not discovered until 2018!
© 2019 Synopsys, Inc.58
Secure logging and monitoring
© 2019 Synopsys, Inc.59
Use Winston to enable secure logging practices
• Winston is a logging library that escapes data to prevent log injection:
• Winston also provides various built-in security controls, such as content filters:
• Resulting in the following output:
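An added example, not from the slides and not Winston's own code, that shows in plain JavaScript the two properties the slide attributes to Winston, escaping against log injection and a content filter for secret-bearing fields; the sample records are constructed.

```javascript
// Added example (not from the slides). Two properties a secure logger needs:
// (1) user-controlled text can never start a new log line, and (2) fields
// that carry secrets are redacted before anything is written. Winston does
// both through its formats; this is a minimal stand-alone version.

const REDACT_KEYS = new Set(['password', 'pass', 'token', 'authorization', 'cookie']);

// Encode CR/LF and other control characters, plus quotes and backslashes, so
// a value such as 'bob\n2019-... INFO login ok' cannot forge a second entry.
function escapeControl(value) {
  return String(value).replace(/[\u0000-\u001f\u007f"\\]/g, (c) =>
    c === '"' || c === '\\' ? '\\' + c : '\\x' + c.charCodeAt(0).toString(16).padStart(2, '0')
  );
}

// Content filter: replace the value of any field whose name matches a
// secret-bearing key, case-insensitively.
function redact(fields) {
  const out = {};
  for (const [key, value] of Object.entries(fields)) {
    out[key] = REDACT_KEYS.has(key.toLowerCase()) ? '[REDACTED]' : value;
  }
  return out;
}

// Plain-text line: every field value is escaped and quoted.
function formatText(level, message, fields = {}, ts = new Date().toISOString()) {
  const parts = [ts, level.toUpperCase(), escapeControl(message)];
  for (const [key, value] of Object.entries(redact(fields))) {
    parts.push(`${key}="${escapeControl(value)}"`);
  }
  return parts.join(' ');
}

// JSON line: JSON.stringify escapes control characters itself, so the
// consumer gets the original value back while the line stays single-line.
// Core keys come last so a field cannot overwrite them.
function formatJson(level, message, fields = {}, ts = new Date().toISOString()) {
  return JSON.stringify({ ...redact(fields), ts, level, message });
}
```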
© 2019 Synopsys, Inc.60
Thank you!
Email: [email protected]
Website: https://ardern.io
Twitter: https://twitter.com/LewisArdern
GitHub: https://github.com/LewisArdern
LinkedIn: https://www.linkedin.com/in/lewis-ardern-83373a40