Writing secure code
Download as PPTX, PDF2 likes131 views
Reading Between The Lines- How to learn writing secure code the second time around, when the first time got your name on the security report!
![XPATH Injection
Remediation:
● Encode the following control characters:
○ Braces “(“ “ )”
○ Equals “=”
○ Single Quotes “'”
○ Square Brackets “[“ “]”
○ Colon “:”
○ Comma “,”
○ Asterix “*”
○ Forward slash “/”
○ WHITESPACE characters
● Parameterized XPATH Queries](https://image.slidesharecdn.com/writingsecurecode-180928110657/85/Writing-secure-code-21-320.jpg)
Ad
More Related Content
Similar to Writing secure code (20)
Recently uploaded (20)
![Pixologic ZBrush Crack Plus Activation Key [Latest 2025] New Version](https://cdn.slidesharecdn.com/ss_thumbnails/fashionevolution2-250322112409-f76abaa7-250428124909-b51264ff-250504160528-fc2bb1c5-thumbnail.jpg?width=560&fit=bounds)
![Download Wondershare Filmora Crack [2025] With Latest](https://cdn.slidesharecdn.com/ss_thumbnails/neo4j-howkgsareshapingthefutureofgenerativeaiatawssummitlondonapril2024-240426125209-2d9db05d-250419-250428115407-a04afffa-thumbnail.jpg?width=560&fit=bounds)
Ad
Writing secure code
- 1. Writing Secure Code How to learn writing secure code the second time around, when the first time got your name on the security report! Madhura P M Senior Security Analyst
- 2. Agenda ● Vulnerabilities ○ SQL Injection ○ XML Injection and XXE Attack ○ XPATH Injection ○ Formula Injection ○ Command Injection ○ Cross-Site Scripting ○ Session Fixation ○ Unrestricted File Upload ● Languages Covered: ○ Java ○ ASP.NET ○ PHP ○ Cold Fusion
- 3. Overview ● Code Review- First step of a Security Audit ● Emphasis on- Implementing Security in Dev Phase of SDLC ● Approx 75% remediations happen at code level ● Manual review over using SAST tools
- 4. Secure Code Review ● Knowing the language and framework used ● Familiarity with available security features of the framework ● Knowing which secure public APIs and libraries to use ● Identifying the entry and exit points in the application
- 6. SQL Injection Cause: Ability of an attacker to change context in an SQL Query causing data to be interpreted as part of the query. Remediation: ● Parameterized queries ● Use whitelisting where parameterization is not possible
- 7. JAVA- Insecure Code Secure Code
- 8. ASP.NET- Insecure Code Secure Code
- 9. PHP- Insecure Code Secure Code
- 10. PHP- Using PDOs
- 11. COLDFUSION- Unsafe Code Safe Code
- 13. XML Injection and XXE Attack Remediation: ● Encode the following XML-specific control characters: ○ Ampersand (&) ○ Open Angle Bracket (<) ○ Close Angle Bracket (>) ○ Single-quote (') ○ Double-quote (") ○ Whitespace characters ● Disable DTD or Doctype Entities to prevent XXE. Billion laughs
- 14. Java- Insecure Code Secure Code
- 15. Java- Disabling General and Parameter entities Using XML Reader
- 16. ASP.NET- Secure Code- Using XMLDoc Secure Code- Using XMLReader
- 17. PHP- Secure Code Secure Code
- 18. JAVA- XML Injection Remediation
- 19. COLDFUSION- XML Injection Remediation
- 20. XPATH Injection
- 21. XPATH Injection Remediation: ● Encode the following control characters: ○ Braces “(“ “ )” ○ Equals “=” ○ Single Quotes “'” ○ Square Brackets “[“ “]” ○ Colon “:” ○ Comma “,” ○ Asterix “*” ○ Forward slash “/” ○ WHITESPACE characters ● Parameterized XPATH Queries
- 23. JAVA- Using Parameterized Queries
- 24. ASP.NET Using Parameterized Queries
- 26. COLDFUSION- Using Encoding COLDFUSION- Using Parameterized Queries
- 28. Formula Injection Remediation: ● Escape all untrusted input before inserting it into spreadsheet data fields. ● In Microsoft Excel, this is accomplished by placing a single- quote (‘) before the content. ● Ensure that no cells begin with any of the following characters. ○ Equals to ("=") ○ Plus ("+") ○ Minus ("-") ○ At ("@")
- 29. JAVA- Implementing Regex Checks
- 30. ASP.NET- Implementing Regex Checks
- 31. PHP- Using with Writer objects Using with Stream objects
- 33. Command Injection Remediation: ● Avoid inserting user-supplied data into commands executed by the operating system. ● Perform strict input validation via whitelist. ● In Unix, characters with special meaning on the command line include SPACE, TAB, NEWLINE, ;, (, ), <, >, |, and &. ● Java and .NET provide a very comprehensive set of standard libraries. It is always safer to use these libraries instead of making system calls.
- 34. JAVA- Using Regex for whitelisting
- 35. ASP.NET- Whitelisting Characters COLDFUSION- Whitelisting Characters
- 36. PHP- Using Sanitization Methods PHP- Whitelisting Characters
- 38. Cross-Site Scripting (XSS) Remediation: ● Values that are obtained from Requests/APIs/Databases etc should be validated using regex. ● Escaping malicious characters from user input. ● Output Encoding before displaying on webpages. ● HTTP Headers for added security: ○ X-XSS Protection ○ Content Security Policy
- 39. JAVA- Using OWASP ESAPI class
- 40. JAVA- Using Java Encoder Library
- 41. ASP.NET- Using AntiXSS Library
- 42. PHP- Using Contextual Encoding
- 43. COLDFUSION- Application.cfc Using Antisamy methods
- 44. Session Fixation
- 45. Remediation: ● Session identifiers must be regenerated and re-issued after every login. ● Validate Session IDs for every incoming request. ● Ensure that each Session ID generated is unique. ● Use Secure Random Number Generators to generate 128/256 bits long Session IDs. ● Invalidate the session after a user logs out. ● The Session Cookie should be set with “Secure” and “HttpOnly” attributes. Session Fixation
- 46. JAVA- Invalidate Session JAVA SPRING- Invalidate Session
- 51. Unrestricted File Upload Remediation: ● Validation should be done on file’s name and extension. ● Magic Number of the file (first few bytes of the file which specifies the file type) should be validated. ● An Upper limit on file size should be enforced. ● Frequency of file uploads should be validated. ● Uploaded file should be scanned for malwares/viruses before saving files on the production server.
- 52. JAVA- Insecure File Upload
- 53. JAVA- Check File Metadata
- 54. ASP.NET- Upload Valid PDF
- 55. PHP- Upload Valid Image
- 56. COLDFUSION- Upload Valid Image
- 58. Q & A
- 59. Come Join Us At ● AppSecUSA, San Jose - Oct 9 & 10 ● AppSec Australia, Melbourne - Oct 15 & 16 ● Djangocon, San Diego - Oct 17 ● SANS, Denver - Oct 22 ● LASCON, Austin - Oct 25 & 26 ● Code Blue, Tokyo - Oct 29 & 30 For more visit www.we45.com and subscribe to our newsletter.