Tech IT Easy x DevTalk: "Secure Your Coding with OWASP"
Secure Coding
the bare minimum – understand the problem
Introduction
• Andi R Djunaedi
• Software Engineer at blibli.com since March 2014
• https://www.linkedin.com/in/andird
• https://github.com/andirdju
• https://github.com/bliblidotcom
Overview – understand the problem
• Theory
  • Code
    • Web application -> we’ll talk about this
    • Operating System
    • Network
    • Other?
• Importance
• Practice, get your laptop, pc or whatever
  • How it works
Theory – Code
• Web Applications
  • OWASP Top 10 List – a new list every 3 years
    • https://www.owasp.org/index.php/Top_10_2013-Top_10
    • https://www.owasp.org/index.php/Top_10_2010-Main
  • Top 3 – Samples
    • SQL Injection: arbitrary SQL query execution
    • Session Fixation: assume another user’s identity
    • Cross Site Scripting: arbitrary client code (JavaScript, HTML) execution
Importance – Non Security
• Performance
  • poor user experience
  • redesign, refactor, make it faster
• Code coverage
  • buggy, more time spent on fixing bugs
  • stop the leak
• When
  • next iteration
Importance – Security
• How to fix security incidents???
  • Personal/financial data stolen
  • Data deleted
• When
  • NOW!!!
Practice – Understand the problem
• Run the bad web app
• OWASP Top 3 samples
  • SQL Injection
  • Session Fixation
  • Cross Site Scripting
• Exercise
Run – web app
• Git, JDK 8, Maven
• https://github.com/bliblidotcom/sample-basic-secure-coding
• In-memory H2 database
• Embedded server
  • mvn spring-boot:run
  • http://localhost:8080
Get your laptop – SQL Injection
• Demo – the valid use case is only "find one record by id"; with injection the same endpoint can:
  • Read all records
  • Insert new records
  • Delete all records
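As an added example (not code from the sample-basic-secure-coding app), the "find one record by id" use case written both ways, the second using the fix the What’s Next slide calls SQL named parameter. It assumes a hypothetical ITEM(ID, NAME) table and Spring’s NamedParameterJdbcTemplate; the class and table names are made up.

```java
import java.util.Collections;
import java.util.List;
import java.util.Map;
import org.springframework.jdbc.core.namedparam.NamedParameterJdbcTemplate;

// Hypothetical repository over a table ITEM(ID, NAME) in the in-memory H2 database.
public class ItemRepository {
    private final NamedParameterJdbcTemplate jdbc;

    public ItemRepository(NamedParameterJdbcTemplate jdbc) {
        this.jdbc = jdbc;
    }

    // VULNERABLE: the caller's id is concatenated into the SQL text, so whatever
    // the caller sends becomes part of the statement. That is how the demo turns
    // "find one record" into read all / insert / delete: the id is no longer a
    // value the database compares, it is SQL the database executes.
    public List<Map<String, Object>> findByIdUnsafe(String id) {
        String sql = "SELECT id, name FROM item WHERE id = " + id;
        return jdbc.getJdbcOperations().queryForList(sql);
    }

    // FIXED: a named parameter (:id). The SQL text is constant; the driver sends
    // the id as a bound value, so it can only ever be compared, never executed.
    // Taking a long also rejects a non-numeric "id" before any SQL runs.
    public List<Map<String, Object>> findById(long id) {
        String sql = "SELECT id, name FROM item WHERE id = :id";
        return jdbc.queryForList(sql, Collections.singletonMap("id", id));
    }
}
```

The same rule covers the INSERT and DELETE statements in the app: every value taken from the request goes through a parameter, never through string concatenation.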
Get your laptop – Session Fixation
• Demo – session info should be known only to the user
  • Bad person (A) creates a new session
  • Persuades unsuspecting person (B) via phishing
  • Bad person (A) gets the session information of the other person (B)
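As an added example (not the sample app’s code), a login handler that reuses the pre-login session next to one that applies the fix the What’s Next slide calls regenerate session id. AuthService, LoginController and the URL paths are hypothetical.

```java
import javax.servlet.http.HttpServletRequest;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestParam;

// Hypothetical credential check; not part of the sample app.
interface AuthService { boolean check(String user, String password); }

@Controller
public class LoginController {
    private final AuthService auth;

    public LoginController(AuthService auth) {
        this.auth = auth;
    }

    // VULNERABLE: the session that existed before login is reused. If the id of
    // that session was handed to the victim by someone else (the fixation demo:
    // A creates the session, B is phished into using it), A now holds the id of
    // B's authenticated session.
    @PostMapping("/login-unsafe")
    public String loginUnsafe(HttpServletRequest request,
                              @RequestParam String user, @RequestParam String password) {
        if (!auth.check(user, password)) {
            return "redirect:/login?error";
        }
        request.getSession().setAttribute("user", user);
        return "redirect:/";
    }

    // FIXED: regenerate the session id at the moment of authentication.
    // changeSessionId() (Servlet 3.1) keeps the attributes but issues a new id,
    // so an id known before login no longer maps to any session.
    @PostMapping("/login")
    public String login(HttpServletRequest request,
                        @RequestParam String user, @RequestParam String password) {
        if (!auth.check(user, password)) {
            return "redirect:/login?error";
        }
        request.getSession();        // ensure a session exists; changeSessionId() needs one
        request.changeSessionId();
        request.getSession().setAttribute("user", user);
        return "redirect:/";
    }
}
```

Spring Security performs this rotation itself on login (its session fixation protection), so the explicit call is only needed in an app that handles login by hand.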
Get your laptop – Cross Site Scripting
• Demo – the valid use case only displays a list of data
• Can be done via the same SQL injection
  • HTML
    • Add an HTML form
  • JavaScript
    • Add a pop-up
    • Add a redirect
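As an added example (not the sample app’s code), the "display a list of data" page rendered without and with the fix the What’s Next slide calls content escaping, using Spring’s HtmlUtils. The class name and the sample rows are constructed for the example.

```java
import java.util.Arrays;
import java.util.List;
import org.springframework.web.util.HtmlUtils;

// Hypothetical renderer for the "display a list of data" page.
public class ItemListRenderer {

    // VULNERABLE: stored values are pasted into the page as-is. A row whose name
    // holds markup (which the demo plants through the same SQL injection) is then
    // rendered as a form, a pop-up script or a redirect instead of as text.
    public static String renderUnsafe(List<String> names) {
        StringBuilder html = new StringBuilder("<ul>");
        for (String name : names) {
            html.append("<li>").append(name).append("</li>");
        }
        return html.append("</ul>").toString();
    }

    // FIXED: escape at output time, for the HTML body context. <, >, &, " and '
    // become entities, so the browser displays the stored text rather than
    // interpreting it. Escaping on output also covers rows that were inserted
    // before the fix, which input filtering alone would miss.
    public static String render(List<String> names) {
        StringBuilder html = new StringBuilder("<ul>");
        for (String name : names) {
            html.append("<li>").append(HtmlUtils.htmlEscape(name)).append("</li>");
        }
        return html.append("</ul>").toString();
    }

    public static void main(String[] args) {
        // Constructed sample rows: one normal, one carrying the demo's pop-up script.
        List<String> rows = Arrays.asList("Widget", "<script>alert('pop up')</script>");
        System.out.println(renderUnsafe(rows)); // the script tag reaches the browser intact
        System.out.println(render(rows));       // only entities reach the browser
    }
}
```

In Thymeleaf, Spring Boot’s default template engine, th:text escapes the same way while th:utext does not. Escaping must also match the context: attribute, URL and JavaScript contexts need their own encoders, not the HTML body one.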
What’s Next
• Crack the other API
  • it has similar problems
• Fix the exploit
  • Don’t repeat yourself by creating custom solutions
    • SQL named parameters
    • Regenerate the session id
    • Content escaping