Bünyamin Demir - 10 Adımda Yazılım Güvenliği
Download as PPTX, PDF6 likes1,662 views
The document provides an overview of 10 steps for software security according to OWASP-Turkey. It introduces the author Bünyamin Demir and his background and experience in application security. It then discusses key aspects of OWASP and provides code examples for implementing input validation, sanitization, secure cookies, session management, CAPTCHA, path canonicalization, HTTPS, CSRF tokens, and prepared statements.
![1 - Girdi Denetimi
7
public boolean validateUsername(String username) {
String usernamePattern = "^[a-zA-Z0-9]{6,12}$";
if (username == null) {
return false;
}
Pattern p = Pattern.compile(usernamePattern);
Matcher m = p.matcher(username);
if (!m.matches()) {
return false;
}
return true;
}
if (!validateUsername(username)) {
//uygun olmayan kullanıcı adı
}](https://image.slidesharecdn.com/securesolutiontop10-150421135835-conversion-gate02/85/Bunyamin-Demir-10-Adimda-Yazilim-Guvenligi-7-320.jpg)
![ESAPI ile Girdi Denetimi
8
Validator.Username=^[a-zA-Z0-9]{6,12}$
String username = request.getParameter("username");
boolean booluser = ESAPI.validator().isValidInput("User name", username, "Username",
12, false);
if (!booluser) {
// uygun olmayan kullanıcı adı
}](https://image.slidesharecdn.com/securesolutiontop10-150421135835-conversion-gate02/85/Bunyamin-Demir-10-Adimda-Yazilim-Guvenligi-8-320.jpg)
Bünyamin Demir - 10 Adımda Yazılım Güvenliği
- 2. Bünyamin Demir ( @bunyamindemir ) – Lisans Kocaeli Üni. Matematik Bölümü – Yüksek Lisans Kocaeli Üni Fen-Bilimleri, Tez; Oracle Veritabanı Güvenliği – Uygulama Geliştirici – OWASP Türkiye Bölüm Lideri – Sızma Testleri Uzmanı • Web, Mobil, Network, SCADA, Wireless, Sosyal Mühendislik, ATM, DoS/DDoS ve Yük testi • Kaynak kod analizi – Eğitmen • Web/Mobil Uygulama Güvenlik Denetimi • Güvenli Kod Geliştirme • Veritabanı Güvenliği 2
- 3. 3 OWASP
- 4. 4 Why is OWASP Special?
- 5. • OWASP Top 10 • OWASP Zed Attack Proxy (ZAP) • OpenSAMM • Cheat Sheets • ESAPI • ASVS • Testing Guide • Development Guide 5 OWASP Projects
- 6. 6 Application Security Verification Standart
- 7. 1 - Girdi Denetimi 7 public boolean validateUsername(String username) { String usernamePattern = "^[a-zA-Z0-9]{6,12}$"; if (username == null) { return false; } Pattern p = Pattern.compile(usernamePattern); Matcher m = p.matcher(username); if (!m.matches()) { return false; } return true; } if (!validateUsername(username)) { //uygun olmayan kullanıcı adı }
- 8. ESAPI ile Girdi Denetimi 8 Validator.Username=^[a-zA-Z0-9]{6,12}$ String username = request.getParameter("username"); boolean booluser = ESAPI.validator().isValidInput("User name", username, "Username", 12, false); if (!booluser) { // uygun olmayan kullanıcı adı }
- 9. 2-Sanitization 9 String safeMarkup = ESAPI.validator().getValidSafeHTML( "Rich Text", richTextInput, 2500, true ); <% String address = "Sumbul mah.,<script>alert(1);</script> kartal sk., manolya sitesi, bahar apart., D/Blok, No:5"; String safeAddressText = ESAPI.validator().getValidSafeHTML("Address Text", address, 200, true); %> <div><%= safeAddressText %></div> <div>Sumbul mah., kartal sk., manolya sitesi, bahar apart., D/Blok, No:5</div>
- 10. 3 – HttpOnly Cookie 10 Set-cookie: JSESSIONID=p9JtQGHSrTQTzfK8912y72VTv2y4Jyr5zTbV1h1Mc7Lmf4fMg1ly; Domain=www.site.com; Path=/; Secure; HttpOnly
- 11. 4 – Secure Cookie 11 Set-Cookie: JSESSIONID=p9JtQGHSrTQTzfK8912y7Mg1ly; Domain=www.site.com; Path=/; Secure; HttpOnly
- 12. 5 – Oturum Anahtarı 12 ESAPI.httpUtilities().changeSessionIdentifier(); Users user = new LoginDAO().login(username, password); if (user.isAuthenticated()) { currentSession = request.getSession(true); currentSession.invalidate(); HttpSession newSession = request.getSession(true); } else { request.setAttribute("loginerr", "username or password is invalid"); request.getRequestDispatcher("login.jsp").forward(request, response); }
- 13. 6 – Güvenli Chaptcha 13
- 14. 7 – getCanonicalPath() 14 getCanonicalPath() http://www.site.com/getFile.jsp=file=/../../../../etc/passwd getCanonicalPath(/www/data/site_com/files/../../../../etc/passwd) /etc/passwd != /www/data/site_com/files/
- 15. 8 – HTTPS 15 Kimlik doğrulama işlevi barındıran uygulamaların güvenli kanallar ile iletişim sağlıyor olması gerekir.
- 16. 9 – Form Token 16 <form name="comment" action="product_comment.jsp?pid=53" method="POST"> Comment: <input type="text" name="comment"/> <input type="submit" value="Submit"/> <input type="hidden" name="CSRFToken” value="30Dfd45645Ddssdf4567fdfdgAA..."> </form>
- 17. 10 – Prepared Statement 17 ... String className = request.getParameter("class"); String query = "SELECT * FROM students WHERE class = '" + className + "'"; ResultSet rs = stmt.execute(query); ... ... String className = request.getParameter("class"); PreparedStatement psmt = conn.prepareStatement("SELECT * FROM students WHERE class=?"); psmt.setString(1, className); ResultSet rs = psmt.executeQuery(); ...
- 18. 18
Editor's Notes
- #5: Why is OWASP Special? Over 43,000 community members worldwide, in over 100 countries Rapid growth over the 12+ years since OWASP’s inception. Demonstrative of our growth as an organization is our revenue which is comes primarily from global conferences such as this as well as memberships. In the last year our revenue grew from just under a million dollars in 2012 to an estimated 1.8 million for the current year. Different from other organizations and conferences because The community Incubator for Ideas and OWASP Projects – Open Source Documentation, Tools, Code Libraries