1
play

1 I like to think that tequila inspired this talk. Tokyo 1999 a - PDF document

Aug 22, 2022 •489 likes •815 views

1 I like to think that tequila inspired this talk. Tokyo 1999 a night to forget. 16 hours of waiting for the hangover . I get the trampoline effect now. How does this relate to Validation? My body self-validates against tequila! [ GIVE

  1. 1

  2. I like to think that tequila inspired this talk. Tokyo 1999… a night to forget. 16 hours of waiting for the hangover . I get the trampoline effect now. How does this relate to Validation? My body self-validates against tequila! [ GIVE AGENDA] 2

  3. Migrating workloads to a shared network and compute infrastructure increases the potential for unauthorized exposure. Data will be exposed on: multi-tenant environment storage Spanned multiple layers in the cloud stack Platforms secured by multiple technologies and services 3

  4. Authentication/authorization and val alid idat atio ion n technologies are becoming increasingly important. Data will be exposed on: different trust levels, including anonymous, users, privileged cloud users various geographies where it is located 4

  5. Secure Socket Layers (SSL) or Virtual Private Networks (VPN) solutions cannot address the reality that data travels everywhere and anywhere in a cloud. In 2009, this may have been maintainable… 5

  6. In 2014, not so much. How is SSL/TLS going to solve the rapid growth of connected sites? Call it the Multitenancy Effect. 6

  7. Malware attacks will make their way to internal networks via techniques such as SQL injection. Once they’re on the network, they inherit the permissions of a trusted user and find their way over to more important assets 7

  8. SQL injection was leveraged in 27 of the 34 (80%) attacks against web applications in the retail industry. Why is this still happening? 8

  9. 9

  10. OWASP General Data Validation - https://www.owasp.org/index.php/Data_Validation_%28Code_Review%29 OWASP Entity Encoding - https://www.owasp.org/index.php/How_to_perform_HTML_entity_encoding_in_Jav a OWASP Application Security Verification Standard is a step in the right direction, but still based on trusted zones - http://code.google.com/p/owasp- asvs/wiki/Verification_V5 Microsoft Guidance Share is based on centralized validation control- http://www.guidanceshare.com/wiki/Web_Application_Security_Design_Guidelines_ -_Input_/_Data_Validation http://msdn.microsoft.com/en-us/library/ee658105.aspx#Validation Design Steps for Validating Input and Data 10

  11. Microsoft Validation Application Block; heavyweight and complex to use http://msdn.microsoft.com/en-us/library/dn440720(v=pandp.60).aspx OWASP CSRF Guard - http://www.owasp.org/index.php/CSRF_Guard Stinger (inactive) was the start of a centralized input validation component; replaced by ESAPI? – https://www.owasp.org/index.php/Category:OWASP_Stinger_Project ESAPI main purpose is to retrofit security into existing applications – https://www.owasp.org/index.php/Esapi 11

  12. Microsoft Validation Application Block; heavyweight and complex to use http://msdn.microsoft.com/en-us/library/dn440720(v=pandp.60).aspx OWASP CSRF Guard - http://www.owasp.org/index.php/CSRF_Guard Stinger (inactive) was the start of a centralized input validation component; replaced by ESAPI? – https://www.owasp.org/index.php/Category:OWASP_Stinger_Project ESAPI main purpose is to retrofit security into existing applications – https://www.owasp.org/index.php/Esapi 12

  13. Microsoft Validation Application Block; heavyweight and complex to use http://msdn.microsoft.com/en-us/library/dn440720(v=pandp.60).aspx OWASP CSRF Guard - http://www.owasp.org/index.php/CSRF_Guard Stinger (inactive) was the start of a centralized input validation component; replaced by ESAPI? – https://www.owasp.org/index.php/Category:OWASP_Stinger_Project ESAPI main purpose is to retrofit security into existing applications – https://www.owasp.org/index.php/Esapi 13

  14. Word mapping Hey this is easy enough ^[a-zA-Z]+$ But what if I wanted to block certain patterns… [v,V,(\\/)](\W|)[i,I,1,l,L](\W|)[a,A,@,(\/\\)](\W|)[g,G](\W|)[r,R](\W|)[a,A,@,(\/\\))] ( viagra anyone?) 14

  15. Word mapping Hey this is easy enough ^[a-zA-Z]+$ But what if I wanted to block certain patterns… [v,V,(\\/)](\W|)[i,I,1,l,L](\W|)[a,A,@,(\/\\)](\W|)[g,G](\W|)[r,R](\W|)[a,A,@,(\/\\))] ( viagra anyone?) 15

  16. Email address mapping Ugh, what is this mess? (?:[a-z0-9!#$%&'*+/=?^_`{|}~-]+(?:\.[a-z0-9!#$%&'*+/=?^_`{|}~- ]+)*|”(?:[ \x01- \x08\x0b\x0c\x0e-\x1f\x21\x23-\x5b\x5d-\x7f]|\\[\x01-\x09\x0b\x0c\x0e- \ x7f])*”)@(?:(?:[a -r-9](?:[a-z0-9-]*[a-z0-9])?\.)+[a-z0-9](?:[a-z0-9-]*[a-z0- 9])?|\[(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0- 9][0-9]?|[a-z0-9-]*[a-z0-9]:(?:[\x01-\x08\x0b\x0c\x0e-\x1f\x21-\x5a\x53- \x7f]|\\[\x01-\x09\x0b\x0c\x0e-\x7f])+)\]) 17

  17. Malicious Data breaches are increasing The old model of validation gates doesn’t work in a multi -tenancy world C urrent frameworks are complex and siloed 18

  18. 19

  19. 20

  20. 21

  21. 22

  22. Concept of Zero-trust architecture In Zero Trust, all network traffic is untrusted. Thus, security professionals must verify and secure all resources, limit and strictly enforce access control, and inspect and log all network traffic. The core concepts of Zero Trust are: • There is no longer a trusted and an untrusted interface on our security devices. • There is no longer a trusted and an untrusted network. • There are no longer trusted and untrusted users The Zero Trust model provides a data-centric approach to security that protects against sophisticated and targeted attacks 24

  23. Concept of Zero-trust architecture In Zero Trust, all network traffic is untrusted. Thus, security professionals must verify and secure all resources, limit and strictly enforce access control, and inspect and log all network traffic. The core concepts of Zero Trust are: • There is no longer a trusted and an untrusted interface on our security devices. • There is no longer a trusted and an untrusted network. • There are no longer trusted and untrusted users The Zero Trust model provides a data-centric approach to security that protects against sophisticated and targeted attacks 25

  24. Concept of Zero-trust architecture In Zero Trust, all network traffic is untrusted. Thus, security professionals must verify and secure all resources, limit and strictly enforce access control, and inspect and log all network traffic. The core concepts of Zero Trust are: • There is no longer a trusted and an untrusted interface on our security devices. • There is no longer a trusted and an untrusted network. • There are no longer trusted and untrusted users The Zero Trust model provides a data-centric approach to security that protects against sophisticated and targeted attacks 26

  25. Concept of Zero-trust architecture In Zero Trust, all network traffic is untrusted. Thus, security professionals must verify and secure all resources, limit and strictly enforce access control, and inspect and log all network traffic. The core concepts of Zero Trust are: • There is no longer a trusted and an untrusted interface on our security devices. • There is no longer a trusted and an untrusted network. • There are no longer trusted and untrusted users The Zero Trust model provides a data-centric approach to security that protects against sophisticated and targeted attacks 27

  26. Concept of Zero-trust architecture In Zero Trust, all network traffic is untrusted. Thus, security professionals must verify and secure all resources, limit and strictly enforce access control, and inspect and log all network traffic. The core concepts of Zero Trust are: • There is no longer a trusted and an untrusted interface on our security devices. • There is no longer a trusted and an untrusted network. • There are no longer trusted and untrusted users The Zero Trust model provides a data-centric approach to security that protects against sophisticated and targeted attacks 28

  27. Concept of Zero-trust architecture In Zero Trust, all network traffic is untrusted. Thus, security professionals must verify and secure all resources, limit and strictly enforce access control, and inspect and log all network traffic. The core concepts of Zero Trust are: • There is no longer a trusted and an untrusted interface on our security devices. • There is no longer a trusted and an untrusted network. • There are no longer trusted and untrusted users The Zero Trust model provides a data-centric approach to security that protects against sophisticated and targeted attacks 29

  28. What is a “type - safe” string? It acts like a string, but has the desired validation architecture built into the class ! The type-safe string will take the validation with it where it gets used. Developers will no longer have to remember to also do validation because the type-safe string will take care of this. Cons nstrain ain and and reject when setting value • T ype • • Format Simple regex • Length • Range • only applies to numbers • • Sanit itiz ize when passing data Inert payload component • 30

  29. A note about sanitization during data validation. Sanitization is loosely based on the concept of tokenization. Tokenization provides a method by which to replace sensitive data with a disassociated and randomly generated alias.The process to tokenize and detokenize is strictly controlled with a special API. Data is persistently tokenized from the point of capture to the point of consumption or rest. Sanitization doesn’t rely upon a randomly generated or disassociated representation in this case as it is used to mitigate against injection attacks. It makes the data inert. 31

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Agile with a lowercase a: The Art of Collaborative PM Hosted by Kylie Forcinito and Nick

Agile with a lowercase a: The Art of Collaborative PM Hosted by Kylie Forcinito and Nick

Agile with a lowercase a: The Art of Collaborative PM Hosted by Kylie Forcinito and Nick Switzer Join Us for Contribution Sprints Friday, April 28, 2017 First-Time Sprinter Mentored Core General Sprints Workshop Sprint 9:00am - 6:00pm

687 views • 49 slides
Thinking Strategically: (i) Repeated Play & (ii) Strategic Communication David P Myatt

Thinking Strategically: (i) Repeated Play & (ii) Strategic Communication David P Myatt

Thinking Strategically: (i) Repeated Play & (ii) Strategic Communication David P Myatt London Business School Dubai: January, 2020 What are we doing here? 1 Simultaneous-move games. 2 Sequential-move games. 3 Competition and strategic

2.31k views • 191 slides
Good Economics for Hard Times #LSEStamp Professor Esther Duflo Abdul Latif Jameel Professor of

Good Economics for Hard Times #LSEStamp Professor Esther Duflo Abdul Latif Jameel Professor of

Good Economics for Hard Times #LSEStamp Professor Esther Duflo Abdul Latif Jameel Professor of Poverty Alleviation. Development Economics in the Department of Economics at the Massachusetts Institute of Technology. Co-founder and co-director of

870 views • 30 slides
Negotiating vocationalism Music Education and Industry Engagement - critiquing curriculum 30th

Negotiating vocationalism Music Education and Industry Engagement - critiquing curriculum 30th

Negotiating vocationalism Music Education and Industry Engagement - critiquing curriculum 30th January 2019 Dr Sen McLaughlin Email: sean.mclaughlin.perth@uhi.ac.uk

473 views • 16 slides
Audio and Speech August 13, 2001 Audio 2 Digital sound anti-aliasing amplifier codec filter

Audio and Speech August 13, 2001 Audio 2 Digital sound anti-aliasing amplifier codec filter

Audio 1 Audio and Speech August 13, 2001 Audio 2 Digital sound anti-aliasing amplifier codec filter A packet- G.7xx ization D 1mV A G.7xx D August 13, 2001 Audio 3 Digital audio sample each audio channel and quantize

478 views • 21 slides
The Aerospace & Defense Forum Los Angeles & San Fernando Valley Chapters May 14, 2020

The Aerospace & Defense Forum Los Angeles & San Fernando Valley Chapters May 14, 2020

The Aerospace & Defense Forum Los Angeles & San Fernando Valley Chapters May 14, 2020 Welcome to our Joint LA & SFV Chapters Meeting May 14, 2020 LA Chapter Host and Sponsors SFV Chapter Host and Sponsors 1 Who We Are A

284 views • 13 slides
Letter From America Michael Whiteman International Restaurant Consultant Baum + Whiteman Ugly

Letter From America Michael Whiteman International Restaurant Consultant Baum + Whiteman Ugly

Letter From America Michael Whiteman International Restaurant Consultant Baum + Whiteman Ugly Root Vegetables Moving from Sweet to Savoury Large Format Meals Beer in Cocktails Bitter is Better Grandmothers Drinks Repurposed Bar Collides

1.08k views • 51 slides
Small-investor Horticultural Farmers in Lume district of Ethiopia: Opportunities and Challenges

Small-investor Horticultural Farmers in Lume district of Ethiopia: Opportunities and Challenges

Small-investor Horticultural Farmers in Lume district of Ethiopia: Opportunities and Challenges to transform the growth process on and beyond their farm. Samuel Gebreselassie, EEA and FAC sgebreselassie@gmail.com 1 Background Over the

731 views • 28 slides
Anders Lindgren Senior Researcher RISE SICS Working on: ICN, IoT, low latency

Anders Lindgren Senior Researcher RISE SICS Working on: ICN, IoT, low latency

I NTERNET OF P EOPLE D AGSTUHL SEMINAR 17412 9 O CTOBER 2017 Participants One-pagers Anders Lindgren Senior Researcher RISE SICS Working on: ICN, IoT, low latency communication, challenged networks (Past: Internet of Reindeer

367 views • 22 slides
Tractable Constraint Languages Zion Schell Based on Chapter 11 of Rina Dechter's Constraint

Tractable Constraint Languages Zion Schell Based on Chapter 11 of Rina Dechter's Constraint

Tractable Constraint Languages Zion Schell Based on Chapter 11 of Rina Dechter's Constraint Processing by David Cohen and Peter Jeavons Zion Schell Tractable Constraint Languages - 1 4-15-13 Disclaimer This chapter is a bit weird It

1.03k views • 74 slides
Lessons learned while playing CoreWars8086 Shapira Elad (Zest) | Security Researcher |

Lessons learned while playing CoreWars8086 Shapira Elad (Zest) | Security Researcher |

Lessons learned while playing CoreWars8086 Shapira Elad (Zest) | Security Researcher | 29-6-2014 #Whois Elad Shapira (Zest) Reverser from the Holy Land. Mobile Security Researcher @AVG. Highly passionate for RE, Assembly and

649 views • 61 slides
ON-GOING PROJECT (2008-) Ar#s#c techniques for archiving life Jacek Smolicki

ON-GOING PROJECT (2008-) Ar#s#c techniques for archiving life Jacek Smolicki

ON-GOING PROJECT (2008-) Ar#s#c techniques for archiving life Jacek Smolicki ar-st/researcher/curator Malm University Sweden SOUNDTRACKING From technologies to techniques and prac0ces SELF-TRACKING SELF-TRACKING MISQUOTING MISQUOTING

581 views • 29 slides
IHI Virtual Expedition Improving Transitions to Post Acute Care Settings, Including Home

IHI Virtual Expedition Improving Transitions to Post Acute Care Settings, Including Home

8/18/2017 April 27, 2017 These presenters have nothing to disclose IHI Virtual Expedition Improving Transitions to Post Acute Care Settings, Including Home Session 1: Building the Will, Ideas and Execution for Successful Transitions Peg

591 views • 40 slides
P C R Randomized comparison of a sirolimus-eluting stent with a biolimus-eluting stent in

P C R Randomized comparison of a sirolimus-eluting stent with a biolimus-eluting stent in

euro P C R Randomized comparison of a sirolimus-eluting stent with a biolimus-eluting stent in patients treated with PCI: the SORT OUT VII trial Lisette Okkels Jensen, Per Thayssen, Michael Maeng, Jan Ravkilde, Lars Krusell, Hans-Henrik

829 views • 14 slides
Investments in Worker Health and Labor Productivity: Evidence from Vietnam Massimo Filippini 1

Investments in Worker Health and Labor Productivity: Evidence from Vietnam Massimo Filippini 1

Investments in Worker Health and Labor Productivity: Evidence from Vietnam Massimo Filippini 1 & Suchita Srinivasan 2 1 Centre for Energy Policy and Economics, ETH Z urich, Z urich, Switzerland and Universita della Svizzera Italiana

327 views • 18 slides
The The In Infla flatio ionary ry Cos Costs of of Ex Extr trem eme We Weather in in Dev

The The In Infla flatio ionary ry Cos Costs of of Ex Extr trem eme We Weather in in Dev

Discussion of The The In Infla flatio ionary ry Cos Costs of of Ex Extr trem eme We Weather in in Dev Developing ping Coun Countri tries by A. Heinen, J. Khadan, E. Strobl CEP, Bank of England Conference November 2016 Ted Loch

556 views • 8 slides
Black holes, class numbers, and special cycles 1.3 1.2 1.1 1 0.9 -0.4 -0.2 0.2 0.4

Black holes, class numbers, and special cycles 1.3 1.2 1.1 1 0.9 -0.4 -0.2 0.2 0.4

Black holes, class numbers, and special cycles 1.3 1.2 1.1 1 0.9 -0.4 -0.2 0.2 0.4 Shamit Kachru (Stanford) based on work with: A. Tripathy (arXiv:1705.06295, 1706.02706) N. Benjamin, K. Ono, L. Rolen (arXiv:1807.00797) I.

369 views • 24 slides
2. Review of OO Paradigm and UML UML-1 Venkat Subramaniam Benefits Of OO Development

2. Review of OO Paradigm and UML UML-1 Venkat Subramaniam Benefits Of OO Development

2. Review of OO Paradigm and UML UML-1 Venkat Subramaniam Benefits Of OO Development Models System using Objects Small Semantic gap between reality & model Understanding the system is easier Modifications are localized

363 views • 25 slides
ASACUSA 2009 - 2010 Atomic Spectroscopy And Collisions Using Slow Antiprotons Jan 19, 2010 Ryugo

ASACUSA 2009 - 2010 Atomic Spectroscopy And Collisions Using Slow Antiprotons Jan 19, 2010 Ryugo

ASACUSA 2009 - 2010 Atomic Spectroscopy And Collisions Using Slow Antiprotons Jan 19, 2010 Ryugo S. Hayano, University of Tokyo Spokesperson, ASACUSA ASACUSA 7-Oct-97 CERN/SPSC 97-19 CERN/SPSC P-307 p He & H spectroscopy CPT,

1.23k views • 66 slides
| O

| O

i c i | O h w w Q 2 : o f O k

619 views • 20 slides
A Variational Model for Interactive Shape Prior Segmentation and Real-Time Tracking Manuel

A Variational Model for Interactive Shape Prior Segmentation and Real-Time Tracking Manuel

A Variational Model for Interactive Shape Prior Segmentation and Real-Time Tracking Manuel Werlberger, Thomas Pock, Markus Unger, and Horst Bischof 05/26/2009 Institute for Computer Graphics and Vision Graz University of Technology Motivation

484 views • 33 slides
Unit2:Univariate Statistics(Resistant) Unit2PostHole:

Unit2:Univariate Statistics(Resistant) Unit2PostHole:

Unit2:Univariate Statistics(Resistant) Unit2PostHole:

886 views • 66 slides
Proving Differential Privacy via Probabilistic Couplings Gilles Barthe, Marco Gaboardi, Benjamin

Proving Differential Privacy via Probabilistic Couplings Gilles Barthe, Marco Gaboardi, Benjamin

Proving Differential Privacy via Probabilistic Couplings Gilles Barthe, Marco Gaboardi, Benjamin Grgoire, Justin Hsu*, Pierre-Yves Strub IMDEA Software, University at Buffalo, Inria, University of Pennsylvania* July 8, 2016 1 A new approach

518 views • 6 slides
Kimberlite Terminology and Classification B. H. Scott Smith, T. E. Nowicki, J. K. Russell, K. J.

Kimberlite Terminology and Classification B. H. Scott Smith, T. E. Nowicki, J. K. Russell, K. J.

Kimberlite Terminology and Classification B. H. Scott Smith, T. E. Nowicki, J. K. Russell, K. J. Webb, R. H. Mitchell, C. M. Hetman, M. Harder, E. M. W. Skinner, and Jv. A. Robey Abstract Description, classification and interpretation of

470 views • 17 slides

More recommend