Explore security vulnerabilities decomposition in this 41-minute OWASP Foundation conference talk. Delve into SQL injection classification, security controls, intrusion detection points, and secure data handling workflows. Learn about cryptographic storage, data encryption, and fundamental security principles. Examine design patterns for implementing payment gateways and single sign-on systems. Gain insights on configuration hardening and essential security controls for secure software development. Discover a fresh perspective on analyzing and addressing vulnerabilities in web applications.
Security Vulnerabilities Decomposition - Another Way to Look at Vulnerabilities
Overview
Syllabus
Intro
After Report
SQL Injection: Classification
Decompose the Injection Data interpreted as Code
Extract Security Controls
Security Controls: Security Logging
Best Types of Detection Points
Examples of Intrusion Detection Points
Secure Data Handling: Basic Workflow
Storage by Data Types
Data at Rest: Design Vulnerability Example
Security Controls: Data at Rest Encryption Cryptographic Storage
Security Controls: Data in Transit
Root Cause The type of software with vulnerable components
Fundamental Security Principle
Components Examples
Implement a Logging Library
Simple Wrapper
Implement a Payment Gateway Scenario • Vendor APS-line payment gateways . Can have more than one payment gateway in an application • Required to be interchangeable
Adapter Design Pattern
Implement a Single Sign-On
Façade Design Pattern
Secure Software Starts from Design!
Configuration Hardening
Final Takeaways
Security Controls for Secure Development
Global AppSee Amsterdam
Taught by
OWASP Foundation
