AppSec California 2016 - Preventing Security Bugs through Software Design - Christoph Kern
By SecurityTube.Net, published 2016-03-28 at 14:39:47
Abstract: Many common application-level security defects, such as SQL Injection and Cross-Site Scripting (XSS), have proven difficult to eradicate in large-scale software development projects. In our view, the root cause for the prevalence of these classes of vulnerabilities is that the underlying APIs and frameworks, such as SQL query APIs, HTML templating systems, and Web Platform APIs, a priori permit vulnerable application code to be written, thus placing the onus for avoiding vulnerabilities primarily on the developer. Since developers are human, and the APIs in question are often widely used in large applications, the presence of some number of mistakes, and hence vulnerabilities, is almost guaranteed. At the same time, it is unlikely that existing bugs in a large system can be exhaustively identified through testing, code review or static analysis. In this talk, we propose to instead place the burden on API designers. Our goal is to design alternative APIs that are similarly expressive, but are also sufficiently constrained to make it essentially impossible to write vulnerable application code using the API. We describe designs for injection-proof SQL query APIs and XSS-proof HTML rendering APIs, combined with machine-checked coding guidelines ensuring their correct usage. These APIs have been successfully adopted in several flagship application development projects at Google, and have resulted in a drastic reduction in the number of bugs observed.

Christoph Kern, Software Engineer, Google. Christoph Kern is a software engineer in Google's Information Security Engineering team. He leads a team focused on the prevention and mitigation of security vulnerabilities in Google's applications and services through framework, API, and platform design.

For more information please visit https://2016.appseccalifornia.org
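The following is an added example illustrating the design principle the abstract describes; it is not code from the talk or from Google's libraries. It shows a constrained SQL query API and an HTML rendering API in JavaScript, using tagged template literals: the template-strings array a tag function receives can only originate from a string literal in the source, so the query text and markup skeleton are guaranteed to be developer-authored constants, while every interpolated value becomes a bound parameter (SQL) or is escaped (HTML) unless it is already a `SafeSql` / `SafeHtml` value produced by the same API. The names `sql`, `html`, `SafeSql`, `SafeHtml`, `findUserQuery` and `renderPage` are assumptions of this example. The runtime check in `assertTagged` only approximates the "machine-checked coding guideline" the abstract mentions; in a real deployment a static check would forbid untagged calls and direct construction of the safe types.

```javascript
// Added example: injection-proof SQL and XSS-proof HTML APIs built on tagged
// template literals. Not the talk's or Google's code; names are assumptions.

// A value of this type carries query text that came only from string literals
// plus a parameter list. Untrusted data can never end up in `text`.
class SafeSql {
  constructor(text, params) {
    this.text = text;
    this.params = Object.freeze([...params]);
    Object.freeze(this);
  }
}

// A value of this type holds markup that is already safe to emit: literal
// template text plus escaped interpolations, or nested SafeHtml values.
class SafeHtml {
  constructor(markup) {
    this.markup = markup;
    Object.freeze(this);
  }
  toString() { return this.markup; }
}

// Template objects are frozen arrays with a `.raw` property; an ordinary
// string (e.g. "SELECT ... " + userInput) fails this check.
function assertTagged(strings) {
  if (!Array.isArray(strings) || !Object.isFrozen(strings) || !Array.isArray(strings.raw)) {
    throw new TypeError("must be called as a tagged template on a string literal");
  }
}

// sql`...${value}...`: literal parts become query text, interpolated values
// become `?` placeholders, and nested SafeSql fragments are spliced in with
// their own parameters.
function sql(strings, ...values) {
  assertTagged(strings);
  let text = strings[0];
  const params = [];
  values.forEach((value, i) => {
    if (value instanceof SafeSql) {
      text += value.text;
      params.push(...value.params);
    } else {
      text += "?";
      params.push(value);
    }
    text += strings[i + 1];
  });
  return new SafeSql(text, params);
}

const ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => ESCAPES[c]);
}

// html`...${value}...`: every interpolation is escaped unless it is a SafeHtml
// value that this same API produced earlier.
function html(strings, ...values) {
  assertTagged(strings);
  let out = strings[0];
  values.forEach((value, i) => {
    out += value instanceof SafeHtml ? value.markup : escapeHtml(value);
    out += strings[i + 1];
  });
  return new SafeHtml(out);
}

// "Before": string concatenation lets any input alter the query structure.
function findUserQueryUnsafe(name) {
  return "SELECT id, name FROM users WHERE name = '" + name + "'";
}

// "After": the only way to include `name` is as a bound parameter.
function findUserQuery(name) {
  return sql`SELECT id, name FROM users WHERE name = ${name}`;
}

// Fragments compose without ever exposing raw text to application code.
function findActiveUserQuery(name) {
  const filter = sql`name = ${name} AND active = ${1}`;
  return sql`SELECT id FROM users WHERE ${filter}`;
}

// Untrusted strings are escaped; SafeHtml built by `html` passes through.
function renderPage(userName, bodyText) {
  const body = html`<p>${bodyText}</p>`;
  return html`<h1>${userName}</h1>${body}`;
}

// Demonstrates that the guideline "sql must be used as a tag" is enforced at
// runtime here (statically in a real system): an untagged call is rejected.
function untaggedCallRejected(userInput) {
  try {
    sql("SELECT id FROM users WHERE name = '" + userInput + "'");
    return false;
  } catch (e) {
    return e instanceof TypeError;
  }
}
```

With a constructed input such as `O'Brien`, `findUserQueryUnsafe` produces a query whose quoting is already broken by ordinary data, whereas `findUserQuery` yields the constant text `SELECT id, name FROM users WHERE name = ?` with the value bound separately; likewise `renderPage("<i>", "a & b")` emits `<h1>&lt;i&gt;</h1><p>a &amp; b</p>`. The application code has no way to reach either vulnerable shape, which is the point of the design.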