Page 1: Web Security  ...2015 Greater Wisconsin Software Symposium March 13-14 (Two day event) Early bird discount ends 2/23 JUG Discount: $50 off use the promo code: nfjsusergroup50


Web Security http://localhost:8080/wink/wiki/2015/WebSecurity#1

1 of 105 2/23/15, 1:54 PM


Web Security

Brian Sletten (@bsletten)




2015 Greater Wisconsin Software Symposium, March 13-14 (Two day event)

Early bird discount ends 2/23

JUG Discount: $50 off use the promo code: nfjsusergroup50




Speaker Qualifications

- Specialize in next-generation technologies
- Author of 'Resource-Oriented Architecture Patterns for Webs of Data'
- Speaks internationally about REST, Semantic Web, Data Science, Security, Visualization, Architecture
- Worked in Defense, Finance, Retail, Hospitality, Video Game, Health Care, Telecommunications and Publishing Industries
- International Pop Recording Artist






Agenda

- Introduction
- Security Engineering
- Software Security
- Web Security
- Books




The Ones You've Heard Of...

- TJ Maxx
- Target
- Michaels
- KMart
- Home Depot
- JP Morgan




Credit: http://xkcd.com/936



Through 20 years of effort, we've successfully trained everyone to use passwords that are hard for humans to remember, but easy for computers to guess.



Choose a password you can't remember, and don't write it down.


Ross J. Anderson


A name... is a name... is a name... is a name... is an attack vector




Where Does This Go?

http://example.com&gibberish=1234@167772161



Do the Math!

http://example.com&gibberish=1234@167772161

Everything between the "//" and the last "@" is the userinfo part of the URL, so "example.com&gibberish=1234" is treated as a username and the host is the bare integer 167772161, which the browser reads as an IPv4 address:

String:  00001010 . 00000000 . 00000000 . 00000001   (10.0.0.1)
Integer: 167772161

(10 * 16777216) + (0 * 65536) + (0 * 256) + (1 * 1) = 167772161
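The check a server should make before following or allow-listing a user-supplied URL is on the parsed host, not on the string prefix. The following is an added example (not code from the deck or from Brian Sletten); it parses the slide's URL with Python's standard library, expands an integer host with the same arithmetic as the slide, and shows a host allow-list check that is not fooled by the userinfo trick. The allow-list contents and the second sample URL are constructed for the example.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample URLs: the slide's trick URL and a plain one for contrast.
TRICK_URL = "http://example.com&gibberish=1234@167772161"
PLAIN_URL = "http://example.com/path?gibberish=1234"


def int_to_dotted_quad(n: int) -> str:
    """Expand a 32-bit integer host into dotted-quad form (the slide's 'do the math')."""
    # ipaddress does the 10*16777216 + 0*65536 + 0*256 + 1 expansion for us.
    return str(ipaddress.IPv4Address(n))


def dotted_quad_to_int(addr: str) -> int:
    """Inverse: each octet times its place value (2^24, 2^16, 2^8, 1)."""
    a, b, c, d = (int(o) for o in addr.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d


def effective_host(url: str) -> str:
    """Return the host a URL parser actually connects to.

    Everything between '//' and the last '@' in the authority is userinfo,
    so 'example.com&gibberish=1234' is a (fake) username, not the host.
    """
    host = urlsplit(url).hostname or ""
    # A bare decimal host is an IPv4 literal written in integer notation.
    if host.isdigit():
        host = int_to_dotted_quad(int(host))
    return host


def goes_to_allowed_host(url: str, allowed) -> bool:
    """Allow-list check on the parsed host, not on the string prefix.

    A naive url.startswith('http://example.com') passes the trick URL;
    this check does not, because the parsed host is 10.0.0.1.
    """
    return effective_host(url) in allowed


if __name__ == "__main__":
    print(effective_host(TRICK_URL))                                   # 10.0.0.1
    print(effective_host(PLAIN_URL))                                   # example.com
    print(goes_to_allowed_host(TRICK_URL, frozenset({"example.com"})))  # False
```

The same parsed-host comparison is what a redirect validator or an outbound-fetch allow-list should use; any check that looks at the start of the string instead is comparing the attacker-chosen userinfo.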



How About?

http://example.com\@coredump.cx

In Firefox, http://coredump.cx



Or Maybe...

http://example.com;.coredump.cx

In IE, http://coredump.cx

Safari, it's an error.

Others, http://example.com/;.coredump.cx



The web is an information space. When you explore it, you don't end up buying stuff, agreeing to anything, or - in this case, losing your domain name...

Tim Berners-Lee


From: <[email protected]>
Date: Fri Apr 11, 2003 19:31:28 US/Eastern
To: [email protected]
Subject: Confirm Domain Transfer

A Transfer Request was submitted for the following domains. Click on the following link to confirm the domain transfer request for these domains.

Your Transfer Request Code IS: ces[...]cbI
https://secure.registerapi.com/order/trx/confirm.php

If you did not request the transfer of these domains then DO NOT click on the above links. By not clicking you are preventing a domain registrar transfer from taking place.

Thank you,
The Automated Domain Transfer System



Cross Site Request Forgery (CSRF)

http://bank.example.com/withdraw?acct=Bob&amt=1000000&for=Fred

<img src="http://bank.example.com/withdraw?acct=Bob&amt=1000000&for=Fred"/>
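The forged <img> works because the browser attaches Bob's cookies to a GET that changes state and nothing in the request proves it came from the bank's own page. The following is an added example (not code from the deck or from Brian Sletten) of the two standard defences on the server side: state changes only on POST, and a per-session anti-forgery token that a page on another origin cannot read. The handler, secret and session id are constructed for the example; a real deployment would pull the secret from its key store and bind the token to the session it issues.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# Constructed server-side secret; a real deployment loads this from its key store.
SERVER_SECRET = b"constructed-demo-secret-not-for-production"


def issue_csrf_token(session_id: str) -> str:
    """Derive a per-session anti-forgery token: HMAC(secret, session id).

    The token is embedded in the bank's own forms. The same-origin policy
    stops a page on another site from reading it, so a forged <img> or an
    auto-submitted cross-site form cannot supply a matching value.
    """
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def is_valid_csrf_token(session_id: str, presented: Optional[str]) -> bool:
    """Constant-time comparison; a missing token is simply invalid."""
    if not presented:
        return False
    return hmac.compare_digest(issue_csrf_token(session_id), presented)


def handle_withdraw(method: str, session_id: str, form: dict) -> Tuple[int, str]:
    """Minimal 'withdraw' endpoint with both defences applied.

    1. State changes require POST, so an <img src=...> GET cannot trigger one.
    2. The POST must carry the anti-forgery token for the caller's session.
    Returns (HTTP status, message).
    """
    if method != "POST":
        return 405, "withdrawals must be POSTed"
    if not is_valid_csrf_token(session_id, form.get("csrf_token")):
        return 403, "missing or invalid anti-forgery token"
    return 200, f"moved {form['amt']} from {form['acct']} to {form['for']}"


if __name__ == "__main__":
    sid = secrets.token_hex(16)                      # constructed session id
    forged = {"acct": "Bob", "amt": "1000000", "for": "Fred"}
    print(handle_withdraw("GET", sid, forged))       # (405, ...) the <img> case
    print(handle_withdraw("POST", sid, forged))      # (403, ...) cross-site form post
    genuine = dict(forged, csrf_token=issue_csrf_token(sid))
    print(handle_withdraw("POST", sid, genuine))     # (200, ...)
```

A SameSite cookie attribute is a third, browser-enforced layer that keeps the session cookie off cross-site requests altogether; the token check above is what protects users of browsers that do not honour it.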



Role-Based Access Control

<security-constraint>
  <web-resource-collection>
    <url-pattern>/admin/*</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>admin</role-name>
  </auth-constraint>
</security-constraint>
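The constraint above only covers the methods it names: in the Servlet model, listing GET and POST leaves every other method on /admin/* unconstrained unless the deployment also opts into deny-uncovered-http-methods (Servlet 3.1) or simply omits the method list so the constraint applies to all methods. The following is an added example (not code from the deck or from Brian Sletten) that models that decision logic in Python so the gap can be seen and tested; the two constraint objects and the user roles are constructed for the example, and the matcher handles only exact and "/prefix/*" patterns.

```python
from dataclasses import dataclass
from typing import FrozenSet


@dataclass(frozen=True)
class SecurityConstraint:
    """One <security-constraint>: URL pattern, listed methods (empty = all), allowed roles."""
    url_pattern: str
    http_methods: FrozenSet[str]
    roles: FrozenSet[str]

    def covers(self, path: str, method: str) -> bool:
        method_match = not self.http_methods or method in self.http_methods
        return path_matches(self.url_pattern, path) and method_match


def path_matches(pattern: str, path: str) -> bool:
    """Servlet-style url-pattern: exact match, or '/prefix/*' prefix match."""
    if pattern.endswith("/*"):
        return path == pattern[:-2] or path.startswith(pattern[:-1])
    return path == pattern


def decide(constraints, path: str, method: str, user_roles, deny_uncovered: bool = False) -> bool:
    """Return True if the request is allowed.

    Mirrors the container: if no constraint covers path+method, the request
    is unconstrained (anyone may make it) unless deny-uncovered-http-methods
    is set and the path is otherwise constrained.
    """
    matching = [c for c in constraints if c.covers(path, method)]
    if not matching:
        path_constrained = any(path_matches(c.url_pattern, path) for c in constraints)
        return not (deny_uncovered and path_constrained)
    return any(c.roles & frozenset(user_roles) for c in matching)


# Constructed constraints: the slide's (GET and POST only) and a corrected one.
AS_ON_SLIDE = SecurityConstraint("/admin/*", frozenset({"GET", "POST"}), frozenset({"admin"}))
ALL_METHODS = SecurityConstraint("/admin/*", frozenset(), frozenset({"admin"}))

if __name__ == "__main__":
    anon = frozenset()
    print(decide([AS_ON_SLIDE], "/admin/users", "GET", anon))       # False: needs admin
    print(decide([AS_ON_SLIDE], "/admin/users", "DELETE", anon))    # True: DELETE is uncovered
    print(decide([AS_ON_SLIDE], "/admin/users", "DELETE", anon, deny_uncovered=True))  # False
    print(decide([ALL_METHODS], "/admin/users", "DELETE", anon))    # False: all methods covered
```

The practical rule: either leave out the <http-method> list so the role requirement applies to every method, or deploy with deny-uncovered-http-methods and verify the container logs no uncovered-method warnings at startup.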



Security Engineering


If you spend more on coffee than on IT security, then you will be hacked. What's more, you deserve to be hacked.

Richard Clarke, former U.S. Cybersecurity Czar


The main objective of secure system design is to make breaking the system more costly than the value of the protected assets, where the 'cost' should be measured in monetary value but also in more abstract terms such as effort or reputation.

Christof Paar and Jan Pelzl
Understanding Cryptography: A Textbook for Students and Practitioners


Security Engineering... is about building systems to remain dependable in the face of malice, error, or mischance.

Ross J. Anderson


Whoever thinks his problem can be solved using cryptography, doesn't understand his problem and doesn't understand cryptography.

Roger Needham/Butler Lampson


Vulnerability + Threat = Potential Security Breach



Indeed protocol vulnerabilities usually give rise to more, and simpler, attacks than cryptographic weaknesses do.

Ross J. Anderson


Systems Fail...

- People protect the wrong things
- Protect the right things the wrong way




There is all too often a cultural and physical separation between the software development staff and the information security staff in large enterprises.

van Wyk, Graff, Peters and Burley
Enterprise Software Security: A Confluence of Disciplines


Incentive Mismatch

- Policy makers don't have to live with the results
- Policy makers don't suffer when things fail
- Have political or CYA incentives




TSA

- 14.7 billion (USD) on aggressive passenger screening
- 100 million (USD) reinforcing cockpit doors
- We seem to be reverting w/ TSA Pre




Strictly speaking, strengthening anything but the weakest link is useless.


Bruce Schneier


Defense in Depth

- Strengthen potentially weakest links
- Strengthen multiple potential weakest links
- Failure of one may be blocked by success of another




Time Favors the Attacker

- We design systems today that must survive in the future
- They need to find a single flaw, we must protect against all of them




Word Stew

- Secrecy
- Privacy
- Confidentiality
- Integrity
- Authenticity




Only amateurs attack machines; professionals target people.


Bruce Schneier


Software Security


Software security... is not security software.

Gary McGraw


Software security... the idea of engineering software so that it continues to function correctly under malicious attack.

Gary McGraw


Problem is Getting Worse

- Connectivity
- Extensibility
- Complexity




Bugs vs Flaws

- Bugs: Implementation issue
- Flaws: Design problem
- Roughly 50/50
- Need to address both




Security is an emergent property of your system.


Gary McGraw


Approach

- Risk Management
- Touchpoints
- Knowledge





[Figure: software security touchpoints laid over the lifecycle artifacts: Requirements and Use Cases; Architecture and Design; Test Plans; Code; Tests and Test Results; Deployed Systems]



[Figure: the same touchpoints diagram with the Code Review and Risk touchpoints overlaid on the artifacts]

Credit: http://bsimm.com



[threat modeling] is the use of abstractions to aid in thinking about risks.


Adam Shostack


Reasons to Threat Model

- Find Security Bugs Early
- Understand Your Security Requirements
- Improved Quality
- Address Issues Other Techniques Won't




STRIDE

- Spoofing
- Tampering
- Repudiation
- Information Disclosure
- Denial of Service
- Elevation of Privilege




Web Security


Web Security

- Identity
- Authentication
- Authorization
- Protected Channels
- Non-Repudiation




Same Origin Policy

- Scheme
- Host
- Port




JSONP

<script type="application/javascript" src="http://server2.bosatsu.net/order/id/16234?jsonp=updateOrder"></script>

updateOrder({"Order" : "16234", "Status" : "Shipped"});



CORS

// 1. Origin header from browser to http://server2.bosatsu.net
Origin: http://server1.bosatsu.net

// 2. Response from http://server2.bosatsu.net
Access-Control-Allow-Origin: http://server1.bosatsu.net
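The same-origin policy compares the (scheme, host, port) triple, and a CORS response is the server telling the browser which foreign origins may read the answer. The following is an added example (not code from the deck or from Brian Sletten) that serves both slides: a Python origin comparison with default ports filled in, and the header decision server2.bosatsu.net would make for the exchange above. The allow-list, the third origin used for contrast and the `with_credentials` flag are constructed for the example.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin_of(url: str) -> tuple:
    """The (scheme, host, port) triple the same-origin policy compares."""
    p = urlsplit(url)
    scheme = (p.scheme or "").lower()
    port = p.port if p.port is not None else DEFAULT_PORTS.get(scheme)
    return (scheme, (p.hostname or "").lower(), port)


def same_origin(a: str, b: str) -> bool:
    return origin_of(a) == origin_of(b)


# Constructed allow-list for the API on http://server2.bosatsu.net.
ALLOWED_ORIGINS = frozenset({"http://server1.bosatsu.net"})


def cors_response_headers(request_headers: dict, with_credentials: bool = True) -> dict:
    """Decide the CORS headers for a response from the request's Origin header.

    Rules applied: reflect only an allow-listed Origin (never '*' when the
    response is readable with credentials), compare as a full
    scheme/host/port origin rather than a substring, and send Vary: Origin
    so shared caches keep the per-origin answers apart.
    """
    origin = request_headers.get("Origin")
    headers = {"Vary": "Origin"}
    if origin is None:
        return headers   # same-origin or non-browser request: nothing to add
    if any(same_origin(origin, allowed) for allowed in ALLOWED_ORIGINS):
        headers["Access-Control-Allow-Origin"] = origin
        if with_credentials:
            headers["Access-Control-Allow-Credentials"] = "true"
    return headers


if __name__ == "__main__":
    print(same_origin("http://server1.bosatsu.net", "http://server1.bosatsu.net:80/order"))  # True
    print(same_origin("http://server1.bosatsu.net", "https://server1.bosatsu.net"))         # False
    print(cors_response_headers({"Origin": "http://server1.bosatsu.net"}))
    print(cors_response_headers({"Origin": "http://server3.bosatsu.net"}))                   # no ACAO
```

JSONP has no equivalent decision point: once the <script> tag is emitted, whatever server2 returns executes in server1's page, which is why the deck prefers CORS wherever the browsers in use support it.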



JSONP vs CORS

- Prefer CORS, but JSONP works w/ older browsers
- JSONP is GET only
- CORS involves the browser




TLS/SSL

- Encryption
- Party Identification
- CipherSuite selection
- Certificate management
- HMAC
- Protection against downgrade




HTTP Basic Auth

GET /dir/index.html HTTP/1.1
Host: localhost

HTTP/1.1 401 Unauthorized
WWW-Authenticate: Basic realm="report"



HTTP Basic Auth

GET /dir/index.html HTTP/1.1
Host: localhost
Authorization: Basic c2NvdHQ6dGlnZXI=

HTTP/1.1 200 OK
Date: Sun, 10 Apr 2005 20:27:03 GMT
Content-Type: text/html
Content-Length: 7984



Base64 != Encryption

Base64Decode(c2NvdHQ6dGlnZXI=) ====> scott:tiger
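As an added example (not code from the deck or from Brian Sletten), here is the decode the slide describes, written as the parser a server or a log-scrubbing pipeline would use: it recovers the credentials from the header on the previous slide with one standard-library call, and shows what a log should store instead of the raw header. The redaction format is constructed for the example.

```python
import base64
import binascii
from typing import Optional, Tuple


def parse_basic_authorization(header_value: str) -> Optional[Tuple[str, str]]:
    """Recover (username, password) from an 'Authorization: Basic ...' value.

    Base64 is an encoding, not encryption: anyone who sees the header
    (a proxy, a log file, a capture of a non-TLS connection) gets the
    password back with a single decode. Returns None for anything that is
    not a well-formed Basic credential.
    """
    scheme, _, encoded = header_value.partition(" ")
    if scheme.lower() != "basic" or not encoded:
        return None
    try:
        raw = base64.b64decode(encoded.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    username, sep, password = raw.partition(":")
    if not sep:
        return None   # RFC 7617: the decoded form must be user-id ':' password
    return username, password


def encode_basic(username: str, password: str) -> str:
    """The client side of the same exchange, to show the symmetry."""
    return "Basic " + base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")


def redact_basic_authorization(header_value: str) -> str:
    """What a log pipeline should store instead of the raw header."""
    creds = parse_basic_authorization(header_value)
    if creds is None:
        return header_value
    return f"Basic <redacted for user {creds[0]}>"


if __name__ == "__main__":
    print(parse_basic_authorization("Basic c2NvdHQ6dGlnZXI="))   # ('scott', 'tiger')
    print(encode_basic("scott", "tiger"))                        # Basic c2NvdHQ6dGlnZXI=
    print(redact_basic_authorization("Basic c2NvdHQ6dGlnZXI="))
```

The only thing standing between this header and a third party is the TLS channel it travels over, which is why the TLS slide precedes this one.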



HTTP Digest

# qop = auth or not specified
HA1 = MD5(username:realm:password)
HA2 = MD5(method:digestURI)
response = MD5(HA1:nonce:nonceCount:clientNonce:qop:HA2)   # qop = auth
response = MD5(HA1:nonce:HA2)                               # qop not specified

# qop = auth-int
HA1 = MD5(username:realm:password)
HA2 = MD5(method:digestURI:MD5(entityBody))
response = MD5(HA1:nonce:nonceCount:clientNonce:qop:HA2)



HTTP Digest

GET /dir/index.html HTTP/1.1
Host: localhost

HTTP/1.1 401 Unauthorized
WWW-Authenticate: Digest realm="[email protected]",
                  qop="auth,auth-int",
                  nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093",
                  opaque="5ccc069c403ebaf9f0171e9517f40e41"



HTTP Digest

GET /dir/index.html HTTP/1.1
Host: localhost
Authorization: Digest username="Mufasa",
               realm="[email protected]",
               nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093",
               uri="/dir/index.html",
               qop=auth,
               nc=00000001,
               cnonce="0a4f113b",
               response="6629fae49393a05397450978507c4ef1",
               opaque="5ccc069c403ebaf9f0171e9517f40e41"

HTTP/1.1 200 OK
Date: Sun, 10 Apr 2005 20:27:03 GMT
Content-Type: text/html
Content-Length: 7984
```
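The following is an added example (not code from the deck or from Brian Sletten) that carries the formula slide through in Python for the exchange above: the client-side response computation for qop=auth, auth-int and the unspecified case, and the server-side verifier that recomputes it and tracks the nonce count so a captured Authorization header cannot simply be replayed. The username, nonce, cnonce, nc and URI are the slide's; the realm is redacted on the slide, so a constructed one is used, and the password is constructed too, which is why the computed response is not the one shown above.

```python
import hashlib
import hmac

# From the exchange above, except realm and password, which are constructed.
NONCE = "dcd98b7102dd2f0e8b11d0f600bfb0c093"
CNONCE = "0a4f113b"
REALM = "example-realm"              # constructed: the slide's realm is redacted
PASSWORD = "constructed-password"    # constructed


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def digest_response(username, realm, password, method, uri, nonce,
                    qop=None, nc=None, cnonce=None, entity_body=None) -> str:
    """The response field, exactly as laid out on the formula slide (RFC 2617)."""
    ha1 = md5_hex(f"{username}:{realm}:{password}")
    if qop == "auth-int":
        ha2 = md5_hex(f"{method}:{uri}:{md5_hex(entity_body or '')}")
    else:
        ha2 = md5_hex(f"{method}:{uri}")
    if qop in ("auth", "auth-int"):
        return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")   # qop not specified


def client_params(username, password, uri, nc="00000001", qop="auth", method="GET") -> dict:
    """What the client sends back in its Authorization: Digest header."""
    return {
        "username": username, "realm": REALM, "nonce": NONCE, "uri": uri,
        "qop": qop, "nc": nc, "cnonce": CNONCE,
        "response": digest_response(username, REALM, password, method, uri,
                                    NONCE, qop, nc, CNONCE),
    }


class DigestVerifier:
    """Server side: recompute the response and refuse a repeated nonce count."""

    def __init__(self, realm: str, credentials: dict):
        self.realm = realm
        self.credentials = credentials   # username -> password (demo only; store HA1 in practice)
        self.seen_nc = {}                # nonce -> highest nc accepted so far

    def verify(self, params: dict, method: str, entity_body=None) -> bool:
        password = self.credentials.get(params.get("username"))
        if password is None or params.get("realm") != self.realm:
            return False
        nonce, nc, qop = params.get("nonce"), params.get("nc"), params.get("qop")
        if qop:
            # nc must strictly increase for a given nonce; a repeat is a replay.
            if nc is None or int(nc, 16) <= self.seen_nc.get(nonce, 0):
                return False
        expected = digest_response(params["username"], self.realm, password, method,
                                   params["uri"], nonce, qop, nc,
                                   params.get("cnonce"), entity_body)
        ok = hmac.compare_digest(expected, params.get("response", ""))
        if ok and qop:
            self.seen_nc[nonce] = int(nc, 16)
        return ok


if __name__ == "__main__":
    server = DigestVerifier(REALM, {"Mufasa": PASSWORD})
    first = client_params("Mufasa", PASSWORD, "/dir/index.html")
    print(first["response"])
    print(server.verify(first, "GET"))   # True
    print(server.verify(first, "GET"))   # False: same nc replayed
```

Digest keeps the password off the wire, but the server still holds a password-equivalent (HA1) per user, the scheme is MD5-based, and nothing here protects the response body; it is a step up from Basic on a plain channel, not a substitute for TLS.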



OpenID

- Identity as a Service
- Stagnant adoption, concerns about UX issues
- Technology in search of a problem




OAuth 1.0A

- Resource management and two-legged approach
- Complicated by the signing of requests
- No requirement for TLS
- Fairly widely supported




OAuth 2.0

- Simplified Approach
- Different use cases
- Different profiles




Bearer Tokens

- OAuth Web Resource Authorization Profiles (WRAP)
- Requires TLS
- Certificate chain validation
- Support for MAC Access Authentication




Registration

- Requests tied to app
- Allows revocation w/o changing credentials
- Client receives client_id and client_secret
- Client specifies redirect_uri




OAuth 2.0 Roles

Credit: http://tutorials.jenkov.com/images/oauth2


Web Security http://localhost:8080/wink/wiki/2015/WebSecurity#1

83 of 105 2/23/15, 1:54 PM

Page 84: Bearer token in the Authorization header:

    GET /dir/index.html HTTP/1.1
    Host: localhost
    Authorization: Bearer fa3c.FAFDLKERE

Bearer token as a query parameter:

    GET /dir/index.html?access_token=fa3c.FAFDLKERE HTTP/1.1
    Host: localhost
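As an added example that is not from the slides, a minimal server-side check in Python for the two request forms above: it accepts the token from the Authorization header or from the access_token query parameter, rejects a request that supplies both, and answers with the Bearer challenge from RFC 6750. The token store, the realm value and the raw request text are constructed for the example.

```python
from urllib.parse import urlsplit, parse_qs

# The two request forms from the slide, as constructed raw HTTP/1.1 text.
HEADER_FORM = ("GET /dir/index.html HTTP/1.1\r\nHost: localhost\r\n"
               "Authorization: Bearer fa3c.FAFDLKERE\r\n\r\n")
QUERY_FORM = ("GET /dir/index.html?access_token=fa3c.FAFDLKERE HTTP/1.1\r\n"
              "Host: localhost\r\n\r\n")
# Constructed token store standing in for the authorization server's records.
ISSUED_TOKENS = {"fa3c.FAFDLKERE": {"sub": "alice", "scope": {"read"}}}

def parse_request(raw):
    """Split a raw request head into (method, target, lower-cased headers)."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers

def find_bearer_tokens(raw):
    """Collect (location, token) pairs. RFC 6750 permits the Authorization
    header or the access_token query parameter, but not both in one request."""
    _method, target, headers = parse_request(raw)
    found = []
    scheme, _, credentials = headers.get("authorization", "").partition(" ")
    if scheme.lower() == "bearer" and credentials.strip():
        found.append(("header", credentials.strip()))
    query = parse_qs(urlsplit(target).query)
    if "access_token" in query:
        found.append(("query", query["access_token"][0]))
    return found

def authorize(raw, required_scope):
    """Return (status, WWW-Authenticate challenge or acceptance note)."""
    found = find_bearer_tokens(raw)
    if not found:
        return 401, 'WWW-Authenticate: Bearer realm="api"'
    if len(found) > 1:
        return 400, 'WWW-Authenticate: Bearer error="invalid_request"'
    location, token = found[0]
    grant = ISSUED_TOKENS.get(token)
    if grant is None:
        return 401, 'WWW-Authenticate: Bearer error="invalid_token"'
    if required_scope not in grant["scope"]:
        return 403, 'WWW-Authenticate: Bearer error="insufficient_scope"'
    # A query-string token also lands in access logs and Referer headers, so
    # report where it came from; the header form is the one to prefer.
    return 200, f"token accepted from {location} for {grant['sub']}"
```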

Page 85: Client Profiles

- Server-side Web App
- Client-side Browser App
- Native Application

Page 86: Server-Side Web App (figure)

Credit: http://tutorials.jenkov.com/images/oauth2

Page 87: Authorization Code Authorization Flow

- Resource owner grants access and is returned to the redirect_uri w/ authorization code as a parameter
- Server exchanges code for access token w/ client_id and client_secret
- Allows long-lived access via refresh tokens
- Resource owner isn't given access to the tokens

Page 88: Client-Side Web App (figure)

Credit: http://tutorials.jenkov.com/images/oauth2

Page 89: Implicit Grant Authorization Flow

- Resource owner grants access
- Access token is returned via a fragment identifier
- Client parses the URL and strips off the token to make requests
- No long-lived access via refresh tokens
- User agent has access to the application and API requests
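The authorization code and implicit flows on the two slides above, as an added Python example that is not from the slides: the client builds the authorization request with a per-session state value, checks the redirect back (an authorization code arrives in the query string, an implicit-grant token in the fragment), and only for the code flow builds the server-side token exchange. The endpoint, client_id and redirect_uri values are assumed.

```python
import secrets
from urllib.parse import urlencode, urlsplit, parse_qs

# Assumed endpoint and client registration values; not from the slides.
AUTHORIZE_ENDPOINT = "https://auth.example/authorize"
CLIENT_ID = "demo-client"
REDIRECT_URI = "https://app.example/callback"

def build_authorize_url(response_type, scope, state):
    """Step 1: send the resource owner to the authorization server.
    response_type "code" selects the authorization code flow, "token" the
    implicit flow. state is a per-session random value (secrets.token_urlsafe)."""
    params = {"response_type": response_type, "client_id": CLIENT_ID,
              "redirect_uri": REDIRECT_URI, "scope": scope, "state": state}
    return AUTHORIZE_ENDPOINT + "?" + urlencode(params)

def parse_redirect(url, expected_state):
    """Step 2: the resource owner returns to redirect_uri. An authorization
    code arrives in the query string; an implicit-grant access token arrives
    in the fragment, which the browser never sends to the server, so only
    client-side script can read it."""
    parts = urlsplit(url)
    if f"{parts.scheme}://{parts.netloc}{parts.path}" != REDIRECT_URI:
        raise ValueError("redirect target is not our registered redirect_uri")
    query, fragment = parse_qs(parts.query), parse_qs(parts.fragment)
    params = query or fragment
    state = params.get("state", [""])[0]
    # Without a matching state, the response could have been injected by a
    # third party rather than produced by this session's own request.
    if not secrets.compare_digest(state, expected_state):
        raise ValueError("state mismatch")
    if "error" in params:
        raise ValueError("authorization denied: " + params["error"][0])
    if "code" in query:
        return {"grant": "authorization_code", "code": query["code"][0]}
    if "access_token" in fragment:
        return {"grant": "implicit", "access_token": fragment["access_token"][0]}
    raise ValueError("neither code nor access_token in redirect")

def build_token_request(code, client_secret):
    """Step 3 (authorization code flow only): the server-side app exchanges
    the code for tokens. client_secret stays on the server; the resource
    owner's browser never sees it or the resulting tokens."""
    return {"grant_type": "authorization_code", "code": code,
            "redirect_uri": REDIRECT_URI, "client_id": CLIENT_ID,
            "client_secret": client_secret}
```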

Page 90: Native App (figure)

Credit: http://tutorials.jenkov.com/images/oauth2

Page 91: Resource Owner Password Grant Authorization Flow

- Resource owner grants access by exchanging credentials for an access token
- Password is only needed to establish the access token
- Token is revokable and scoped to specific resources
- Requires a trusted client

Page 92: Client Credential Grant Authorization Flow

- Client credentials are pre-arranged and shared
- 'Two-legged' flow


Page 95: The Future

- OpenID Connect (http://openid.net/connect/)
- W3C Web Cryptography WG (http://www.w3.org/2012/webcrypto/)
- W3C Web Credentials CG (http://opencreds.org)
- Secure Messaging (https://web-payments.org/specs/source/secure-messaging/)


Page 105: Contact

[email protected]