
Metasecurity: Beyond Patching Vulnerabilities

Speech transcript
Hi everybody. First of all, I'm going to talk about security. We had a bit of a scheduling snafu, there's a flip in the schedule, so I hope you stay even if you were here for a different topic. I wanted to thank everyone at RailsConf and the speakers who helped us swap things around so that we wouldn't have to be right up against Justin Collins and his own Brakeman security talk. Thanks to RailsConf for facilitating that. So today I'd like to talk a bit about security, how to defend against security attacks, and propose a series of ideas that are built around the concept of defending against attacks at a higher level of abstraction. Just as meta-programming is programming at a higher level of abstraction, I want to investigate the possibility of defending against attacks at a higher level than we currently do today.

Let's start by talking about the anatomy of a security attack. There are two sides to a security attack. One is that you have a vulnerability, say someone broadcasting that they're going out of town for two weeks. The other side is that you've got some kind of attacker who's going to look at that and figure out, I can do something with this, and exploit it. This is the way we generally handle security today: we defend against vulnerabilities or we defend against attackers.

So how do we defend against vulnerabilities? The way we generally do it today is with a lot of processes and policies in place. We audit all of our code, we look at all of the frameworks, libraries and gems that we use, we keep track of them, we watch lists of security vulnerabilities (CVEs) and we make sure that we're up to date on the latest software. But as anyone who has done a Rails 3 to Rails 4 migration knows, it's not an easy process to stay up to date. So you end up in this sort of cycle where you find out new information, there's a vulnerability, you patch, you test, you deploy, you test in production, and this tends to take a decent amount of time.

On top of that, it's a problem for both PHP and Rails. Here's PHP as an example: it's had 24 vulnerabilities on average, over its existence, for the core platform every year. Unfortunately Rails has a similar story. Over the existence of Rails there have been on average 7 vulnerabilities (CVEs) attributed to it every year, and that's actually had an uptick in recent years into the double digits. The reason this is problematic is not just because there are vulnerabilities, but because every time there's a vulnerability it takes a lot of time to go through your cycle to patch it and update all the source code. In the PHP case, if you think of, say, WordPress.com with tens of thousands of blogs, they've got a real challenge on their hands if once every couple of weeks they have to deploy a new security patch and update all of those blogs.

So it becomes a question of how fast you can spin this wheel, how fast you can turn over your patches. But even if you can turn over your patches quickly, that is still only addressing the vulnerabilities that we know about today. There's a study that showed that vulnerabilities that are bought on the private market, the black market you might say, sold to attackers or maybe to government security organizations, on average remained private for almost half a year before anyone detected them and reported them publicly. On top of that, the framework, library or gem, wherever the vulnerability is, has to be updated and released, then that has to filter out to the people using it: they've got to notice it, update, patch, test, deploy, test and so on. So it's a serious problem for the vulnerabilities that we don't know about but attackers know about. And on top of this there are all kinds of vulnerabilities sitting in source code that no one knows about yet, just waiting there for someone to find. A lot of vulnerabilities, when you look at them and trace back when they were introduced, it was two or three years in the past, just sitting there. So the story of how we defend against vulnerabilities is fraught with perils, and because of that people also turn towards defending against attackers.
One of the main ways we defend against attackers is using something called a web application firewall. Unfortunately you don't get a mini Harrison Ford in a box to fend off the attackers. What you do get usually comes as a black-box piece of hardware: you plug it into your data center, spin it up, and it looks for patterns of things. But to really make it work optimally you have to configure it for your application, so you end up in screens like this. I think this is a LAMP stack, and you have to go through all the different routes that your application has and lock down who should be able to access those routes and when they should be allowed to access them. It takes a lot of knowledge to be able to operate these types of firewalls in an optimal manner, so on top of having bought expensive equipment you now have to hire consultants or security gurus yourself to make sure that you're using web application firewalls correctly. On top of that, they only work at the networking layer; they're not actually inside of your application. So they look for patterns of things, patterns that look like SQL injection, that look like cross-site scripting, but they don't actually know what's happening in the application, so at best they're making very intelligent guesses. Because of all of this, how difficult they are to configure and how they have to make a lot of intelligent guesses, you end up with two problems with web application firewalls. To demonstrate what those are, we're going to go on a field trip to a castle.

This is a castle in Normandy, France, and in the year 1203 it was actually under the control of the English king. The French king wasn't very happy about that, so he laid siege to it. It was a very complicated multi-step process, but one of the steps involved how to get past these rock walls that you see here. What they found was something called a garderobe, which is a fancy term for a medieval toilet: you sit on the top of the wall, you do your business, and it falls outside of the wall. So what the French army did was, in their finest hour, they scaled the garderobe and entered the fortress through the toilet seat, which was unguarded, because why would you bother. Once they were inside they surprised everyone else, took over the castle, opened up the drawbridge, let all the attackers in, and the entire defenses of this fortress were toppled through a toilet seat. The reason I mention this is because we're talking about defending against attackers by looking at patterns, and with web application firewalls it's very hard to configure every point where an attacker can get in. Attackers use extremely sophisticated scripts and tools that spider through websites just like Google does: they look through every link, try to find every page possible to access, and then they look at every page, but where Google is trying to index the content on the page, they look for buttons and forms, places where they can interact with the website, and they try to inject anything they can think of, SQL injection, cross-site scripting, anything they can just try and see what happens. So these are very sophisticated tools on the attacker side, and if you have a tiny hole, that may be all it takes for the tools to find it in a short period of time, insert themselves in your program and tear down your defenses. If someone inserts themselves in your program past the defenses that you have, that's called a false negative in security.

There's an opposite side to this problem, called a false positive. False positives are where you have some kind of defense that is alerting you so frequently for things that aren't actually threats or attacks that you become numb to them, or in the worst case you're actually blocking legitimate traffic from legitimate users trying to use your site. This is called alert fatigue, and that's where, if you have too many alerts popping up at you, whether it's from security products or a DevOps machine where you're watching performance, it can be hard to take actionable steps from them. When there's a security attack you generally want to do something about it. It could be that a user has had their credentials compromised and is being accessed from all over the world; you probably want to reset the password. Or if there's some kind of breach in your template rendering, you may want to look at how they're getting past it and injecting code into your site using cross-site scripting, and patch that up. If you get too many false positives it's too hard to figure out where the problem is and to address it. So the tools for defending against attackers also have problems, just like our tools for defending against vulnerabilities. So what can we do?
I spoke earlier about the anatomy of a security attack and how it's comprised of a vulnerability and an attacker. But in reality, in this case, the attacker is not going to get into your house and sit on the couch and watch TV for a few hours; they're going to do something. They're probably going to steal all your jewelry, all your expensive property. It's this exploitation that is damaging to you. It is scary that attackers can get into your house, but the taking of property, the messing up of your house, is what's really damaging to you in the long term. So when it comes to security attacks, can we think of ways that we can try and defend against the exploitation rather than just the attacker or the vulnerability? That lens gives rise to this idea that I have of metasecurity: security against the exploitation that attackers are trying to carry out.

As an example, think of the famous Indiana Jones scene. He's in a temple, he sees a gold statue. Now, it could be that this statue is sitting there for the purpose that anyone can come along and maybe pray to the statue or admire its artistic qualities, whatever it is. So it's hard to filter out attackers: Indiana Jones looks like an archaeologist, not someone who would steal the statue. And the statue is inherently vulnerable, sitting out there in mid-air on a pedestal. So instead of trying to defend against attackers or the vulnerability of the statue just being there for the taking, there is a booby trap, weighted to the weight of the statue, so when Indiana Jones goes to swap it for a weighted bag it doesn't work, and you know what transpires. So that's an example of trying to defend against the actual exploitation rather than the attackers or vulnerabilities. How could we take this concept and apply it to web security? I'm going to talk about two classes of exploitation. The first one is SQL injection and the second is cross-site scripting.

Let's look at how SQL injection works today. Now, this is one way you could write a query in your application. It's a pretty terrible way to write it, where you're interpolating user input into a query string, but it does the job for this illustration. So we've got this statement, and someone comes along and the user ID from the browser comes back as 5. This is how it's meant to work: we find the user whose ID is 5. But let's say that a hacker is trying to do interesting things. You might say, well, my ID is the string "5 or 1=1", and when you put that into your query it returns true for every record; now you're returning every record of every user in your database and maybe rendering that out to the browser. Worse is if it's the string "5; drop table users", in which case you now delete all the user records for your site. Now, that is a trivial example, you're doing some string interpolation, but there are other examples in the real world that you might think should be fine, that Active Record should be escaping things for me. Here we're calling the delete_all method and passing in a string that will be turned into a where clause. It's still a little trivial, still creating a string from user parameters, which you shouldn't do, but here is an example of again being able to delete every user in the table. Then we can talk about things like the calculate method, where we can sum all of the values in a table, and by using a carefully crafted query, instead of asking for the sum of all prices in all orders you may be asking for the sum of all ages of all users named Bob. Here's an example where you can combine how Rack turns the query parameter into an array with how it is passed into exists?, in such a fashion that the exists? method will always return true no matter what. And in this case we are passing a parameter that, depending on how the structure of the table is set up, lets us turn all of our users into administrators. The common thread, at least among these last three, is that we're passing the value of a variable directly into Active Record. It's very easy to think, well, Active Record should be handling things for me, it should be escaping things. This is not the case. So that's how a SQL injection can happen.
I'd like to talk about cross-site scripting and how that works. Cross-site scripting is when you, as an attacker, manage to get your code to run in someone else's browser on someone else's website. It's a crazy idea, so here's how it works, with an example. Let's say that you are signing up for a social networking site. You go and populate this sign-up form, and once you log in, somewhere on the page, maybe in the upper right, it'll display back to you your user name, your first and last name. Now let's say that there is a vulnerability in the last name field, so I try to put a script tag in there that's going to call the alert method and pop up a dialog box. What is this going to do? Well, when we log in after signing up, it's going to try and render our first and last name, and if we've got a cross-site scripting vulnerability in here, the last name might be injected directly into the page as raw HTML code. If that happens, now when we go to render the first and last name, your first name shows up as text, but then we get a dialog box. You might say, OK, big deal, I just hurt myself; every time I log in there's a dialog box, it's not a big deal, it's just on me. But then let's say that on this social networking site someone goes in and posts a message. I go and start to add comments to this message. Associated with those comments are my first and last name, and they get rendered alongside. So someone else calls up this post in their own browser, it renders it, and as it renders my first and last name it does it twice, because I left two comments, so now I'm pestering them with two dialog boxes. OK, that kind of sucks, creating dialog boxes all over the internet, but it's still not that big a deal. The problem is, if I can run a dialog box, I can also try and get a session token from your site. Now, a lot of times these days on major sites session tokens are locked down, but there are a lot of sites out there that do not do a proper job of locking down session tokens. So I get a session token in my code, and I can then send it using AJAX to my own server. Now I have a session token for a logged-in user on a social networking site and I can start to create content as if I were that user, without having to know the password or other login details; a session token is all I need. That's for a social networking site, but if it's a bank site I could start transferring funds, some really fun stuff.

So how does this work, how do we get to the point where this has happened? To explain that I need to talk about something called String#html_safe. This is a poorly named function that makes it sound like we take a string that could contain some unsafe HTML code, we pass it to html_safe, and it's going to make it safe for us. That's not what it does. What it does is it takes some text, you call html_safe on it, and it returns the same text but wrapped in something called a SafeBuffer. A SafeBuffer says, I vouch that anything inside of the safe buffer is safe. So if we take that safe buffer and append some other text to it, it's going to make sure that it escapes the other text first. So here it's going to append some script tag that is in a regular old string; it escapes that first and creates a new safe buffer. On the contrary, if I take one safe buffer and take a second safe buffer and append it, it appends it cleanly without any escaping, because both of those things are vouched to be safe by someone. How is this actually used? Well, when we're doing Rails rendering, it uses safe buffers to append things together so we don't have cross-site scripting attacks. It starts with an empty safe buffer. We go through, we take parts of the literal HTML code that's in the template, we call html_safe on it, wrap it in a safe buffer (we're vouching that it's safe) and we append it to our rendering buffer. Then we get to an expression. This title method is something we've written and it returns a string that happens to have some input that the user put in. So I'm an attacker, I try to put in some cross-site scripting code to raise a dialog box, but I'm thwarted, because the title method returns a string, and when that string is appended to the rendering buffer it gets escaped. We append the end title tag just as before. Now we come down to a different helper method that's called inside an expression, the javascript_include_tag helper. In this case we actually do have a script tag that we want to get through, so the javascript_include_tag itself is special: it returns a SafeBuffer, it's vouching for what it returns as being safe, so as it gets appended to the render buffer it goes through unescaped. Finally we add the end of our head tag. This is how it all gets rendered together, this is how the safety mechanisms work to prevent cross-site scripting. So you might ask yourself, how do we get cross-site scripting in the real world when we've got all this complex Rails security doing things for us?

So this is a lot of code, and you're not expected to actually read this. What this represents is code that's in a gem out in the real world, a gem that helps you put a Bootstrap UI into your application. It generates a flash message, a little message that you might put at the top of one of your web pages. So you've got an application and an error condition occurs, and you put up a flash message. So we create this message: "user ID", then the user-provided input, then "does not exist". If they provide the ID of 5, it's OK, we create this message and it looks right. Let's say that I'm a hacker and I try to put in some cross-site scripting again, another alert box. What happens is similar to how I showed the Rails rendering before: the message is a string, it gets passed through, appended to the safe buffer and gets escaped. Everything's great here. What's the problem? Well, someone came along, they wanted to provide a link inside of the banner, so they added a link to the helper, and when they ran it they're like, oh wait, what's going on, it's not actually rendering the link as HTML, it's escaped it, and now I can't have a link. So, I see what the problem is. I go into this Bootstrap gem and it's got these lines of code, lines 17 and 19, where it's creating a content tag to hold that message and is passing the message into the content_tag helper. The message is going straight in as a string and being escaped as it's being appended to the safe buffer. So they think something's wrong here, and they change it so that it now passes in an html_safe version of the message. They go through, they're proud of themselves, they get the link to pop up inside of the banner, it's great, it gets shipped and ends up in the Bootstrap gem. That is a problem. The first guy comes along, he updates his app to use this latest gem, and now he finds that an attacker comes along, tries to put some malicious script in as the ID parameter, and now it's no longer being escaped, because the gem was wrapping everything in a safe buffer. So all of a sudden, without changing any code, just by updating the gem, a cross-site scripting vulnerability was added. What should have happened is that the person who added the link should have themselves vouched for the contents of the message and said, you know what, I'm creating a link as part of this text, it's safe, I need to add html_safe here, not at the gem level. But this is so hard to get right. It's very hard for people to have the knowledge and the understanding in every case. You may have an intern who's new to the code base, in their first real programming job; how are we going to expect them to understand the nuances of where html_safe should be so they're not introducing cross-site scripting vulnerabilities to the Internet at large? So how can we fix this?
Well, with cross-site scripting we go through a process where we ask ourselves, how vulnerable does this actually look? Is it pretty important? Well, it's our homepage, it's accessible by the internet, and we'd better do something. So now we go through a cycle of patching our code, testing it, deploying it, seeing it in production. Not very much fun, taking time away from building the new features that our customers want. How can we prevent SQL injection? Well, it's very simple: you have to memorize a long list of rules. When you call the calculate methods, you have to make sure that the arguments you are passing in are valid table names. Always use hashes or arrays when calling delete_all, destroy_all, where. Always use hashes when using find. Never use hashes or arrays when using exists?; there you need to turn it into a string first. Never pass user input into group, joins, order, reorder, pluck, lock, having. Don't ever try to use find yourself unless you're a security guru, because it's got like 10 different ways it can be called with different options, each of which has its own rules. So how can you learn all of that? You audit all your source code, and your boss comes around and says, well, it's great, OK, what about auditing our stuff? Can you audit our dependencies, our gems, Rails itself? Rails has had SQL injection vulnerabilities, I think they had 3 last year. OK, you've done that, now can you teach everyone else around here about security, because we do have a new intern starting next week and we don't want him to add anything that could create a vulnerability. On top of that, we decided we'd have a security review of every code change, but we've only got two engineers who can do that, so if one's on vacation there will be a bottleneck, and we've got 40 people writing code; I'm not sure these two guys can keep up with reviewing it all. So those aren't really good solutions. Let's go back and think about how we can apply these ideas of metasecurity, where we defend against the exploitation rather than the vulnerabilities themselves.

Think about cross-site scripting. Where can we actually have a cross-site scripting vulnerability? With the template here, the only place we can have it is where those expressions are. That's where a user, a hacker, can try to write input to your site that includes some script that could somehow get back to another user to be run. The question we ask ourselves is: should there be any script tags here, in any of these expression tags? It's a good question, and how do you know? I mean, we as humans can look at it and say, well, the javascript_include_tag helper, that's a script tag, but I don't even know in the bottom one, when we're yielding out, what is it yielding to? I don't know, maybe it yields a script. Well, let's say that we start to wrap the html_safe method. It seems like everything that is going wrong is somehow going through html_safe; it's being misused. OK, so we've wrapped it; what can we do with this knowledge? Well, now every time html_safe is called we can look at it. We can ask, where is it being called from? Is this thing called from a known good location, like a Rails helper, a javascript_include_tag? Then we can probably be pretty sure that the right thing is happening, because you're not actually injecting a script tag directly, you're asking Rails to provide you a script tag with some content. If you're going that far, you're probably the developer writing the app doing that. But if it's not being called from a known good location like Rails, then it's very likely there should never be a script tag there. Again, if you have to hard-code a script tag, not using the Rails asset pipeline, that's cool, you can do that, but you really ought to be using a script tag helper, the javascript_tag or the content_tag helper. So we look for script tags and we can make sure that we escape them first, and that should help cut down on the possibility that a gem will be updated with a cross-site scripting vulnerability because someone threw an html_safe usage in there at the wrong spot. Let's talk about SQL injection.
So this is the same example that we had before, where you've got a query that you're interpolating user input into, the worst way to do things. But even in this case we know that when we execute this query there is a specific structure to the query that we expect. So if we execute it with a number, it should have a structure that looks something like this, where there's a letter that signifies every token in the query, and it ends with a number: something like, you were looking for id equals some number. If later on we see a structure that is different, then there is a high probability that something funny is going on. Again, in the drop table case you get a different structure, and you know there's a semicolon in there, so clearly there are two queries being executed here. OK, we can find out what the structure is, but how do we know what the expected structure is? We have to be in the know about what the app should be doing before we can filter out what shouldn't be happening. We can think of it this way: every query that gets executed in your code is executed from some stack trace, at the top of which is, you know, deep inside Active Record, actually calling out to MySQL, Postgres, SQLite, whatever it's doing. But as part of that stack trace is your application code as well. So here I've got a line in my own test app where I'm querying the Car records looking for cars of a certain make and model. Whenever that line of code is executed, I end up at a stack trace once it finally ends up being executed all the way down to the database, and that stack trace will always be the same; it always runs through the same lines of code. So we can start to learn. We can say, OK, I see a query coming in from a specific stack trace, I can learn the first time that the query should look like this and should have this expected structure. So now when future queries come in, we know what the expected structure is. If the new query has the same structure, it's OK, we let it through; but if it comes through with a different structure, we block it, because it's obviously bad. So this is how we can block against the exploitation of a SQL injection, even if you did the worst thing possible of interpolating query strings and executing them directly.

So, going back to summarize: it's good to defend against attackers and to defend against vulnerabilities, and we should always be staying up to date as much as possible, but realistically vulnerabilities are always going to exist and attackers are always going to be out there looking for those vulnerabilities to do something bad. So we need that third level, where we're defending against the exploitation itself. That's what's really going to allow us to process requests and handle things even before we get a chance to patch something, for a zero-day vulnerability that we see in the wild. The reason I'm up here talking to you today is because I'm with an awesome team, and what we're trying to do is apply these metasecurity concepts to a whole series of exploitation classes. SQL injection and cross-site scripting are just two of them. We're actually running inside of your application: we're watching your queries, we're watching templates being rendered, we're looking at the headers of the requests coming in, we're watching for people brute-forcing your login requests. Our mitigation strategies are that we block SQL injection attempts, we slow down logins from specific IP addresses where we see brute forcing coming from, or we throw up captchas. We're taking this model and applying it everywhere that we can get a hook into a Rails application. So I thank RailsConf for giving me this opportunity to talk to you. I want to thank you for coming, especially given the time change and everything, and I'll be happy to answer questions here. We actually just announced this week at RailsConf, we're unveiling, and we're taking beta sign-ups. We'd love to hear from you, to get a sense of whether this product is doing a good job of exposing and alerting you to the threats that are coming in against your servers. So we encourage you to come find me, even after the talk I'll be out in the hallway, or come find us down at the booth in the exhibit hall; we're still here till the end of the day. Chat with us, we'd love to have you try out our stuff and defend your app. So thank you.

Right, so he asked what the persistence and the learning behind this SQL injection detection is. We have to learn a stack trace to SQL statement structure mapping, but the way that we address this is that the first time the query is executed from a given line of code we learn the structure, and after that it gets locked down; we make sure that all the future structures must match. So to a certain extent the learning period is just the first time that that line of code is executed. Beyond that, once we've learned it, we communicate it back to a service which helps disseminate that to all the other application processes you have. Most people run multiple server processes, whether it's Unicorn or Puma or whatever, and all of those need to get the information about what the expected structures for SQL queries are. So we have a back-end service that information is sent to, and part of the data we send is just what the expected SQL structures for given lines of code are, so that it can be disseminated to all of your application processes.

That is a really good question. So the question was, what if there's a possibility of building up a query where we could have different structures, and then there's a different line of code that actually executes that query? We do see that at times, whether it's because people are building up queries manually using string interpolation or because they may be generating a query using the Arel layer, which is the library that Active Record uses under the covers to generate a query. So what we're doing to address that, and it's a minority of cases, is that when you log into our UI you can see these types of false positives, where we say OK, the second time it came through with a different structure, and when you're looking through it we have a button that says this was a false positive. When you click that, we learn that structure as well. So if there are five different forms in which a query could have a structure for a given line of code, you learn that a few times and we take care of it. To wrap up, I'll be in the hallway if you have any further questions, so thank you.
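The query-structure learning the talk describes (learn the token shape of a query the first time a given application call site issues it, then block a later query from that call site whose shape differs, with an allow-list for false positives), as an added Ruby model that is not code from the talk or from the speaker's product. The tokenizer, the QueryStructureGuard class and the find_user/find_cars call sites are constructed for illustration; the file:line of the calling code stands in for the application frame of the stack trace.

```ruby
# Added example (not from the talk or the speaker's product): a minimal model of
# the talk's "metasecurity" SQL injection defence. The token *structure* of a
# query is learned the first time a given application call site issues it;
# afterwards a query from that call site with a different structure is blocked.

# Map each SQL token to a structural letter: K keyword, I identifier, N number,
# S string literal. Operators and punctuation are kept literally, so an injected
# ";" or extra "=" shows up in the signature.
KEYWORDS = %w[select from where and or not in is null like drop table delete
              update insert into set values order by limit having].freeze

TOKEN_RE = /
    '(?:[^']|'')*'             # single-quoted string literal ('' is an escaped quote)
  | \d+(?:\.\d+)?              # numeric literal
  | [A-Za-z_][A-Za-z0-9_]*     # identifier or keyword
  | <>|<=|>=|!=|[=<>*,;().]    # operators and punctuation
/x

def query_signature(sql)
  sql.scan(TOKEN_RE).map do |tok|
    case tok
    when /\A'/         then "S"
    when /\A\d/        then "N"
    when /\A[A-Za-z_]/ then KEYWORDS.include?(tok.downcase) ? "K" : "I"
    else tok
    end
  end.join(" ")
end

class QueryStructureGuard
  class BlockedQuery < StandardError; end

  def initialize
    @expected = {} # call site => list of learned signatures
  end

  # :learned on the first query from a call site, :ok when the structure matches
  # a learned one, BlockedQuery on a mismatch (the query must not be executed).
  def check(sql, call_site)
    sig = query_signature(sql)
    known = @expected[call_site]
    if known.nil?
      @expected[call_site] = [sig]
      :learned
    elsif known.include?(sig)
      :ok
    else
      raise BlockedQuery, "#{call_site}: structure #{sig.inspect} not in #{known.inspect}"
    end
  end

  # Accept an additional structure for a call site: the equivalent of the
  # "this was a false positive" button the talk mentions for queries that are
  # legitimately built in more than one shape.
  def learn(sql, call_site)
    (@expected[call_site] ||= []) << query_signature(sql)
    :learned
  end
end

# Two application call sites. "#{__FILE__}:#{__LINE__}" stands in for the
# application frame of the stack trace; the stack trace from a given line of
# code is always the same, so the expected structure can be keyed on it.
def find_user(guard, user_id)
  sql = "SELECT * FROM users WHERE id = #{user_id}" # unsafe interpolation, the talk's worst case
  guard.check(sql, "#{__FILE__}:#{__LINE__}")
end

def find_cars(guard, make, model)
  sql = "SELECT * FROM cars WHERE make = '#{make}' AND model = '#{model}'"
  guard.check(sql, "#{__FILE__}:#{__LINE__}")
end

if __FILE__ == $PROGRAM_NAME
  guard = QueryStructureGuard.new
  p find_user(guard, 5)        # :learned  (signature "K * K I K I = N")
  p find_user(guard, 42)       # :ok       (same signature)
  begin
    find_user(guard, "5 OR 1=1") # signature grows to "... = N K N = N"
  rescue QueryStructureGuard::BlockedQuery => e
    puts "blocked: #{e.message}"
  end
end
```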

Metadata

Formal metadata

Title Metasecurity: Beyond Patching Vulnerabilities
Series title RailsConf 2015
Part 83
Number of parts 94
Author Douglas, Chase
License CC Attribution - Share Alike 3.0 Unported:
You may use, modify and reproduce, distribute and make publicly available the work or its content, in unmodified or modified form, for any legal and non-commercial purpose, provided that you credit the author/rights holder in the manner specified by them and pass on the work or this content, including in modified form, only under the terms of this license.
DOI 10.5446/30682
Publisher Confreaks, LLC
Publication year 2015
Language English

Content metadata

Subject Computer science
Abstract Rails comes with many powerful security protections out of the box, but no code is perfect. This talk will highlight a new approach to web app security, one focusing on a higher level of abstraction than current techniques. We will take a look at current security processes and tools and some common vulnerabilities still found in many Rails apps. Then we will investigate novel ways to protect against these vulnerabilities.
