
Counter-spells and the Art of Keeping Your Application Safe


Speech transcript (automatically generated)
[unclear] Welcome to this talk. So, magic words: we're going to talk about something very serious in a slightly different way. I work as an engineer at Intercom [unclear]. I like talking about a lot of different things, like coffee and culture and tech and music, so feel free to find me after the talk and we can chat about any of that. I currently live and work in Dublin, Ireland, and I'm Romanian, which means I get to make a lot of jokes about being a vampire. This is actually me dressed like a vampire, flying over Dublin [unclear], which I nearly didn't do, because I was very afraid of heights at the time. But that's not the topic for today; we're going to talk about something equally fun, which is security, which is probably a pretty good way to put you to sleep after lunch, or to shatter your faith in humanity [unclear]. So before we actually start the talk: I do solemnly swear that I am up to no good.
So, story time, just to kick off this talk on security, with one of my favourite stories. Back in 2008, that was a really good year for tech and the web: Google Chrome was released, and everybody was very excited about a competitor for Firefox; HTML5 was introduced, and the first ever Android device was released. It was also a very interesting year for the security community, because some people discovered a way to embed a JAR file, an executable Java archive, into a GIF. That caused quite a stir, because no one expected that an image would be able to cause a vulnerability, and Java is a very powerful language, so you can only imagine the extent of this. In 2012, people still hadn't completely abandoned the idea of using crazy things like images to attack users, and someone discovered a way to embed actual code, not just archives, into images, and created something called an image attack [unclear]. The example there is pretty much embedding a PHP script into an image, taking advantage of the fact that the browser knows you're looking at an image just by looking at the header; then there's a blob of junk that the browser ignores, and then there's the actual content that makes up the image. So in that junk you can pretty much put anything, and in this case it's a script that says 'hey, it's Monday'.

Let's say we have a site that allows users to create all sorts of content, for example images, and there's nothing stopping an attacker from uploading this image to a very nice results page and getting back the link. It looks like any image URL, except that at the end of it there's .php. So assuming the site is actually running PHP, when I click on the link this will happen: we're still able to download the script, and it runs and says 'hi, it's a lovely Monday afternoon'. This is actually from my hotel yesterday, so that's why it's Monday, and that's the actual IP of the hotel. You can pretty much play with this however you want. What's particularly bad is that if you know the URL, you can get it to run a script that it shouldn't on their website, something that should do something else. And that's because of something called the same-origin policy, which I strongly recommend you do some reading on; it's one of the most important web application security policies and ideas. It basically tells the browser that if a script runs on the same origin as the page it's on, it should have access to all sorts of information, like your cookies and your user data, which is pretty serious, and that's what allows people to impersonate you. So yes, cats are going to kill you, or at least your identity and your money, very soon. [unclear]

My point is that you never know what people are going to come up with, and they're quite inventive in the ways they attack web apps. That ties in nicely with the first rule of web security, which is never, ever trust user input. Ever. There are no guarantees; it doesn't matter if it's an image or a URL or a string, just never, ever trust it.

The second part of the story: let me tell you a little bit more about Intercom. At Intercom we have a four-year-old Ember app.
To understand the magnitude of this, here are some stats from last week: we had 37 authors who submitted 190 commits to master, 220 across all branches, which resulted in a total of 819 file changes, with more than 5,800 additions and almost 16,000 [unclear]. On top of that, this app is at the heart, the heartbeat, of Intercom, so we're shipping to production more than 100 times a day. At the back of our app is Rails. So everything we're going to talk about is from the perspective of [unclear].

A little bit about me: in [year unclear] I started working with Ember, and about two months later I had to fix an issue around uploading, a real-time preview of an image, without introducing an XSS vulnerability. My background is in [unclear] and backend, and I went 'what does all this mean', especially because our app is the central point of everything. And here we are today. So at the start of the year I decided to write a list of things that I wish I had known, and that's where this talk comes from: vulnerabilities and regular expressions, and the way in which I think engineers can help out with the security of their applications, within the context of a very mature application.
So the first thing you do when you don't know what to do is to prepare for battle, and learn a little bit more about your enemy. What this means, and something I think is really important before you dive into something very theoretical, because security can be quite dense, is: learn a little bit about your framework, understand what you expect from users, and then learn about Content Security Policy, because everything that executes on the web follows that. We're going to talk about Content Security Policy, a wonderful tool, a bit later. Know your browser, and the security features your browser gives you. And then user input, even [unclear]. So that's what we're going to try and focus on.

Let's look a little bit at what a vulnerability like script injection actually looks like. So we have a search API that allows me to search for 'coffee', and it returns a list of results that are displayed in a list. At the top of that list is something like 'Results for coffee', so it just echoes back the search term that the user typed in. So I wondered what would happen if I actually used a script as the search term.

Modern browsers, if you just pass a script, are smart enough to say 'hey, you shouldn't be doing that' and block it. However, in older versions of browsers, and Internet Explorer was still struggling with this, if instead of passing just the script with the alert you pass something that's malformed, like this image tag that doesn't make any sense, the browser says 'I don't know what to do with that, so I'll just run it'. So yes, it actually runs. And an alert is not really the problem, it's minor; the real problem is that they can do something like document.cookie, which returns the actual cookies of your users, and that becomes a problem if it's in the wrong hands. So this is something that's called reflected XSS, and this is what it looks like. You can pretty much spin this up on your own server and play with it. So now we know what we have to deal with.
Let's prepare ourselves, and look a bit at how we can do that. The first thing we're going to look at is Ember, and how modern web applications work. We want to use a modern framework, right? In this case we're using Ember, so it's very important to know how Ember does escaping and how it deals with user content. Then we're going to look a little bit into Content Security Policy and why it's important.

So the way Ember protects you against injection vulnerabilities is that by default it escapes all the HTML it's rendering. Whatever you return, say a piece of HTML from your helper, because why not, it escapes it; if you want to do something stupid you have to do it explicitly, and it looks something like this. So if I have a helper that returns a cat image, and the helper is returning the image tag with the source as a string, Ember escapes that, so instead of seeing a cat you see the string. If you want to see the actual image, you have to explicitly say that this HTML is safe to display. You can do that with htmlSafe, which is also a very bad thing that you shouldn't be doing, and we're going to get into that later, but if you really want to do it, this is how. So when you do that, Ember trusts you, and you actually get the image; the image is from [unclear], which provides random cat images, and again Ember has no opinion about what's in there. So if you want to play with this afterwards, [unclear].
Now a little bit about Content Security Policy. What the hell is a Content Security Policy? Around 2004 people kind of got tired of XSS, and [unclear]; Firefox was the first one to implement a somewhat version of it, and then it became very popular, other browsers became interested, and in 2012 the W3C went ahead and released the first version of it. It's a very powerful and very good way to say: this script is allowed to run, and everything else is not. It's basically a whitelist of what your app considers to be safe.

Content Security Policy gets delivered as an HTTP header in the response, and that tells the browser: here's a list of scripts that I think are safe. The browser reads that and says OK, everything from 'self' and from my CDN is fine, and if I see something trying to run from a different origin, that's pure evil, I'm going to block it, because it's not in your security policy. The very powerful thing about it is that it will stop you from running inline scripts, which is what the last example was doing, when someone was trying to run a script as a search term.

Delivery is kind of a problem. There's an Ember add-on from Robert Jackson: usually Content Security Policy is something you set on the server side, but if you're just running an Ember app with ember serve, it's very powerful, it's a pretty neat tool. And keep in mind: always use Content Security Policy version 2. Version 1 allowed some interesting conversations where people could decide [unclear] inline scripts, so it was a bit of mayhem; version 2 fixed it, it added hashes and nonces as ways to validate inline scripts. There's really good documentation about it: the Content Security Policy documentation from the W3C does a very good job of putting it all together, so go ahead and do the reading.
With all of that in mind, let's see how we write better code; that's kind of the point of all of this, and eventually eradicating htmlSafe. So, htmlSafe and other helpers. You should avoid htmlSafe as much as possible, because you can never vouch for the content that users can submit; you have to make a lot of assumptions, and that's pretty scary, and the risk of missing something increases with the number of assumptions you make. A better way is not to worry about it: try to avoid htmlSafe and figure out ways to write your code so that you never use it directly on user input. The inherent solution is that what's rendered should always be under your control, and Ember has a powerful tool for that: contextual components.

OK, so let's say I want to build a very simple card component that has a title and content, and that works for a very long time. Then someone comes along and says: hey, I actually want a name in the title, and I want to say hi to that person in bold, can you do that? And the answer is: well, you can. For a very long time, this was the way this was addressed: you have a card component that has a title and then the content, and in your controller you say OK, I need the title to be displayed in bold, so it returns htmlSafe of 'hi' plus the name in bold, and that's it. And that is pretty bad, because it could potentially introduce a vulnerability: you have no control over what's in the name.

The better way is using contextual components. [unclear] gives you the basics, and if you want to look into it a bit more, the Ember Guides now have a really good tutorial on it. So my component is using the card properties, so that I can access card.title and card.body directly. The reason I want to do that is because the title and the body have two separate functions, two separate roles, and I want people to be a little more opinionated about that. If I want the title to be just a simple string, I can do that; if I want the title to do something crazy like say hello to a person, I can do that as well, just by using card.title in block form to tell it what to do. Then it looks something like 'hi' and the name in bold, and that's the text. Well done, Harry. This looks significantly better.

If we look at our SuperCard component and how it is implemented: it uses the hash helper to actually yield two components, one component for the title, which will take care of displaying it, and a body, which will just yield whatever comes in. If this component gets a title, then it just calls the title component with that title, and that component takes care of it, so it becomes much simpler. In our body we don't do anything fancy, we just yield whatever comes in. And then on the title component, the child title component: if it has a block, so if I just want to display something very simple like 'hello, I'm very excited to be here', with strong, then I yield the content, and if I need something more complicated, like HTML, then I can do that as well.

So, the usage, with the name and the title: like I said before, if I just want something very simple, I just pass the title to the SuperCard component and it takes care of how to display it. Otherwise, you tell it what's safe to display, and I'm calling card.body and passing whatever content I want displayed in the body. Since it has a title, it's just a much nicer, much more deliberate way of displaying content, and it allows this component to accommodate future usages. So if I want to change it to displaying an image, or whatever the hell I want to do after that, I can do it with this, so I don't have to worry about it anymore. Contextual components are quite powerful, and I would encourage people to do some reading on them. They allowed us to lower the number of htmlSafe usages [unclear].
Something that's also very important is writing helpers. If you rely on a very cute cat image helper that returns HTML, ideally you should prefer updating the DOM over having the helper return HTML. Let's say you want to write a mailto helper, to allow linking to, say, sending an email. How you would previously do this is: you have to escape the user's email, to make sure there's nothing crazy going on in there, and then you have to use htmlSafe to say this is actually safe, and then return the mailto link with the destination address. And that's kind of scary, because it can introduce unexpected behaviour; again, you're making assumptions about your content. A much better way to do this is to use the DOM directly: create a text node and set the text, which is what you have to do with user input, and then append it to an anchor, in this case, so the anchor's child element, and return the node. That's it.

So let's look at what all this means in practice, and see what a good mailto helper looks like. It takes a parameter, an email, and a class name, a style to put on the email. Then I'm creating the anchor element, setting target blank, setting the href to mailto the user's email, then setting the class name, if that was provided as a parameter. And then the magic is when I'm creating the text: I create the element as a text node and let the browser take care of all the escaping and displaying, and just say 'hey, browser, always treat this as text', rather than me having to deliberately handle attacks or whatever. So I don't have to worry about that. Then I'm appending the child, the text node, to the anchor and returning it, which is a much nicer way of doing it.

Now we know how to write components and we know how to write helpers, but we have templates as well, and it turns out you can escape HTML in your templates. I will also talk a little bit about target blank, what that means and why it's a very bad idea to use it. So, escaping: we've already established that not escaping HTML is very dangerous. Triple curlies are basically htmlSafe for templates, and should never be used directly on user input; in fact, you should always be deliberate and mindful about what you do. But the reality is that you should never, ever have to find yourself in a situation where you have triple curlies; if you do, you should probably consider whether contextual components and good helpers could replace them. Helpers plus contextual components would actually allow you to not have triple curlies. If you do have them, please [unclear].
target blank is probably one of the most underestimated vulnerabilities in the security community, and the usual recommendation about this is that you should always use rel noopener and noreferrer with it. The reason for that is that when you specify target blank, that tells the browser that the next page should have access to a bunch of window objects, specifically window.opener, and window.opener.location. So it allows the linked page to have access to the location and change it, if it wants, to pretty much whatever it wants: it can be a phishing website, it can be something completely safe, it can be something unsafe. Some of the permissions will automatically be negated by the same-origin policy, so if it's a different origin it won't have access to your cookies or anything crazy like that, but in all cases it's a very good way for people to redirect you to whatever website they want. The problem with this is that browsers tend to have different opinions when it comes to noopener and noreferrer, and by that I mean that Firefox decided not to implement it until version 54, the new release at the end of this month. So if you only have one of them in your code, you're actually leaving the users that prefer the other browser unprotected. What's even funnier is that Instagram suffered from this vulnerability until last year, when someone wrote a very raging blog post that became super famous overnight, and Instagram went 'fine, we'll fix our stuff'.

So this is how you do it: to make sure that you support a large range of browsers, you should always use rel noopener noreferrer in your templates. A very good way to detect that is using ember-template-lint by Robert Jackson. For those of you that are familiar with it, the linter used to validate only for noreferrer, and there's a patch submitted this week to validate both, so all you have to do is make sure you're on the latest version and switch from true to strict [unclear]. It gives you a bunch of errors that make sure both sets of users are protected, and it also provides a check for triple curlies, so it's quite powerful, and I'd certainly recommend you go ahead and add it to your project.

Now that our code is a little bit better, how do we keep it that way? I'm going to talk a little bit about static analysis, which is kind of my rant these days, talk about ESLint, talk about why regular expressions are evil, and why high watermarks are like lines in the sand: from a security point of view, a high watermark is a very good and very sane thing. So first, the story. Before the linter, we had this idea of checking for htmlSafe usages in CI using grep, and we wrote a tiny add-on that uses a post-build hook to give real-time feedback about whatever it is you want to check. It's a combination of grep plus regular expressions plus wc: it counts lines and compares the count against a static limit that we preset. So you see how many htmlSafe usages you have, and when it runs in CI and you have more than the limit, the build fails because the numbers don't match. This is both giving engineers real-time feedback and giving them an opportunity to address those changes, especially if it involves refactoring, and not just finding out when you're running in CI, especially if you have to fix something in a hurry.
That worked fine, but regular expressions are a bit like black magic; you kind of need to sell your soul a little bit to understand them. I know there are people doing crazy things with regular expressions, and I'm not one of them, but the reality is that relying on a regular expression makes it that much harder to maintain your code, so it doesn't really work, and that's not ideal. So we looked into a way to do this a little bit better, using ESLint. We thought: hey, maybe use linters for real-time feedback, and figure out a way to have the same line in the sand, but instead of using regular expressions make it a little bit more maintainable. The problem with this is that linters are, or can be, notoriously slow, especially when you run them on thousands of files, and so our main concern was for the linter to be fast enough to be able to run in real time in development.

The main idea was to write a custom rule that checks for blacklisted methods. It gets an argument, a list of blacklisted methods that we want to check for, like htmlSafe, and then it uses the ESLint engine to get the count for that. For those of you that are not familiar with it, ESLint relies on something called an AST: it parses your code into a tree, and you can traverse it for whatever it is you're interested in. In our case it's a function call, so the CallExpression; we look at its callee name and compare it to the methods we got as an argument, and if it finds one, it reports 'hey, this method has actually been blacklisted', and that's it.

Now we have the rule; how does it actually run in the code? We use the ESLint CLIEngine API, with the rule that we just built, to get the counts for the different methods, and we use caching to make it faster. It turns out the performance difference of using the cache is between ten seconds and something crazy like 60 seconds [unclear]. So caching is something that's very, very important for ESLint, [unclear], and if you're not running it for the first time you should get quite good performance results with caching, even if your code base is bigger than ours.

This is what it looks like when you're running it: there's a problem, so I'm updating this file and using htmlSafe because I don't know any better, and then I see a big red error on the screen saying 'hey, you actually just introduced a new XSS vulnerability, you probably shouldn't do that'. So it allows the engineer to go 'OK, actually, fair enough', refactor the code, make the change and rebuild. If you look at the rebuild time, it's at 1.2 seconds, so it's pretty fast, and it can be used. This is just taking advantage of the post-build hook, but there's nothing stopping you from running it in CI. So if you don't really want to deal with configuring all this, we are working on an add-on for blacklisted methods [unclear], and there will be more news about it in the following days.
You now have a lot of information, but when you don't know what to do, it's generally a really good idea to consult the community, to basically consult with other wizards. A really good resource is the OWASP Top 10; what they do is check every year what the most common vulnerabilities are and [unclear] the list. Broken authentication and session management used to be at the very bottom of that list about two years ago, and now it's at the very top, so that should probably make a lot of people start worrying. Something else that we've done is bug bounties: until February 2016 we had a private one, and then we announced the public one, and it's a very good way to invite security experts to test your code and get a better understanding of where you are. So thank you very much, [unclear].
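The escaping and target blank points from the talk, as an added example in plain JavaScript that is not code from the talk or from Intercom. It applies by hand the HTML escaping that Ember does by default, so the "before" card title, its hardened form and a string-rendered mailto helper with rel="noopener noreferrer" can be compared side by side, and adds a template check for anchors that open a new window without both rel tokens. The escapeHtml function, the MAILTO_RE sanity check, the findUnsafeBlankTargets helper and the PAYLOAD string are assumptions constructed for this example.

```javascript
'use strict';

// Added example, not from the talk or Intercom's code. Ember escapes template
// output by default; doing the same escaping by hand shows exactly what
// htmlSafe() and triple curlies give up.

// Escape for HTML text and double-quoted attribute contexts.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// The "before" from the talk: a user-controlled name is concatenated into
// markup and the whole string is then handed to htmlSafe(). Nothing escapes
// the name, so a name that contains markup becomes markup.
function cardTitleUnsafe(name) {
  return 'Hi <b>' + name + '</b>';
}

// Hardened: escape the untrusted piece; keep the author-controlled markup.
function cardTitleSafe(name) {
  return 'Hi <b>' + escapeHtml(name) + '</b>';
}

// String-rendered equivalent of the talk's DOM-based mailto helper. In the
// DOM version the browser escapes via createTextNode/setAttribute; here the
// same two contexts (href attribute, link text) are escaped explicitly.
// Assumption: the regex is only a sanity check, not full address validation.
const MAILTO_RE = /^[^\s@<>"']+@[^\s@<>"']+$/;

function mailToLink(email, className) {
  if (!MAILTO_RE.test(email)) {
    throw new Error('not a plausible email address: ' + email);
  }
  const attrs = [
    'href="mailto:' + escapeHtml(email) + '"',
    'target="_blank"',
    'rel="noopener noreferrer"', // both tokens: browsers differed on which one they honoured
  ];
  if (className) attrs.push('class="' + escapeHtml(className) + '"');
  return '<a ' + attrs.join(' ') + '>' + escapeHtml(email) + '</a>';
}

// Template check: every target="_blank" anchor must carry both rel tokens.
// Returns the offending opening tags.
function findUnsafeBlankTargets(html) {
  const anchors = html.match(/<a\b[^>]*>/gi) || [];
  return anchors.filter(tag => {
    if (!/\btarget\s*=\s*["']?_blank\b/i.test(tag)) return false;
    const m = tag.match(/\brel\s*=\s*["']([^"']*)["']/i);
    const rel = (m ? m[1] : '').toLowerCase().split(/\s+/);
    return !(rel.includes('noopener') && rel.includes('noreferrer'));
  });
}

// Constructed payload: the malformed image tag from the reflected XSS demo.
const PAYLOAD = '<img src=x onerror=alert(document.cookie)>';

if (typeof require !== 'undefined' && require.main === module) {
  console.log(cardTitleUnsafe(PAYLOAD)); // markup survives: XSS
  console.log(cardTitleSafe(PAYLOAD));   // rendered as text
  console.log(mailToLink('alice@example.com', 'contact'));
}
```

The point of the two card-title functions is where the escaping happens: escaping the untrusted value before it meets the author's markup is safe, marking the concatenated result as safe afterwards is not. In a real Ember helper the DOM route from the talk (createElement, createTextNode, appendChild) is preferable to building strings at all, because the browser then does this escaping for you.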
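The static-analysis part of the talk (a custom ESLint rule that matches CallExpression callees against a configurable list of blacklisted methods, with the count compared against a preset limit), as an added example that is neither Intercom's add-on nor the rule shown on the slides. It assumes the ESLint rule API shape (meta/create, context.options, context.report) and ESTree node names; lintAst and checkWatermark are hypothetical helpers that stand in for the ESLint engine and the CI threshold, and SAMPLE_AST is a hand-built tree rather than parser output.

```javascript
'use strict';

// Added example; not Intercom's addon or the rule shown in the talk. An ESLint
// rule in the shape the talk describes (blacklisted method names matched
// against CallExpression callees), plus a minimal AST walker and a
// high-watermark check so it can be exercised without the ESLint engine.

const DEFAULT_BLACKLIST = ['htmlSafe'];

// Static name of the function being called: htmlSafe(...), this.htmlSafe(...),
// Ember.String.htmlSafe(...). Computed calls like obj[name](...) return null.
function calleeName(node) {
  const callee = node.callee;
  if (callee.type === 'Identifier') return callee.name;
  if (callee.type === 'MemberExpression' && !callee.computed &&
      callee.property.type === 'Identifier') {
    return callee.property.name;
  }
  return null;
}

const noBlacklistedMethods = {
  meta: {
    type: 'problem',
    docs: { description: 'disallow calls that mark untrusted HTML as safe' },
    schema: [{
      type: 'object',
      properties: { methods: { type: 'array', items: { type: 'string' } } },
      additionalProperties: false,
    }],
  },
  create(context) {
    const opts = context.options[0] || {};
    const blacklist = new Set(opts.methods || DEFAULT_BLACKLIST);
    return {
      CallExpression(node) {
        const name = calleeName(node);
        if (name !== null && blacklist.has(name)) {
          context.report({
            node,
            message: `'${name}' is blacklisted: it bypasses escaping and can introduce XSS`,
          });
        }
      },
    };
  },
};

// Hypothetical stand-in for ESLint's traversal: depth-first over every node
// that has a `type`, calling the rule's CallExpression listener. Under ESLint
// the engine parses the file and drives these listeners itself.
function lintAst(ast, options) {
  const reports = [];
  const listeners = noBlacklistedMethods.create({
    options: options ? [options] : [],
    report: r => reports.push(r),
  });
  (function walk(node) {
    if (!node || typeof node.type !== 'string') return;
    if (listeners[node.type]) listeners[node.type](node);
    for (const key of Object.keys(node)) {
      const child = node[key];
      if (Array.isArray(child)) child.forEach(walk);
      else if (child && typeof child === 'object') walk(child);
    }
  })(ast);
  return reports;
}

// The line in the sand: a preset ceiling on how many blacklisted calls the
// code base may contain. The build fails only when the count grows past it.
function checkWatermark(count, limit) {
  const ok = count <= limit;
  return {
    ok,
    message: ok
      ? `${count} blacklisted call(s), within the limit of ${limit}`
      : `${count} blacklisted call(s) exceed the limit of ${limit}; refactor before merging`,
  };
}

// Constructed ESTree fragment (hand-built, not parser output) equivalent to:
//   title = htmlSafe('Hi <b>');   this.get('name');   Ember.String.htmlSafe(body);
const id = name => ({ type: 'Identifier', name });
const lit = value => ({ type: 'Literal', value });
const call = (callee, args) => ({ type: 'CallExpression', callee, arguments: args });
const member = (object, property) => ({ type: 'MemberExpression', object, property, computed: false });
const stmt = expression => ({ type: 'ExpressionStatement', expression });

const SAMPLE_AST = {
  type: 'Program',
  body: [
    stmt({ type: 'AssignmentExpression', operator: '=', left: id('title'),
           right: call(id('htmlSafe'), [lit('Hi <b>')]) }),
    stmt(call(member({ type: 'ThisExpression' }, id('get')), [lit('name')])),
    stmt(call(member(member(id('Ember'), id('String')), id('htmlSafe')), [id('body')])),
  ],
};

if (typeof module !== 'undefined') module.exports = noBlacklistedMethods;
```

Loaded as a local rule, noBlacklistedMethods runs under ESLint unchanged; the walker and SAMPLE_AST exist only so the rule's behaviour can be exercised here. Matching on the callee's property name means aliases such as Ember.String.htmlSafe and a bare import of htmlSafe are both caught, at the price of also flagging an unrelated method that happens to share the name, which is the trade-off to weigh when choosing the blacklist.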

Metadata

Formal metadata

Title Counter-spells and the Art of Keeping Your Application Safe
Series title Ember Conf 2017
Author Epure, Ingrid
License CC Attribution - ShareAlike 3.0 Unported:
You may use, modify and reproduce, distribute and make publicly available the work or its content, in unchanged or changed form, for any legal and non-commercial purpose, provided that you name the author/rights holder in the manner specified by them and pass on the work or this content, including in modified form, only under the terms of this license.
DOI 10.5446/33634
Publisher Confreaks, LLC
Year of publication 2017
Language English

Content metadata

Subject area Computer science
Abstract Ember plays an important role in ensuring that your application is secure from an attack; however, engineers share part of the responsibility. Awareness of how you can harness all the power of Ember's security capabilities and the additional steps you need to take to prevent security exploits is very important and will make life easier in assessing the current state of your application and planning for the future. In this talk we will explore some important security concerns, pitfalls and mitigations that we have learnt over the past four years of building Intercom.
