6. Security Principles
• Minimise Attack Surface Area
• Establish Secure Defaults
• Principle of Least Privilege
• Principle of Defence in Depth
• Fail Securely
• Separation of Duties
• Avoid Security by Obscurity
• Keep Security Simple
• Fix Security Issues Correctly
7. Minimise Attack Surface
• Every feature or technology is a risk.
• Secure development is all about reducing the risk by minimising the attack surface.
9. Establish Secure Defaults
• By default a system should be secure out-of-the-box.
• It should be up to the user to reduce their security if allowed.
23. Fix Security Issues Correctly
• Understand the root cause of the problem.
• Identify the pattern of the problem.
• Some issues are wide-spread across the code base.
• Develop a Fix
• Develop Tests
24. Fix Security Issues Correctly
PHP Hash Collision DoS (CVE-2011-4885)
• Problem: PHP was found vulnerable to a denial of service by submitting a large number of specially crafted variables (names chosen to collide in the request hashtable, so each insert degrades to a linear scan).
• Solution: max_input_vars was introduced to limit the number of variables that can be used in a request.
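The slide explains why capping the number of request variables is an effective fix for a hash collision DoS: the cost of the attack grows with the square of the number of colliding keys, so bounding the count bounds the work. The following Ruby example is added here to illustrate that; it is not from the slides and not PHP's implementation. It uses a toy chained hash table with a deliberately weak hash function and counts key comparisons ("probes") as a proxy for CPU time. The class and function names (ToyHashTable, parse_query, colliding_query) and the constructed query string are all hypothetical.

```ruby
# Added example, not from the slides: a toy chained hash table with a weak
# hash function, and a query parser that enforces a max_input_vars-style cap.

class ToyHashTable
  attr_reader :probes

  def initialize(buckets = 64)
    @buckets = Array.new(buckets) { [] }
    @probes = 0 # key comparisons performed; stands in for CPU work
  end

  # Deliberately weak hash: the sum of the byte values. Any two keys that are
  # permutations of the same bytes land in the same bucket.
  def weak_hash(key)
    key.bytes.sum % @buckets.size
  end

  # Insert walks the whole chain looking for an existing key, so with n keys in
  # one bucket the n-th insert costs n-1 comparisons: quadratic overall.
  def insert(key, value)
    chain = @buckets[weak_hash(key)]
    chain.each do |pair|
      @probes += 1
      if pair[0] == key
        pair[1] = value
        return
      end
    end
    chain << [key, value]
  end

  def size
    @buckets.sum(&:size)
  end
end

# Parse "a=1&b=2" style input, refusing variables beyond the cap. This is the
# same idea as PHP's max_input_vars; the cap value is chosen by the caller.
def parse_query(query, max_input_vars:)
  table = ToyHashTable.new
  query.split('&').each do |pair|
    break if table.size >= max_input_vars
    name, value = pair.split('=', 2)
    table.insert(name, value.to_s)
  end
  table
end

# Constructed input: `count` distinct names that are all permutations of the
# same eight letters, so every one of them collides under weak_hash.
def colliding_query(count)
  keys = 'abcdefgh'.chars.permutation.first(count).map(&:join)
  keys.map { |k| "#{k}=1" }.join('&')
end

if __FILE__ == $PROGRAM_NAME
  unlimited = parse_query(colliding_query(200), max_input_vars: 100_000)
  capped    = parse_query(colliding_query(200), max_input_vars: 50)
  puts "no cap:  #{unlimited.size} vars, #{unlimited.probes} probes"
  puts "cap 50:  #{capped.size} vars, #{capped.probes} probes"
end
```

With 200 colliding names the uncapped table performs 19,900 comparisons (200*199/2); with the cap at 50 it performs 1,225 and simply ignores the rest of the request. The cap does not fix the weak hash, which is why PHP's change was a mitigation rather than a root-cause fix.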
26. Fix Security Issues Correctly
PHP Remote Code Execution (CVE-2012-0830)
• The max_input_vars fix for CVE-2011-4885 itself introduced this bug: the vulnerability occurs when max_input_vars is exceeded and the variable is an array.
• Code execution occurs when Z_ARRVAL_PP is called to obtain a reference to an updated hashtable.
• If the number of variables is greater than max_input_vars, gpc_element points to the previous variable value, which is uninitialised memory.
34. C
• In C the type system is completely arbitrary. You can do whatever you like with pointers.
35. Ruby
• The Ruby language supports the use of system commands.
• If untrusted input reaches Kernel.system unsanitised, it provides a means of injecting shell commands into the application to bypass security measures.
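The injection risk the slide describes comes from the string form of Kernel.system and IO.popen, which hands the whole string to /bin/sh, so shell metacharacters in the input become extra commands. The following Ruby example is added here and is not from the slides; it shows the vulnerable string form beside two hardened alternatives (the argv array form, which never invokes a shell, and Shellwords escaping) plus an input whitelist. It uses only `echo` so the injected command is harmless. The helper names and the UNTRUSTED string are constructed for the example.

```ruby
# Added example, not from the slides: string-form command execution versus the
# argv form, using IO.popen so the result can be captured and compared.
require 'shellwords'

# Constructed input: looks like a filename but carries a second command.
UNTRUSTED = 'report.txt; echo INJECTED'.freeze

# Vulnerable: the string goes through /bin/sh, so ';' ends the echo and the
# attacker-controlled "echo INJECTED" runs as its own command.
def run_vulnerable(name)
  IO.popen("echo #{name}", &:read)
end

# Hardened: the array form execs `echo` directly with `name` as ONE argument.
# No shell is involved, so metacharacters are just bytes in the argument.
def run_hardened(name)
  IO.popen(['echo', name], &:read)
end

# Alternative when a shell really is required: quote the argument so the shell
# treats it as a single word.
def run_escaped(name)
  IO.popen("echo #{Shellwords.escape(name)}", &:read)
end

# Defence in depth: reject anything that cannot be a plain filename before it
# gets anywhere near a command.
def validate_filename(name)
  raise ArgumentError, "rejected: #{name.inspect}" unless name.match?(/\A[\w.-]+\z/)
  name
end

if __FILE__ == $PROGRAM_NAME
  puts "vulnerable: #{run_vulnerable(UNTRUSTED).inspect}"
  puts "hardened:   #{run_hardened(UNTRUSTED).inspect}"
  puts "escaped:    #{run_escaped(UNTRUSTED).inspect}"
end
```

The vulnerable call prints two lines, "report.txt" and "INJECTED", proving the second command ran; both hardened forms print the input verbatim on one line. Prefer the array form over escaping: it removes the shell from the picture instead of trying to out-quote it.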
36. Struts
• Struts allows you to do dynamic method invocation: the `!changePassword` suffix in the action URL selects which method of the action class is called.
• http://host/struts2_security_vulnerability/changepassword!changePassword.action?newPassword=my_new_password&username=bruce
• Disable it with the following init-param:
  <init-param>
    <param-name>struts.enable.DynamicMethodInvocation</param-name>
    <param-value>false</param-value>
  </init-param>