Friday, September 18, 2015

OWASP Dallas September Meeting

Last night I attended the Dallas chapter of OWASP monthly meeting for September.
Stephen Pasco presented on validating inputs. Apparently, 93% of AppSec vulnerabilities can be neutralized simply by validating inputs. The biggest concern with unvalidated input is code injection. It is possible to give a program malicious input that will cause it to execute unknown code, thereby breaking the system.

One method of validation discussed was making sure that the format of the input matches what the function is expecting. For example, if the function is expecting an email address, there should be an '@' and a '.' somewhere in the input. There is a limited set of top-level domains (e.g. .com, .edu, .co.uk, etc.), so checking against that set is an additional way to validate email addresses.

Another method of validating input discussed was analyzing the frequency and patterns of input. One example used was an update function that detects when it is being overused. If a shipping address is updated every day, something probably isn't right. Functions that can evaluate their own usage can be an additional form of input validation.
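The two checks described above, as an added example that is not from the talk or from AppSensor. The names `is_plausible_email` and `UpdateMonitor`, the short TLD allow-list, and the limit of three updates per week are all assumptions made for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample allow-list; a real deployment would load the full IANA TLD list.
ALLOWED_TLDS = {"com", "edu", "org", "net", "uk"}

def is_plausible_email(value):
    """Format check: exactly one '@', a local part, a dotted domain, a known TLD."""
    if value.count("@") != 1:
        return False
    local, domain = value.split("@")
    labels = domain.lower().split(".")
    # Reject empty local parts, domains without a dot, and empty labels ("a@.com").
    if not local or len(labels) < 2 or not all(labels):
        return False
    # Only the last label is the TLD, so "site.co.uk" is checked as "uk".
    return labels[-1] in ALLOWED_TLDS

class UpdateMonitor:
    """Flags an account that calls an update function more than `limit` times per `window`."""

    def __init__(self, limit=3, window=timedelta(days=7)):
        self.limit = limit
        self.window = window
        self.events = defaultdict(deque)  # account id -> timestamps inside the window

    def record(self, account, when):
        """Record one update (timestamps assumed in order); True means suspicious."""
        recent = self.events[account]
        recent.append(when)
        # Drop updates that have aged out of the sliding window.
        while when - recent[0] > self.window:
            recent.popleft()
        return len(recent) > self.limit

def demo():
    """Constructed events: account 'a1' changes its shipping address every day."""
    monitor = UpdateMonitor(limit=3, window=timedelta(days=7))
    start = datetime(2015, 9, 1, 12, 0)
    return [monitor.record("a1", start + timedelta(days=d)) for d in range(6)]

if __name__ == "__main__":
    print(is_plausible_email("user@example.com"), demo())
```

The format check only says the input looks like an address; it does not prove the mailbox exists. The monitor flags on the fourth update within a week, and what the application does with that signal (block, log, or require re-authentication) is a separate decision.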

While it was not discussed, I suspect input patterns can help fight against social engineering. It's not uncommon for an attacker to change something in an online profile then use that fake information to validate ownership of an account when speaking with customer service. Customer data interfaces could be written to only use data older than one week to verify identity.

One product that was discussed to help is an OWASP project called AppSensor. Based on how it was presented, AppSensor is an open source application that, when configured, will validate inputs for existing applications. Now, instead of rewriting all your applications to validate their own inputs, AppSensor will validate them for you.

Thursday, September 10, 2015

Time-Lapse Photography: First attempt.

I decided to let my phone run, taking a picture every 5sec while I did my homework this afternoon.
While this is not an ideal photo shoot scenario, I really like the results I got.
These are my first attempts at time-lapse photography.



Tuesday, July 28, 2015

My Every Day Carry



Leatherman Wingman Multi-Tool
Scout Motto: Be Prepared. When someone asked Lord Baden Powell what they should be prepared for, he answered "any old thing". I don't know any Eagle Scouts who don't always have at least one knife on their person at all times. One of my favorite features about this multi-tool is that, unlike most other Leatherman or Gerber multi-tools, you don't have to open the whole thing to get to the knife. Also included are Leatherman's traditional pliers, various screwdrivers, and a can opener. It's also got a nifty little tool designed specifically for safely opening plastic packaging. That came in handy very often when opening new hardware at my old SysAdmin job.

The Marines say "Two is one and one is none". It's always best to have a backup.
Used for Two Factor Authentication for many online services I use. I often use the public computers at school. Knowing that someone with a key-logger still isn't able to get into my accounts helps me sleep at night.
Currently this device keeps a copy of all my work from my laptop. In the off chance that I don't have access to my computer or its cloud backups, I still have access to all my data. I picked it because it's advertised as mil-spec and is supposed to be able to take a beating. I like to be able to depend on my equipment.
For my coffee. This is a great thermos. It keeps my coffee and tea hot enough to last the whole day. Even when I make my coffee the night before, it stays hot all day long.
This water bottle is big enough to last me the two hours some classes take, but not so big that it gets too heavy to haul across campus while full. That and it's indestructible. I watched a scout throw one off a cliff at Philmont. When we hiked down to retrieve it, there was barely a scratch on it.
Because who doesn't love LEGOs and Star Wars?

Saturday, July 25, 2015

About Me: Jacen R Kohler

My name is Jacen R Kohler and I am a student at UNT graduating in May of 2017, majoring in Computer Engineering and specializing in Communications and Networks with a security certificate. I have a passion for all things security. I like to break things, and then fix them so they are harder to break next time. It is my dream to pursue a career in Information Security. My hope is to combine InfoSec, Physical Security, and Social Engineering to become a well-rounded security professional.