Friday, September 18, 2015

OWASP Dallas September Meeting

Last night I attended the Dallas chapter of OWASP's monthly meeting for September.
Stephen Pasco presented on validating inputs. Apparently, 93% of AppSec vulnerabilities can be neutralized simply by validating inputs. The biggest concern with unvalidated input is code injection. It is possible to give a program malicious input that will cause it to execute unknown code, thereby breaking the system.

One method of validation discussed was making sure that the format of the input matched what the function is expecting. For example, if the function is expecting an email address, there should be an '@' and a '.' somewhere in the input. There is a set limit to top-level domains (e.g. .com, .edu, .co.uk, etc.), so checking the domain suffix against that list is an additional way to validate email addresses.
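The format check described above, as an added example that is not from the talk or from the original post: a shape check (local part, '@', dotted domain) followed by a lookup of the domain suffix against an allowlist of top-level domains. The `KNOWN_TLDS` set here is a constructed sample; a real deployment would load the full public suffix list.

```python
import re

# Constructed sample of accepted suffixes. Multi-label suffixes such as
# "co.uk" are listed as a whole so that "example.co.uk" is accepted
# while a bare "example.uk" is not (since "uk" alone is not listed).
KNOWN_TLDS = {"com", "edu", "org", "net", "gov", "co.uk"}

# Shape check only: one local part, one '@', at least one dotted label,
# and an alphabetic final label. This deliberately does not try to be
# RFC 5322 complete; it rejects the obviously malformed before the
# suffix lookup runs.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@([A-Za-z0-9-]+\.)+[A-Za-z]{2,}")

MAX_EMAIL_LEN = 254  # longest address a mail system will transport


def has_known_suffix(domain: str) -> bool:
    """True if the domain ends in a listed suffix and has a label before it."""
    labels = domain.lower().split(".")
    # Start at 1 so the suffix must be preceded by at least one label;
    # longer candidates are tried first so "co.uk" wins over "uk".
    for i in range(1, len(labels)):
        if ".".join(labels[i:]) in KNOWN_TLDS:
            return True
    return False


def is_valid_email(value: str) -> bool:
    """Format validation for an email field: shape first, then suffix allowlist."""
    if not value or len(value) > MAX_EMAIL_LEN:
        return False
    if not EMAIL_RE.fullmatch(value):
        return False
    domain = value.rsplit("@", 1)[1]
    return has_known_suffix(domain)


if __name__ == "__main__":
    for candidate in ["alice@example.com", "bob@mail.example.co.uk",
                      "no-at-sign.example.com", "carol@example.invalidtld"]:
        print(f"{candidate!r}: {'accepted' if is_valid_email(candidate) else 'rejected'}")
```

Rejecting on format before the value reaches any parser or query is the point of the talk: the allowlist approach means an unexpected suffix is rejected by default rather than being tolerated because it "looks roughly right".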

Another method of validating input discussed was analyzing the frequency and patterns of input. One example used was an update function detecting that it is being overused. If a shipping address is updated every day, something probably isn't right. Functions that can evaluate their own usage can provide an additional form of input validation.

While it was not discussed, I suspect input patterns can help fight against social engineering. It's not uncommon for an attacker to change something in an online profile, then use that fake information to validate ownership of an account when speaking with customer service. Customer data interfaces could be written to only use data older than one week to verify identity.
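The usage-frequency idea from the talk and the "only trust data older than a week" idea from the paragraph above, combined into one added example that is not from the talk or the original post. A profile field keeps its own change history; an update is refused when too many changes have landed inside a rolling window, and the identity-verification path reads only the newest value that has already aged past a trust threshold. The thresholds, field names and dates are constructed for illustration.

```python
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Constructed thresholds: a shipping address changing more than this many
# times within the window is treated as anomalous, and only values older
# than MIN_TRUST_AGE may be used to verify a caller's identity.
MAX_UPDATES_IN_WINDOW = 2
WINDOW = timedelta(days=7)
MIN_TRUST_AGE = timedelta(days=7)


class ProfileField:
    """A single profile value that tracks and evaluates its own update pattern."""

    def __init__(self, value: str, changed_at: datetime) -> None:
        # Oldest entry first; each entry is (time of change, value set).
        self.history: List[Tuple[datetime, str]] = [(changed_at, value)]
        self.flagged: List[Tuple[datetime, str]] = []  # refused updates, for review

    def updates_within_window(self, now: datetime) -> int:
        return sum(1 for changed_at, _ in self.history if now - changed_at < WINDOW)

    def update(self, value: str, now: datetime) -> bool:
        """Apply the update, or refuse and record it if the field is being overused."""
        if self.updates_within_window(now) >= MAX_UPDATES_IN_WINDOW:
            self.flagged.append((now, value))
            return False
        self.history.append((now, value))
        return True

    def current_value(self) -> str:
        return self.history[-1][1]

    def trusted_value(self, now: datetime) -> Optional[str]:
        """Newest value that has been in place for at least MIN_TRUST_AGE, or None."""
        for changed_at, value in reversed(self.history):
            if now - changed_at >= MIN_TRUST_AGE:
                return value
        return None


def at_day(n: int) -> datetime:
    """Constructed timeline helper: day n after an arbitrary epoch."""
    return datetime(2015, 9, 1) + timedelta(days=n)


def run_scenario() -> dict:
    """Constructed scenario: a long-standing address, then three changes on consecutive days."""
    address = ProfileField("1 Main St", at_day(0))
    results = {
        "day30_accepted": address.update("2 Oak Ave", at_day(30)),
        "day31_accepted": address.update("3 Elm Rd", at_day(31)),
        "day32_accepted": address.update("4 Pine Ct", at_day(32)),
    }
    results["flag_count"] = len(address.flagged)
    results["current"] = address.current_value()
    # Customer service on day 32 sees the value that has aged past the threshold,
    # not the freshly changed one.
    results["trusted_on_day32"] = address.trusted_value(at_day(32))
    return results


if __name__ == "__main__":
    for key, val in run_scenario().items():
        print(f"{key}: {val}")
```

Separating `current_value` (what the application uses for shipping) from `trusted_value` (what identity verification may rely on) is the design point: a recent change still takes effect for its normal purpose, but it cannot be used as proof of ownership until it has aged.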

One product that was discussed to help is an OWASP project called AppSensor. Based on how it was presented, AppSensor is an open source application that, when configured, will validate inputs for existing applications. Now, instead of rewriting all your applications to validate their own inputs, AppSensor will validate them for you.

Thursday, September 10, 2015

Time-Lapse Photography: First attempt.

I decided to let my phone run, taking a picture every 5 seconds while I did my homework this afternoon.
While this is not an ideal photo shoot scenario, I really like the results I got.
These are my first attempts at time-lapse photography.