CISSP: Application Security
Uploaded by young-choon-tae

Application Security
table of contents
• good and bad
• bad things first
• to be good
• and more
good and bad
• bad things first
bad apps are written for
• hobby
• money (the current trend)
hobby
• virus
• worm
virus
• script
• stealth
money
• tick
• DoS (denial of service)
the good side
• repository
• code
repository
• database (and data warehouse)
• directory service
• expert system
code
• more than secure coding
to be a good app
• follow the protocol
• build on the infrastructure
CMM (Capability Maturity Model) levels
• initial
• repeatable
• defined
• managed
• optimizing
and more
process (development life cycle)
• needs (requirements)
• logical design (using UML)
• real design (using UML)
• coding
• test
• implementation & maintenance
• end of life (retirement)
database
• DDL, DML (data definition and data manipulation languages)
• data dictionary
• rollback, commit and checkpoint
• ODBC (Open Database Connectivity)
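The commit/rollback bullet is the one worth seeing in working code: a transaction either applies all of its statements or none of them. The following added example is not from the slides; it uses Python's built-in sqlite3 module with a constructed accounts table (DDL creates the table, DML moves the money) and a CHECK constraint that makes an overdraft fail so the rollback path can be exercised.

```python
import sqlite3

# DDL: schema definition. The CHECK constraint is what forces a failed
# transfer to abort, which is how we exercise rollback below.
ACCOUNTS_DDL = (
    "CREATE TABLE accounts ("
    "  id INTEGER PRIMARY KEY,"
    "  owner TEXT NOT NULL UNIQUE,"
    "  balance INTEGER NOT NULL CHECK (balance >= 0))"
)

def setup():
    """Create an in-memory database with two constructed sample accounts."""
    # isolation_level=None: no implicit transactions, we issue BEGIN ourselves.
    conn = sqlite3.connect(":memory:", isolation_level=None)
    conn.execute(ACCOUNTS_DDL)
    conn.execute("BEGIN")
    # DML: data manipulation.
    conn.executemany(
        "INSERT INTO accounts (owner, balance) VALUES (?, ?)",
        [("alice", 100), ("bob", 50)],
    )
    conn.commit()
    return conn

def transfer(conn, src, dst, amount):
    """Move `amount` from src to dst as one unit of work.

    Returns True if the transaction committed, False if it was rolled back.
    Both UPDATEs happen or neither does; a partially applied transfer
    (money debited but never credited) is never visible to other readers.
    """
    try:
        conn.execute("BEGIN")
        conn.execute(
            "UPDATE accounts SET balance = balance - ? WHERE owner = ?",
            (amount, src),
        )
        conn.execute(
            "UPDATE accounts SET balance = balance + ? WHERE owner = ?",
            (amount, dst),
        )
        conn.commit()
        return True
    except sqlite3.IntegrityError:
        # The CHECK constraint rejected an overdraft: undo everything
        # done since BEGIN so the database returns to its last consistent state.
        conn.rollback()
        return False

def balances(conn):
    """Snapshot of every account, used to verify atomicity."""
    return dict(conn.execute("SELECT owner, balance FROM accounts ORDER BY owner"))

if __name__ == "__main__":
    db = setup()
    print(transfer(db, "alice", "bob", 30), balances(db))   # committed
    print(transfer(db, "bob", "alice", 500), balances(db))  # rolled back, unchanged
```

A DBMS checkpoint is a different mechanism from the savepoint-style behaviour shown here: it flushes committed log records to the data files so that crash recovery has less redo work to do, and the application never calls it directly.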
OO (object-oriented design)
attack!
• [infra] NOS (network operating system)
• [infra] daemons
• code
attack the NOS
• ICMP: floods and malformed packets the stack can't handle (ping of death)
• TCP/IP: the same (bad flag combinations, SYN floods)
attack the daemons
• DNS: cache poisoning (-> DNSSEC)
• SSH1: weak DES cipher (-> SSH2 with other cryptography)
• OpenSSL: known vulnerabilities (-> patch)
attack the code
• cross-site scripting (XSS)
• SQL injection
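Both code-level attacks on this slide come from the same mistake: untrusted input is concatenated into a string that another parser (the SQL engine, the browser's HTML parser) then interprets. The added example below is not from the slides; it shows, in Python with the built-in sqlite3 and html modules and a constructed users table, the vulnerable form of each beside the hardened form. The table stores plaintext passwords only to keep the demo short; a real system stores password hashes.

```python
import html
import sqlite3

def make_db():
    """Constructed sample data for the demo (not a real credential store)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT NOT NULL, pw TEXT NOT NULL)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "s3cret"), ("bob", "hunter2")],
    )
    conn.commit()
    return conn

# --- SQL injection -------------------------------------------------------

def login_vulnerable(conn, name, pw):
    """Builds the statement by string formatting: input becomes SQL syntax."""
    query = f"SELECT COUNT(*) FROM users WHERE name = '{name}' AND pw = '{pw}'"
    return conn.execute(query).fetchone()[0] > 0

def login_safe(conn, name, pw):
    """Parameterized query: the driver binds input as data, never as SQL."""
    query = "SELECT COUNT(*) FROM users WHERE name = ? AND pw = ?"
    return conn.execute(query, (name, pw)).fetchone()[0] > 0

# --- Cross-site scripting -----------------------------------------------

def greet_vulnerable(name):
    """Interpolates raw input into markup: input becomes HTML."""
    return f"<p>Hello {name}</p>"

def greet_safe(name):
    """Output-encodes for the HTML text context, so input stays text."""
    return f"<p>Hello {html.escape(name)}</p>"

if __name__ == "__main__":
    db = make_db()
    # Classic tautology payload: the string-built WHERE clause becomes
    # "... AND pw = '' OR '1'='1'", which matches every row.
    payload = "' OR '1'='1"
    print(login_vulnerable(db, "alice", payload))  # True: auth bypassed
    print(login_safe(db, "alice", payload))        # False: treated as a literal
    print(greet_vulnerable("<script>alert(1)</script>"))
    print(greet_safe("<script>alert(1)</script>"))
```

The fix in both cases is the same shape: keep data and code separate by handing input to an API that knows the target grammar (bound parameters for SQL, a context-aware encoder for HTML) instead of assembling the grammar by hand.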
end