YoVDO

Protection and Verification of Security Design Flaws

Offered By: Spring I/O via YouTube

Tags

Spring IO Courses, Spring Framework Courses, Application Security Courses

Course Description

Overview

Explore a comprehensive conference talk from Spring I/O 2017 that delves into the protection and verification of security design flaws in software applications. Learn about the two main types of software vulnerabilities: security bugs and design flaws. Discover why automated tools can easily detect security bugs, while design flaws remain challenging to identify. Understand the significant impact of design flaws on businesses, including economic costs and delayed time-to-market. Gain insights into a novel solution that combines application security architecture and testing tools to protect against and automatically verify design flaws. Follow practical examples using Spring reference applications (PetClinic) based on Spring MVC and Spring REST, along with popular pentesting tools like Burp. Examine real-world cases of design bugs, including examples from AT&T, Stack Overflow, GitHub, and JBoss. Investigate traditional approaches to protecting against design flaws and their limitations. Explore contract-based security in practical use and receive valuable recommendations for improving application security.

Syllabus

Intro
Contents of Talk
Finding and Fixing Vulnerabilities
A Basic Design Bug - AT&T
Stack Overflow
GitHub
JBoss and the JMX Consoles
Problem Statement
How to protect from design flaws with traditional approaches
It does not work in practice
The reason
Design Flaw Attack Types
Contract based security in real use
Limitations of this Method
Recommendations


Taught by

Spring I/O
