Talk - What's Our Software Doing With All That User Input
Abstract
What are we doing with all the characters that get shoved into our applications? Have we considered every potential execution context? It’s often interesting and surprising to see what sort of concoction of characters can be executed in different places… and linking multiple attack vectors together which the builders haven’t thought about. What are we trusting? Why are we trusting it? What, where and how should we be sanitising?
We have a vast collection of libraries, techniques, cheat sheets, tutorials, guides and tools at our disposal. I often find myself thinking… how can we commoditise the sanitisation of user input and I keep coming up with the same answer. It’s not easy. Every application has a completely different set of concerns.
In order for our software to be shielded from an attack, the builders must think like attackers.
In this talk I’ll attempt to:
- Increase our knowledge and awareness
- Discuss practical techniques and approaches that increase our defences
- Break some software
Kim Carter
Technologist / Engineer, Information Security Professional
Technologist / Engineer, Information Security Professional, Entrepreneur and the founder of BinaryMist Ltd and PurpleTeam-Labs. Ex OWASP NZ Chapter Leader of eight years. Certified Scrum Master. Facilitator, mentor and motivator of cross functional, self managing teams. With a solid 20 years of commercial industry experience across many domains.