The Anti pattern

The Anti-Pattern

input = GET[ “username” ]

statement = “code “ + input

execute( statement )

The Anti-Pattern

• sql• ldap• eval• response.write• file.open• reflection• control.the.computer

EXECUTE

Anti-AntiPatterns

Code not Text!

Text query languages suck.

Critera & Entity API: WIN

Code not Text

Root<Pet> pet = cq.from(Pet.class)cq.where(cb.equals(pet.get(Pet_.name), input))

s = “SELECT FROM pet WHERE pet.name =“ + inputexecuteSQL( s )

Fear String.Concat

Parameterized Queries: use wildcards instead of concatenating user input

Remove String.Concat

s = “SELECT FROM pet WHERE pet.name = @name“ps = prepare( s )ps.bind(“@name”, input)

s = “SELECT FROM pet WHERE pet.name =“ + inputexecuteSQL( s )

Defensein depth

EXECUTE

GUARD Exception

Defense in Depth

input = GET[ “username” ]

if (whitelist.bad( input )) { secLog(“reject…”) throw new Exception()}

Summary

• Most common security coding vulns are variants of the same anti-pattern

• Use easy safe-by-design API– Entity & Criteria API – SQLi is hard =)

• Fear String.Concat– String operations are the mother of all evil– Parameterize if you must stick to text!

• Defend in Depth! – The anti-pattern can also be broken by input

validation.

The Anti pattern

Technology

Transcript of The Anti pattern

Cassandra Day Denver 2014: Cassandra Anti-Pattern Jeopardy

Anti-Pattern Specification and Correction Recommendations for ...

Human TLR10 is an anti-inflammatory pattern-recognition ... · PDF fileHuman TLR10 is an anti-inflammatory pattern-recognition receptor Marije ... Ineke C. Verschuerena, Peer Artsc,

Drug Utilization Pattern of Non-Steroidal Anti …...Drug Utilization Pattern of Non-Steroidal Anti-Inflammatory Drugs in Patients Attending Orthopaedic Department of A Hospital in

Lecture continuous integration · • Continuous delivery • Continuous deployment • Benefits, challenges, different approaches ... Patterns and anti-patterns!5 Anti-pattern: "..just

Ontological Patterns, Anti-Patterns and Pattern …gguizzardi/ER2014-keynote-CR.pdfLanguages for Next-Generation Conceptual ... aspects of the physical and ... the development of engineering

Performance comparison of query-based techniques for anti-pattern … · Performance comparison of query-based techniques for anti-pattern detectionq Zoltán Ujhelyia, , Gábor Sz}oke

PATTERN FORMATION OF A PREDATOR-PREY MODEL WITH THE COST OF ANTI-PREDATOR BEHAVIORS · 2020-05-03 · PATTERN FORMATION OF A PREDATOR-PREY MODEL WITH THE COST OF ANTI-PREDATOR BEHAVIORS

Pager Anti Pattern（Joke）

SAFETY / ANTI-FATIGUE MATTINGSafety/Anti-Fatigue Matting (Dry) Great for areas that require stylish anti-fatigue relief and durability. Durable smooth marble-pattern top surface of

Day Trading With the Anti-Climax Pattern eBook

It's Not You, It's Your Anti-Pattern

Ci&T Anti-Software Factory Pattern

An Approach to Design Pattern and Anti-Pattern Detection ...magedelaasar.com/wp-content/uploads/2012/11/An-Approach-to-Design... · An Approach to Design Pattern and Anti-Pattern

Trust anti pattern cards

Free Knitting Pattern Lion Brand® Basic Stitch™ Anti-Pilling Frankie … · 2020-05-13 · Frankie Striped Hat Pattern Number: L90285 When working one of the color rnds of the

Selected Methods for Anti-Pattern Detection in the Model ...kvasnicka/Seminar_of_AI/Polasek...Selected Methods for Anti-Pattern Detection in the Model/Source Code Identifying and Visualisation

An Anti-Pattern for Misuse Cases - Samosweb.Aegean.Gr · An Anti-Pattern for Misuse Cases ... STRIDE Example threats to online banking web application: ... • Identify root cause

Forensic Assertive Community Treatment (FACT): Updating ... · Anti-social attitudes Anti-social friends and peers Anti-social personality pattern Substance abuse Family and/or marital

Product Owner Anti-Patterns - StickyMinds · Certified ScrumMaster Training Anti‐Pattern: Copy the Old • When the project is to build a new application to ... Product Owner Anti