Domain Driven Security at Internetdagarna-2014


Domain Driven Security

- Dan Bergh Johnsson & Daniel Deogun, Omegapoint

Twitter: @danbjson @DanielDeogun Internetdagarna, 2014-11-24

About…

Daniel Deogun

Senior consultant at Omegapoint in Stockholm. His extensive experience ranges from patient-critical pacemaker software to high-performance reactive systems. Very passionate about high-quality software and an early adopter of DDD. Combining this with his interest in security has made him a strong advocate of Domain Driven Security.

Dan Bergh Johnsson

Agile aficionado; Domain Driven Design enthusiast; code quality craftsman, with a long-time interest in security. The combination made him use quality practices from DDD to address application security issues, thus becoming one of the founders of the field Domain Driven Security around 2009.

OWASP Top 10 (2013)

A1 - Injection

A2 - Broken Authentication and Session Management

A3 - Cross-Site Scripting (XSS)

A4 - Insecure Direct Object References

A5 - Security Misconfiguration

A6 - Sensitive Data Exposure

A7 - Missing Function Level Access Control

A8 - Cross-Site Request Forgery (CSRF)

A9 - Using Components with Known Vulnerabilities

A10 - Unvalidated Redirects and Forwards

https://www.owasp.org/index.php/Top_10_2013-Top_10

OWASP Top 10 (2013)

A1 - Injection

A3 - Cross-Site Scripting (XSS)

https://www.owasp.org/index.php/Top_10_2013-Top_10

Security and Quality

Security is not the most important quality attribute

but

quality is the most important security attribute.

- Dr John Wilander (OWASP Champion)

A1 - Injection

“Injection flaws, such as SQL, OS, and LDAP injection occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization.”

- OWASP top 10

A1 - Injection

Code Example…
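The code example on this slide is not in the transcript. The following is an added illustration (not the speakers' code and not from the Omegapoint demo repository) of the A1 point in Domain Driven Security terms: a username that is "just a string" is handed to the SQL interpreter, while a `Username` domain type validated at the boundary, combined with a bound parameter, never becomes part of the query text. The table, sample rows and the username rule are constructed for the example.

```python
"""Added example: A1 Injection with and without a domain type on the boundary.
Uses an in-memory SQLite database with constructed sample rows."""
import re
import sqlite3

# Constructed sample data: a tiny user table like the one in the slide diagram.
SAMPLE_USERS = [("alice", "alice@example.test"), ("bob", "bob@example.test")]


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def find_user_unsafe(conn: sqlite3.Connection, name: str) -> list:
    """'Just a string' goes straight into the SQL interpreter: the A1 flaw."""
    query = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(query).fetchall()


class Username:
    """Domain type: a username is not just a string. Constructing it validates
    the value, so an invalid username never reaches the rest of the system.
    The pattern is an assumed rule for this demo, not a general standard."""
    PATTERN = re.compile(r"^[a-z][a-z0-9_]{2,31}$")

    def __init__(self, raw: str):
        if not isinstance(raw, str) or not self.PATTERN.match(raw):
            raise ValueError(f"not a valid username: {raw!r}")
        self.value = raw

    def __repr__(self) -> str:
        return f"Username({self.value!r})"


def find_user(conn: sqlite3.Connection, name: Username) -> list:
    """Takes the domain type and still binds it as a parameter, so the value
    is data to the interpreter, never part of the SQL text."""
    return conn.execute(
        "SELECT name, email FROM users WHERE name = ?", (name.value,)
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    # The interpreter is tricked into returning every row.
    print(find_user_unsafe(db, "' OR 1=1 --"))
    print(find_user(db, Username("alice")))
    try:
        Username("' OR 1=1 --")
    except ValueError as err:
        print("rejected at the boundary:", err)
```

The point of the domain type is the one the slides make about meaning: `find_user` cannot even be called with the hostile string, because no `Username` exists for it, and the parameter binding is a second, independent layer that holds even if the validation rule is later relaxed.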

Domain-Driven Security

Domain Driven Design applied to Application Security

Coined in 2009 by John Wilander, Dan Bergh Johnsson, and Erlend Oftedal (aka @webtonull); later embraced by Daniel Deogun

A3 - Cross-Site Scripting (XSS)

“XSS flaws occur whenever an application takes untrusted data and sends it to a web browser without proper validation or escaping. XSS allows attackers to execute scripts in the victim’s browser which can hijack user sessions, deface web sites, or redirect the user to malicious sites.”

- OWASP top 10

Example - Coder’s Blog…

• Let’s say we’re running a website where anyone can ask questions about code

• Is it possible to avoid XSS?

Stored XSS

<script>alert('42')</script>

Browser

Stored XSS & Broken Context Mapping

<script>alert('42')</script>

Writer Context Reader Context

Browser
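The two XSS slides above describe stored XSS as a broken mapping between the writer context (where a question is posted) and the reader context (where it is rendered to a browser). As an added example (not from the slides or the Omegapoint demo repository), here is that mapping done explicitly: the writer side accepts a `QuestionText` domain type whose validation constrains shape rather than characters, since `<` and `>` are legitimate on a coding Q&A site, and the reader side escapes the value exactly where it is mapped into the HTML text context. The `QuestionStore`, the length limit and the control-character rule are assumptions made for the example.

```python
"""Added example: stored XSS as a broken context mapping, and the explicit
writer-context / reader-context mapping that avoids it."""
import html
import unicodedata


class QuestionText:
    """Domain type for the body of a question. Validation here is about
    shape (length, no control characters), not about forbidding '<' or
    '>', which are normal content on a site about code. Rules are assumed."""
    MAX_LEN = 2000

    def __init__(self, raw: str):
        if not isinstance(raw, str):
            raise TypeError("question text must be a string")
        if not 1 <= len(raw) <= self.MAX_LEN:
            raise ValueError("question text length out of range")
        for ch in raw:
            if unicodedata.category(ch) == "Cc" and ch not in "\n\r\t":
                raise ValueError("control characters are not allowed")
        self.value = raw


class QuestionStore:
    """Writer context: stores domain objects, never raw strings.
    An in-memory list stands in for the database."""

    def __init__(self):
        self._rows = []

    def post(self, text: QuestionText) -> int:
        self._rows.append(text)
        return len(self._rows) - 1

    def get(self, qid: int) -> QuestionText:
        return self._rows[qid]


def render_question_html(text: QuestionText) -> str:
    """Reader context: the mapping from domain object to HTML is the one place
    where the value is escaped for the HTML text context it is going into."""
    return '<p class="question">' + html.escape(text.value) + "</p>"


def render_question_broken(text: QuestionText) -> str:
    """The broken mapping: the stored value is pasted into the page as-is,
    so a script in the writer context runs in every reader's browser."""
    return '<p class="question">' + text.value + "</p>"


if __name__ == "__main__":
    store = QuestionStore()
    # Constructed hostile post, the same payload as on the slide.
    qid = store.post(QuestionText("<script>alert('42')</script>"))
    print(render_question_broken(store.get(qid)))
    print(render_question_html(store.get(qid)))
```

Escaping belongs to the mapping into the reader context, not to the writer context: the stored value is the question exactly as the user wrote it, and a different reader context (a JSON API, an e-mail notification) would apply its own encoding at its own boundary.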

Injection Flaws & Broken Context Mapping

’OR 1=1

User

User Table

Food For Thought

• Developers cannot think about security all the time

• Quality attitude leads to security

• Code should mean something, not just do stuff.

• There is no such thing as just a string (Dr. John Wilander)

• Validate input and map everything to domain objects

• Security through clarity

Next Step

• Green-field: Trivial, uninteresting

• Brown-field w/ service-API: Domain types for all API-method parameters

• Brown-field spaghetti: Extract a module

• Stuck? Google ”Domain Driven Security”, watch http://bit.ly/dds-video-2013, or call us, we have lots of tricks

Thanks

Twitter: @danbjson @DanielDeogun

https://github.com/Omegapoint/dds-demo-vo

Slides on SlideShare