Loading…
This event has ended. View the official site or create your own event → Check it out
This event has ended. Create your own
View analytic
Friday, October 25 • 2:00pm - 2:45pm
Enforcing Authorization with Cryptography

Sign up or log in to save this to your schedule and see who's attending!

An attacker’s ability, with only user credentials, to tamper with requests and directly access sensitive data ("Insecure Direct Object Reference") exposes valuable data and can even result in impersonation. OWASP’s 2007, 2010 and 2013 Top 10 lists include this problem. Common solutions include (1) using indirect object reference maps, or (2) performing authorization checks thoroughly. 

Of the solutions above, only random indirect object maps solve all potential problems associated with insecure object references. However, this may require tons of memory. This talk presents cryptographically protected references: trading increased but acceptable computation time for very little memory requirements. 

Using threat modeling, the talk outlines relevant attack vectors. Next, the talk walks the audience through alternatives in secure design comparing each from security and performance perspectives. For each alternative, concrete comparison includes benchmark results. 

Is secure object reference about access control? Is it about random-looking parameters? What does this have to do with database keys? Audience members will leave with specific guidance to share with developers.

Speakers
avatar for Amit Sethi

Amit Sethi

Senior Principal Consultant, Cigital
Amit Sethi is a Senior Principal Consultant and the Director of the Mobile Practice and the Advanced Penetration Testing Practice at Cigital. He has over 12 years of experience in the security industry as well as a Masters degree in Cryptography. He has extensive experience performing penetration testing, source code reviews and architectural risk analysis of a wide variety of systems as well as helping organizations solve complex security... Read More →


Friday October 25, 2013 2:00pm - 2:45pm
21CT Room Norris Conference Center, 2525 W. Anderson Lane, Suite 365, Austin, Texas 78757

Attendees (23)