Information security on the web: the basics


Transcript of "Information security on the web: the basics"

  • 1.
  • 2. [email protected], [email protected], [email protected]
  • 3. IT-
  • 4. Disclaimer
  • 5. (security expert)?
  • 6. Threat modeling; Microsoft? STRIDE; Visio
  • 7. STRIDE: Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, Elevation of privilege
  • 8. LAMP: (M), (A,P), (L)
  • 9. DAC, discretionary access control: Unix r/w/x bits. MAC, mandatory access control. RBAC, role-based access control; Microsoft? RBAC in MS Win NT (Netware). RBAC
  • 10. !
  • 11. POLP, principle of least privilege
  • 12. (M) S: Spoofing? TCP
  • 13. (M) T,R: Little Bobby Tables (http://xkcd.com/327), "We will learn how to sanitize our database inputs a bit l8r"
  • 14. (M) I: WHERE name LIKE %ash% ... ? ???
  • 15. md5($password): vasya: 698d51a19d8a121ce581499d7b701668, petya: 698d51a19d8a121ce581499d7b701668. md5(111)? Rainbow tables. md5($salt . $password), $salt
  • 16. MD5 GPU brute force speed exceeds 200 million MD5 hashes/second (default charset [a-z,0-9]). As of 2011, commercial products are available that claim the ability to test up to 2,800,000,000 passwords per second on a standard desktop computer using a high-end graphics processor (NTLM hash). (SHA-512, Whirlpool). Key stretching, PBKDF2
  • 17. (M) D
  • 18. (M) E: PHPMyAdmin (VPN), POLP
  • 19. (M) E: MySQL
  • 20. (A,P) S: cookie, SSL, cookie, cookie (IP)
  • 21. (A,P) T: ! ! POLP? ?
  • 22. (A,P) R: (?)
  • 23. (A,P) I: (!!!) ID in URL? HTTP headers, SQL injection
  • 24. SQL injection: Little Bobby Tables is back again! ? PHP, string escaping, OWASP ... prepared statements: injection! prepared statement, ! !
  • 25. (A,P) D: Highload Lab, iptables, ipset
  • 26. (A,P) E: root, security framework, unit, security framework
  • 27. (A,P) E: CAPTCHA, IP, password policy (IP, UA), (SMS)
  • 28. (L) S: (IP +, IP +)
  • 29. (L) T: AIDE, Tripwire (etc.)? (syslog) Lennart Poettering
  • 30. (L) R: ? ssh root, su, sudo
  • 31. (L) I: Grsecurity, SELinux, RSBAC, AppArmor, Tomoyo; POLP; permissive mode, enforcing mode; POSIX ACLs
  • 32. (L) D: (NAGIOS, Icinga, Zabbix, etc.)
  • 33. (L) E: (DenyHosts, fail2ban)? Port knocking, VPN, security updates, remote vulnerabilities
  • 34. ?
  • 35. S: JavaScript, XSS, CSRF
  • 36. XSS: JS, OWASP ... PHP:
  • 37. CSRF, Cross Site Request Forgery: a.com, a.com GET, GET, a.com GET, POST, one-time challenges
  • 38. T,R,D: cookies, local file storage, DoS?
  • 39. I,E: XSS: http://habrahabr.ru/company/dsec/blog/141684/
  • 40. Rainbow series (good luck!), OWASP Guide, Security mailing lists, etc., http://security.stackexchange.com
  • 41. ?
  • 42. [email protected] http://alexclear.livejournal.com http://github.com/alexclear skype://demeliorator
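Slides 15 and 16 contrast md5($password) with a salted, key-stretched hash. The Python example below is added here and is not part of the original deck: it reproduces the two users' identical unsalted MD5 hashes, recovers the password from a small precomputed digit table in the spirit of a rainbow table, and then stores the same passwords with PBKDF2-HMAC-SHA512 and a random per-user salt so the hashes differ and the table no longer applies. The user names and passwords come from slide 15; the 210,000 iteration count, the storage format and the function names are assumptions of this example.

```python
import hashlib
import hmac
import os
from itertools import product

# Constructed sample data from slide 15: two users who chose the same password.
USERS = {"vasya": "111", "petya": "111"}
ITERATIONS = 210_000  # assumed work factor for PBKDF2-HMAC-SHA512

def unsalted_md5(password: str) -> str:
    """Slide 15 legacy scheme: md5($password). Same password => same stored hash."""
    return hashlib.md5(password.encode()).hexdigest()

def build_precomputed_table(max_len: int = 4) -> dict:
    """Tiny stand-in for a rainbow table: MD5 of every all-digit string up to max_len."""
    table = {}
    for n in range(1, max_len + 1):
        for digits in product("0123456789", repeat=n):
            pw = "".join(digits)
            table[unsalted_md5(pw)] = pw
    return table

def lookup_precomputed(stored_hash: str, table: dict):
    """Recover a password from an unsalted hash with one dictionary lookup, or None."""
    return table.get(stored_hash)

def salted_pbkdf2(password: str, salt: bytes, iterations: int = ITERATIONS) -> str:
    """Slide 16 scheme: per-user random salt plus key stretching (PBKDF2)."""
    dk = hashlib.pbkdf2_hmac("sha512", password.encode(), salt, iterations)
    return f"pbkdf2_sha512${iterations}${salt.hex()}${dk.hex()}"

def verify_pbkdf2(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iterations, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha512":
        return False
    dk = hashlib.pbkdf2_hmac("sha512", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)

def store_unsalted(users: dict) -> dict:
    """Password table as the slide's md5($password) would produce it."""
    return {user: unsalted_md5(pw) for user, pw in users.items()}

def store_salted(users: dict) -> dict:
    """Password table with a fresh 16-byte salt per user."""
    return {user: salted_pbkdf2(pw, os.urandom(16)) for user, pw in users.items()}

def has_duplicate_hashes(table: dict) -> bool:
    """True when two users share a stored value, which leaks that they share a password."""
    return len(set(table.values())) < len(table)
```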