Alexander Pirker
101 Typical Security Pitfalls
#1 Defining the context of application security (about 3 minutes)
Security is not absolute and must be evaluated based on the application type, environment, data sensitivity, and performance constraints.

#2 Understanding the impact of major vulnerabilities (about 2 minutes)
Recent widespread vulnerabilities like Log4Shell and Spring4Shell demonstrate the critical need for proactive security in software development.

#3 Preventing XSS by sanitizing on the backend (about 3 minutes)
Client-side input sanitization is easily bypassed, so all user-provided data must be sanitized on the backend to prevent XSS attacks.

#4 Preventing remote code execution from poor input validation (about 4 minutes)
Failing to validate input parameters against an allowlist can lead to command injection, allowing an attacker to open a reverse shell.

#5 Preventing denial of service attacks from service crashes (about 4 minutes)
Supplying malformed data, like a public key of the wrong length, can trigger a panic in a library and cause a denial-of-service attack.

#6 How data type downcasting can break cryptography (about 4 minutes)
Implicitly downcasting a larger integer to a smaller type like a byte can lead to information leakage by causing index collisions.

#7 Preventing information leakage from out-of-bounds memory reads (about 4 minutes)
Failing to validate the length parameter in a memory copy operation can lead to an out-of-bounds read, leaking sensitive stack memory.

#8 Four key principles for writing secure code (about 3 minutes)
Developers should prioritize input data sanitization, careful data type selection, proper memory management, and graceful error handling.

#9 Q&A on common pitfalls and sanitization tools (about 1 minute)
The most common security pitfall is XSS from frontend bypasses, and DOMPurify is a recommended tool for HTML sanitization.