Security is not absolute and must be evaluated based on the application type, environment, data sensitivity, and performance constraints.
Recent widespread vulnerabilities like Log4Shell and Spring4Shell demonstrate the critical need for proactive security in software development.
Client-side input sanitization is easily bypassed, so all user-provided data must be sanitized on the backend to prevent XSS attacks.
Failing to validate input parameters against an allowlist can lead to command injection, allowing an attacker to open a reverse shell.
Supplying malformed data, like a public key of the wrong length, can trigger a panic in a library and cause a denial-of-service attack.
Implicitly downcasting a larger integer to a smaller type like a byte can lead to information leakage by causing index collisions.
Failing to validate the length parameter in a memory copy operation can lead to an out-of-bounds read, leaking sensitive stack memory.
Developers should prioritize input data sanitation, careful data type selection, proper memory management, and graceful error handling.
The most common security pitfall is XSS from frontend bypasses, and DOMPurify is a recommended tool for HTML sanitization.
Sensory-Minds GmbH
Offenbach am Main, Germany
33:29Sebastian Leuer
30:54Martina Kraus
27:32Jasmin Azemović
26:59Jakub Andrzejewski
44:11Raul Onitza-Klugman & Kirill Efimov
29:47Thomas Chauchefoin & Paul Gerste
58:19Michael Koppmann
27:10Sonya Moisset
Jobs that call for the skills explored in this talk.
Punk Security Ltd.
