let's sleep better: programming techniques to face new security attacks in cloud
TRANSCRIPT
@gpaterno
Giuseppe “Gippa” Paternò
Input validation with Django forms (each field declares a type and a maximum length; only data that passed validation is available in cleaned_data):

from django import forms

class Person(forms.Form):
    username = forms.CharField(max_length=50)
    name = forms.CharField(max_length=50)
    surname = forms.CharField(max_length=50)
    email = forms.EmailField(max_length=50, label='E-mail')

form = Person(request.POST)
if form.is_valid():
    # only validated, typed data is copied into the session
    request.session['name'] = form.cleaned_data['name']
    request.session['surname'] = form.cleaned_data['surname']
Bad (user input is interpolated straight into the HTML, so a name containing markup is rendered as markup):

from django.http import HttpResponse

def say_hello(request):
    name = request.GET.get('name', 'world')
    return HttpResponse('<h1>Hello, %s!</h1>' % name)
Good (the template engine auto-escapes {{ name }} when rendering):

from django.shortcuts import render

def say_hello(request):
    name = request.GET.get('name', 'world')
    return render(request, 'hello.html', {'name': name})

# hello.html
<h1>Hello, {{ name }}!</h1>
Bad (the filename is joined to BASE_PATH without any check, so ".." components or an absolute path escape the base directory):

import os

def dump_file(request):
    filename = request.GET["filename"]
    filename = os.path.join(BASE_PATH, filename)
    content = open(filename).read()
Good (URL-decode and normalise the path, then drop empty, "." and ".." components before joining; this is the sanitisation used by Django's own static file view):

import os
import posixpath
import urllib

path = posixpath.normpath(urllib.unquote(path))
newpath = ''
for part in path.split('/'):
    if not part:
        # strip empty path components
        continue
    drive, part = os.path.splitdrive(part)
    head, part = os.path.split(part)
    if part in (os.curdir, os.pardir):
        # strip '.' and '..' so the result can never climb above the base
        continue
    newpath = os.path.join(newpath, part).replace('\\', '/')
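The sanitisation loop above, wrapped into a function and exercised against traversal inputs, as an added example that is not part of the slides. It is Python 3 (urllib.parse.unquote instead of urllib.unquote); BASE_PATH and the sample inputs are constructed for the demonstration.

```python
import os
import posixpath
from urllib.parse import unquote

# Constructed base directory for the demonstration (not a value from the slides).
BASE_PATH = "/srv/app/files"


def sanitize_relative_path(user_path):
    """Reduce a user-supplied path to a clean relative path.

    Same steps as the slide: URL-decode once, normalise, then drop empty,
    '.' and '..' components and any drive prefix. Whatever survives cannot
    climb above the directory it is later joined to.
    """
    path = posixpath.normpath(unquote(user_path))
    newpath = ""
    for part in path.split("/"):
        if not part:
            continue  # empty component (leading "/" or "//")
        _drive, part = os.path.splitdrive(part)  # strip "C:"-style prefixes
        _head, part = os.path.split(part)        # keep only the last element
        if part in (os.curdir, os.pardir):
            continue  # "." and ".." never reach the result
        newpath = os.path.join(newpath, part).replace("\\", "/")
    return newpath


def safe_join(base, user_path):
    """Join the sanitised path under base and verify it stayed inside.

    A correct sanitiser makes the final check redundant; it is kept because
    the containment property is what a reviewer wants to see asserted.
    """
    rel = sanitize_relative_path(user_path)
    full = os.path.normpath(os.path.join(base, rel))
    if full != base and not full.startswith(base + os.sep):
        raise ValueError("path escapes base directory: %r" % user_path)
    return full


if __name__ == "__main__":
    # Constructed sample requests: plain traversal, URL-encoded traversal,
    # an absolute path and a legitimate relative path.
    for candidate in ("../../etc/passwd", "%2e%2e/%2e%2e/etc/passwd",
                      "/etc/passwd", "reports/2024/../q1.csv"):
        print("%-28s -> %s" % (candidate, safe_join(BASE_PATH, candidate)))
```

Note that decoding is applied once, as on the slide: a double-encoded name such as %252e%252e decodes to the literal file name "%2e%2e" and is treated as a plain component, not as traversal.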
Middleware (settings.py):

MIDDLEWARE_CLASSES = (
    'django.middleware.csrf.CsrfViewMiddleware',
    # ...
)

In Template:

<form method="POST" action="{% url 'my_view' %}">
    {% csrf_token %}
    {{ form.as_p }}
    <button class="btn btn-primary" type="submit">Submit</button>
</form>
@gpaterno
… if you can't use your framework …
• Escape user input
• White list
• Stored procedures
• Parametrised queries
@gpaterno
• 10 million victims of identity theft in the USA in 2008 (Javelin Strategy and Research, 2009)
• $221 billion lost every year due to identity theft (Aberdeen Group)
• 35 billion corporate and government records compromised in 2010 (Aberdeen Group)
• 2 years of a working resource needed to correct the damage due to identity theft (ITRC Aftermath Study, 2004)
• $2 billion of damage reported in Italy in 2009 (Ricerca ABI)
import ipaddress

# look up the calling application by its APP ID and APP Secret
# ([0] raises IndexError when no application matches, which ends the request)
app = Applications.objects.filter(uuid=app_id, secret=app_secret)[0]
can_delete = app.can_delete
can_write = app.can_write
privacy = app.privacy

# network restriction: the caller must come from the application's allowed network
is_authorized = False
try:
    # IPv4
    if ipaddress.ip_address(remote_address).version == 4:
        if ipaddress.IPv4Address(remote_address) in \
                ipaddress.IPv4Network(app.ipv4_net):
            is_authorized = True
    # IPv6
    else:
        if ipaddress.IPv6Address(remote_address) in \
                ipaddress.IPv6Network(app.ipv6_net):
            is_authorized = True
except ValueError:
    # malformed address or network definition: deny
    is_authorized = False
from django.http import HttpResponse
from ratelimit.decorators import ratelimit

@ratelimit(key='ip')                 # default rate, keyed on the client IP
def myview(request):
    # ...
    return HttpResponse('ok')

@ratelimit(key='ip', rate='100/h')   # at most 100 requests per hour per client IP
def secondview(request):
    # ...
    return HttpResponse('ok')
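What a rate such as '100/h' keyed on the client IP does in practice, as an added example that is not part of the slides and not the ratelimit library's own code: a fixed-window counter per key, written in plain Python so it runs without Django. The rate syntax, the window scheme, the injectable clock and the sample request list are all assumptions made for the demonstration.

```python
import time
from collections import defaultdict

# Unit suffixes for the "count/period" rate syntax (assumed here, e.g. "100/h").
_PERIOD_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400}


def parse_rate(rate):
    """Turn "100/h" into (100, 3600); "10/5m" style periods are accepted too."""
    count, period = rate.split("/")
    unit = period[-1]
    if unit not in _PERIOD_SECONDS:
        raise ValueError("unknown period unit: %r" % unit)
    multiplier = int(period[:-1]) if len(period) > 1 else 1
    return int(count), multiplier * _PERIOD_SECONDS[unit]


class FixedWindowLimiter:
    """Counts hits per key within fixed windows of `period` seconds.

    `key` is whatever identifies the caller (the client IP for key='ip').
    `clock` is injectable so the behaviour can be exercised offline.
    """

    def __init__(self, rate, clock=time.time):
        self.limit, self.period = parse_rate(rate)
        self.clock = clock
        self._hits = defaultdict(int)  # (key, window number) -> hit count

    def _window(self):
        return int(self.clock() // self.period)

    def is_limited(self, key):
        """Record one hit and report whether the caller is now over the limit."""
        bucket = (key, self._window())
        self._hits[bucket] += 1
        return self._hits[bucket] > self.limit


def simulate(rate, requests):
    """requests: constructed list of (timestamp, client_ip).
    Returns one (client_ip, limited) decision per request."""
    now = [0.0]
    limiter = FixedWindowLimiter(rate, clock=lambda: now[0])
    decisions = []
    for ts, ip in requests:
        now[0] = ts
        decisions.append((ip, limiter.is_limited(ip)))
    return decisions


if __name__ == "__main__":
    # Constructed traffic: four quick requests from one client, one from
    # another, then the first client again in the next window.
    sample = [(0, "10.0.0.1"), (1, "10.0.0.1"), (2, "10.0.0.1"),
              (3, "10.0.0.1"), (4, "10.0.0.2"), (61, "10.0.0.1")]
    for ip, limited in simulate("3/m", sample):
        print(ip, "limited" if limited else "allowed")
```

A fixed window is simple and cheap but allows up to twice the limit across a window boundary; a sliding window or token bucket is the usual refinement when that matters.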
@gpaterno
Example: SecurePass APIs
• RESTful APIs
• mixture of POST (in request) and JSON (in response)
• Channel encrypted with TLS using high-strength ciphers
• Endpoint identified by APP ID and APP Secret
• Example: /api/v1/users/info
API limits:
• in capabilities, an APP ID is either read-only or read-write
• in network, an APP ID can be limited to a given IPv4/IPv6 network
• in scope, an APP ID is linked to only a specific realm/domain
@gpaterno
For the braves: Mandatory Access Control
• Isolate API endpoint processes from each other and other processes on a machine.
• Use Mandatory Access Controls (MAC) on top of Discretionary Access Controls to segregate processes, e.g. SELinux
• Objective: containment and escalation of API endpoint security breaches.
• Use of MACs at the OS level severely limits access to resources and provides earlier alerting on such events.
@gpaterno
Authenticate User (2FA must)
Request Device ID to backend
Keep track of device info (OS, name, …)
Generate unique ID for the mobile
Use Device ID for every request
Update last device ID timestamp
Re-challenge user auth if not used
Allow device deletion (lost/stolen)
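The device lifecycle listed above, implemented as an added example that is not part of the slides: a per-user registry that issues a device ID after authentication, refreshes its last-used timestamp on every request, demands re-authentication after a period of inactivity, and lets the owner delete a lost or stolen device. The idle threshold, the record layout and the injectable clock are assumptions made for the demonstration; the 2FA login itself is outside the example.

```python
import secrets
import time

# Constructed policy value (not from the slides): re-challenge the user when the
# device has not been used for this many seconds.
IDLE_REAUTH_SECONDS = 30 * 24 * 3600


class DeviceRegistry:
    """Per-user mobile device registry following the slide's steps."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self._devices = {}  # device_id -> record

    def register(self, username, os_name, device_name):
        """Steps 2-4: called only after the user authenticated (with 2FA).
        Returns the unique, unpredictable device ID the app must send back."""
        device_id = secrets.token_urlsafe(32)
        now = self.clock()
        self._devices[device_id] = {
            "user": username,
            "os": os_name,
            "name": device_name,
            "registered": now,
            "last_used": now,
        }
        return device_id

    def check(self, device_id, username):
        """Steps 5-7: validate a request that carries a device ID.

        Returns "ok", "reauth" (idle too long: challenge the user again) or
        "unknown" (never registered, deleted, or owned by another user).
        """
        rec = self._devices.get(device_id)
        if rec is None or rec["user"] != username:
            return "unknown"
        now = self.clock()
        if now - rec["last_used"] > IDLE_REAUTH_SECONDS:
            return "reauth"  # timestamp is not refreshed until re-auth succeeds
        rec["last_used"] = now  # step 6
        return "ok"

    def reauthenticated(self, device_id):
        """After a successful re-challenge the device is active again."""
        self._devices[device_id]["last_used"] = self.clock()

    def delete(self, device_id, username):
        """Step 8: the owner removes a lost or stolen device."""
        rec = self._devices.get(device_id)
        if rec is None or rec["user"] != username:
            return False
        del self._devices[device_id]
        return True

    def list_devices(self, username):
        """Step 3: the device info kept per user (OS, name)."""
        return [(did, r["os"], r["name"])
                for did, r in self._devices.items() if r["user"] == username]


if __name__ == "__main__":
    clock = [1000.0]
    registry = DeviceRegistry(clock=lambda: clock[0])
    did = registry.register("alice", "Android", "Pixel")   # constructed user
    print(registry.check(did, "alice"))                     # ok
    clock[0] += IDLE_REAUTH_SECONDS + 1
    print(registry.check(did, "alice"))                     # reauth
    registry.reauthenticated(did)
    print(registry.delete(did, "alice"), registry.check(did, "alice"))
```

Unknown and foreign-owned device IDs return the same answer, so a caller cannot tell whether an ID exists for another user; the "reauth" branch deliberately leaves the timestamp untouched so an idle device cannot refresh itself without the user passing the challenge.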
@gpaterno
Static code analysers
• http://samate.nist.gov/index.php/Source_Code_Security_Analyzers.html
• http://en.wikipedia.org/wiki/List_of_tools_for_static_code_analysis
• https://github.com/google/firing-range
@gpaterno
<vendor>
</vendor>
• Cloud Identity Management
• Two Factor Authentication
• Web Single Sign-On
Few minutes to integrate: www.secure-pass.net (free account available)
• Remote audit of the service
• Compliance check
• Easy to read report
http://www.garl.ch/
@gpaterno
“Giuseppe is paving the way for enterprises to embrace OpenStack. Telecom Italia is, nonetheless, among these enterprises.”
Gianluca Pancaccini, CIO of Telecom Italia
“Giuseppe has done a great job of creating an important source of information on OpenStack technology”
Jeff Cotten, CEO of RackSpace International
“SUSE appreciates Giuseppe's clear and concise explanation of OpenStack and its architecture. This will be a valuable resource.”
Ralf Flaxa, VP of Engineering SUSE
Donate now: https://life-changer.helvetas.ch/openstack