sf startup-security
TRANSCRIPT
Securing Your Applications
Michael [email protected] @_mwc
Thursday, May 30, 13
You are a target
The attackers are talented and motivated
Data Loss: Growing Problem
http://datalossdb.org/statistics
Data Loss & Breaches from Hacking
http://datalossdb.org/statistics; 2013 Verizon DBR
Data Loss: Outside Attackers
http://datalossdb.org/statistics; 2013 Verizon DBR
Security: The Basics
• Understand the problem space & challenges
• SSL isn’t as easy as adding “https”
• You can’t store passwords with just hashing
• SQL Injection & Cross Site Scripting should be understood by all developers
Where To Start?
• Focus on Risk - not vulnerability “flavor of the day”
• Reference top risks and customize
• OWASP Top 10
https://www.owasp.org/index.php/Top_10_2013-Top_10
1. Injection
2. Broken Authentication & Session Management
3. Cross Site Scripting (XSS)
4. Insecure Direct Object References
5. Security Misconfiguration
6. Sensitive Data Exposure
7. Missing Function Level Access Control
8. Cross Site Request Forgery (CSRF)
9. Using Components with Known Vulnerabilities
10. Unvalidated Redirects and Forwards
Password Storage
Password Storage Options (ordered weakest to strongest)
• Plain text / Home grown obfuscation (weakest)
• md5
• sha2 (256 / 512)
• sha2 with generic salt
• sha2 with per user salt
• Bcrypt or PBKDF2 (strongest; currently considered acceptable)
https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet
SQL Injection
SQL Injection Worries
• Issue
• SQL statements don’t properly handle user supplied data
• Users change intent of SQL executed by DB
• Risk
• Data Compromise
• Corruption of Data
Into the Details
• Intent: Select * from users where lastname = ' + someVar + ';
• Attacker enters: x' or 1=1--
• Result: Select * from users where lastname = 'x' or 1=1-- ';
• Solution: Parameterized Queries
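The slide's Intent / Result / Solution, run end to end as an added example (not code from the talk), against a constructed in-memory SQLite table: the concatenated query returns every row for the input shown on the slide, while the parameterized query treats the same input as a literal last name.

```python
import sqlite3

# The attacker input quoted on the slide.
ATTACKER_INPUT = "x' or 1=1--"


def make_db() -> sqlite3.Connection:
    """Constructed sample data for the example."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, lastname TEXT)")
    conn.executemany("INSERT INTO users (lastname) VALUES (?)",
                     [("smith",), ("jones",), ("lee",)])
    return conn


def find_by_lastname_concat(conn: sqlite3.Connection, lastname: str) -> list:
    """The slide's 'Intent': string concatenation. User data becomes SQL syntax,
    so a quote and a comment marker in the value rewrite the WHERE clause."""
    sql = "SELECT * FROM users WHERE lastname = '" + lastname + "'"
    return conn.execute(sql).fetchall()


def find_by_lastname_param(conn: sqlite3.Connection, lastname: str) -> list:
    """The slide's 'Solution': a parameterized query. The statement is fixed and the
    value travels separately, so nothing in it can change what the DB executes."""
    return conn.execute("SELECT * FROM users WHERE lastname = ?", (lastname,)).fetchall()


if __name__ == "__main__":
    conn = make_db()
    print(find_by_lastname_concat(conn, "smith"))         # one row, as intended
    print(find_by_lastname_concat(conn, ATTACKER_INPUT))  # all three rows: intent changed
    print(find_by_lastname_param(conn, ATTACKER_INPUT))   # []: input treated as a name
```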
Cross Site Scripting
XSS Example
[figure: a page with a Name field whose submission is reflected into the page; a Login/Pass form on that page now submits to the evil site; injected javascript; "install malware"]
(1) Attacker submits malicious code
(2) Code is now part of webpage
(3) Malicious site steals passwords & installs malware
(4) Attacker spreads malicious URL: http://site.com/%3cscript%3edocument%2e
Tackling Cross Site Scripting
• In Code
• Output encoding
• Context is important - see OWASP XSS Cheat Sheet
• Working with browsers to eliminate XSS
• Content Security Policy
https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet
https://developer.mozilla.org/en-US/docs/Security/CSP
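Output encoding by context, as the slide and the OWASP XSS cheat sheet describe it, plus a check that a Content Security Policy does not allow inline scripts. This is an added example, not code from the talk; the attacker string and the profile template are constructed for it.

```python
import html
import re

# Constructed attacker input, standing in for the "malicious code" submitted in step (1).
HOSTILE = "<script>alert(document.cookie)</script>"


def encode_html_body(value: str) -> str:
    """Text between tags: entity-encode & < > " ' so the browser renders them as text."""
    return html.escape(value, quote=True)


def encode_html_attr(value: str) -> str:
    """A quoted attribute value: same entities, and the template must always quote the
    attribute, since an unquoted value can be broken out of with a space."""
    return html.escape(value, quote=True)


def encode_js_string(value: str) -> str:
    """A value inside a quoted JavaScript string literal: escape every non-alphanumeric
    character as \\xHH (or \\uHHHH), so quotes and </script> cannot end the context."""
    def esc(m):
        code = ord(m.group(0))
        return "\\x%02x" % code if code < 256 else "\\u%04x" % code
    return re.sub(r"[^A-Za-z0-9]", esc, value)


def render_profile(name: str) -> str:
    """Each insertion point uses the encoder for its own context."""
    return (
        f"<p>Name: {encode_html_body(name)}</p>\n"
        f'<input type="text" value="{encode_html_attr(name)}">\n'
        f"<script>var who = '{encode_js_string(name)}';</script>"
    )

# Defense in depth: a CSP without 'unsafe-inline' stops injected inline <script> from running.
CSP_HEADER = ("Content-Security-Policy", "default-src 'self'; script-src 'self'")


def csp_blocks_inline_scripts(policy_value: str) -> bool:
    directives = {}
    for directive in policy_value.split(";"):
        parts = directive.split()
        if parts:
            directives[parts[0].lower()] = parts[1:]
    sources = directives.get("script-src", directives.get("default-src"))
    if sources is None:
        return False  # no script policy at all, so inline scripts run
    return "'unsafe-inline'" not in sources
```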
SSL
Insecure Session Management
• Secure login over HTTPS
• Password submitted encrypted
• Immediate redirect to HTTP
• Session ID sent cleartext <-- vulnerability point
[SSL] Request https://site.com/login
[SSL] Response: Set SessionID: 5593…
Request http://site.com/profile, SessionID: 5593… (cleartext)
Response
Insecure Redirects
• User requests HTTP page, response redirects HTTPS
• 302 Response is HTTP <-- Vulnerability Point
Get http://mybank.com
302 Redirect, Location: https://mybank.com
[SSL] Get https://mybank.com
200 Found
Secure Design for Communication
• HTTP Strict Transport Security (HSTS)
• Opt-in security control
• Website instructs compatible browser to enable STS for site
• HSTS Forces (for enabled site):
• All communication over HTTPS
• No insecure HTTP requests sent from browser
• No option for user to override untrusted certificates
Strict Transport Security
• Browser prevents HTTP requests to HSTS site
• Any request to site is “upgraded” to HTTPS
• No clear text HTTP traffic ever sent to HSTS site
• Browser assumes HTTPS for HSTS sites
Get http://mybank.com --> (HSTS: browser upgrades) --> [SSL] Get https://mybank.com
200 Found
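The browser side of the two HSTS slides, as an added example (not code from the talk): a small HSTS cache that learns the policy only from an HTTPS response, honours max-age and includeSubDomains, and rewrites any http:// request to a known host to https:// before it would leave the browser, which is what closes the cleartext session-ID and insecure-redirect gaps shown earlier. The class, its method names and the clock injection are this example's own choices.

```python
import time
from typing import Callable, Dict, Tuple
from urllib.parse import urlsplit, urlunsplit


class HstsCache:
    """host -> (expiry timestamp, include_subdomains), as a browser would keep it."""

    def __init__(self, now: Callable[[], float] = time.time) -> None:
        self._now = now
        self._hosts: Dict[str, Tuple[float, bool]] = {}

    def observe_response(self, url: str, headers: dict) -> None:
        """Record an HSTS policy, but only from an HTTPS response: a header seen over
        plain HTTP could have been injected by whoever was in the path, so it is ignored."""
        parts = urlsplit(url)
        value = headers.get("Strict-Transport-Security")
        if parts.scheme != "https" or not value or not parts.hostname:
            return
        max_age, include_sub = None, False
        for directive in value.split(";"):
            name, _, val = directive.strip().partition("=")
            if name.lower() == "max-age" and val.strip().isdigit():
                max_age = int(val)
            elif name.lower() == "includesubdomains":
                include_sub = True
        if max_age is None:
            return
        if max_age == 0:                        # max-age=0 means "forget this host"
            self._hosts.pop(parts.hostname, None)
        else:
            self._hosts[parts.hostname] = (self._now() + max_age, include_sub)

    def is_known(self, host: str) -> bool:
        for known, (expiry, include_sub) in self._hosts.items():
            if expiry <= self._now():
                continue
            if host == known or (include_sub and host.endswith("." + known)):
                return True
        return False

    def rewrite(self, url: str) -> str:
        """The slide's 'upgrade': an http:// request to a known host leaves as https://."""
        parts = urlsplit(url)
        if parts.scheme == "http" and parts.hostname and self.is_known(parts.hostname):
            return urlunsplit(("https",) + tuple(parts[1:]))
        return url
```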
Building a Security Culture
Security Culture
• Set guidelines that are usable
• Ensure security is a priority, not a “tax”
• Security can live in all stages:
• Planning, Dev, QA, Deployment, Monitoring
https://wiki.mozilla.org/WebAppSec/Secure_Coding_Guidelines
Tools to Assist
• Free
• OWASP ZAP Proxy - owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project
• Security Cheat Sheets - owasp.org/index.php/Cheat_Sheets
• Learning Lab OWASP Webgoat - owasp.org/index.php/Category:OWASP_WebGoat_Project
• Extensive OWASP guidelines - owasp.org
• Professional Tools
• Static / Dynamic Analysis
• Security Architecture Reviews
• Ongoing or point-in-time penetration tests
Takeaways
• Security is a concern for your business
• Tackle security fundamentals
• Build a culture of security & leverage available resources
Thanks!
@_mwc