sf startup-security

Securing Your Applications Michael Coates [email protected] @_mwc Thursday, May 30, 13

Post on 09-Jun-2015


Page 1: Sf startup-security

Securing Your Applications

Michael Coates
[email protected]
@_mwc

Thursday, May 30, 13

Page 2: Sf startup-security

You are a target

The attackers are talented and motivated

Page 3: Sf startup-security

Data Loss: Growing Problem

http://datalossdb.org/statistics

Page 4: Sf startup-security

Data Loss & Breaches from Hacking

http://datalossdb.org/statistics

2013 Verizon DBIR

Page 5: Sf startup-security

Data Loss: Outside Attackers

http://datalossdb.org/statistics

2013 Verizon DBIR

Page 6: Sf startup-security

Security The Basics

• Understand the problem space & challenges

• SSL isn’t as easy as “https”

• You can’t store passwords with just hashing

• SQL Injection & Cross Site Scripting should be understood by all developers

Page 7: Sf startup-security

Where To Start?

• Focus on Risk - not vulnerability “flavor of the day”

• Reference top risks and customize

• OWASP Top 10

https://www.owasp.org/index.php/Top_10_2013-Top_10

1. Injection

2. Broken Authentication & Session Management

3. Cross Site Scripting (XSS)

4. Insecure Direct Object References

5. Security Misconfiguration

6. Sensitive Data Exposure

7. Missing Function Level Access Control

8. Cross Site Request Forgery (CSRF)

9. Using Components with Known Vulnerabilities

10. Unvalidated Redirects and Forwards

Page 8: Sf startup-security

Password Storage

Page 9: Sf startup-security

Password Storage Options

• Plain text / Home grown obfuscation

• md5

• sha2 (256 / 512)

• sha2 with generic salt

• sha2 with per user salt

• Bcrypt or PBKDF2

https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet

(Options are listed from weakest to strongest; Bcrypt or PBKDF2 is currently considered acceptable.)
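As an added illustration of the slide's "currently considered acceptable" option (this is example code written for this transcript, not code from the talk or from OWASP), the block below stores passwords with PBKDF2-HMAC-SHA256 using a fresh random salt per user and a self-describing record format, verifies them in constant time, and contrasts that with the unsalted sha2 option from the middle of the list. The record layout, the iteration count and the function names are this example's own choices; the iteration count in particular is a placeholder to be tuned to your hardware.

```python
import base64
import hashlib
import hmac
import os

# Work factor for PBKDF2-HMAC-SHA256. This value is a constructed choice for the
# example: tune it so one hash costs a noticeable fraction of a second on your
# servers, and raise it over time as hardware gets faster.
ITERATIONS = 600_000
SALT_BYTES = 16


def _b64(data):
    return base64.b64encode(data).decode("ascii")


def hash_password(password, iterations=ITERATIONS, salt=None):
    """Return a record of the form algorithm$iterations$salt$derived_key.

    Storing the parameters beside the hash lets the work factor be raised later
    without invalidating existing records.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # random per-user salt: same password, different hash
    derived = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join(["pbkdf2_sha256", str(iterations), _b64(salt), _b64(derived)])


def verify_password(password, record):
    """True if password matches the stored record; False for any malformed record."""
    try:
        algorithm, iterations_text, salt_b64, derived_b64 = record.split("$")
        if algorithm != "pbkdf2_sha256":
            return False
        iterations = int(iterations_text)
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(derived_b64)
    except (ValueError, TypeError):
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations, dklen=len(expected)
    )
    # Constant-time comparison so timing does not leak how many bytes matched.
    return hmac.compare_digest(candidate, expected)


def needs_rehash(record, iterations=ITERATIONS):
    """True when a record uses a weaker work factor than current policy (rehash on next login)."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return True
    try:
        return int(parts[1]) < iterations
    except ValueError:
        return True


def unsalted_sha256(password):
    """The slide's 'sha2 (256 / 512)' option, for contrast: no salt, single fast
    round. Two users with the same password get the same digest, so one
    precomputed table cracks every account at once."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()
```

On login, call `verify_password` and, if it succeeds and `needs_rehash` is true, replace the record with a fresh `hash_password` result so old accounts migrate to the current work factor.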

Page 10: Sf startup-security

SQL Injection

Page 11: Sf startup-security

SQL Injection Worries

• Issue

• SQL statements don’t properly handle user supplied data

• Users change intent of SQL executed by DB

• Risk

• Data Compromise

• Corruption of Data

Page 12: Sf startup-security

Into the Details

• Intent: Select * from users where lastname = ' + someVar + ';

• Attacker enters: x' or 1=1--

• Result: Select * from users where lastname = 'x' or 1=1--';

• Solution: Parameterized Queries
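To make the slide's point concrete, here is an added example (written for this transcript, not taken from the talk) that runs the intent query both ways against an in-memory SQLite table: once built by string concatenation, once as a parameterized query. The table contents and function names are constructed for the example; the input string is the one shown on the slide.

```python
import sqlite3

# Constructed sample data for the demonstration.
USERS = [("alice", "Smith"), ("bob", "Jones"), ("carol", "Smith")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("create table users (username text, lastname text)")
    conn.executemany("insert into users values (?, ?)", USERS)
    return conn


def find_by_lastname_concat(conn, some_var):
    """The slide's 'Intent' query built by string concatenation.

    The user's text becomes part of the SQL itself, so a quote character in the
    input changes the statement the database parses: the intended filter becomes
    ... lastname = 'x' or 1=1--' and the trailing quote is commented out.
    """
    sql = "select username from users where lastname = '" + some_var + "';"
    return [row[0] for row in conn.execute(sql)]


def find_by_lastname_param(conn, some_var):
    """The slide's 'Solution': a parameterized query.

    The SQL text is fixed at development time; the value is handed to the driver
    separately and is only ever compared as data, never parsed as SQL.
    """
    sql = "select username from users where lastname = ?;"
    return [row[0] for row in conn.execute(sql, (some_var,))]


def compare(some_var):
    """Run both variants on the same input and return the two result sets."""
    conn = make_db()
    return sorted(find_by_lastname_concat(conn, some_var)), sorted(find_by_lastname_param(conn, some_var))
```

For a normal last name both functions return the same rows; for the slide's input the concatenated version returns every user while the parameterized version returns nothing, because no one has the literal last name `x' or 1=1--`.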

Page 13: Sf startup-security

Cross Site Scripting

Page 14: Sf startup-security

XSS Example

[Diagram: a page with a "Name:" field and submit button; a spoofed "Login: / Pass:" form that submits to the attacker's site; injected javascript; "<install malware>". The slide image also contained a screenshot of a Firefox login form (<form action="/en-US/firefox/users/login" method="post" id="login"> with a hidden data[Login][referer] input).]

(1) Attacker submits malicious code

(2) Code is now part of webpage

(3) Malicious site steals passwords & installs malware

(4) Attacker spreads malicious URL: http://site.com/%3cscript%3edocument%2e

Page 15: Sf startup-security

Tackling Cross Site Scripting

• In Code

• Output encoding

• Context is important - see OWASP XSS Cheat Sheet

• Working with browsers to eliminate XSS

• Content Security Policy

https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet

https://developer.mozilla.org/en-US/docs/Security/CSP
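The slide says output encoding must match the context the value lands in. The added example below (written for this transcript; not the talk's code and not the OWASP or Mozilla reference implementations) places one untrusted value into an HTML body, a quoted attribute and a JavaScript string literal, each with its own encoder, and serializes a simple Content-Security-Policy header. The encoder and policy names are this example's own; the HTML-body and attribute encoders are Python's `html.escape`, the JavaScript encoder hex-escapes everything outside alphanumeric ASCII and space.

```python
import html


def encode_for_html_body(value):
    """Text between tags: escape & < > so the browser renders input as text, not markup."""
    return html.escape(value, quote=False)


def encode_for_html_attribute(value):
    """Quoted attribute value: additionally escape both quote characters."""
    return html.escape(value, quote=True)


def encode_for_js_string(value):
    """Inside a quoted JavaScript string literal: \\xHH / \\uHHHH-escape every
    character that is not alphanumeric ASCII or a space, so neither a quote nor
    a closing </script> can break out of the literal."""
    out = []
    for ch in value:
        if (ch.isascii() and ch.isalnum()) or ch == " ":
            out.append(ch)
        elif ord(ch) < 0x100:
            out.append("\\x%02x" % ord(ch))
        else:
            out.append("\\u%04x" % ord(ch))
    return "".join(out)


def render_profile(display_name):
    """The same untrusted value in three contexts, each with the matching encoder.

    Note that HTML-body encoding alone would not protect the JavaScript context:
    html.escape leaves the single quote untouched, so a value like  '; alert(1); //
    would terminate the string literal and run as code.
    """
    return (
        "<p>Hello, " + encode_for_html_body(display_name) + "</p>\n"
        + '<input type="text" name="name" value="'
        + encode_for_html_attribute(display_name) + '">\n'
        + "<script>var displayName = '" + encode_for_js_string(display_name) + "';</script>"
    )


def csp_header(policy):
    """Serialize {"directive": [sources...]} into a Content-Security-Policy header value.

    With script-src limited to 'self', an injected inline <script> is refused by a
    CSP-aware browser even if an encoding mistake lets it reach the page.
    """
    return "; ".join(name + " " + " ".join(sources) for name, sources in policy.items())


# Constructed example policy: scripts only from this origin, no plugins.
STRICT_POLICY = {
    "default-src": ["'self'"],
    "script-src": ["'self'"],
    "object-src": ["'none'"],
}
```

The policy dictionary is deliberately minimal; real sites add directives for images, styles and `report-uri` as the Mozilla CSP documentation linked above describes.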

Page 16: Sf startup-security

SSL

Page 17: Sf startup-security

Insecure Session Management

• Secure login over HTTPS

• Password submitted encrypted

• Immediate redirect to HTTP

• Session ID sent cleartext <-- vulnerability point

[Diagram: two exchanges between the browser and site.com]

1. https://site.com/login (SSL): Request -> Response: Set SessionID: 5593…

2. http://site.com/profile (cleartext): Request with SessionID: 5593… -> Response

Page 18: Sf startup-security

Insecure Redirects

• User requests HTTP page, response redirects HTTPS

• 302 Response is HTTP <-- Vulnerability Point

[Diagram: browser <-> mybank.com]

GET http://mybank.com (cleartext)

302 Redirect, Location: https://mybank.com (cleartext)

GET https://mybank.com (SSL)

200 Found

Page 19: Sf startup-security

Secure Design for Communication

• HTTP Strict Transport Security (HSTS)

• Opt-in security control

• Website instructs compatible browser to enable STS for site

• HSTS Forces (for enabled site):

• All communication over HTTPS

• No insecure HTTP requests sent from browser

• No option for user to override untrusted certificates

Page 20: Sf startup-security

Strict Transport Security

• Browser prevents HTTP requests to HSTS site

• Any request to site is “upgraded” to HTTPS

• No clear text HTTP traffic ever sent to HSTS site

• Browser assumes HTTPS for HSTS sites

[Diagram: browser <-> HSTS-enabled mybank.com]

GET http://mybank.com -> upgraded by the browser to GET https://mybank.com (SSL)

200 Found
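The two vulnerability points on pages 17 and 18 (a session ID sent over cleartext HTTP, and a cleartext 302 that points at HTTPS) are both closed by the browser behaviour pages 19 and 20 describe. The added example below (written for this transcript, not code from the talk or from any browser) models that browser-side state: it parses a Strict-Transport-Security header, remembers the policy only when it arrived over HTTPS, honours max-age expiry and includeSubDomains, and rewrites http:// URLs to https:// before any request would be sent. The class and function names, the header values and the hostnames site.com and mybank.com used in the tests are taken from the slides or constructed for the example.

```python
import time
from urllib.parse import urlsplit, urlunsplit


def parse_hsts_header(value):
    """Parse a Strict-Transport-Security header value.

    Returns (max_age_seconds, include_subdomains), or None if the header is
    malformed or lacks the mandatory max-age directive.
    """
    max_age = None
    include_subdomains = False
    for directive in value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, raw = directive.partition("=")
        name = name.strip().lower()
        if name == "max-age":
            try:
                max_age = int(raw.strip().strip('"'))
            except ValueError:
                return None
        elif name == "includesubdomains":
            include_subdomains = True
    if max_age is None or max_age < 0:
        return None
    return max_age, include_subdomains


class HstsStore:
    """Minimal model of the per-host state a browser keeps for HSTS."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._hosts = {}  # host -> (expiry timestamp, include_subdomains)

    def learn(self, response_scheme, host, header_value):
        """Record a policy from a response. Returns True if state was stored or cleared."""
        # The header only counts when it arrived over HTTPS. Over cleartext an
        # on-path attacker could inject or strip it, so browsers ignore it there.
        if response_scheme != "https":
            return False
        parsed = parse_hsts_header(header_value)
        if parsed is None:
            return False
        max_age, include_subdomains = parsed
        host = host.lower()
        if max_age == 0:
            self._hosts.pop(host, None)  # max-age=0 tells the browser to forget the host
            return True
        self._hosts[host] = (self._clock() + max_age, include_subdomains)
        return True

    def is_hsts_host(self, host):
        """True if host, or a parent domain that set includeSubDomains, has a live policy."""
        labels = host.lower().split(".")
        now = self._clock()
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            entry = self._hosts.get(candidate)
            if entry is None:
                continue
            expires, include_subdomains = entry
            if expires <= now:
                del self._hosts[candidate]  # expired policy: behave as if never seen
                continue
            if i == 0 or include_subdomains:
                return True
        return False

    def rewrite(self, url):
        """Upgrade an http:// URL to https:// when a policy applies; otherwise return it unchanged.

        This happens before any request leaves the browser, so neither the
        cleartext session cookie nor the cleartext 302 from the earlier slides
        is ever put on the wire.
        """
        parts = urlsplit(url)
        if parts.scheme != "http" or not parts.hostname or not self.is_hsts_host(parts.hostname):
            return url
        netloc = parts.hostname
        if parts.port is not None and parts.port != 80:
            netloc += ":%d" % parts.port  # explicit port 80 becomes the implicit 443; other ports are kept
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))
```

Run through the slides' scenario: after one HTTPS response from site.com carrying the header, `rewrite("http://site.com/profile")` yields the HTTPS URL, so the session ID from page 17 is never sent in the clear; a header seen on a cleartext response, as in the page 18 redirect, is ignored.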

Page 21: Sf startup-security

Building a Security Culture

Page 22: Sf startup-security

Security Culture

• Set guidelines that are usable

• Ensure security is a priority, not a “tax”

• Security can live in all stages:

• Planning, Dev, QA, Deployment, Monitoring

https://wiki.mozilla.org/WebAppSec/Secure_Coding_Guidelines

Page 23: Sf startup-security

Tools to Assist

• Free

• OWASP ZAP Proxy - owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project

• Security Cheat Sheets - owasp.org/index.php/Cheat_Sheets

• Learning Lab OWASP Webgoat - owasp.org/index.php/Category:OWASP_WebGoat_Project

• Extensive OWASP guidelines - owasp.org

• Professional Tools

• Static / Dynamic Analysis

• Security Architecture Reviews

• Ongoing or point-in-time penetration tests

Page 24: Sf startup-security

Take Aways

• Security is a concern for your business

• Tackle security fundamentals

• Build a culture of security & leverage available resources