DevSecCon London 2017: Hands-on secure software development from design to deployment by Gabor Pek


Transcript of DevSecCon London 2017: Hands-on secure software development from design to deployment by Gabor Pek

Join the conversation #DevSecCon

BY Gábor Pék, Co-founder and CTO at Avatao

Hands-on secure software development from design to deployment

About me

Intel virtualization hacks (e.g., XSA-59)

Research of advanced targeted attacks (Duqu, Flame, miniDuke)

Founder of !SpamAndHex (3x DEFCON CTF Finalist team)

PhD in virtualization and malware security (CrySyS Lab, BME)

Co-founder and CTO at Avatao (a CrySyS Lab Spin-off)

CrySyS Lab analyses high-profile targeted attacks

!SpamAndHex: 3x DEFCON CTF Finalists

Security is missing from education

Practical security at universities?

Apps failing security checks

Barnaby Jack pacemaker hack

Autonomous cars

Hacking in the media

Need good developers, not only hackers

Real learning: let them take it apart…

…but then you have to build something better

How to do it in practice?

“Bug parade is only half of the problem”

- Gary McGraw

Software security must cover each phase of SDLC!

Source -

The story

Let’s do something practical

Attack, fix and rewrite the legacy system of a spaceline company.

Try’n’Err Spaceline (Legacy and New)

https://avatao.com/events/devseccon2017

Check the Platform

Design

Bad DB design

Feature - Store basic user information
Vulnerability - No UNIQUE constraint on username
Fix legacy - Use of constraints

Implementation

Weak password policy

Feature - Handle user passwords
Vulnerability - Passwords are stored in plaintext
Fix legacy - Use strong hash functions
Misc - Check password strength (regex, zxcvbn from Dropbox)

Authentication Bypass

Feature - Login
Vulnerability - Authentication can be bypassed by SQL injection
Fix legacy - Prepared statements
Write new - Use Hibernate
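The two legacy defects above (a users table with no UNIQUE constraint on username, and a login query built by string concatenation) next to their fixes, as an added Python/sqlite3 illustration that is not part of the talk or the Avatao platform; the table name, sample account and injection input are constructed for the demo, and passwords stay plaintext here only to mirror the legacy system (the deck's separate fix for that is a strong hash).

```python
import sqlite3

# Constructed schema for the spaceline's users table.
# UNIQUE on username is the "Bad DB design" fix: a second "captain" cannot be registered.
SCHEMA = """
CREATE TABLE users (
    id       INTEGER PRIMARY KEY,
    username TEXT NOT NULL UNIQUE,
    password TEXT NOT NULL
);
"""


def new_db():
    """In-memory database seeded with one constructed sample account."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.execute("INSERT INTO users (username, password) VALUES (?, ?)",
                 ("captain", "secret"))
    return conn


def register(conn, username, password):
    """True on success, False when the UNIQUE constraint rejects a duplicate username."""
    try:
        conn.execute("INSERT INTO users (username, password) VALUES (?, ?)",
                     (username, password))
    except sqlite3.IntegrityError:
        return False
    return True


def legacy_login(conn, username, password):
    """Legacy check: SQL assembled from user input, so input can change the query.
    A username such as  captain' --  comments out the password test."""
    query = ("SELECT id FROM users WHERE username = '" + username +
             "' AND password = '" + password + "'")
    return conn.execute(query).fetchone() is not None


def fixed_login(conn, username, password):
    """Fixed check: a prepared statement; the values are bound, never parsed as SQL."""
    query = "SELECT id FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone() is not None
```

The same injection input that logs the legacy version in without a password is simply an unknown username to the prepared statement.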

Insecure Direct Object Reference

Feature - Flight and user information
Vulnerability - Accessing privileged resources
Fix legacy - Check access control by user ID
Write new - Use Spring to check ID and role

Regular Expression DoS

Feature - Registration (email RE in Spring)
Vulnerability - Evil REs get stuck on crafted inputs:
(a+)+
([a-zA-Z]+)*
(a|aa)+
(a|a?)+
(.*a){x} for x > 10

Source - OWASP

Open Redirect

Feature - Login
Vulnerability - Open Redirect
Attack new - Craft malicious URLs to bypass unvalidated redirects.

Operation

Source – The Phoenix Project

Tomcat listens on localhost:8005 by default to allow for shutdown.

Task - Say ”SHUTDOWN”.

The Final Countdown

Takeaway

Do your homework: design first

Frameworks

No framework is a silver bullet against bad code
Examples demonstrated: ReDoS, Open Redirect in Spring

Rubber duck debugging

Automated tests

Software security should go from design to deployment
