Security is not a feature

SECURITY IS NOT A FEATURE It’s a state of mind


Transcript of Security is not a feature

Page 1: Security is not a feature

SECURITY IS NOT A FEATURE
It’s a state of mind

Page 2: Security is not a feature

WHY TALK ABOUT SECURITY?
• Everyone knows you filter input and escape output
• Everyone knows you use https or tls or some other magic cryptography
• Everyone knows you use prepared statements
• Everyone knows you apply security patches to your system
• Everyone knows as long as you’re PCI compliant you’re safe
• Everyone knows a firewall appliance blocks everything
• Everyone is stupid

Page 3: Security is not a feature

E_TOTALLY_SCREWED

Page 4: Security is not a feature

AND REMEMBER, THE NSA IS WATCHING…

Page 5: Security is not a feature

Symantec 2014 Internet Security Threat Report, Volume 19

LIES AND DAMN STATISTICS

• 91% increase in targeted attack campaigns in 2013
• 62% increase in the number of breaches in 2013
• Over 552M identities were exposed via breaches in 2013
• 23 zero-day vulnerabilities discovered
• 38% of mobile users have experienced mobile cybercrime in the past 12 months
• Spam volume dropped to 66% of all email traffic
• 1 in 392 emails contains a phishing attack
• Web-based attacks are up 23%
• 1 in 8 legitimate websites has a critical vulnerability

Page 6: Security is not a feature

MAKE IT SO
Ok, site done, now security++

Page 7: Security is not a feature


THE STATE OF BEING PROTECTED OR SAFE FROM HARM

THINGS DONE TO MAKE PEOPLE OR PLACES SAFE

Definition of Security from merriam-webster

Both a state and a process

Page 8: Security is not a feature

SECURITY !== …
• A feature at the end of the project
• Meeting some compliance checklist
• A single person or team’s job
• Hiring someone to do it afterward
• A tool or appliance
• A boolean

Page 9: Security is not a feature

SECURITY === …
• An ongoing process
• A paranoid way of thinking
• The acknowledgment that you will be hacked at some point
• Habit
• Everybody’s problem

Page 10: Security is not a feature

LAYERS OF SECURITY
• Physical
• System
• Network
• Application
• User System
• Browser

Page 11: Security is not a feature

DEVELOPERS DEVELOPERS DEVELOPERS
• Application Security
  • Knowing your threats.
  • Securing the network, host and application.
  • Incorporating security into your software development process

Page 12: Security is not a feature

IT’S ALL ABOUT THE DATA
Ownership and Potential for Abuse

Page 13: Security is not a feature

A WORD OF WARNING
Checklists do not solve all problems, but they do help those with swiss-cheese memories (like me)

Page 14: Security is not a feature

STEP 1: KNOW YOUR DATA
• What are you storing?
• Who does it come from?
• Who owns it?
• Does it need to have restricted access?
• Is it confidential?
• Does it need to be archived?
• Do we NEED this data?

Page 15: Security is not a feature

STEP 2: KNOW YOUR USERS
• Are you attractive for hacktivists?
• Are you attractive for ransom?
• Are you likely to be popular enough to be DDoS’d?
• Will your competitors pay to have you hacked?
• Did you piss off an old dev or sysadmin who might be gunning for you?
• Do you have a lot of soccer moms?
• Do you have a lot of bored geeks?

Page 16: Security is not a feature

STEP 3: KNOW YOUR LAWS
• http://www.csoonline.com/article/2126072/compliance/the-security-laws--regulations-and-guidelines-directory.html
• There are a lot!!
• Basically, if you store financial information, medical information, information about children under 13, or personal information that can be used for identity theft – you need to do some reading up on laws.

Page 17: Security is not a feature

STEP 4: MAKE GOOD DECISIONS
• Who has access?
• How will things be protected?
• How are you backing up?
• Do you have a disaster plan?
• What happens if you get hacked?
• What happens if you derp? (Humans are so error-prone)
• What level of brokenness can you accept from a third party?

Page 18: Security is not a feature

STEP 5: WRITE IT ALL DOWN
• Document
• Document
• Document
• Document
• Document
• Document
• Document
• Document …

Page 19: Security is not a feature

ISN’T THIS KIND OF LIKE RISK MANAGEMENT STUFF?
• Yes
• No
• Maybe

Page 20: Security is not a feature

PRACTICE MAKES PERFECT
• Test your data backup and recovery plans
• Test your “you got hacked” plans
• Test your rules for data access
• Test hacking your site – it’s fun!

Page 21: Security is not a feature

DON’T FORGET MURPHY!

Page 22: Security is not a feature

BALANCING ACTS
Sometimes $x is > $y

Page 23: Security is not a feature

WHY CONTEXT IS IMPORTANT
• Always balance
• Sailor Moon forums are not as important as a bank website
• But that’s no reason to screw the basics
• People reuse passwords, you can’t stop them
• But you can’t be responsible for all user stupidity in the world

Page 24: Security is not a feature

BEING SECURITY MINDED
But I’m only a developer and have no say!

Page 25: Security is not a feature

THE PHYSICAL LAYER
• Usually someone else’s problem and decision
• But not always – did you get a say on the hosting provider?
• So do your research

Page 26: Security is not a feature

THE SYSTEM LAYER
• Often someone else’s problem
• Unless you’re devops
• In which case – do your research
• Wait – in any case do your research
• Update, update, update and FIGHT for updates!!

Page 27: Security is not a feature

THE NETWORK LAYER
• Learn how to use Wireshark
• Learn about network design
• Learn about https and man-in-the-middle
• So when they ask you to talk to a database in another subnet you can tell them “not without the proper encryption”

Page 28: Security is not a feature

THE APPLICATION LAYER
• This is your problem
• “Just get it finished, we’ll secure it later” <- stupidest thing ever
• Good habits in coding breed secure code
• How do you create good habits?

Page 29: Security is not a feature

STEP 1: BECOME PARANOID
• Yes, they are trying to hack you
• No, it doesn’t matter how small you are
• All users are evil… cats
• (or stupid cats, same result)

Page 30: Security is not a feature

STEP 2: KNOW YOUR VECTORS
• Input Validation
• Authentication
• Authorization
• Configuration management, Sensitive information, System
• Cryptography
• Parameter manipulation
• Exception/Error management
• Auditing and logging

Page 31: Security is not a feature

OWASP TOP TEN
• Injection
• Broken Authentication and Session Management
• Cross-Site Scripting (XSS)
• Insecure Direct Object References
• Security Misconfiguration
• Sensitive Data Exposure
• Missing Function Level Access Control
• Cross-Site Request Forgery (CSRF)
• Using Components with Known Vulnerabilities
• Unvalidated Redirects and Forwards

Page 32: Security is not a feature

INPUT VALIDATION
• Validate Input, Escape Output
• OWASP: Injection, XSS, Unvalidated Redirects and Forwards
• Make sure you get what you expected, always
• Do not assume anything
• Always be aware of context

Page 33: Security is not a feature

BEST PRACTICES
• Force escaping – echo in templates is the #1 place to find this
• Use a good library (see frameworks or packagist)
• Use prepared statements
• Remember other places SQL can be injected! (LIKE statements, etc.)
• NoSQL is vulnerable too! (hint: mongodb and $in)
• Force validation
• Do not let people touch superglobals or other user data “raw”
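An added example, not from the slides, of the three points above working together: a prepared statement, LIKE-wildcard escaping (binding alone does not neutralise % and _), a whitelisted ORDER BY column, and escaping at output time. The in-memory SQLite table and its rows are constructed for the demo.

```php
<?php
// Added example, not from the slides: prepared statements, LIKE-wildcard
// escaping, a whitelisted sort column, and escaping at output time.
// Uses an in-memory SQLite database seeded with constructed rows.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)');
$seed = $pdo->prepare('INSERT INTO users (name, email) VALUES (?, ?)');
foreach ([['alice', 'a@example.test'], ['al_ice', 'b@example.test'],
          ['<b>bob</b>', 'c@example.test']] as $row) {
    $seed->execute($row);
}

// Binding stops injection, but LIKE still treats % and _ as wildcards, so the
// search term needs them escaped and the statement must declare ESCAPE.
function escapeLike(string $term): string
{
    return str_replace(['\\', '%', '_'], ['\\\\', '\\%', '\\_'], $term);
}

// An ORDER BY column cannot be a bound parameter: whitelist it instead.
function sortColumn(string $requested): string
{
    return in_array($requested, ['name', 'email'], true) ? $requested : 'name';
}

function searchUsers(PDO $pdo, string $term, string $sort): array
{
    $sql = 'SELECT name, email FROM users WHERE name LIKE :pattern ESCAPE \'\\\' '
         . 'ORDER BY ' . sortColumn($sort);
    $stmt = $pdo->prepare($sql);
    $stmt->execute([':pattern' => escapeLike($term) . '%']);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Escape for the HTML context when rendering; the stored value stays raw.
function renderRows(array $rows): string
{
    $html = '';
    foreach ($rows as $row) {
        $html .= '<li>' . htmlspecialchars($row['name'], ENT_QUOTES, 'UTF-8') . '</li>';
    }
    return $html;
}

// "al_" matches the literal "al_ice" only (not "alice"), the hostile sort value
// falls back to "name", and "<b>bob</b>" is shown as text, not markup.
echo renderRows(searchUsers($pdo, 'al_', 'name; DROP TABLE users')), PHP_EOL;
```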

Page 34: Security is not a feature

AUTHENTICATION
• Proper session handling and password management
• OWASP: Broken Authentication and Session Management, CSRF
• Sessions are hard, learn how to do them right
• HTTP(s) is stateless, remember that!!
• Remember outsourcing to third parties brings additional issues

Page 35: Security is not a feature

BEST PRACTICES
• Use a good session library
  • Takes care of session fixation
  • Takes care of timeouts
  • Encrypted connections
  • HTTP-only cookies
  • Session regeneration
• Use PHP’s password hashing tools, or the replacement library for older PHP versions
• DO NOT ROLL YOUR OWN
• Protect against brute force attacks
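An added example, not from the slides, showing what the bullets above look like in PHP: password_hash/password_verify for storage, a per-account failure counter as a basic brute-force brake, hardened session cookie flags, and session ID regeneration after login. The in-memory array standing in for the user table and the MAX_FAILURES/LOCKOUT_SECONDS values are assumptions.

```php
<?php
// Added example, not from the slides: PHP's built-in password hashing, a simple
// per-account failure counter, hardened session cookies and ID regeneration.
// An in-memory array stands in for the user table; thresholds are assumptions.
const MAX_FAILURES = 5;
const LOCKOUT_SECONDS = 900;

// password_hash chooses a random salt and the current default algorithm (bcrypt).
function registerUser(array &$store, string $user, string $password): void
{
    $store[$user] = ['hash' => password_hash($password, PASSWORD_DEFAULT),
                     'failures' => 0, 'locked_until' => 0];
}

function login(array &$store, string $user, string $password): bool
{
    if (!isset($store[$user]) || $store[$user]['locked_until'] > time()) {
        return false;                       // unknown account or throttled
    }
    if (!password_verify($password, $store[$user]['hash'])) {
        if (++$store[$user]['failures'] >= MAX_FAILURES) {
            $store[$user]['locked_until'] = time() + LOCKOUT_SECONDS;
            $store[$user]['failures'] = 0;
        }
        return false;
    }
    $store[$user]['failures'] = 0;
    // Upgrade the stored hash transparently if the default cost or algorithm moved on.
    if (password_needs_rehash($store[$user]['hash'], PASSWORD_DEFAULT)) {
        $store[$user]['hash'] = password_hash($password, PASSWORD_DEFAULT);
    }
    return true;
}

// Session cookie only over HTTPS, hidden from JavaScript, never taken from the URL.
function startHardenedSession(): void
{
    ini_set('session.use_strict_mode', '1');
    ini_set('session.use_only_cookies', '1');
    session_set_cookie_params(['lifetime' => 0, 'path' => '/', 'secure' => true,
                               'httponly' => true, 'samesite' => 'Lax']);
    session_start();
}

// Call right after login() returns true: a fresh ID, old one deleted, so a
// session ID planted before authentication (fixation) is worthless.
function promoteSession(): void
{
    session_regenerate_id(true);
}
```

Call startHardenedSession() at the top of the front controller and promoteSession() immediately after a successful login(); the array-form session_set_cookie_params needs PHP 7.3 or later.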

Page 36: Security is not a feature

AUTHORIZATION
• What is your allowed access?
• OWASP: Insecure Direct Object References, Missing Function Level Access Control
• Make sure you are locking down all paths to restricted data
• Whitelist instead of blacklisting access

Page 37: Security is not a feature

BEST PRACTICES
• Use a library
• Test your code, both by hand and with testing frameworks
• Audit access to sensitive information
• Audit logins
• Make sure authentication is correct! Bad authentication == bad authorization!

Page 38: Security is not a feature

CONFIGURATION MANAGEMENT, SENSITIVE INFORMATION, SYSTEM SECURITY
• Access to information or system information
• OWASP: Security Misconfiguration, Sensitive Data Exposure
• Make sure you don’t let people see everything about your system and setup

Page 39: Security is not a feature

BEST PRACTICES
• Automate all the things!
• Use “environment” setups for settings, but ALWAYS DEFAULT TO PRODUCTION
• Turn off PHP information, Apache information, phpinfo()
• Turn off PHP errors
• Make system updates a part of the process!

Page 40: Security is not a feature

CRYPTOGRAPHY
• Using the wrong tool for the job
• OWASP: Security Misconfiguration, Using Components with Known Vulnerabilities
• Cryptography is hard
• Are you a math major with specialization in cryptography?

Page 41: Security is not a feature

BEST PRACTICES
• Do not roll your own
• Use PHP libraries
• Use PHP password tools
• Keep those libraries up to date!
• Heartbleed

Page 42: Security is not a feature

PARAMETER MANIPULATION
• Evil Cat Users will muck with anything they can
  • Headers
  • Query params
  • Post data
  • Cookies
• OWASP: All of them
• Be prepared for everything

Page 43: Security is not a feature

BEST PRACTICES
• Validate everything explicitly
• Whitelist, don’t blacklist
• Do not ever sanitize, instead escape output

Page 44: Security is not a feature

EXCEPTION/ERROR MANAGEMENT
• Showing sensitive information or exploiting errors to tie up resources
• OWASP: Sensitive Data Exposure
• Make sure the USER doesn’t see the problem, that’s for the developer and sysadmin

Page 45: Security is not a feature

BEST PRACTICES
• Log (most) everything
• Don’t display errors
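An added example, not from the slides, covering both the configuration slide (environment setups that default to production, PHP errors off) and the two bullets above (log everything, display nothing to the user): a small bootstrap for a PHP front controller. The APP_ENV variable name and the log file path are assumptions.

```php
<?php
// Added example, not from the slides: resolve the environment from APP_ENV but
// DEFAULT TO PRODUCTION, hide errors from users there, and log full detail for
// the developer. APP_ENV and the log path are assumptions.
$env = getenv('APP_ENV');
$env = in_array($env, ['development', 'staging'], true) ? $env : 'production';

if ($env === 'production') {
    ini_set('display_errors', '0');         // no paths, versions or SQL in responses
    ini_set('display_startup_errors', '0');
    ini_set('log_errors', '1');
    ini_set('error_log', '/var/log/app/php-error.log');   // assumed path
    // expose_php=0 and disable_functions=phpinfo are php.ini-only (not settable
    // at runtime), so they belong in the production php.ini that ships with this.
} else {
    ini_set('display_errors', '1');
}
error_reporting(E_ALL);                     // log everything, even in production

// Uncaught exceptions: full trace to the log, the user gets a generic page with
// an opaque reference they can quote to support.
set_exception_handler(function (Throwable $e) use ($env): void {
    $ref = bin2hex(random_bytes(8));
    error_log(sprintf('[%s] %s: %s in %s:%d%s%s', $ref, get_class($e),
        $e->getMessage(), $e->getFile(), $e->getLine(), PHP_EOL, $e->getTraceAsString()));
    http_response_code(500);
    if ($env === 'production') {
        echo 'Something went wrong. Reference: ', $ref, PHP_EOL;
    } else {
        echo $e, PHP_EOL;                   // full detail only outside production
    }
});

// Warnings and notices become exceptions so they take the same path and cannot
// leak half a page of output before the failure.
set_error_handler(function (int $no, string $str, string $file, int $line): bool {
    throw new ErrorException($str, 0, $no, $file, $line);
});
```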

Page 46: Security is not a feature

AUDITING AND LOGGING
• Do it
• Test it
• People will try REALLY hard to bypass it, so watch for patterns!

Page 47: Security is not a feature

THE USER SYSTEM LAYER
• Encrypt anything you store on a user’s system
• Don’t trust anything from a user’s system
• Cross your fingers

Page 48: Security is not a feature

THE BROWSER LAYER
• Use a good library for cross-browser abstraction
• Make sure to be aware of browser bugs and exploits
• Use the flags browsers provide
• Remember that XSS and all the other attacks occur in JavaScript too!
• http://www.slideshare.net/michael_coates/enabling-browser-security-in-web-applications <- read up on mitigation
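An added example, not from the slides, of “the flags browsers provide” as sent from PHP: response headers that turn on browser-side protections against clickjacking, MIME sniffing, plaintext downgrade and injected script. The CSP allow-list (self plus cdn.example.test) is an assumption to tighten to what the application really loads.

```php
<?php
// Added example, not from the slides: response headers that switch on browser-side
// protections. The CSP allow-list (self plus an assumed cdn.example.test) is an
// assumption; tighten it to what the application actually loads.
function sendBrowserSecurityHeaders(): void
{
    // Only render inside frames from our own origin (clickjacking).
    header('X-Frame-Options: SAMEORIGIN');
    // Don't let the browser sniff a text response into script or HTML.
    header('X-Content-Type-Options: nosniff');
    // Insist on HTTPS for a year, including subdomains (man-in-the-middle downgrade).
    header('Strict-Transport-Security: max-age=31536000; includeSubDomains');
    // Limit what the Referer header leaks to other origins.
    header('Referrer-Policy: strict-origin-when-cross-origin');
    // CSP: scripts only from our origin and the assumed CDN, no inline script, so
    // an injected <script> or onclick= attribute is refused by the browser.
    header("Content-Security-Policy: default-src 'self'; "
         . "script-src 'self' https://cdn.example.test; object-src 'none'; "
         . "frame-ancestors 'self'; base-uri 'self'; form-action 'self'");
}

// Headers must be sent before any body bytes: call this at the top of the front
// controller, right after session_start().
sendBrowserSecurityHeaders();
header('Content-Type: text/html; charset=UTF-8');
echo '<!doctype html><title>ok</title>';
```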

Page 49: Security is not a feature

HOW CAN YOU HELP?
• Wish #1 – an open source PHP penetration test tool
• Wish #2 – an open source PHP static analysis tool

Page 52: Security is not a feature

PHP SECURITY RESOURCES
• http://www.php.net/manual/en/security.php
• http://phpsec.org/
• http://docforge.com/wiki/Web_application/Security
• http://www.phptherightway.com/
• http://websec.io/
• https://drupal.org/developing/best-practices