Thoughts on Defensive Development for Sitecore

Thoughts on Defensive Web Development: Today's Flavor - Sitecore. Thomas A. Powell [email protected], Joe Lima [email protected]


Presentation given by Thomas Powell ([email protected]) and Joe Lima ([email protected]) - 2-15-2012 covering WebAppSec issues with an emphasis on concerns with the Sitecore CMS platform. Sorry for any small quirks in slideshare conversion.

Transcript of Thoughts on Defensive Development for Sitecore

2. Before We Start: Getting defensive requires a mindset change. Serious threats really exist. They can happen to you. Much can be prevented. But there is no such thing as absolute security.
3. Today's Focus - Sitecore: First question: Is Sitecore the target, or is it a site run by Sitecore? Oh BTW, security isn't really as app specific as you might think. If it is, you might have really big problems! If you don't remember much today you won't act, so let's get memorable.
4. Open Source Fail? It's open code to hackers too, and if widely used it becomes a big target.
5. Zoinks!
6. Woohoo!
7. Careful: Did they turn on you yet, and with what force?
8. There Be Web Orcs! I can SQL injectz you!
9. And They Cause Troubles
10. Why - Ego Defacement: Relax, faked. This type of tagging is for cred.
11. Why - Hacktivism: All fun and games until LOIC is aimed at your site.
12. Why - 4 Lulz: Ok, so it isn't funny to you, but it is to them.
13. Why - Spread Malware Germs: Put malware on your home page to infect others.
14. Why - ID Theft: You (or your users) are a commodity (at least your ID, IP or CC# is).
15. Why - Zombie Recruiting: Grow an army and then "Awake my Zombie army and attack!"
16. Why - For The $!
17. Yes - Bad people are real. Credit: From Russia With Love - Fyodor Yarochkin and The Grugq - http://tinyurl.com/frmrussiawlove. And they're in your country too.
18. Build some walls
19. Man the defenses! No worry, firewall is in place.
20. We're awake! ...and what exactly do you see?
21. Just another day on the Internetz
22. The Usual Suspects: Input Tampering, SQL Injection, XSS, CSRF, RFI/LFI
23. The Toolbox is Overflowing
24. Attack #1: Stupid Bot Brigade - Charge! ../cmd.exe &1=1;drop table
25. Attack #2: I'm just a lowly peasant HTTP request, may I pass?
26. Think like a bouncer? Yer not on the list. Come on in?!
27. The weak minded are easily tricked: These are not the requests you are looking for.
28. 0-day to the Face! To get our new signature files you need a valid support plan.
29. The Appearance of Security: The Intent Thief: How quaint a club!
30. Real Security Tradeoffs: This...
31. Security Tradeoffs: ...or this?
32. I want it all!
33. Attack Surfaces are Growing: ...and many more. Notice that these may be indirect.
34. Many Targets Within
35. What's Your Password? Keys to the Sitecore (or any CMS) Kingdom
36. Finding the Right Door: Is your Sitecore instance public IP accessible and at the standard path?
37. Psst. This isn't hidden.
38. No Try Limit = No Security Eventually*: No retry limits + No Easy Alerting = Let a bot work on it
39. Policy Time! Active Directory module for authentication can help leverage any better policies you may have already. Custom validators can (and should) be built. Enforcement is key.
40. Keeping It Clean: Scan files with external services. Strip XSS triggers like
51. Dangerous Domains? CMS in its own domain by default, but public and private sites with shared content aren't. An easy fix -- if you remember to do it!
52. More XSS Fun: Product reviews, forums, and blog comments are generally ripe for XSS trouble.
53. XSS Just Part of the Plan: XSS site with cookie grabber on review, blog comments, etc. Do something to attract attention of site admin, like email saying problem on page X (the one with XSS). Grab cookie for auth. Go back to admin or known URL of a backend, add user account, etc.
54. Cookies really are Yummy! Me likey the Web... everyone gives me COOKIES!!! Num num num num
55. Always Easiest to Attack People! Name: Jim LaFleur. Occupation: Chief of Security. Organization: Dharma Initiative. Find Jim's name/email in your site comments, LinkedIn, Facebook, etc.
56. Spear Phish Scenario: Find XSS hole for reflection, search query, URL, etc. Email as end user asking for support on the XSSable URL, or get them to click on the XSS. Steal their cookie and login as them.
57. Rise of DoSing & Electronic Sit-Ins
58. DoS Attack Sadness: It can be legit traffic that just overwhelms with regular, correct HTTP. Watch dynamic pages in particular, POSTs and writes in particular. They can crowd source it easily. Countermeasures cost you $ if attackers know how to do it right.
59. Just Throw Money At IT: Sure it helps, but there is no silver bullet box, especially without a posture change.
60. Wrap Your App: Reality is, in some cases you just have to put a WAF in, no way to patch fast enough. WAFs have their issues though, often not strong enough or too strong. WAFs are only a part of covering yourself.
61. Tech Can't Solve This
62. Go Back to Dev School: If Johnny builds a Web site he must not trust ______ A) form inputs B) query strings C) cookies D) end users E) all of the above
63. Summary: Don't broadcast you use Sitecore (or .ASPX, IIS, etc.). Remove backend from public access. Strengthen your auth, 2 factor if you can! Avoid rich user submissions. Harden your sessions.
64. Summary: Scrub your source. Add an App Firewall. Plan for DoS attacks. Talk to your people. And most importantly, pay attention.
65. Questions? Thomas A. Powell [email protected], Joe Lima [email protected], http://www.pint.com, http://www.port80software.com, Twitter: PINTSD, Twitter: port80software
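Slide 38 ("no retry limits + no easy alerting = let a bot work on it") and slide 58 ("watch dynamic pages, POSTs and writes in particular") both come down to counting events in a time window and acting on the count. The block below is an added, platform-neutral Python example written for this page; it is not code from the talk, from Sitecore, or from any real framework. One sliding-window counter serves both jobs: a per-account failed-login lockout that fires an alert hook when it trips, and a per-client rate limit on write requests. All class and function names, and the thresholds (5 failures in 5 minutes, 15-minute lockout, 30 writes per minute), are illustrative assumptions, and the scenarios in the demo functions are constructed.

```python
"""Added example (not from the talk or Sitecore): a sliding-window counter that
serves two defensive jobs the slides call for:
  * per-account failed-login limit with lockout and an alert hook (slide 38)
  * per-client rate limit on POSTs/writes (slide 58)
All names and thresholds are hypothetical; the demo inputs are constructed.
"""
from collections import defaultdict, deque
from typing import Callable, Deque, Dict, List, Tuple


class SlidingWindowCounter:
    """Counts events per key that happened within the last `window` seconds."""

    def __init__(self, window: float) -> None:
        self.window = window
        self._events: Dict[str, Deque[float]] = defaultdict(deque)

    def hit(self, key: str, now: float) -> int:
        """Record an event for `key` at time `now`; return the count still in the window."""
        q = self._events[key]
        q.append(now)
        cutoff = now - self.window
        while q and q[0] <= cutoff:       # drop events that have aged out
            q.popleft()
        return len(q)


class LoginGuard:
    """Locks an account after too many failures and raises an alert when it does."""

    def __init__(self, max_failures: int = 5, window_seconds: float = 300.0,
                 lockout_seconds: float = 900.0,
                 alert: Callable[[str], None] = lambda msg: None) -> None:
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.alert = alert                 # hook for email/SIEM; slide 38's "easy alerting"
        self._failures = SlidingWindowCounter(window_seconds)
        self._locked_until: Dict[str, float] = {}

    def is_locked(self, user: str, now: float) -> bool:
        return self._locked_until.get(user, 0.0) > now

    def attempt(self, user: str, password_ok: bool, now: float) -> str:
        """Return 'locked', 'ok' or 'denied'. `password_ok` is the real credential check."""
        if self.is_locked(user, now):
            return "locked"                # refuse even a correct password while locked
        if password_ok:
            return "ok"
        n = self._failures.hit(user, now)
        if n >= self.max_failures:
            self._locked_until[user] = now + self.lockout_seconds
            self.alert(f"account {user!r} locked after {n} failed logins")
            return "locked"
        return "denied"


class WriteRateLimiter:
    """Meters write requests (POST/PUT/PATCH/DELETE) per client, e.g. per source IP."""

    WRITE_METHODS = ("POST", "PUT", "PATCH", "DELETE")

    def __init__(self, max_per_window: int = 30, window_seconds: float = 60.0) -> None:
        self.max_per_window = max_per_window
        self._counter = SlidingWindowCounter(window_seconds)

    def allow(self, client: str, method: str, now: float) -> bool:
        if method.upper() not in self.WRITE_METHODS:
            return True                    # reads are not metered here
        return self._counter.hit(client, now) <= self.max_per_window


def demo_bot_login() -> Tuple[List[str], List[str]]:
    """Constructed scenario: a bot fires 8 wrong passwords at 'admin', one second apart."""
    alerts: List[str] = []
    guard = LoginGuard(max_failures=5, window_seconds=300.0,
                       lockout_seconds=900.0, alert=alerts.append)
    results = [guard.attempt("admin", False, now=float(t)) for t in range(8)]
    results.append(guard.attempt("admin", True, now=100.0))    # correct password, still locked
    results.append(guard.attempt("admin", True, now=1000.0))   # lockout expired, user is back
    return results, alerts


def demo_post_flood() -> Tuple[int, int]:
    """Constructed scenario: one client sends 100 POSTs and 100 GETs in ten seconds."""
    limiter = WriteRateLimiter(max_per_window=30, window_seconds=60.0)
    posts_allowed = sum(limiter.allow("203.0.113.7", "POST", now=t * 0.1) for t in range(100))
    gets_allowed = sum(limiter.allow("203.0.113.7", "GET", now=t * 0.1) for t in range(100))
    return posts_allowed, gets_allowed


if __name__ == "__main__":
    print(demo_bot_login())   # 4 denied, then locked, alert raised, 'ok' after lockout
    print(demo_post_flood())  # (30, 100)
```

The two decisions worth noting: a locked account refuses even the correct password until the lockout expires, so a bot cannot keep guessing "for free" once it trips the limit, and the alert is raised at the moment of lockout rather than buried in a log, which is the difference between slide 38's "no easy alerting" and a human actually finding out.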
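The XSS slides (52 through 56) and the summary's "harden your sessions", "scrub your source" and "don't broadcast you use Sitecore (or .ASPX, IIS)" describe three controls that are easy to show in code. What follows is an added, platform-neutral Python example written for this page, not code from the talk or from Sitecore: untrusted comment text is encoded for the HTML context it lands in, the session cookie is issued with the flags that keep it away from page script and off plain HTTP, and the response headers that advertise the server stack are dropped. Function names and the cookie name `SESSIONID` are assumptions; the header names `Server`, `X-Powered-By`, `X-AspNet-Version` and `X-AspNetMvc-Version` are real IIS/ASP.NET response headers, and the sample comment text is constructed.

```python
"""Added example (not from the talk or Sitecore): output encoding for
user-submitted content, a hardened session cookie, and stack-revealing
header removal. Names are hypothetical; inputs are constructed.
"""
import html
from typing import Dict
from urllib.parse import quote


def render_comment(author: str, body: str, profile_url: str) -> str:
    """Return an HTML fragment in which every untrusted value is encoded for its context.

    Text and attribute context: html.escape with quote=True covers < > & " '.
    URL context: refuse anything that is not http(s), then percent-encode.
    """
    safe_author = html.escape(author, quote=True)
    safe_body = html.escape(body, quote=True)
    if not profile_url.lower().startswith(("http://", "https://")):
        profile_url = "#"                      # blocks javascript: and data: schemes
    safe_url = html.escape(quote(profile_url, safe=":/?&=#%"), quote=True)
    return (f'<li class="comment"><a href="{safe_url}">{safe_author}</a>: '
            f'<span>{safe_body}</span></li>')


def session_cookie(session_id: str, secure: bool = True, max_age: int = 1200) -> str:
    """Build a Set-Cookie value for the session token.

    HttpOnly keeps it out of document.cookie (slide 53's cookie grabber gets nothing),
    Secure keeps it off plain HTTP, SameSite=Strict blunts CSRF, and a short
    Max-Age limits how long a leaked token is worth anything.
    """
    if not session_id.isalnum():
        raise ValueError("session id must be an opaque alphanumeric token")
    parts = [f"SESSIONID={session_id}", "Path=/", f"Max-Age={max_age}",
             "HttpOnly", "SameSite=Strict"]
    if secure:
        parts.append("Secure")
    return "; ".join(parts)


def cookie_is_hardened(set_cookie: str) -> bool:
    """Check a Set-Cookie value for the three flags above (useful in a deploy test)."""
    attrs = {p.strip().split("=", 1)[0].lower() for p in set_cookie.split(";")[1:]}
    return {"httponly", "secure", "samesite"} <= attrs


# Headers that tell a scanner which stack is behind the site (slide 63: don't broadcast it).
REVEALING_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "x-aspnetmvc-version")


def scrub_headers(headers: Dict[str, str]) -> Dict[str, str]:
    """Return a copy of the response headers without the stack-revealing ones."""
    return {k: v for k, v in headers.items() if k.lower() not in REVEALING_HEADERS}


if __name__ == "__main__":
    # Constructed comment with a script tag in the body and a javascript: profile link
    print(render_comment("Jim", "<script>alert('xss')</script>", "javascript:alert(1)"))
    print(session_cookie("a1b2c3d4"))
    print(scrub_headers({"Server": "Microsoft-IIS/7.5", "X-Powered-By": "ASP.NET",
                         "Content-Type": "text/html"}))
```

Encoding at output time, per context, is what makes a stored script tag in a product review render as text instead of running; the cookie flags are a second layer for the case where some page still slips, because a token that script cannot read is a token a cookie grabber cannot grab. Neither replaces the summary's other advice (keep the backend off the public network, prefer two-factor auth), they just make the XSS and cookie slides' scenario much harder to complete.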