OWASP 301: Infrastructure-based Security

Transcript

1. OWASP 301:
   Infrastructure-Based Security
   Eric Mann
   

   View Slide

2. ASR 3 - Sensitive Data
   Exposure
   

   View Slide

3. Many web applications do not
   adequately protect sensitive
   data, such as credit cards, tax
   IDs, and authentication
   credentials.
   

   View Slide

4. Photo borrowed from Schneier on Security:
   https://www.schneier.com/blog/archives/2005/02/the_weakest_lin.html
   

   View Slide

5. Sensitive Data Retention
   What data do you retain?
   Why do you need this data in the first place?
   Who has access to the data?
   Where are backups stored?
   Who has access to the data via the backup system?
   

   View Slide

6. Encoding is not
   encryption!
   

   View Slide

7. function encodeString($str) {
   for ($i = 0; $i < 5; $i++) {
   $str = strrev(base64_encode($str));
   }
   return $str;
   }
   function decodeString($str) {
   for ($i = 0; $i < 5; $i++) {
   $str = base64_decode(strrev($str));
   }
   return $str;
   }
   encodeString('this is a secret');
   QVlRHZlbopUYxQWShRkTUR1aaVUWuB3UNdlR2NmRWplUuJkVUxGcPFGbGVkVqp0VUJjUZdVVaNVTtVUP
   

   View Slide

8. ASR 5 - Broken Access
   Control
   

   View Slide

9. Restrictions on what
   authenticated users are
   allowed to do are not properly
   enforced.
   

   View Slide

10. $app->post( '/profile',
    function ($request, $response, $args) {
    if (!isset($_SESSION['user_id']) ||
    !$this->users->get($_SESSION['user_id'])) {
    return $response->withRedirect('/?error=notloggedin');
    }
    $userID = $request->getParam('user_id');
    $fname = $request->getParam('fname');
    $lname = $request->getParam('lname');
    $email = $request->getParam('email');
    // Retrieve the user's account from the database (via the app container)
    $user = $this->users->get(intval($userID));
    $user->profile->fname = filter_var($fname, FILTER_SANITIZE_STRING);
    $user->profile->lname = filter_var($lname, FILTER_SANITIZE_STRING);
    $user->profile->email = filter_var($email, FILTER_SANITIZE_EMAIL);
    $this->users->update($user);
    }
    );
    

    View Slide

11. United Airlines experienced this vulnerability in their mobile app in 2015 -
    https://randywestergren.com/united-airlines-bug-bounty-an-experience-in-reporting-a-serious-vulnerability//
    

    View Slide

12. ASR 6 - Security
    Misconfiguration
    

    View Slide

13. Secure settings should be
    defined, implemented, and
    maintained, as defaults are
    often insecure.
    

    View Slide

14. PHP Settings
    Disable error display (display_errors)
    Disable remote includes (allow_url_fopen and allow_url_include)
    Set reasonable resource maximums (upload_max_filesize and memory_limit)
    Leverage the disable_functions directive to block dangerous functions:
    exec, passthru, shell_exec, system, proc_open, popen,
    parse_ini_file, show_source, eval, create_function
    

    View Slide

15. Webserver Settings (Nginx / Apache / etc)
    Disable server tokens and signature disclosure
    Configure a static server name (don’t trust potentially malicious HOST headers)
    Disable directory traversal
    ALWAYS configure strong SSL certificates for secure access
    Return proper error codes
    

    View Slide

16. Database (MySQL) Settings
    Set an appropriate bind-address
    Ensure users are configured from the correct host, not a % wildcard
    Limit user permissions on the database to just what the application needs
    

    View Slide

17. ASR 9 - Using
    Components with
    Known Vulnerabilities
    

    View Slide

18. Applications using
    components with known
    vulnerabilities may undermine
    application defenses and
    enable a range of possible
    attacks and impacts.
    

    View Slide

19. Audit Application Dependencies
    Monitor Composer-installed dependencies for outdated or vulnerable libraries
    Leverage unattended-upgrades to keep system packages up-to-date
    Audit the packages installed on your server - don’t install things you don’t need
    

    View Slide

20. Custom error messages can help demonstrate when a security hole has been plugged. Or
    annoy those who were exploiting it in the first place...
    

    View Slide

21. Audit Application Dependencies
    Monitor Composer-installed dependencies for outdated or vulnerable libraries
    Leverage unattended-upgrades to keep system packages up-to-date
    Audit the packages installed on your server - don’t install things you don’t need
    Only run current, supported versions of PHP!!!
    

    View Slide

22. ASR 10 - Insufficient
    Logging & Monitoring
    

    View Slide

23. Attackers rely on the lack of
    monitoring and timely
    response to achieve their
    goals without being detected.
    

    View Slide

24. It’s Important to Track:
    What happened
    When it happened
    Where it happened (in terms of code and the IP of the server)
    To whom it happened
    What input triggered the event
    

    View Slide

25. Event Classes
    Input Validation Errors
    Output Validation Errors
    Authentication Events
    Authorization (Access Control) Failures
    Application Errors
    Application Startup/Shutdown
    High-risk Operations
    

    View Slide

26. (Full image slide. No text)
    

    View Slide

27. Questions?
    

    View Slide

28. Thank you
    [email protected] | 503.925.6266
    

    View Slide