OWASP Wellington - Security matters

A high-level overview of the security measures you can easily take to mitigate common attack vectors on the web: from HTTPS to password managers, and from social engineering to password rules.

Firesphere

March 25, 2019

Transcript

  1. Presentation

  2. Safety first Simon `Firesphere` Erkelens | 2018 Security matters

  3. About me Simon `Firesphere` Erkelens • SilverStripe bespoke software engineer & security expert • Team: Ninja Unicorns • Upcoming SilverStripe meetup: 3rd of April at Biz Dojo • Author of MFA modules for SilverStripe 3 & 4 • Cat owner • Hans the cow is my mascot • I have a zoo on my desk • Scarily obsessed with security* • LEGO! • Born Dutch • Bribable with Whisk(e)y, beer or LEGO • I have a lot of stickers! That’s me ➡ Although, I’m standing right over here, if you hadn’t noticed. ⬅ That’s my cat, Marika, she would like a boop That’s Hans ➡ ⬅ The zoo

  4. Think before you do Why safety first Because it can’t be second • Security should be the first thing on your mind • Use the tools available • Think about the implications of your work • Have security issues as a part of your checklist • And, remember...

  5. What can you do Expect a data breach You will be breached. If not today, it’ll be tomorrow • Preparing for the worst is better than hoping for the best • Most breaches are due to bad practices by (in no particular order): • SysOps • DevOps • Software Engineers • Clients • End users • CMS Users • P E O P L E

  6. Let me introduce DefuseSec, also known as Taylor Hornby

  7. Case in point, my favourite Twitter convo Taylor Hornby falling for social engineering Social engineering is very easy. Even if your target knows it’ll happen, even inviting people to try it, and note that this is a security expert.

  8. A few basics So, what can you do Here’s what we’ll cover • Make sure your own projects are safe • OWASP (You may have heard of it?) • Use password managers • Add HTTPS • Update your password rules • Implement Multi Factor Authentication • Add Content Security Policies to your site • Add Subresource Integrity, so you know what runs

  9. Have their security advisories in your project PHP Roave Security best practices • roave/security-advisories • require or require-dev • Keep up to date with the latest known security issues

  10. They can monitor your projects Snyk Open Source Security Platform • node.js • .net • Java • Scala • Golang • Python • Ruby • PHP

  11. Did you know GitHub can send you these? GitHub security notifications Security best practices • Pretty straightforward to set up in your settings

  12. Just follow OWASP best practices OWASP Open Web Application Security Project • Their Top 10 of vulnerability risks is a good place to start • Juice Shop project • Zed Attack Proxy • And a lot more!

  13. A password manager helps! Password managers Don’t use sticky notes • DO NOT EVER disable pasting of passwords in password fields • Explain to your client why • Explain the benefits • Suggest them to your client, here are a few: • BitWarden (My favourite, I’m not being paid to say this) • 1Password • LastPass

  14. Put all your sites on HTTPS. HTTPS The S stands for “Secure Connection” • Try visiting an http site on hotel wifi and compare it to https • httpforever.com • Let’s Encrypt • CertBot, ACME2, Secure updates… Let’s Encrypt • Don’t go EV, never go EV • Seriously, it’s a waste of money nowadays • Keep your certificates up to date • CertBot does that for you • Register as HSTS • Force HTTPS across your entire site • Show your clients Troy Hunt’s demo if they are not sure

  15. Seriously, HTTPS The S stands for “Secure Connection” Public hotel wifi, same page, http vs. https

  16. Not enough funny gifs mate! Okay, sorry, let me fix that for you!

  17. Password Rules Here’s my set of rules Minimum of 16 characters. I don’t care which as long as they’re not the same

  18. An example of how not to do password policies

  19. HaveIBeenPwned Don’t be in HaveIBeenPwned Okay, I care a little bit • Check new passwords against known breaches • Block known breached passwords • Doesn’t matter if it wasn’t a breach from your site • Don’t reuse your passwords • Don’t expire passwords • No, seriously, don’t expire passwords • Unless they’re breached that is • Using SilverStripe? • firesphere/haveibeenpwnd
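The breach check and password rules from slides 17 and 19, as an added Python example (this is not the deck's code nor the firesphere/haveibeenpwnd module); the range response is constructed to stand in for the Pwned Passwords range API, and every count in it is made up.

```python
import hashlib
from typing import Callable, List
from urllib.request import Request, urlopen

# Constructed sample of what the Pwned Passwords range endpoint answers for the
# prefix "5BAA6": one "<35-hex-char suffix>:<count>" line per matching hash.
# The first suffix completes SHA-1("password"); counts and other suffixes are made up.
SAMPLE_RANGE_RESPONSE = {
    "5BAA6": (
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:1234567\r\n"
        "1E4C9B93F3F0682250B6CF8331B7EE68FDA:15\r\n"
        "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA:2\r\n"
    ),
}

def offline_range_lookup(prefix: str) -> str:
    """Stand-in for the network call, so the example runs offline."""
    return SAMPLE_RANGE_RESPONSE.get(prefix, "")

def live_range_lookup(prefix: str) -> str:
    """Real lookup: only the 5-char prefix leaves your server (k-anonymity)."""
    req = Request(f"https://api.pwnedpasswords.com/range/{prefix}",
                  headers={"Add-Padding": "true", "User-Agent": "example-password-check"})
    with urlopen(req, timeout=5) as resp:
        return resp.read().decode("utf-8")

def breach_count(password: str,
                 range_lookup: Callable[[str], str] = offline_range_lookup) -> int:
    """Return how often the password appears in known breaches (0 if never)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    for line in range_lookup(prefix).splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate == suffix:
            return int(count)  # padding lines carry count 0, which still reads as "not found"
    return 0

def password_problems(password: str,
                      range_lookup: Callable[[str], str] = offline_range_lookup) -> List[str]:
    """The deck's rules: 16+ characters, not all the same, not in a known breach."""
    problems = []
    if len(password) < 16:
        problems.append("shorter than 16 characters")
    if len(set(password)) == 1:
        problems.append("every character is the same")
    hits = breach_count(password, range_lookup)
    if hits:
        problems.append(f"seen in known breaches {hits} times")
    return problems
```

Pass `live_range_lookup` as the second argument to check against the real service; the full password hash is never sent, only its first five hex characters.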
  20. Why? Multi Factor Authentication Just do it • Any form is better than nothing • Users will not like it • Adds security to your accounts • Does not prevent password leaks though

  21. From “at least better than nothing” to “good” Because anything is better • SMS • OTP • TOTP • U2F • WebAuthn Multi Factor Authentication

  22. Whitelist sites that can load Content Security Policy Helps prevent unwanted scripts • Allowed JavaScript sources • Allowed image sources • Allowed CSS sources • Allowed inline scripts via nonce or sha • Allowed child sources (iframes) • etc. • etc. • etc.

  23. Keep track of your CSP violations Content Security Policy report-uri • report-uri.com • Fix them up where needed • Reporting

  24. report-uri.com It’s even free!

  25. Simon `Firesphere` Erkelens | 2018

  26. Validate the scripts are what you expect SubResource Integrity Are the scripts you’re loading really what you think they are? • Base64 of a sha-256/384/512 hash • Store the hash, don’t calculate it at runtime • A different hash means the load is blocked • Analytics changes are immediately visible • Admitted, it’s bloody annoying while writing code
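Building a CSP with a per-request nonce, inline-script hashes and a report-uri (slides 22 and 23) and the SRI hash comparison (slide 26) share one hash helper, so this added Python example covers both; it is not code from the deck, the sample scripts are constructed, and the report-uri.com endpoint URL is a placeholder.

```python
import base64
import hashlib
import secrets

# Constructed sample assets: an inline snippet and the body of an external script.
INLINE_SCRIPT = "window.dataLayer = window.dataLayer || [];"
EXTERNAL_SCRIPT = "console.log('analytics stub');"  # stand-in for a CDN-hosted file

def hash_source(content: str, algo: str = "sha384") -> str:
    """'<algo>-<base64 digest>', the form both CSP script-src and SRI integrity use."""
    if algo not in ("sha256", "sha384", "sha512"):
        raise ValueError("CSP and SRI only accept sha256, sha384 or sha512")
    digest = hashlib.new(algo, content.encode("utf-8")).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"

def new_nonce() -> str:
    """Per-request nonce: unpredictable and never reused across responses."""
    return base64.b64encode(secrets.token_bytes(16)).decode("ascii")

def csp_header(nonce: str, inline_scripts, report_uri: str) -> str:
    """Whitelist: own origin, a per-request nonce, explicit inline hashes, a report endpoint."""
    hashes = " ".join(f"'{hash_source(s)}'" for s in inline_scripts)
    directives = [
        "default-src 'self'",
        f"script-src 'self' 'nonce-{nonce}' {hashes}".rstrip(),
        "img-src 'self' data:",
        "style-src 'self'",
        "child-src 'none'",
        f"report-uri {report_uri}",
    ]
    return "; ".join(directives)

def script_tag(src: str, content: str) -> str:
    """Compute the hash at build time and store it in the tag, not at runtime."""
    integrity = hash_source(content)
    return f'<script src="{src}" integrity="{integrity}" crossorigin="anonymous"></script>'

def sri_matches(stored_integrity: str, fetched_content: str) -> bool:
    """What the browser does on load: recompute and compare; any mismatch blocks the script."""
    algo = stored_integrity.split("-", 1)[0]
    return hash_source(fetched_content, algo) == stored_integrity

if __name__ == "__main__":
    # Placeholder report endpoint; replace with the one report-uri.com issues for your account.
    print(csp_header(new_nonce(), [INLINE_SCRIPT], "https://example.report-uri.com/r/d/csp/enforce"))
    print(script_tag("https://cdn.example.com/analytics.js", EXTERNAL_SCRIPT))
```

Send the header as `Content-Security-Policy-Report-Only` first so violations reach the report endpoint without breaking the site, then switch to enforcing.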
  27. Who to follow Twitter • @Firesphere (that’s me!) • @troyhunt (Troy Hunt) • @scott_helme (Scott Helme) • @j_opdenakker (John Opdenakker) • @DefuseSec (Taylor Hornby) • @silverstripe (That’s where I work) • @roaveteam (Roave) • @ismonkeyuser (Wonderfully relatable comics)

  28. Get in touch Where to talk to us • Slack: owasp.slack.com • Meetup.com • SilverStripe Community Slack: www.silverstripe.org/community/slack-signup/

  29. Any questions? Pretty sure you have questions? Speak up!

  30. Thank you! @Firesphere https://github.com/Firesphere simonerkelens@silverstripe.com https://speakerdeck.com/firesphere https://casa-laguna.net License: CC BY-NC-ND 4.0