Safety First

Firesphere
February 26, 2019

Security matters. What can you as a developer do to improve the security of your projects?

Transcript

  1. About me
     Simon `Firesphere` Erkelens
     • SilverStripe bespoke software engineer
     • Team: Ninja Unicorns (and a little bit of CCS)
     • Community admin (Slack & Forum)
     • I maintain the StripeSlackBot
       • That’s Python, SilverStripe 4 & Solr
     • Author of MFA modules for SilverStripe 3 & 4
     • Cat owner
     • Hans the cow is my mascot
     • I have a zoo on my desk
     • Scarily obsessed with security
       • Also Solr and search in general
     • LEGO!
     • Born Dutch (expect cursing)
     • Originator and former organizer of StripeCon EU
     • I wonder how much I can fit on a single slide
       • Yes, this is on purpose
     • Bribable with Whisk(e)y, beer or LEGO
     Photo captions: That’s me ➡ (although, I’m standing right over here, if you hadn’t noticed). That’s my cat, Marika ⬇. That’s Hans ➡. The zoo ⬇. ⬅ Apollo 13 Saturn V LEGO rocket!
  2. What can you do
     Expect a data breach. You will be breached. If not today, it’ll be tomorrow.
     • Preparing for the worst is better than hoping for the best
     • Most breaches are due to bad practices by (in no particular order):
       • SysOps
       • DevOps
       • Software Engineers
       • Clients
       • End users
       • CMS Users
     • Bad password practices
     • Not using a password manager
     Simon `Firesphere` Erkelens | 2018
  3. This...
     This is my absolute favourite Twitter convo! Taylor Hornby falling for social engineering.
     Social engineering is still very easy. Even if your target knows it’ll happen, even inviting people to try it, and this is a security expert!
  4. There are a few things you can do
     Your security measures: passwords, HTTPS, etc.
     • Roave Security-advisories
     • OWASP
     • Password managers
     • HTTPS
     • Password rules
     • Multi Factor Authentication
     • Content Security Policy
  5. Have their security-advisories in your module/project
     Roave Security best practices
     • roave/security-advisories
     • require or require-dev
     • Keep up to date with the latest known security issues
  6. Just follow OWASP best practices
     OWASP: Open Web Application Security Project
     • Their Top 10 of vulnerability risks is a good place to start
     • Juice Shop project
     • Zed Attack Proxy
     • And a lot more!
  7. A password manager helps!
     Password managers: don’t use sticky notes
     • Explain to your client why
     • Explain the benefits
     • DO NOT EVER disable pasting of passwords in password fields
     • Suggest them to your client, here are a few:
       • BitWarden (my favourite, I’m not being paid to say this)
       • 1Password
       • LastPass
  8. Put all your sites on HTTPS.
     HTTPS: the S stands for “Secure Connection”
     • Try visiting an http site on hotel wifi and compare it to https
       • See screenshots on next slide
     • Let’s Encrypt
       • CertBot, ACME2, secure updates…
     • Don’t go EV, never go EV
       • Seriously, it’s a waste of money nowadays
     • Keep your certificates up to date
       • CertBot does that for you
     • Register as HSTS
     • Force HTTPS across your entire site
     • Show your clients Troy Hunt’s demo if they are not sure
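“Force HTTPS across your entire site” and HSTS are two halves of one mechanism: the redirect moves the first request onto TLS, and the Strict-Transport-Security header makes the browser refuse plain HTTP afterwards. The WSGI middleware below is an added example written for this transcript, not code from the deck or from SilverStripe. `hello_app`, `www.example.test` and the `run_request` harness are assumptions made up for the demonstration. Two details a practitioner should not skip: the Host header is attacker-controlled, so the redirect target is validated against an allow-list instead of being echoed back (otherwise you have an open redirect), and the HSTS header is only emitted on the HTTPS branch, because browsers ignore it on HTTP responses.

```python
"""Redirect HTTP to HTTPS and add HSTS in a WSGI middleware (added example)."""
from urllib.parse import quote

HSTS_MAX_AGE = 31536000  # one year, in seconds


def force_https(app, allowed_hosts, hsts_max_age=HSTS_MAX_AGE,
                trust_proxy_header=False):
    """Wrap a WSGI app: plain-HTTP requests get a 301 to the HTTPS URL,
    HTTPS responses get a Strict-Transport-Security header.

    allowed_hosts: hostnames we are willing to redirect to; the first one is
      the canonical fallback when the request's Host header is not in the list.
    trust_proxy_header: set True only behind a reverse proxy you control that
      rewrites X-Forwarded-Proto, otherwise a client can spoof the scheme.
    """
    allowed = {h.lower() for h in allowed_hosts}
    canonical = allowed_hosts[0]

    def wrapper(environ, start_response):
        scheme = environ.get("wsgi.url_scheme", "http")
        if trust_proxy_header:
            scheme = environ.get("HTTP_X_FORWARDED_PROTO", scheme)

        # Never redirect to an arbitrary Host header value (open redirect).
        host = environ.get("HTTP_HOST", "").split(":")[0].lower()
        if host not in allowed:
            host = canonical

        if scheme != "https":
            target = "https://" + host + quote(environ.get("PATH_INFO") or "/")
            query = environ.get("QUERY_STRING", "")
            if query:
                target += "?" + query
            start_response("301 Moved Permanently",
                           [("Location", target), ("Content-Length", "0")])
            return [b""]

        def hsts_start_response(status, headers, exc_info=None):
            # HSTS is only honoured on HTTPS responses (RFC 6797), so it is
            # added here, on the secure branch, replacing any upstream value.
            headers = [(k, v) for k, v in headers
                       if k.lower() != "strict-transport-security"]
            headers.append(("Strict-Transport-Security",
                            f"max-age={hsts_max_age}; includeSubDomains"))
            return start_response(status, headers, exc_info)

        return app(environ, hsts_start_response)

    return wrapper


def hello_app(environ, start_response):
    """Hypothetical upstream app standing in for a CMS front controller."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"hello over TLS\n"]


def run_request(app, scheme, host, path="/", query=""):
    """Drive a WSGI app with a constructed environ; return (status, headers, body)."""
    environ = {"wsgi.url_scheme": scheme, "HTTP_HOST": host, "PATH_INFO": path,
               "QUERY_STRING": query, "REQUEST_METHOD": "GET"}
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = dict(headers)

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    secured = force_https(hello_app, allowed_hosts=["www.example.test"])
    print(run_request(secured, "http", "www.example.test", "/admin", "a=1"))
    print(run_request(secured, "https", "www.example.test", "/admin"))
    print(run_request(secured, "http", "attacker-controlled.example", "/"))
```

Leave `trust_proxy_header` off unless TLS terminates at a proxy that overwrites `X-Forwarded-Proto` on every inbound request; a long `max-age` is what makes HSTS effective, and it is also what makes it painful to roll back, so test on a short value first.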
  9. Seriously, HTTPS
     The S stands for “Secure Connection”
     Screenshots: public hotel wifi, same page, http vs. https
  10. Password Rules
      It’s really simple: minimum of 16 characters. I don’t care which, as long as they’re not the same.
  11. HaveIBeenPwned
      And don’t appear in HaveIBeenPwned. Okay, I care a little bit.
      • Check new passwords against known breaches
      • Block known breached passwords
        • Doesn’t matter if it wasn’t a breach from your site
      • Don’t reuse your passwords
      • Don’t expire passwords
        • No, seriously, don’t expire passwords
        • Unless they’re breached, that is
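The two password slides together describe one acceptance check: at least 16 characters, not just one character repeated (my reading of “as long as they’re not the same”), and not present in a known breach. The block below is an added example for this transcript, not code from the deck or from the SilverStripe modules. It uses the real Pwned Passwords range endpoint (`https://api.pwnedpasswords.com/range/<prefix>`), which only ever receives the first five hex characters of the SHA-1, so the password itself never leaves your server; for running offline it also ships a constructed stand-in response (`SAMPLE_RANGES`, `offline_lookup`), in which the first suffix is the genuine SHA-1 tail of “password” while the count and the other suffixes are made up.

```python
"""Password acceptance check with a k-anonymity breach lookup (added example)."""
import hashlib
import urllib.request

MIN_LENGTH = 16  # the slide's rule: at least 16 characters


def hibp_lookup(prefix):
    """Fetch the Pwned Passwords range for a 5-hex-char SHA-1 prefix.
    Only the prefix is sent; the response lists suffixes seen in breaches."""
    url = "https://api.pwnedpasswords.com/range/" + prefix
    with urllib.request.urlopen(url, timeout=5) as resp:
        return resp.read().decode("utf-8")


# Constructed offline stand-in for the range API, keyed by prefix. The first
# suffix is the real SHA-1 tail of "password"; the count and the remaining
# suffixes are invented for this example.
SAMPLE_RANGES = {
    "5BAA6": "\r\n".join([
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493",
        "0A36C8C6F3D4E9B0A1F2E3D4C5B6A7988FF:2",
        "F" * 35 + ":0",   # padding entries with a zero count must not match
    ]),
}


def offline_lookup(prefix):
    return SAMPLE_RANGES.get(prefix, "")


def pwned_count(password, lookup=hibp_lookup):
    """How many times the password appears in known breaches (0 = not seen)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    for line in lookup(prefix).splitlines():
        if not line.strip():
            continue
        tail, _, count = line.partition(":")
        if tail == suffix:
            return int(count)
    return 0


def check_password(password, lookup=hibp_lookup):
    """Return the reasons to reject the password; an empty list means accept."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(set(password)) == 1:
        problems.append("all characters are the same")
    if pwned_count(password, lookup) > 0:
        problems.append("appears in a known breach")
    return problems


if __name__ == "__main__":
    for candidate in ("password", "a" * 20, "correct horse battery staple"):
        print(repr(candidate), "->", check_password(candidate, offline_lookup) or "ok")
```

Run the same check when a user logs in, not only at registration, so a password that leaks after it was set is still caught; that is the “unless they’re breached” exception to never expiring passwords.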
  12. Any MFA implementation is better than none
      MFA: just do it
      • Users will hate you for it
        • Until they see how their CMS account credentials are suddenly used on their banking without them knowing
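“Any MFA implementation is better than none”, and the most common second factor is a TOTP app. The verifier below is an added example for this transcript, not the SilverStripe MFA module the speaker authored; it implements HOTP (RFC 4226) and TOTP (RFC 6238) from the standard library and is checked against the published RFC test vectors (`RFC_SECRET` is the shared secret those RFCs use). The two details that separate a toy from a usable verifier are the one-step drift window, because phones and servers disagree about the time, and the `last_used_counter` guard, which refuses to accept a code a second time so that an intercepted code cannot be replayed within its window.

```python
"""HOTP/TOTP verifier with drift window and replay protection (added example)."""
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 30
DIGITS = 6


def hotp(secret, counter, digits=DIGITS):
    """RFC 4226: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = ((mac[offset] & 0x7F) << 24 | mac[offset + 1] << 16
            | mac[offset + 2] << 8 | mac[offset + 3])
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, at=None, step=STEP_SECONDS, digits=DIGITS):
    """RFC 6238: HOTP with the counter derived from the Unix time."""
    if at is None:
        at = time.time()
    return hotp(secret, int(at // step), digits)


def verify_totp(secret, submitted, at=None, step=STEP_SECONDS, digits=DIGITS,
                window=1, last_used_counter=None):
    """Accept a code for the current step or +/- `window` steps.

    Counters at or below `last_used_counter` are never accepted again, which
    blocks replay of a code that was already used. Returns the matching
    counter (store it as the new last_used_counter) or None on failure.
    """
    if at is None:
        at = time.time()
    now = int(at // step)
    for delta in range(-window, window + 1):
        counter = now + delta
        if last_used_counter is not None and counter <= last_used_counter:
            continue
        # Constant-time compare so timing does not leak how many digits matched.
        if hmac.compare_digest(hotp(secret, counter, digits), submitted):
            return counter
    return None


# Shared secret from the RFC 4226 / RFC 6238 test vectors (ASCII "1234567890" x2).
RFC_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    print("HOTP counter 0..2:", [hotp(RFC_SECRET, c) for c in range(3)])
    print("TOTP at t=59:", totp(RFC_SECRET, at=59))
    print("verify at t=59:", verify_totp(RFC_SECRET, "287082", at=59))
    print("replay at t=89:", verify_totp(RFC_SECRET, "287082", at=89, last_used_counter=1))
```

Persist the returned counter per user and rate-limit verification attempts; a six-digit code has only a million possibilities, so an unthrottled endpoint undoes the benefit.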
  13. Whitelist sites that can load
      CSP helps prevent unwanted scripts
      • Report-uri.com
      • Allowed JavaScript sources
      • Allowed image sources
      • Allowed CSS sources
      • etc.
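A CSP is just a header assembled from per-resource-type allow-lists plus somewhere to send violation reports, which is what the slide’s bullets enumerate. The block below is an added example for this transcript, not code from the deck: it builds the header from a dictionary of sources, flags the source values that quietly undo script control (`'unsafe-inline'`, `'unsafe-eval'`, bare schemes and `*`), and parses the JSON body a browser POSTs to the report endpoint. The CDN host, the report-uri.com address and `SAMPLE_REPORT` are constructed placeholders; the report field names (`csp-report`, `document-uri`, `blocked-uri`, `effective-directive`, `violated-directive`) are the standard ones.

```python
"""Build, audit and triage a Content-Security-Policy (added example)."""
import json


def build_csp(directives, report_uri=None):
    """directives: {"script-src": ["'self'", "https://cdn.example"], ...}.

    Without default-src, any fetch directive you forgot to list allows
    everything, so a 'self' default is added when the caller omits one.
    """
    parts = []
    if "default-src" not in directives:
        parts.append("default-src 'self'")
    for name, sources in directives.items():
        parts.append(name + " " + " ".join(sources))
    if report_uri:
        parts.append("report-uri " + report_uri)
    return "; ".join(parts)


# Source expressions that make a script/object policy easy to bypass.
WEAK_SOURCES = ("'unsafe-inline'", "'unsafe-eval'", "*", "data:", "http:", "https:")
AUDITED_DIRECTIVES = ("default-src", "script-src", "object-src")


def audit_csp(header):
    """Return [(directive, source), ...] for weak sources in the directives
    that govern script execution."""
    findings = []
    for directive in header.split(";"):
        tokens = directive.split()
        if not tokens:
            continue
        name, sources = tokens[0], tokens[1:]
        if name in AUDITED_DIRECTIVES:
            findings.extend((name, src) for src in sources if src in WEAK_SOURCES)
    return findings


def summarize_report(body):
    """Pull the fields a triager looks at first out of a CSP report POST body."""
    report = json.loads(body)["csp-report"]
    return {
        "page": report.get("document-uri"),
        "directive": report.get("effective-directive") or report.get("violated-directive"),
        "blocked": report.get("blocked-uri"),
    }


# Constructed violation report, shaped like what a browser sends to the
# report-uri endpoint when the policy blocks a third-party script.
SAMPLE_REPORT = json.dumps({"csp-report": {
    "document-uri": "https://www.example.test/admin",
    "violated-directive": "script-src 'self' https://cdn.example",
    "effective-directive": "script-src",
    "blocked-uri": "https://third-party.example/tracker.js",
    "status-code": 200,
}})

if __name__ == "__main__":
    policy = build_csp(
        {"script-src": ["'self'", "https://cdn.example"],
         "img-src": ["'self'", "data:"],
         "style-src": ["'self'"]},
        report_uri="https://example.report-uri.com/r/d/csp/enforce",  # placeholder
    )
    print(policy)
    print("weak:", audit_csp(policy))
    print("weak:", audit_csp("script-src 'self' 'unsafe-inline'; default-src *"))
    print(summarize_report(SAMPLE_REPORT))
```

Start with `Content-Security-Policy-Report-Only` and the same header value: nothing is blocked, but the reports tell you which legitimate sources the allow-lists still miss before you switch to enforcement.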
  14. Who to follow
      Twitter
      • @Firesphere (that’s me!)
      • @troyhunt (Troy Hunt)
      • @scott_helme (Scott Helme)
      • @j_opdenakker (John Opdenakker)
      • @SilverStripe (You know, that company)
      • @DefuseSec (Taylor Hornby)
      • @roaveteam (Roave)