Security for Ruby/Rails Developers

Transcript

1. Ruby/Rails  Security  

2. None

3. Sources:  h+ps://haveibeenpwned.com/PwnedWebsites                

                    h+p://betanews.com/2014/12/17/the-­‐top-­‐10-­‐worst-­‐security-­‐breaches-­‐of-­‐2014/  
4. None

5. Adobe   Poor  EncrypDon   Sony   SQL  InjecDon  +

    OnSite  Breach  /  Stolen   CredenDals   Dominos   Weak  MD5  password  Hashing   Snapchat   Brute  force  enumeraDon  of  phone  numbers   Yahoo   SQL  InjecDon   Target     Stolen  HVAC  credenDals  &  pivoted  into  POS   system   eBay   Stolen  employee  credenDals   Ashley   Madison   Internal  data  dump   Source:  h+p://krebsonsecurity.com/2014/02/target-­‐hackers-­‐broke-­‐in-­‐via-­‐hvac-­‐company/                                h+p://www.businessinsider.com/how-­‐the-­‐hackers-­‐broke-­‐into-­‐sony-­‐2014-­‐12  

6. Gavin  Miller     @gavingmiller   gavinmiller.io  

7. Cisco   Advanced  Malware  Protec>on  (AMP)   [we're  also  hiring

    Sr.  Rails  devs]  

8. Goals   Could  my  business/project  be     breached  like

    that?     Glimpse  into  how  hackers  operate     Pee  your  pants  a  li;le   Scare  you  a  =ny  bit  

9.  Beginner/Intermediate  Security   •  A;acks:     – SQL  Injec=on,  Timing

    A;acks   •  Tools:   – sqlmap,  Shodan   •  Preven=on:   – Brakeman,  CVES,  Process  

10. SQL  Injec>on    

11. SQL  Injec>on  

12. Demo  

13. None

14. Source:  h*p://www.troyhunt.com/2015/09/good-­‐news-­‐your-­‐credit-­‐card-­‐is-­‐fine-­‐and.html  

15. Quiz  Time  

16. Timing  AIacks   •  Work  by  exploi=ng  early-­‐exits  in  

    comparison  algorithms  
17. None
18. None
19. None
20. None
21. None

22. Exploitable?   Ruby  comparison  takes  0.840ns/byte   (effec=vely  per  character)

        Can  measure  a  30μs  difference  over  the   internet   Which  means  you  can't  exploit  a  =ming  a;ack   over  the  internet  …  (in  Ruby)     Source:  h+ps://www.youtube.com/watch?v=idjDiBtu93Y  

23. Exploitable!   So  get  closer…   EC2  to  EC2  can

     measure  a  15-­‐400ns   difference.   Bingo!       Source:  h+ps://www.youtube.com/watch?v=idjDiBtu93Y  

24. How?   Source:  h+ps://www.youtube.com/watch?v=idjDiBtu93Y  

25. How?   Source:  h+ps://www.youtube.com/watch?v=idjDiBtu93Y   Normal  Histogram   Vulnerable  Histogram

     
26. None

27. Preven>on  

28. Copy-­‐Paste  Coding  

29. Process   "Put  someone  on  your  team  in  charge  of

     tracking  your   dependencies  (C  libraries,  Ruby  gems,  Python   easy_install  thingies)  and  have  a  process  by  which  you   periodically  check  to  make  sure  you’re  capturing   upstream  security  fixes.     You  should  run  your  service  aware  of  the  fact  that   major  vulnerabili=es  in  third-­‐party  library  code  are   oden  fixed  without  fanfare  or  advisories;  when   maintainers  don’t  know  exactly  who’s  affected  how,   the  whole  announcement  might  happen  in  a  git   commit."                -­‐  tptacek  (Thomas  Ptacek)              h;ps:/ /news.ycombinator.com/item?id=3940286  

30. Mailing  Lists  &  CVEs   •  Ruby  Security  List  

    –  h;ps:/ /groups.google.com/forum/#!forum/ruby-­‐security-­‐ann   •  Rails  Security  List   –  h;ps:/ /groups.google.com/forum/?fromgroups#!forum/ rubyonrails-­‐security   •  CVE  Databases   –  h;ps:/ /www.cvedetails.com/  
31. None

32. 2013  Rails  YAML  CVE  

33. /security  

34. /security  

35. bundle  outdated  

36. bundle-­‐audit  check  

37. Brakeman  

38. Brakeman  

39. Thanks  :)     Make  good  decisions