Fundamental JS Security - Bandung JS

Transcript

1. Fundamental JS Security

2. Hello! Saya Yahya F. Al Fatih 15 years experience in

   IT security 10 years as web developer Wawadukan community CTO at Crowde 2

3. 3 Security (?)

4. 4 2017

5. 5

6. 6

7. 1001 alasan mereka melakukan hacking 7 - Sebuah tantangan -

   Forge Knowledge - Server Baru - Showoff (?) - Diputusin mantan - Kepo mantan - Dendam sama dosen - Pengen internet gratis - Greedy cryptocurrency - miner - Bitcoin - dsb

8. 8

9. “ Hack + JS ? Why not 9

10. Hack JS - BeeF JS - Keylogger JS - Coinhive

    JS - Rowhammer JS - LOIC JS - XSS’OR JS 10

11. BeeF JS 11 Keylogger JS http://beefproject.com/ https://github.com/beefproject/beef https://www.rapid7.com/db/modules/auxiliary/server/capture/http_javascript_keylogger https://github.com/JohnHoder/Javascript-Keylogger

12. Coinhive JS 12 Rowhammer JS

13. LOIC JS 13 XSS’OR JS

14. 14 To Understand About Robbery, Let’s Think Like a Thief

15. 15

16. 16 Target Alternate Target Fingerprint Vuln Scanning Injection Backdoor

17. Sebagai Developer Kita mampu menyelesaikan bug, dengan menambal bug dengan

    bug lain :D 17

18. “ Sebagai Developer harus menghilangkan pikiran primitif tentang cybersecurity 18

19. 19 Security Motte and Bailey

20. 20

21. 21

22. 22

23. 23

24. 24

25. 25

26. 26

27. 27

28. 28 Escaping Dark age Security

29. 29 What we need in cyber security is not a

    firewall, not a motte and palisade to keep our bailey inviolate, but an immune system

30. 30 Immune System =/= Secure System Immune System = Well

    Maintained System

31. “ Bagaimana dengan apps mu ? 31

32. 32

33. 33 2 apps flaw that hackers love to abuse yes,

    hackers sexually attracted to your vulnerable app

34. - Man in the middle attack - XSS, CSRF, JS

    Based - Server Side (SQL Injection, dll) - Fraud (phising account, enumeration attack) - Denial of Service Risk facing Web Developer 34

35. 35 1. Vulnerable Packages

36. “ Most of your Apps Vulnerabilities Come from npm 36

    > 375,000 packages > 70,000 publisher > ~14% of npm packages carry known vulnerabilities

37. “ 37

38. “ Do you have any solution ? :( 38 >

    Dependencies Vulnerability scanner > re-check for every new feature is pushed > Manually Check Exploit database > patch~ > update~

39. 39 2. Vulnerable Code

40. 40 SQL Injection

41. “ 41 What should I do with my code ?

    :( > Security Guide for Developer https://github.com/k1m0ch1/secguide

42. 42 Cara aman menyimpan secret key ke dalam aplikasi adalah

    dengan cara tidak menyimpan secret key ke dalam aplikasi

43. “ Kapan Menggunakan HTTPS ? AKA Secure HTTP 43

44. “ ALWAYS! Every Site, Every Request 44

45. “ Content Manipulation 45

46. 46

47. 47

48. - Cloudflare - Lets Encrypt HTTPS Free!!! 48

49. “ PASSWORD 49

50. 6 reason password rules are bullshit - can’t remember -

    Special F#C@ING char - Special word - Too long - Expired password - CAN’T REMEMBER 50

51. “ 51

52. - Do not set arbitary length limit (NIST standar is

    256 character) - Never prohibit any special character - Allow paste and password manager - Always [salted] hash. Never store password using 2 way encryption - Offer two-factor authentication Handling Password 52

53. “ People cannot create strong, unique password accross all their

    service using only their brain to remember 53

54. - Jangan menggunakan password yang kadaluarsa - Jangan pake rule

    aneh aneh - Jangan pake password hint New NIST Recommendation 54

55. - haveibeenpwned.com Password DUMP 55

56. 56 2018(?)

57. Apakah Machine Learning dan A.I. akan memecahkan semua Masalah ?

    57

58. 58 Long Story Short Secure isn’t about perfect, but it’s

    something

59. 59 Thanks! Any questions? Find me at [email protected] and k1m0ch1.github.io

    Credit Presentation Simon Sturmer - How to Integrate Information Security into your Software Development Life Cycle