Security Best Practice

Transcript

1. Security Best Practice

2. Hello! Saya Yahya F. Al Fatih 7 years experience in

   bank infrastructure pentest 5 years experience in government infrastructure pentest Wawadukan community Security Researcher at ID SIRTII Development Operation at Crowde 2

3. 3 Security (?)

4. 4

5. - Security itu Sulit - Tech Proffesional sulit memahaminya -

   Terlalu banyak informasi yang memusingkan - The tools we have are broken Masalah 5

6. 6 Security Motte and Bailey

7. 7

8. 8

9. 9

10. 10

11. 11

12. 12

13. 13

14. 14

15. 15 Escaping Dark age Security

16. 16 What we need in cyber security is not a

    firewall, not a motte and palisade to keep our bailey inviolate, but an immune system

17. 17 Immune System =/= Secure System Immune System = Well

    Maintained System

18. A real thing happened in the world 18

19. 19

20. Hacker Best Practice The Awesome of people currency!!!!! 20

21. - Forge Knowledge - Server Baru - Showoff (?) Sebuah

    tantangan untuk para hacker 21

22. 22

23. 23 Target Alternate Target Fingerprint Vuln Scanning Injection Backdoor

24. Tools Target Scanning - Subdomain scanner - Data Leak dork

    24

25. Fingerprint - NMAP - Dirsearch - Manually 25

26. Vuln Scanning - GoogleDork - Acunetix Vuln Scanner - Metasploit

    (scanner) - Manually 26

27. Injection - SQLmap - Exploitdb - Metasploit (Injection) 27

28. Backdoor - Backconnect - C99 28

29. Developer Guide The Awesome of people currency!!!!! 29

30. Sebagai Developer Kita mampu menyelesaikan masalah, dengan menambal masalah dengan

    masalah lain :D 30

31. 31

32. Penyebab Vulnerability - Heartbleed (?) - WannaCry (?) - BlueBorne

    (?) - Experian (?) - Bejibun bug 32

33. - Buffer Overflow dan memory safety issue - Broken and

    unpatched software - Programmer mistake Hal hal yang membuat developer pusing 33

34. Patch your bug 34

35. 35

36. - OS and driver patch - Server Software (apache, mysql,

    dll) - Run times (PHP, Ruby, dll) - Tooling ( Curl, IDE ) - Libraries (Rail, react, django) - semuanya Make a policy about update 36

37. 37 Cara aman menyimpan secret key ke dalam aplikasi adalah

    dengan cara tidak menyimpan secret key ke dalam aplikasi

38. - Man in the middle attack - XSS, CSRF, JS

    Based - Server Side (SQL Injection, dll) - Fraud (phising account, enumeration attack) - Denial of Service Risk facing Web Developer 38

39. 39

40. “ Kapan Menggunakan HTTPS ? AKA Secure HTTP 40

41. “ ALWAYS! Every Site, Every Request 41

42. “ Content Manipulation 42

43. 43

44. 44

45. - Cloudflare - Lets Encrypt HTTPS Free!!! 45

46. “ PASSWORD 46

47. “ 47

48. - Do not set arbitary length limit (NIST standar is

    256 character) - Never prohibit any special character - Allow paste and password manager - Always [salted] hash. Never store password using 2 way encryption - Offer two-factor authentication Handling Password 48

49. “ People cannot create strong, unique password accross all their

    service using only their brain to remember 49

50. - Jangan menggunakan password yang kadaluarsa - Jangan pake rule

    aneh aneh - Jangan pake password hint New NIST Recommendation 50

51. - haveibeenpwned.com Password DUMP 51

52. Sysadmin Guide (Infrastructure) The Awesome of people currency!!!!! 52

53. - Security Header - Default Configuration - Kernel - Permission

    - Firewall/ IDS/ IPS Guide 53

54. Personal Guide The Awesome of people currency!!!!! 54

55. - Password - Software yang dipakai - Update/ Patch -

    haveibeenpwned.com Guide 55

56. Apakah Machine Learning dan A.I. akan memecahkan semua Masalah ?

    56

57. 57 Long Story Short Secure isn’t about perfect, but it’s

    something

58. 58 LINK CHECKLIST https://github.com/sbilly/awesome-security https://github.com/OWASP/DevGuide/tree/master/01-Foundatio ns https://github.com/FallibleInc/security-guide-for-developers https://github.com/FallibleInc/security-guide-for-developers/blob/ master/security-checklist.md

59. 59 Thanks! Any questions? Find me at [email protected] and k1m0ch1.github.io

    Credit Presentation Simon Sturmer - How to Integrate Information Security into your Software Development Life Cycle