
Secure Your Application


Ngalam Backend Community

November 25, 2019


Transcript

  1. Bukalapak. 1 in 3 of newly scanned applications had SQL injections over the past 5 years (source given on the slide: Cisco).
  2. Bukalapak. Simple architecture (diagram): consumers (website, mobile apps, IoT devices) call an API gateway, which fronts the backend microservices (Microservice A, Microservice B), each with its own DB on a DB server.
  3. Bukalapak. Code: 01 Input validation & sanitizing, 02 Code analysis, 03 Fuzz testing.
  4. 01 Validate & sanitize input: `OR 1=1` SQL injections, Cross-Site Scripting (XSS) attacks, Server-Side Request Forgery (SSRF) attacks. Bukalapak: Going Secure or Go Home.
  5. Bukalapak. Validate & sanitize input: SQL injections (http://sqlfiddle.com/#!9/a6c585/125200)

     ```sql
     CREATE TABLE IF NOT EXISTS `docs` (
       `id` int(6) unsigned NOT NULL,
       `rev` int(3) unsigned NOT NULL,
       `content` varchar(200) NOT NULL,
       PRIMARY KEY (`id`,`rev`)
     ) DEFAULT CHARSET=utf8;

     INSERT INTO `docs` (`id`, `rev`, `content`) VALUES
       ('1', '1', 'The earth is flat'),
       ('2', '1', 'One hundred angels can dance on the head of a pin'),
       ('1', '2', 'The earth is flat and rests on a bull\'s horn'),
       ('1', '3', 'The earth is like a ball.');

     -- The injected `OR 1=1` makes the WHERE clause always true, so every row comes back
     SELECT * FROM docs WHERE rev=1 OR 1=1;
     ```
  6. Bukalapak. Validate & sanitize input: SQL injections

     ```go
     package injection

     import (
     	"database/sql"
     	"fmt"
     )

     // Vulnerable: name is formatted straight into the SQL text
     func findUser(db *sql.DB, name string) {
     	query := fmt.Sprintf("SELECT * FROM users WHERE name = '%s'", name)
     	db.Query(query)
     }

     // Safe: name is bound as a parameter and never parsed as SQL
     func findUserSafe(db *sql.DB, name string) {
     	query := "SELECT * FROM users WHERE name = $1"
     	db.Query(query, name)
     }
     ```
  7. Bukalapak. Validate & sanitize input: SQL injections

     ```go
     package injection

     import (
     	"database/sql"
     	"fmt"
     	"strings"
     )

     // Vulnerable: each name is formatted into the VALUES list as SQL text
     func insertUsers(db *sql.DB, names []string) {
     	var values []string
     	for _, name := range names {
     		values = append(values, fmt.Sprintf("('%s')", name))
     	}
     	query := fmt.Sprintf(
     		"INSERT INTO users (name) VALUES %s",
     		strings.Join(values, ","),
     	)
     	db.Query(query)
     }

     func insertUsersSafe(db *sql.DB, names []string) {
     	// How would you write it? ;)
     }
     ```

     The answer shown on the next build of the slide:

     ```go
     func insertUsersSafe(db *sql.DB, names []string) {
     	var values []string
     	for _, name := range names {
     		values = append(values, fmt.Sprintf("('%s')", name))
     	}
     	// The joined list is bound as one parameter, so it can no longer change the
     	// statement; note that `VALUES $1` binds a single string value rather than one
     	// row per name, so this is not a working multi-row insert.
     	query := "INSERT INTO users (name) VALUES $1"
     	db.Query(query, strings.Join(values, ","))
     }
     ```
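One way to answer the slide's question with a statement that both stays parameterized and actually inserts one row per name: generate a `($n)` placeholder for each element and pass the names as bound arguments. This is an added example, not code from the deck or from Bukalapak; it assumes a driver that uses `$n` placeholders (PostgreSQL style, as on the slides), and `buildInsertUsers` is a helper name chosen here.

```go
package main

import (
	"context"
	"database/sql"
	"fmt"
	"strings"
)

// buildInsertUsers builds a multi-row INSERT with one positional placeholder
// per name ($1, $2, ...) and returns the SQL text plus the bound arguments.
// The names never become part of the SQL text, so they cannot alter its structure.
func buildInsertUsers(names []string) (string, []interface{}, error) {
	if len(names) == 0 {
		return "", nil, fmt.Errorf("no names to insert")
	}
	placeholders := make([]string, 0, len(names))
	args := make([]interface{}, 0, len(names))
	for i, name := range names {
		placeholders = append(placeholders, fmt.Sprintf("($%d)", i+1))
		args = append(args, name)
	}
	query := "INSERT INTO users (name) VALUES " + strings.Join(placeholders, ", ")
	return query, args, nil
}

// insertUsersSafe executes the parameterized statement. db is any *sql.DB
// opened with a driver that understands $n placeholders (assumption).
func insertUsersSafe(ctx context.Context, db *sql.DB, names []string) error {
	query, args, err := buildInsertUsers(names)
	if err != nil {
		return err
	}
	_, err = db.ExecContext(ctx, query, args...)
	return err
}

func main() {
	// Constructed input: the second "name" carries the slide's `OR 1=1` payload,
	// which is stored as a plain string because it is bound, not interpolated.
	names := []string{"alice", "bob' OR 1=1 --"}
	query, args, err := buildInsertUsers(names)
	if err != nil {
		panic(err)
	}
	fmt.Println(query)
	fmt.Printf("%q\n", args)
}
```

The placeholder count is derived from the slice length, so the query text is fully determined by the program and the database sees the names only as data; a driver that uses `?` placeholders would need the same loop with `?` instead of `$n`.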
  8. Bukalapak. Mitigating SSRF:
     - Whitelists and DNS resolution
     - Do not reuse the input URL
     - Disable unused URL schemas
     - Authentication on internal services
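The first three mitigations on the slide combined into one check, as an added example that is not part of the deck or of Bukalapak's code: the destination host must be on an allowlist with an explicit scheme per host, every address the host resolves to must be a public one, and the outbound URL is rebuilt from the validated parts instead of reusing the input. The allowlist contents and the `Resolver` type are assumptions made here so the lookup can be replaced in tests.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/url"
	"strings"
)

// Resolver abstracts DNS lookup: net.LookupIP in production, a fixed table in tests.
type Resolver func(host string) ([]net.IP, error)

// allowedHosts maps each permitted destination to the schemes it may be reached with.
// Constructed example data; unused schemes (file, gopher, ...) are simply absent.
var allowedHosts = map[string][]string{
	"api.partner.example": {"https"},
}

// isPublicIP rejects loopback, private, link-local, multicast and unspecified
// addresses so a DNS name pointing into the internal network is refused.
func isPublicIP(ip net.IP) bool {
	return !(ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast() ||
		ip.IsLinkLocalMulticast() || ip.IsMulticast() || ip.IsUnspecified())
}

// SafeOutboundURL validates a user-supplied URL against the allowlist, checks
// every resolved address, and returns a URL rebuilt from the validated parts.
func SafeOutboundURL(raw string, resolve Resolver) (string, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return "", fmt.Errorf("parse: %w", err)
	}
	host := strings.ToLower(u.Hostname())
	schemes, ok := allowedHosts[host]
	if !ok {
		return "", fmt.Errorf("host %q not in allowlist", host)
	}
	schemeOK := false
	for _, s := range schemes {
		if s == u.Scheme {
			schemeOK = true
		}
	}
	if !schemeOK {
		return "", fmt.Errorf("scheme %q not allowed for %q", u.Scheme, host)
	}
	// Embedded credentials and non-default ports are not part of any allowed entry.
	if u.User != nil || u.Port() != "" {
		return "", errors.New("credentials or explicit port not allowed")
	}
	ips, err := resolve(host)
	if err != nil || len(ips) == 0 {
		return "", fmt.Errorf("resolve %q: %v", host, err)
	}
	for _, ip := range ips {
		if !isPublicIP(ip) {
			return "", fmt.Errorf("host %q resolves to non-public address %s", host, ip)
		}
	}
	// Rebuild rather than reuse: only scheme, host, path and query survive.
	clean := url.URL{Scheme: u.Scheme, Host: host, Path: u.Path, RawPath: u.RawPath, RawQuery: u.RawQuery}
	return clean.String(), nil
}

func main() {
	got, err := SafeOutboundURL("https://API.partner.example/v1/items?id=7", net.LookupIP)
	fmt.Println(got, err)
}
```

Checking the resolved addresses here and then letting the HTTP client resolve the name again leaves a window in which the answer can change; a production version would also pin the checked address by dialing it directly through a custom `net.Dialer` and would keep the allowlist in configuration rather than in a package variable.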
  9. Bukalapak. 02 Code analysis. Linters: golangci-lint, js-lint, etc. Security checks: gosec, Brakeman, SonarQube, npm audit, bandit.
  10. Bukalapak. Brakeman output (report truncated on the slide):

      ```json
      {
        "warnings": [
          {
            "warning_type": "Remote Code Execution",
            "warning_code": 24,
            "fingerprint": "96a9c33f611f9edcad02be7098eeea100d84418d1e6fd774460d3a3f341bd065",
            "check_name": "UnsafeReflection",
            "message": "Unsafe reflection method `safe_constantize` called with parameter value",
            "file": "app/controllers/exclusive/toggle_features_controller.rb",
            "line": 9,
            "link": "https://brakemanscanner.org/docs/warning_types/remote_code_execution/",
            "code": "params[:feature].camelize.safe_constantize",
            "render_path": null,
            "location": {
              "type": "method",
              "class": "ToggleFeaturesController",
              "method": null
            },
            "user_input": "params[:feature].camelize",
            "confidence": "High"
          },
        ],
        "ignored_warnings": [],
        "errors": [],
      ```
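Scanner output like the Brakeman report above is only useful if something acts on it, so here is an added example (not from the deck or from Bukalapak) of a small CI gate that parses the report and returns the warnings that should fail the build. It reads only the fields shown on the slide; the confidence ranking (`Weak` < `Medium` < `High`) matches Brakeman's levels, and the sample report embedded below is constructed for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// brakemanWarning holds the subset of a Brakeman warning a CI gate cares about.
type brakemanWarning struct {
	WarningType string `json:"warning_type"`
	CheckName   string `json:"check_name"`
	File        string `json:"file"`
	Line        int    `json:"line"`
	Confidence  string `json:"confidence"`
	Message     string `json:"message"`
}

// brakemanReport mirrors the top-level keys of the JSON report.
type brakemanReport struct {
	Warnings []brakemanWarning `json:"warnings"`
	Errors   []json.RawMessage `json:"errors"`
}

// confidenceRank orders Brakeman's confidence levels so they can be compared.
var confidenceRank = map[string]int{"Weak": 1, "Medium": 2, "High": 3}

// Gate parses a Brakeman JSON report and returns every warning at or above
// minConfidence. It returns an error if the report is malformed, if Brakeman
// itself reported errors (a scan that did not complete must not pass), or if
// minConfidence is not a known level.
func Gate(report []byte, minConfidence string) ([]brakemanWarning, error) {
	min, ok := confidenceRank[minConfidence]
	if !ok {
		return nil, fmt.Errorf("unknown confidence level %q", minConfidence)
	}
	var r brakemanReport
	if err := json.Unmarshal(report, &r); err != nil {
		return nil, fmt.Errorf("parse report: %w", err)
	}
	if len(r.Errors) > 0 {
		return nil, fmt.Errorf("brakeman reported %d scan errors", len(r.Errors))
	}
	var blocking []brakemanWarning
	for _, w := range r.Warnings {
		if confidenceRank[w.Confidence] >= min {
			blocking = append(blocking, w)
		}
	}
	return blocking, nil
}

// sampleReport is a constructed report in the same shape as the slide's output.
const sampleReport = `{
  "warnings": [
    {"warning_type": "Remote Code Execution", "warning_code": 24, "check_name": "UnsafeReflection",
     "message": "Unsafe reflection method called with parameter value",
     "file": "app/controllers/example_controller.rb", "line": 9, "confidence": "High"},
    {"warning_type": "Mass Assignment", "warning_code": 70, "check_name": "ModelAttrAccessible",
     "message": "Potentially dangerous attribute available for mass assignment",
     "file": "app/models/example.rb", "line": 3, "confidence": "Weak"}
  ],
  "ignored_warnings": [],
  "errors": []
}`

func main() {
	blocking, err := Gate([]byte(sampleReport), "Medium")
	if err != nil {
		panic(err)
	}
	for _, w := range blocking {
		fmt.Printf("%s:%d %s (%s) - %s\n", w.File, w.Line, w.WarningType, w.Confidence, w.Message)
	}
}
```

Running Brakeman with `-f json` and piping the file into `Gate` is the usual wiring; the threshold is a parameter so a team can start at `High` and lower it as the backlog shrinks.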
  11. Bukalapak. Dependency checklist:
      - Control your dependency tree
      - Add dependencies consciously
      - Continuously verify the dependencies
      - Always have a reproducible build
      - Upgrade dependencies frequently
  12. Bukalapak. Summary: 01. Improve your security awareness, 02. Sanitize, 03. Code analysis, 04. Fuzz test. To be continued...