Slide 1

Slide 1 text

First steps into security engineering
PyCaribbean 2019 / Santo Domingo, 2019-02-16
Christian Heimes, Principal Software Engineer
[email protected] / [email protected]
@ChristianHeimes

Slide 2

Slide 2 text

First steps into security engineering, PyCaribbean 2019 @ChristianHeimes 2
Who am I?
● from Hamburg/Germany
● Python and C developer
● Python core contributor since 2008
● maintainer of ssl and hashlib module
● Python security team

Slide 3

Slide 3 text

Professional life
● Principal Software Engineer at Red Hat
● Security Engineering
● FreeIPA Identity Management
● Dogtag PKI

Slide 4

Slide 4 text


Slide 5

Slide 5 text

Dane Hillard
https://twitter.com/easyaspython/status/1096749245275820037

Slide 6

Slide 6 text

Agenda & Goals

Slide 7

Slide 7 text

Disclaimer
This talk is
● opinionated
● subjective
● biased
● incomplete
● edutainment

Slide 8

Slide 8 text

1. think
2. learn

Slide 9

Slide 9 text


Slide 10

Slide 10 text

Motivation
Why should you care?

Slide 11

Slide 11 text

https://www.cnet.com/news/verizon-and-yahoo-agree-to-cut-4-billion-deal-by-350-million/
https://www.theguardian.com/technology/2016/dec/14/yahoo-hack-security-of-one-billion-accounts-breached

Slide 12

Slide 12 text

https://www.theguardian.com/technology/2017/aug/31/hacking-risk-recall-pacemakers-patient-death-fears-fda-firmware-update

Slide 13

Slide 13 text

Propositions & Statements

Slide 14

Slide 14 text

Security is a feature. Security is a selling point.

Slide 15

Slide 15 text

Attackers just need one vulnerability, defenders need to be perfect.

Slide 16

Slide 16 text

Users don't care about security. They are ignorant, disregardful, and responsible for security incidents.

Slide 17

Slide 17 text

?

Slide 18

Slide 18 text

wrong, dangerous, arrogant
(I used to think like that.)

Slide 19

Slide 19 text

We fight for the users! (Tron)

Slide 20

Slide 20 text

0. attitude
1. think
2. learn

Slide 21

Slide 21 text

Security is not a feature

Slide 22

Slide 22 text

“Our cars are less likely to explode than competing products.”

Slide 23

Slide 23 text


Slide 24

Slide 24 text


Slide 25

Slide 25 text

Security is not dichotomic.

Slide 26

Slide 26 text

Alex Gaynor
The worst truism in information security
Attackers just need one vulnerability, defenders need to be perfect
https://alexgaynor.net/2018/jul/20/worst-truism-in-infosec/

Slide 27

Slide 27 text

But what about the exploding cars?

Slide 28

Slide 28 text

“unbreakable” encryption
absolute security

Slide 29

Slide 29 text

threat model
cost–benefit analysis
documentation

Slide 30

Slide 30 text

Threat Model: biometrics
The Photographer [CC BY-SA 3.0 (https://creativecommons.org/licenses/by-sa/3.0) or GFDL (http://www.gnu.org/copyleft/fdl.html)], from Wikimedia Commons

Slide 31

Slide 31 text

Cost – Benefit

Slide 32

Slide 32 text

Mitigation: Defense in depth

Slide 33

Slide 33 text


Slide 34

Slide 34 text


Slide 35

Slide 35 text


Slide 36

Slide 36 text

https://www.independent.co.uk/travel/news-and-advice/air-safety-2017-best-year-safest-airline-passengers-worldwide-to70-civil-aviation-review-a8130796.html

Slide 37

Slide 37 text

Amazon Says One Engineer's Simple Mistake Brought the Internet Down (2017-02-28)

Slide 38

Slide 38 text

Please mind the user between the chair and the keyboard

Slide 39

Slide 39 text

Arz [CC BY-SA 3.0 (http://creativecommons.org/licenses/by-sa/3.0/)], from Wikimedia Commons

Slide 40

Slide 40 text

So Long, And No Thanks for the Externalities: The Rational Rejection of Security Advice by Users
Cormac Herley, Microsoft Research

Slide 41

Slide 41 text

Human factor
● Social engineering
● CEO scam: Ubiquiti Networks victim of $39 million
  https://www.csoonline.com/article/2961066/supply-chain-security/ubiquiti-networks-victim-of-39-million-social-engineering-attack.html
● Password in exchange for chocolate (up to 47.9%)
  Université du Luxembourg, Computers in Human Behavior, 2016; 61: 372, DOI: 10.1016/j.chb.2016.03.026
● dissatisfied employees
● ignorant management

Slide 42

Slide 42 text


Slide 43

Slide 43 text

Your grandmother has installed Flash.

Slide 44

Slide 44 text

User Interface
Lion Air Flight 610: Pilots fought automatic safety system before plane plunged

Slide 45

Slide 45 text


Slide 46

Slide 46 text

Challenger / Chernobyl

Slide 47

Slide 47 text

0. attitude
1. think
2. learn

Slide 48

Slide 48 text

Professionally paranoid

Slide 49

Slide 49 text

be creative & learn from the past

Slide 50

Slide 50 text

Consider leaky abstraction layers

Slide 51

Slide 51 text

Example: Memory safety

Slide 52

Slide 52 text

Hardware security
RSA Key Extraction via Acoustic Cryptanalysis
https://www.tau.ac.il/~tromer/acoustic/

Slide 53

Slide 53 text

Physical security against intru-deers
https://twitter.com/DCFurs/status/1087663240421593089

Slide 54

Slide 54 text

cybersquirrel1.com – attacks on power grid
http://cybersquirrel1.com/

Slide 55

Slide 55 text

Ethics and responsibility

Slide 56

Slide 56 text

0. attitude
1. think
2. learn

Slide 57

Slide 57 text

I know that I know nothing (Socratic paradox)

Slide 58

Slide 58 text

Skill #1: Communication

Slide 59

Slide 59 text

Stop reading, start doing!
Parisa Tabriz, So, you want to work in security?
https://medium.freecodecamp.org/so-you-want-to-work-in-security-bc6c10157d23

Slide 60

Slide 60 text

Available for free: https://www.cl.cam.ac.uk/~rja14/book.html

Slide 61

Slide 61 text

Human Computer Interaction
UI / UX

Slide 62

Slide 62 text

“Soft” skills
● team work / team diversity
● locate and evaluate information
● law / legal affairs
● business
● ethics & compliance
● rhetoric
● read and write documentation

Slide 63

Slide 63 text

Social Engineering
● The Social Engineering Framework, https://www.social-engineer.org/framework/
● Social Engineering: The Art of Human Hacking, Christopher Hadnagy (2010)
● The Art of Deception, Kevin D. Mitnick (2003)

Slide 64

Slide 64 text

OpSec / DevOps / Admin

Slide 65

Slide 65 text

Digital self-defense
● secure your hardware
● disk encryption
● privacy
● ad-blocker
● email provider
● good passwords / 2FA
● update, update, update!
https://freedom.press/training/

Slide 66

Slide 66 text

Operating Systems
● man pages
● Advanced Programming in the UNIX Environment, Stevens / Rago (2013)

Slide 67

Slide 67 text

Computer networks and system tools
● IPv4, IPv6, routing, TCP, UDP, DNS, firewall
● auditing, logging
● SELinux
● analysis and pentesting tools
  ● wireshark
  ● nmap
  ● metasploit
  ● IDA Interactive Disassembler

Slide 68

Slide 68 text

Software

Slide 69

Slide 69 text

General Resources
● OWASP: Open Web Application Security Project
● CWE: Common Weakness Enumeration
● CVE: Common Vulnerabilities and Exposures
● IETF RFCs

Slide 70

Slide 70 text

Top 10 bugs
● injection attacks (SQL, LDAP, JSON, XQuery, XPath, ...)
● broken authentication and access control
● Cross-Site Scripting (XSS)
● XML entities
● Insecure Deserialization (images, docs, ASN.1)

Slide 71

Slide 71 text

Unicode

>>> import unicodedata
# homograph / homoglyphic confusion attack
>>> unicodedata.name('Руthοn'[0])
'CYRILLIC CAPITAL LETTER ER'
# persistent XSS with wide unicode normalization
>>> wide = '＜script＞'
>>> safe = wide.replace('<', '&lt;')  # quote
>>> unicodedata.name(safe[0])
'FULLWIDTH LESS-THAN SIGN'
>>> unicodedata.normalize('NFKD', safe)
'<script>'
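The two Unicode pitfalls on this slide (escaping before normalizing, and mixed-script homoglyphs) worked through as an added Python example; this is not code from the talk, and the sample strings and function names are my own:

```python
import html
import unicodedata

# Constructed sample inputs (not taken from the slides): "<script>" written with
# fullwidth angle brackets, and "Python" spelled with a Cyrillic Er, a Cyrillic
# small u and a Greek omicron standing in for the Latin letters.
WIDE_SCRIPT = "\uff1cscript\uff1e"          # ＜script＞
HOMOGLYPH_PYTHON = "\u0420\u0443th\u03bfn"  # renders like "Python"


def escape_then_normalize(text):
    """The order from the slide: escape first, normalize later (the bug).

    html.escape only rewrites the ASCII '<' and '>', so the fullwidth forms
    pass through untouched; NFKD then folds U+FF1C into a real '<' after the
    "sanitising" step has already run.
    """
    return unicodedata.normalize("NFKD", html.escape(text, quote=False))


def normalize_then_escape(text):
    """Safe order: canonicalize first, then escape whatever that produced."""
    return html.escape(unicodedata.normalize("NFKD", text), quote=False)


def nfkd_folds(text):
    """True if NFKD normalization changes the text at all."""
    return unicodedata.normalize("NFKD", text) != text


def scripts_in(text):
    """Script names (first word of the Unicode character name, e.g. LATIN,
    CYRILLIC, GREEK) used by the letters of text."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0]
            for ch in text if ch.isalpha()}


def is_mixed_script(text):
    """True when one token mixes letters from several scripts, the usual
    signature of a homoglyph spoof. Normalization does not help here:
    Cyrillic Er has no compatibility mapping to Latin P (see nfkd_folds)."""
    return len(scripts_in(text)) > 1


if __name__ == "__main__":
    print(escape_then_normalize(WIDE_SCRIPT))   # <script>  (tag survived)
    print(normalize_then_escape(WIDE_SCRIPT))   # &lt;script&gt;
    print(nfkd_folds(WIDE_SCRIPT), nfkd_folds(HOMOGLYPH_PYTHON))  # True False
    print(sorted(scripts_in(HOMOGLYPH_PYTHON)))  # ['CYRILLIC', 'GREEK', 'LATIN']
    print(is_mixed_script("Python"), is_mixed_script(HOMOGLYPH_PYTHON))  # False True
```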

Slide 72

Slide 72 text

Programming languages
● C
● Assembly
● eBPF, BPF
● Go
● Java
● JavaScript
● Python
● Rust

Slide 73

Slide 73 text

Cryptography

Slide 74

Slide 74 text

Cryptography
● The Code Book, Simon Singh
● Cryptography Engineering, Ferguson / Schneier / Tadayoshi Kohno
● Serious Cryptography, JP Aumasson

Slide 75

Slide 75 text

Cryptography: free online resources
● Cryptography I, Dan Boneh, https://www.coursera.org/learn/crypto
● The cryptopals crypto challenges, https://cryptopals.com/
● Crypto 101, LvH, https://www.crypto101.io/
● Mathematics of Public Key Cryptography, Steven Galbraith (2012)

Slide 76

Slide 76 text

TLS/SSL, Certificates
● Bulletproof SSL and TLS, Ivan Ristic
● CA/Browser Forum Baseline Requirements, https://cabforum.org/
● Mozilla Server Side TLS, https://wiki.mozilla.org/Security/Server_Side_TLS

Slide 77

Slide 77 text

Passwords / Authentication
● NIST 800-63-3: Digital Identity Guidelines
● OAuth, OpenID Connect
● 2FA (FIDO, WebAuthn)
● Troy Hunt, https://haveibeenpwned.com/

Slide 78

Slide 78 text

Misc

Slide 79

Slide 79 text

News, blogs
● Linux Weekly News, https://lwn.net/
● Troy Hunt, https://www.troyhunt.com/
● Krebs on Security, https://krebsonsecurity.com/
● Bruce Schneier, https://www.schneier.com/
● Bulletproof TLS Newsletter, https://www.feistyduck.com/bulletproof-tls-newsletter/

Slide 80

Slide 80 text

Conference videos
● Chaos Communication Conference (e.g. 35C3)
● Black Hat
● DEFCON
● Real World Crypto

Slide 81

Slide 81 text

Security people
● Adam Langley
● Alex Gaynor
● Brian Krebs (Krebs On Security)
● Bruce Schneier
● Dan Bernstein (djb)
● Frank Denis
● Hanno Böck
● JP Aumasson
● Katie Moussouris
● Matt Blaze
● Matthew Green
● Nick Sullivan
● Parisa Tabriz
● Ryan Sleevi
● Tanja Lange
● Tavis Ormandy
● Thomas Ptacek
● Tony Arcieri
● Troy Hunt

Slide 82

Slide 82 text

Summary

Slide 83

Slide 83 text

Summary
● Mind the user
● Keep learning
● Get experience
Write your own crypto (don't use it in production)
Please send your suggestions: [email protected] / @ChristianHeimes

Slide 84

Slide 84 text

THANK YOU
plus.google.com/+RedHat
youtube.com/user/RedHatVideos
facebook.com/redhatinc
twitter.com/RedHat
linkedin.com/company/red-hat