Slide 1

Rosa Fox and Jenny Duckett, Government Digital Service (@rosaemerald, @jenny_duckett)

Slide 2

Welcome!

Slide 3

What do we mean by security on the web?

Slide 4

We aren’t security experts

Slide 5

Web security is a huge topic

Slide 6

...but understanding some general principles really helps

Slide 7

Don’t trust user input

Slide 8

Tools can help, but understand how to use them properly and their limitations

Slide 9

There is one thing you need to know before we begin: Computer Misuse Act 1990

Unauthorised access to computer material can be punishable by imprisonment

Slide 10

Code injection

Slide 11

Getting your code onto someone else’s server and making it run

The code can come from any user input

It can damage anything on the server

Slide 12

Practical exercise! First link at https://speakerdeck.com/jennyd

https://www.codebashing.com/sql_demo

Step 8 email address = [email protected]

Slide 13

SQL injection

'SELECT * FROM data WHERE name=' + 'bobby' + ';'

Slide 14

SQL injection

'SELECT * FROM data WHERE name=' + '1; DROP TABLE users' + ';'
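To show what the two slides above mean in running code, here is an added example that is not part of the deck: the concatenated query beside its parameterised replacement, run against a constructed in-memory SQLite database. The functions `make_db`, `lookup_unsafe`, `lookup_safe` and `table_exists`, and the `INJECTION` input, are all assumptions made for this demo.

```python
import sqlite3

# Constructed input for the demo: the same trick as the slide's
# "1; DROP TABLE users", with a closing quote so it escapes a quoted
# string literal (the shape used in the xkcd strip the deck links to).
INJECTION = "bobby'; DROP TABLE users; --"


def make_db():
    """Build a throwaway in-memory database with constructed sample data."""
    con = sqlite3.connect(":memory:")
    con.executescript(
        "CREATE TABLE data (name TEXT);"
        "INSERT INTO data VALUES ('bobby');"
        "CREATE TABLE users (id INTEGER);"
    )
    return con


def lookup_unsafe(con, name):
    """The pattern on the slide: the query text is built by concatenation,
    so whatever the user typed is parsed as SQL. executescript() stands in
    for a driver that accepts stacked statements; sqlite3's execute() alone
    would refuse the second statement, but many database drivers do not."""
    sql = "SELECT * FROM data WHERE name='" + name + "';"
    con.executescript(sql)
    return sql


def lookup_safe(con, name):
    """The fix: a parameterised query. The value travels separately from the
    SQL text, so it can only ever be compared as data, never run as code."""
    cur = con.execute("SELECT name FROM data WHERE name=?;", (name,))
    return [row[0] for row in cur.fetchall()]


def table_exists(con, table):
    """Inspect the schema so the effect of each lookup can be observed."""
    cur = con.execute(
        "SELECT 1 FROM sqlite_master WHERE type='table' AND name=?;", (table,)
    )
    return cur.fetchone() is not None


if __name__ == "__main__":
    con = make_db()
    print("safe:", lookup_safe(con, INJECTION), "users table:", table_exists(con, "users"))
    print("unsafe:", lookup_unsafe(con, INJECTION), "users table:", table_exists(con, "users"))
```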

Slide 15

https://xkcd.com/327/

Slide 16

Remote code execution using ImageMagick... ImageTragick!

Slide 17

“We had thousands of hits in the first 15 minutes. We were at the top of hacker news, which a lot of people see. We were getting the word out on something tragickally simple to exploit. We'd do it again.” https://imagetragick.com/

Slide 18

Code also runs in browsers

Slide 19

Cookies and Authentication (logging in!)

Slide 20

Cross-site scripting (XSS)

Slide 21

It’s useful to think of this as JavaScript injection

Slide 22

Practical exercise! Second link at https://speakerdeck.com/jennyd

https://cxa.codebashing.com/courses/nodejs/lessons/persistent_stored_xss

Slide 23

What else can you do with XSS?

Slide 24

Two types of XSS:

● persistent (stored)
● reflected

Slide 25

http://example.com/search?query=alert('xss')

Slide 26

Social engineering

Slide 27

People are fallible

Slide 28

Make security that works for people

https://www.ncsc.gov.uk/information/people-strongest-link

Slide 29

https://www.youtube.com/watch?v=bjYhmX_OUQQ

Slide 30

Learn more about web security

Slide 31

OWASP Top 10

Falsehoods developers believe about security

Ruby on Rails security guide

www.hacksplaining.com

Google Gruyere

Slide 32

https://speakerdeck.com/jennyd

https://gdstechnology.blog.gov.uk/

Slide 33

Thanks!