Slide 1

A Beginner's Toolkit for Securing Web Apps
Florencia Herra Vega, CUSEC 2017

Slide 2

who are you anyway?
florencia herra vega, @flohdot
CTO, peerio.com
by alonso lópez

Slide 3

we are the stonemasons of the 21st century… building rickety af cathedrals

Slide 4

security = somebody else’s problem?

Slide 5

psst…… your user might be evil

Slide 6

individual evil

Slide 7

wholesale evil

Slide 8

a common weapons arsenal xss! sql injection! unprotected databases! stolen passwords!

Slide 9

go forth and be concerned

Slide 10

is your infrastructure leaky?

[diagram: web server and database]
web server: "hello I am a web server, I listen on port 80, send me requests"

Slide 11

is your infrastructure leaky?

[diagram: web server and database]
web server: "hello I am a web server, I listen on port 80, send me requests"
database: "hello I am a database server, I listen on port 27017, let my data be FREE!"

Slide 12

is your infrastructure leaky?

[diagram: web server and database, shown twice]
web server: "hello I am a web server, I listen on port 80, send me requests"
database: "hello I am a database server, I listen on port 27017, let my data be FREE!"

Slide 13

is your infrastructure leaky?

> Redis is designed to be accessed by trusted clients inside
> trusted environments. This means that usually it is not a good
> idea to expose the Redis instance directly to the internet or,
> in general, to an environment where untrusted clients can
> directly access the Redis TCP port or UNIX socket.

somewhere in the depths of the documentation…
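One way to check for the leak these slides describe, as an added example that is not part of the talk: the Python script below parses the Linux `ss -tln` listening-socket listing and reports database ports that are bound to every interface rather than to loopback. The port-to-service map, the wildcard-address set and the sample `ss` output are all constructed for this example.

```python
"""Find database listeners bound to all interfaces (added example, not the talk's code)."""
import re

# Ports of the datastores the slides mention (MongoDB 27017, Redis 6379) plus
# two other common ones. Assumption for this example: any of these reachable
# on a wildcard address deserves a look.
DATABASE_PORTS = {27017: "mongodb", 6379: "redis", 5432: "postgresql", 3306: "mysql"}

# Local addresses that mean "every interface", IPv4 or IPv6.
WILDCARD_ADDRS = {"0.0.0.0", "*", "[::]", "::"}

# Constructed sample in the shape of `ss -tln` output on Linux.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     0.0.0.0:80           0.0.0.0:*
LISTEN  0       128     0.0.0.0:27017        0.0.0.0:*
LISTEN  0       128     127.0.0.1:6379       0.0.0.0:*
LISTEN  0       128     [::]:5432            [::]:*
"""

# "address:port"; the greedy address group keeps bracketed IPv6 addresses intact.
LOCAL_ADDR_RE = re.compile(r"^(?P<addr>.+):(?P<port>\d+)$")


def parse_listeners(ss_output):
    """Return (address, port) for every LISTEN line; the header line is skipped."""
    listeners = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        match = LOCAL_ADDR_RE.match(fields[3])
        if match:
            listeners.append((match.group("addr"), int(match.group("port"))))
    return listeners


def exposed_databases(ss_output):
    """(service, port) pairs for database listeners bound to a wildcard address."""
    return [
        (DATABASE_PORTS[port], port)
        for addr, port in parse_listeners(ss_output)
        if port in DATABASE_PORTS and addr in WILDCARD_ADDRS
    ]


if __name__ == "__main__":
    for service, port in exposed_databases(SAMPLE_SS_OUTPUT):
        print(f"{service} on port {port} listens on all interfaces: bind it to "
              f"127.0.0.1 or put it behind a firewall / private network")
```

On a real host the function takes the captured output of `ss -tln` instead of the constructed sample; in the sample, Redis on 127.0.0.1 is left alone while the MongoDB and PostgreSQL listeners on wildcard addresses are reported.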

Slide 14

what’s in a password?

password123
iloveyou9
x1.28YhgIosg0/uT
mydogisbob
welshman spat mediate fluke

Slide 15

what’s in a password?

[figure: the same password list (password123, iloveyou9, x1.28YhgIosg0/uT, mydogisbob, welshman spat mediate fluke) going through a hash function]

Slide 16

what’s in a password?

[figure: the same list hashed; password123 appears twice and both occurrences are flagged with "!"]

Slide 17

what’s in a password?

[figure: the same list, each password joined with a salt before hashing, e.g. password123 + 14rFtg45 and password123 + T5hGYpwD]

Slide 18

what’s in a password?

password123
iloveyou9
x1.28YhgIosg0/uT
mydogisbob
welshman spat mediate fluke
password123
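What slides 14 to 18 illustrate, as an added example that is not part of the talk: the password list from the slides run through an unsalted hash (the two password123 users get the same digest) and then through PBKDF2-HMAC-SHA256 with a random per-user salt (no two records match, and verification recomputes with the stored salt). The password list, the record format and the iteration count are constructed for this example.

```python
"""Unsalted vs. salted password hashing (added example, not the talk's code)."""
import hashlib
import hmac
import os

# Constructed sample: the passwords from the slides, with password123 twice
# because two different users picked it.
PASSWORDS = [
    "password123",
    "iloveyou9",
    "x1.28YhgIosg0/uT",
    "mydogisbob",
    "welshman spat mediate fluke",
    "password123",
]

ITERATIONS = 100_000  # PBKDF2 work factor; raise it as hardware gets faster


def naive_hash(password):
    """One unsalted SHA-256 pass: equal passwords always give equal digests."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_password(password, salt=None):
    """PBKDF2-HMAC-SHA256 with a fresh random 16-byte salt.

    Returns a self-describing record "pbkdf2_sha256$iterations$salt$digest"
    (hex fields), so the salt and work factor are stored next to the digest.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password, record):
    """Recompute the digest with the stored salt and compare in constant time."""
    algorithm, iterations, salt_hex, digest_hex = record.split("$")
    if algorithm != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


def duplicate_count(values):
    """How many entries of `values` share their value with another entry."""
    return sum(1 for v in values if values.count(v) > 1)


if __name__ == "__main__":
    naive = [naive_hash(p) for p in PASSWORDS]
    salted = [hash_password(p) for p in PASSWORDS]
    print("unsalted: entries with an identical digest:", duplicate_count(naive))
    print("salted:   entries with an identical record:", duplicate_count(salted))
    record = hash_password("mydogisbob")
    print("verify correct password:", verify_password("mydogisbob", record))
    print("verify wrong password:  ", verify_password("mydogisbob!", record))
```

The salt removes the "two users, one digest" tell from the slide; the iteration count is what makes guessing slow, and storing it in the record lets you raise it later without breaking old logins.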

Slide 19

beware of user content

Slide 20

user content all up in your databases

select * from articles where id = $totally_legit_USER_INPUT
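The slide's query two ways, as an added example that is not part of the talk: the vulnerable form splices `$totally_legit_USER_INPUT` into the SQL text, the fixed form binds it as a parameter so the driver never treats it as SQL. The in-memory SQLite table and its rows are constructed for this example.

```python
"""The slide's query: string-spliced vs. parameterised (added example, not the talk's code)."""
import sqlite3


def make_db():
    """In-memory SQLite with a constructed articles table, one row unpublished."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "create table articles (id integer primary key, title text, published integer)"
    )
    conn.executemany(
        "insert into articles (id, title, published) values (?, ?, ?)",
        [(1, "hello world", 1), (2, "unreleased draft", 0)],
    )
    return conn


def article_unsafe(conn, user_input):
    """Vulnerable: the slide's pattern, user input pasted into the SQL text."""
    query = f"select id, title from articles where id = {user_input}"
    return conn.execute(query).fetchall()


def article_safe(conn, user_input):
    """Fixed: the value travels as a bound parameter and can never become SQL."""
    query = "select id, title from articles where id = ?"
    return conn.execute(query, (user_input,)).fetchall()


if __name__ == "__main__":
    conn = make_db()
    print("unsafe, honest id :", article_unsafe(conn, "1"))
    print("unsafe, tautology :", article_unsafe(conn, "1 or 1=1"))  # every row, draft included
    print("safe, honest id   :", article_safe(conn, "1"))
    print("safe, tautology   :", article_safe(conn, "1 or 1=1"))    # no row has that id
```

With the bound parameter the whole string is compared against the id column as a value, so the tautology simply matches nothing; validating the input as an integer before the query is a cheap second layer.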

Slide 21

user content in your html

Slide 22

user content in your html

try it yourself! alert('oops');
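What happens to the slide's `alert('oops')` when user content lands in HTML, as an added example that is not part of the talk: one render function drops the comment straight into the page, the other escapes it first with `html.escape`, and a small check tells the two apart. The sample comment and the markup template are constructed for this example.

```python
"""Escaping user content before it goes into HTML (added example, not the talk's code)."""
import html
import re

# Constructed sample comment: the slide's payload wrapped in a script tag.
EVIL_COMMENT = "<script>alert('oops');</script>"

SCRIPT_TAG = re.compile(r"<script\b", re.IGNORECASE)


def render_unsafe(comment):
    """Vulnerable: the comment is dropped into the page as markup."""
    return f'<p class="comment">{comment}</p>'


def render_safe(comment):
    """Fixed: html.escape turns <, >, &, " and ' into entities.

    quote=True matters because the same value is also placed inside a
    double-quoted title attribute; without it a quote could end the attribute.
    """
    safe = html.escape(comment, quote=True)
    return f'<p class="comment" title="{safe}">{safe}</p>'


def contains_live_script(markup):
    """Detection helper: does the rendered markup still contain a real <script tag?"""
    return SCRIPT_TAG.search(markup) is not None


if __name__ == "__main__":
    print("unsafe:", render_unsafe(EVIL_COMMENT))
    print("safe:  ", render_safe(EVIL_COMMENT))
    print("script survives unsafe render:", contains_live_script(render_unsafe(EVIL_COMMENT)))
    print("script survives safe render:  ", contains_live_script(render_safe(EVIL_COMMENT)))
```

Escaping is context-specific: this covers text and double-quoted attributes, while URLs, inline JavaScript and CSS each need their own encoding, which is one reason the talk says to lean on a framework's templating.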

Slide 23

just a whole bunch of really old protocols chattering away nbd

Slide 24

what even is state?

Slide 25

what even is state?

username: alice
cart_contents: iphone, earbuds
store_credit: 10000

Slide 26

what even is state? all requests to bla.com

Slide 27

encryption eh?

"HAVE SOME PERSONAL DATA!!!!!!!!"
"psst i’m gonna tell you a secret"

Slide 28

encryption eh? [unintelligible shouting] [gibberish] HTTPS to the rescue

Slide 29

the state of modern webpages

[mock page: "super cool recipe blog" with filler copy ("one weird trick wow wow", startup buzzword ipsum), "Like this!" and "Tweet this!" buttons, "unbelievable whisking technique", "152 comments", "against sous-vide: a polemic", "buy my book", donation links (Patreon, GitTip, Flattr, Bitcoin), a youtube embed, an ad network, social media widgets and google analytics]

Slide 30

do you trust your third party content providers? (are they worth it?)

Slide 31

improve your baking
• no javascript access
• secure (TLS-only)
• don’t store valuable business data
• expire quickly
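The session state from slides 25 and 26 handled the way the four cookie rules above ask for, as an added example that is not part of the talk: the username, cart and store_credit stay in a server-side store, the cookie carries only a random session id plus an HMAC so a client cannot forge or edit it, and the Set-Cookie header sets HttpOnly (no JavaScript access), Secure (TLS only) and a short Max-Age (expire quickly). The secret key, the TTL and the in-memory session store are constructed for this example; the `samesite` attribute of `http.cookies` needs Python 3.8 or later.

```python
"""Session cookies that follow the slide's rules (added example, not the talk's code)."""
import hashlib
import hmac
import secrets
import time
from http.cookies import SimpleCookie

# Constructed for the example: in a real app this comes from configuration,
# never from source control.
SECRET_KEY = b"constructed-example-key-do-not-reuse"
SESSION_TTL_SECONDS = 15 * 60          # "expire quickly"

# Server-side store. The valuable data (cart, store credit) lives here,
# not in the cookie ("don't store valuable business data").
SESSIONS = {}


def _sign(session_id):
    return hmac.new(SECRET_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def create_session(username, state, now=None):
    """Store `state` server-side and return the cookie value: random id + MAC."""
    now = time.time() if now is None else now
    session_id = secrets.token_urlsafe(32)     # alphabet has no '.', so the split below is safe
    SESSIONS[session_id] = {"username": username, **state,
                            "expires": now + SESSION_TTL_SECONDS}
    return f"{session_id}.{_sign(session_id)}"


def load_session(cookie_value, now=None):
    """Return the stored state, or None if the cookie is forged, unknown or expired."""
    now = time.time() if now is None else now
    session_id, _, signature = cookie_value.rpartition(".")
    if not session_id or not hmac.compare_digest(signature, _sign(session_id)):
        return None
    session = SESSIONS.get(session_id)
    if session is None or session["expires"] <= now:
        return None
    return session


def set_cookie_header(cookie_value):
    """Set-Cookie line: HttpOnly (no JavaScript access), Secure (TLS only),
    Max-Age (expires quickly) and SameSite to keep it off cross-site requests."""
    cookie = SimpleCookie()
    cookie["session"] = cookie_value
    cookie["session"]["httponly"] = True
    cookie["session"]["secure"] = True
    cookie["session"]["max-age"] = SESSION_TTL_SECONDS
    cookie["session"]["samesite"] = "Strict"
    cookie["session"]["path"] = "/"
    return cookie.output(header="Set-Cookie:")


if __name__ == "__main__":
    value = create_session("alice", {"cart_contents": ["iphone", "earbuds"], "store_credit": 10000})
    print(set_cookie_header(value))
    print("genuine cookie  ->", load_session(value)["username"])
    # Changing one character of the signature invalidates the MAC, and since
    # store_credit never leaves the server there is nothing client-side to edit.
    print("tampered cookie ->", load_session(value[:-1] + ("0" if value[-1] != "0" else "1")))
```

Because the cookie holds nothing but an opaque id, rotating the key or deleting the server-side entry logs the user out immediately, which is the property a cookie that carried `store_credit: 10000` itself could never have.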

Slide 32

Use a framework! (but also, take it apart)

Slide 33

how can people misuse your system?

Slide 34

go forth and be concerned & get in touch: @flohdot

Slide 35

General Resources
• Kelsey Gilmore-Innis — Seriously Strong Security on a Shoestring (PyCon) https://www.youtube.com/watch?v=8FeNdXzVLEs
• A more detailed guide to a lot of the things in this talk, by Martin Fowler: https://martinfowler.com/articles/web-security-basics.html
• The Tangled Web by Michal Zalewski — the best book for understanding the guts of internet architecture and its security problems
• Rails security guides with great info on sessions: http://guides.rubyonrails.org/security.html

Slide 36

General Resources
• On the surveillance state: Bruce Schneier — Data & Goliath, Liars & Outliers
• Two “true crime” books that are really fun:
  • On cyberweapons: Countdown to Zero Day by Kim Zetter
  • On the botnet industrial complex: Spam Nation by Brian Krebs

Slide 37

HTTPS
• Free, easy-to-set-up certificates for your web server! https://certbot.eff.org/
• SSL Labs — test if a website’s transport encryption is any good https://www.ssllabs.com/ssltest/
• My talk on HTTPS for muggles (now with more Harry Potter metaphors) — https://www.youtube.com/watch?v=oKgzftLmyiE
• SSL: it’s hard to get right https://recompilermag.com/issues/issue-1/ssl-its-hard-to-do-right/
• Learn about networking! It will help you understand security. Julia Evans’ drawings are a fun place to start: https://drawings.jvns.ca/

Slide 38

infrastructure
• Silence on the Wire, by Michal Zalewski
• Penetration Testing, by Georgia Weidman
• Intro to isolating servers within a private network with iptables https://www.digitalocean.com/community/tutorials/how-to-isolate-servers-within-a-private-network-using-iptables — also look for DigitalOcean guides to ufw
• Consider using a PaaS like Heroku and let them deal with your infrastructure.

Slide 39

Passwords
• Hash functions taste great — Curtis Lassam https://www.youtube.com/watch?v=1c8K0hrglRg
• Dropbox’s password entropy calculator https://github.com/dropbox/zxcvbn
• Awesome passphrases from Peerio https://passphrases.peerio.com