Safety first
Security matters
Simon `Firesphere` Erkelens | 2019

About me
Simon `Firesphere` Erkelens
● SilverStripe bespoke software engineer & security expert
● Team: Ninja Unicorns
● Author of MFA modules for SilverStripe 3 & 4
● Cat owner
● Hans the cow is my mascot
● I have a zoo on my desk
● Scarily obsessed with security*
● LEGO!
● Born Dutch
● Bribable with Whisk(e)y, beer or LEGO
● I have a lot of stickers! (Come talk to me if you want one)
Photo captions: That’s me ➡ Although, I’m standing right over here, if you hadn’t noticed. ⬅ That’s my cat, Marika, she would like a boop. That’s Hans ➡ ⬅ The zoo

Think before you do
Why safety first
Because it can’t be second
● Security should be the first thing on your mind
● Use the tools available
● Think about the implications of your work
● Have security issues as a part of your checklist
● And, remember...

What can you do
Expect a data breach
You will be breached. If not today, it’ll be tomorrow
● Preparing for the worst is better than hoping for the best
● Most breaches are due to bad practices by (in no particular order):
  ● SysOps
  ● DevOps
  ● Software Engineers
  ● Clients
  ● End users
  ● CMS Users
  ● P E O P L E

Let me introduce DefuseSec, also known as Taylor Hornby

Case in point, my favourite twitter convo
Taylor Hornby falling for social engineering
Social engineering is very easy. It works even when the target knows it is coming and has invited people to try, and note that this target is a security expert.

A few basics
So, what can you do
Here’s what we’ll cover
● Make sure your own projects are safe
● OWASP
● Use password managers
● Add HTTPS
● Update your password rules
● Implement Multi Factor Authentication
● Make sure your content is what you expect
● Monitor your implementations

Have their security-advisories in your project
Roave (PHP)
Security best practices
● roave/security-advisories
● require or require-dev
● Keep up to date with the latest known security issues

They can monitor your projects
Snyk
Open Source Security Platform
● node.js
● .net
● Java
● Scala
● Golang
● Python
● Ruby
● PHP

Did you know GitHub can send you these?
GitHub security notifications
Security best practices
● Pretty straightforward to set up in your settings

Just follow OWASP best practices
OWASP
Open Web Application Security Project
● Their Top 10 of vulnerability risks is a good place to start
● Juice Shop project
● Zed Attack Proxy
● And a lot more!

Put all your sites on HTTPS.
HTTPS
The S stands for “Secure Connection”
● Try visiting an http site on hotel wifi and compare it to https
● httpforever.com
● Let’s Encrypt
● CertBot, ACME2, Secure updates…
● Don’t go EV, never go EV
● Seriously, it’s a waste of money nowadays
● Keep your certificates up to date
● CertBot does that for you
● Enable HSTS and set your HSTS time-out
● Force HTTPS across your entire site
● Show your clients Troy Hunt’s demo if they are not sure

Seriously, HTTPS
The S stands for “Secure Connection”
Photo caption: Public hotel wifi, same page, http vs. https

SSL Labs
HTTPS
Validate your SSL certificate
● Check your server configuration
● Validate your certificate is up to date
● Figure out what needs improving

Not enough funny gifs mate!
Okay, sorry, let me fix that for you!

A password manager helps!
Password managers
Don’t use sticky notes
● DO NOT EVER disable pasting of passwords in password fields
● Explain to your client why
● Explain the benefits
● Suggest them to your client, here are a few:
  ● BitWarden (My favourite, I’m not being paid to say this)
  ● 1Password
  ● LastPass

Password Rules
Here’s my set of rules
Minimum of 16 characters. I don’t care which as long as they’re not the same

An example of how not to do password policies

HaveIBeenPwned
Don’t be in HaveIBeenPwned
Okay, I care a little bit
● Check new passwords against known breaches
● Block known breached passwords
● Doesn’t matter if it wasn’t a breach from your site
● Don’t reuse your passwords
● Don’t expire passwords
● No, seriously, don’t expire passwords
● Unless they’re breached that is
● Using SilverStripe?
● firesphere/haveibeenpwnd

Why?
Multi Factor Authentication
Just do it
● Any form is better than nothing
● Users will not like it
● Adds security to your accounts
● Does not prevent password leaks though

From “at least better than nothing” to “good”
Multi Factor Authentication
Because anything is better
● SMS
● OTP
● TOTP
● U2F
● WebAuthn

Does it really need to be public?
Protect your assets
Firewall lockdown for example
● Does your admin interface need to be completely public?
● What happens on the internet, stays on the internet
● Is that S3 bucket secured?

In the time it takes you to go “Oh shit did I just…”
Protect your secrets
Be careful what you commit
● That secret you committed has been compromised
● Check twice, commit once
● Immediately invalidate keys if needed

Cookies should be safe (to eat)
Secure your cookies
HttpOnly and Secure
● HttpOnly if you don’t need to read them with JavaScript
● Use the Secure flag, only transport cookies over https
● Eat them
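Both flags in practice, as an added Node.js example (not code from the talk): a Set-Cookie builder that defaults to HttpOnly and Secure, and an audit function you can point at Set-Cookie values copied from a response capture to find the cookies that still lack them. The builder also sets SameSite, which is this example's own addition and not something the slide covers; the sample headers are constructed.

```javascript
// Added example (not from the slides): emit and audit cookie flags.

// Build a Set-Cookie value with safe defaults.
function buildSetCookie(name, value, opts = {}) {
  const { httpOnly = true, secure = true, sameSite = 'Lax', path = '/', maxAge } = opts;
  // RFC 6265 token characters only, so a name can never smuggle in attributes.
  if (!/^[A-Za-z0-9!#$%&'*+.^_`|~-]+$/.test(name)) throw new Error(`invalid cookie name: ${name}`);
  const parts = [`${name}=${encodeURIComponent(value)}`, `Path=${path}`];
  if (maxAge !== undefined) parts.push(`Max-Age=${maxAge}`);
  if (secure) parts.push('Secure');      // only ever sent over https
  if (httpOnly) parts.push('HttpOnly');  // invisible to document.cookie
  if (sameSite) parts.push(`SameSite=${sameSite}`);  // example's addition
  return parts.join('; ');
}

// Parse one Set-Cookie value into its name and a lowercase attribute map
// (flag attributes such as Secure map to true).
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map(s => s.trim());
  const eq = pair.indexOf('=');
  const name = eq < 0 ? pair : pair.slice(0, eq);
  const attributes = {};
  for (const attr of attrs) {
    if (!attr) continue;
    const i = attr.indexOf('=');
    const key = (i < 0 ? attr : attr.slice(0, i)).toLowerCase();
    attributes[key] = i < 0 ? true : attr.slice(i + 1);
  }
  return { name, attributes };
}

// Report which of the slide's two flags a cookie is missing.
function auditSetCookie(header) {
  const { name, attributes } = parseSetCookie(header);
  const missing = [];
  if (!attributes.secure) missing.push('Secure');
  if (!attributes.httponly) missing.push('HttpOnly');
  return { name, missing };
}

// Constructed sample headers, as they might appear in a response capture.
const SAMPLE_HEADERS = [
  'PHPSESSID=3f9a1c; Path=/',
  'remember=abc; Path=/; Secure',
  buildSetCookie('session', 'abc 123', { maxAge: 3600 }),
];
for (const h of SAMPLE_HEADERS) console.log(auditSetCookie(h));
```

A session cookie that the front end never reads should always come out of the audit with an empty `missing` list; anything else is a cookie that a script injected into the page, or a plain-http request on hotel wifi, can walk away with.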

Whitelist sites that can load
Content Security Policy
Helps prevent unwanted scripts from loading
● Allowed javascript sources
● Allowed image sources
● Allowed CSS sources
● Allowed inline scripts via nonce or sha
● Allowed child sources (iframes)
● etc. etc. etc.

Keep track of your CSP violations
Content Security Policy
report-uri
● report-uri.com
● Fix them up where needed
● Reporting

report-uri.com
It’s free even!


Validate the scripts are what you expect
SubResource Integrity
Are the scripts you’re loading really what you think they are?
● Base64 of a sha-256/384/512 hash
● Store the hash, don’t calculate it at runtime
● A different hash means the browser blocks the load
● Changes to analytics scripts are immediately visible
● Admitted, it’s bloody annoying while writing code

Have a look at securityheaders.com
Security Headers
How to make sure you’re doing the best you can
● Identify missing headers
● Links to how to implement missing headers
● Advice on how to improve

Didn’t get an A+ or better?
Security Headers
How to make sure you’re doing the best you can
● It’s okay, you’re not the only one
● Find out how to improve
● Improve one step at a time
● It’s not critical, but definitely best practice
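The "identify missing headers" step from these two slides as a local first pass you can run before (or between) securityheaders.com scans, as an added Node.js example that is neither the talk's code nor that site's scoring rules: parse a captured response header block and report which of a fixed set of security headers are absent or carry a weak value. The header list and checks are this example's choices; the sample response is constructed.

```javascript
// Added example (not from the slides): offline audit of a response's security headers.

// Each check returns null when the value is acceptable, else a short reason.
const CHECKS = {
  'strict-transport-security': v => (/max-age=\d+/i.test(v) ? null : 'no max-age'),
  'content-security-policy': v => (v.trim() ? null : 'empty'),
  'x-content-type-options': v => (v.trim().toLowerCase() === 'nosniff' ? null : 'expected nosniff'),
  'x-frame-options': v => (/^(deny|sameorigin)$/i.test(v.trim()) ? null : 'expected DENY or SAMEORIGIN'),
  'referrer-policy': v => (v.trim() ? null : 'empty'),
};

// Parse raw "Name: value" lines (as in a curl -I capture) into a lowercase map.
function parseHeaderBlock(text) {
  const headers = {};
  for (const line of text.split(/\r?\n/)) {
    const i = line.indexOf(':');
    if (i <= 0) continue;  // skips the status line and blank lines
    headers[line.slice(0, i).trim().toLowerCase()] = line.slice(i + 1).trim();
  }
  return headers;
}

// Split findings into headers that are missing outright and ones set weakly,
// so "improve one step at a time" has an ordered list to work through.
function auditHeaders(headers) {
  const missing = [];
  const weak = [];
  for (const [name, check] of Object.entries(CHECKS)) {
    if (!(name in headers)) { missing.push(name); continue; }
    const problem = check(headers[name]);
    if (problem) weak.push(`${name}: ${problem}`);
  }
  return { missing, weak };
}

// Constructed response capture: HSTS fine, framing policy obsolete, no CSP.
const SAMPLE_RESPONSE = [
  'HTTP/1.1 200 OK',
  'Content-Type: text/html; charset=utf-8',
  'Strict-Transport-Security: max-age=31536000; includeSubDomains',
  'X-Frame-Options: ALLOW-FROM https://partner.example',
  'X-Content-Type-Options: nosniff',
  '',
].join('\r\n');

function demo() {
  return auditHeaders(parseHeaderBlock(SAMPLE_RESPONSE));
}
console.log(demo());
```

Run it against `curl -sI https://your-site/` output; a clean pass here does not mean an A+, but every item it lists is a step you can take before asking the site again.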

Who to follow
Twitter
● @Firesphere (that’s me!)
● @troyhunt (Troy Hunt)
● @scott_helme (Scott Helme)
● @j_opdenakker (John Opdenakker)
● @DefuseSec (Taylor Hornby)
● @silverstripe (That’s where I work)
● @roaveteam (Roave)
● @ismonkeyuser (Wonderfully relatable comics)

Get in touch
Where to talk to us
● Slack: phpug.slack.com #phpnz
● Meetup.com

Any questions?
Pretty sure you have questions? Speak up!

Thank you!
@Firesphere
https://github.com/Firesphere
[email protected]
https://speakerdeck.com/firesphere
https://casa-laguna.net
License: CC BY-NC-ND 4.0

Interesting links
● JWT:
  ● https://www.owasp.org/images/0/07/20190222--Nyffenegger-JWAT.pdf
  ● https://slides.com/rowdymehul/owaspnz2019#/
  ● https://youtu.be/aYz8yPymyvk
● CSP:
  ● https://youtu.be/tlCOd-zjdQM