Slide 1

No text content

Slide 2

Safety first
Security matters
Simon `Firesphere` Erkelens | 2018

Slide 3

About me
Simon `Firesphere` Erkelens
● SilverStripe bespoke software engineer
● Team: Ninja Unicorns (and a little bit of CCS)
● Community admin (Slack & Forum)
● I maintain the StripeSlackBot
  ● That's Python, SilverStripe 4 & Solr
● Author of MFA modules for SilverStripe 3 & 4
● Cat owner
● Hans the cow is my mascot
● I have a zoo on my desk
● Scarily obsessed with security
  ● Also Solr and search in general
● LEGO!
● Born Dutch (expect cursing)
● Originator and former organizer of StripeCon EU
● I wonder how much I can fit on a single slide
  ● Yes, this is on purpose
● Bribable with whisk(e)y, beer or LEGO
That's me ➡ Although, I'm standing right over here, if you hadn't noticed.
That's my cat, Marika ⬇
That's Hans ➡
The zoo ⬇
⬅ Apollo 13 Saturn V LEGO rocket!

Slide 4

What can you do
Expect a data breach
You will be breached. If not today, it'll be tomorrow.
● Preparing for the worst is better than hoping for the best
● Most breaches are due to bad practices by (in no particular order):
  ● SysOps
  ● DevOps
  ● Software Engineers
  ● Clients
  ● End users
  ● CMS Users
● Bad password practices
● Not using a password manager

Slide 5

This...
This is my absolute favourite Twitter convo!
Taylor Hornby falling for social engineering
Social engineering is still very easy, even if your target knows it'll happen and is even inviting people to try it. And this is a security expert!

Slide 6

There are a few things you can do
Your security measures
Passwords, HTTPS, etc.
● Roave Security-advisories
● OWASP
● Password managers
● HTTPS
● Password rules
● Multi Factor Authentication
● Content Security Policy

Slide 7

Have their security-advisories in your module/project
Roave
Security best practices
● roave/security-advisories
● require or require-dev
● Keep up to date with the latest known security issues

Slide 8

Just follow OWASP best practices
OWASP
Open Web Application Security Project
● Their Top 10 of vulnerability risks is a good place to start
● Juice Shop project
● Zed Attack Proxy
● And a lot more!

Slide 9

A password manager helps!
Password managers
Don't use sticky notes
● Explain to your client why
● Explain the benefits
● DO NOT EVER disable pasting of passwords in password fields
● Suggest one to your client; here are a few:
  ● BitWarden (my favourite, and I'm not being paid to say this)
  ● 1Password
  ● LastPass

Slide 10

No text content

Slide 11

Put all your sites on HTTPS.
HTTPS
The S stands for "Secure Connection"
● Try visiting an http site on hotel wifi and compare it to https
  ● See screenshots on next slide
● Let's Encrypt
  ● CertBot, ACME2, secure updates…
● Don't go EV, never go EV
  ● Seriously, it's a waste of money nowadays
● Keep your certificates up to date
  ● CertBot does that for you
● Register for HSTS
● Force HTTPS across your entire site
● Show your clients Troy Hunt's demo if they are not sure

Slide 12

Seriously, HTTPS
The S stands for "Secure Connection"
Public hotel wifi, same page, http vs. https

Slide 13

Not enough funny gifs mate!
Okay, sorry, let me fix that for you!

Slide 14

Password Rules
It's really simple
Minimum of 16 characters. I don't care which, as long as they're not all the same.

Slide 15

HaveIBeenPwned
And don't appear in HaveIBeenPwned
Okay, I care a little bit
● Check new passwords against known breaches
● Block known breached passwords
  ● Doesn't matter if it wasn't a breach from your site
● Don't reuse your passwords
● Don't expire passwords
  ● No, seriously, don't expire passwords
  ● Unless they're breached, that is
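The two slides above (the 16-character rule and the breach check) combined into one check, as an added example that is not from the talk or from the speaker's SilverStripe modules. It follows the k-anonymity model of the Pwned Passwords range API (only the first five hex characters of the SHA-1 are sent; the suffixes come back and are compared locally), but runs fully offline against a constructed range response; `BREACHED_SAMPLE` and the counts are made up.

```python
import hashlib
from typing import Tuple

# Policy from the talk: at least 16 characters, and not all the same character.
MIN_LENGTH = 16


def password_policy_ok(password: str) -> bool:
    """True when the password meets the length rule and is not one repeated character."""
    return len(password) >= MIN_LENGTH and len(set(password)) > 1


def k_anonymity_query(password: str) -> Tuple[str, str]:
    """Split the uppercase SHA-1 hex digest into the 5-char prefix that would be sent
    to https://api.pwnedpasswords.com/range/<prefix> and the 35-char suffix that is
    only ever compared locally. No network call is made in this example."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def breach_count(password: str, range_response: str) -> int:
    """Given the body returned for the hash prefix (one 'SUFFIX:COUNT' per line),
    return how often the password appeared in known breaches (0 if absent)."""
    _, suffix = k_anonymity_query(password)
    for line in range_response.splitlines():
        found_suffix, _, count = line.strip().partition(":")
        if found_suffix.upper() == suffix and count.strip().isdigit():
            return int(count)
    return 0


def check_new_password(password: str, range_response: str) -> str:
    """Apply the policy first, then the breach list, as the slides recommend."""
    if not password_policy_ok(password):
        return "rejected: policy"
    if breach_count(password, range_response) > 0:
        return "rejected: breached"
    return "accepted"


# Constructed stand-in for the API body of BREACHED_SAMPLE's prefix; not real data.
# The suffix of the sample is computed so the example is self-consistent offline.
BREACHED_SAMPLE = "correct horse battery staple"
SAMPLE_RANGE_RESPONSE = "\n".join([
    "0018A45C4D1DEF81644B54AB7F969B88D65:1",
    k_anonymity_query(BREACHED_SAMPLE)[1] + ":1234",
    "011053FD0102E94D6AE2F8B83D76FAF94F6:3",
])

if __name__ == "__main__":
    for candidate in ("short", "aaaaaaaaaaaaaaaaaaaa", BREACHED_SAMPLE, "a long and unusual passphrase 42"):
        print(f"{candidate!r}: {check_new_password(candidate, SAMPLE_RANGE_RESPONSE)}")
```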

Slide 16

Any MFA implementation is better than none
MFA
Just do it
● Users will hate you for it
  ● Until they see how their CMS account credentials are suddenly used on their banking without them knowing

Slide 17

Whitelist sites that can load
CSP
Helps prevent unwanted scripts
● Report-uri.com
● Allowed JavaScript sources
● Allowed image sources
● Allowed CSS sources
● etc.
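The whitelist idea of this slide in code, as an added example that is not from the talk: a per-directive allow-list is turned into a `Content-Security-Policy` header with a report-uri, and a small checker flags policies that undo the whitelist. The origins and the report-uri.com endpoint are placeholders.

```python
from typing import Dict, Iterable, List

# Per-directive allow-list: only these origins may load. Placeholder origins.
ALLOWED_SOURCES: Dict[str, Iterable[str]] = {
    "default-src": ["'self'"],
    "script-src": ["'self'", "https://cdn.example.com"],
    "style-src": ["'self'", "https://fonts.example.com"],
    "img-src": ["'self'", "data:", "https://images.example.com"],
}
# Placeholder for the endpoint report-uri.com gives you; browsers POST violations here.
REPORT_URI = "https://example.report-uri.com/r/d/csp/enforce"

# Tokens that let arbitrary code run and so defeat a script whitelist.
WEAK_SCRIPT_TOKENS = {"*", "'unsafe-inline'", "'unsafe-eval'", "data:", "http:", "https:"}


def build_csp(sources: Dict[str, Iterable[str]], report_uri: str) -> str:
    """Serialise the allow-list into a Content-Security-Policy header value."""
    parts = [f"{directive} {' '.join(values)}" for directive, values in sources.items()]
    parts.append(f"report-uri {report_uri}")
    return "; ".join(parts)


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a header value back into {directive: [source tokens]}."""
    policy: Dict[str, List[str]] = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def csp_findings(header: str) -> List[str]:
    """Return human-readable problems with a policy; an empty list means it looks sane."""
    policy = parse_csp(header)
    findings = []
    # default-src is only the fallback for scripts when script-src is absent.
    script_directive = "script-src" if "script-src" in policy else "default-src"
    if script_directive not in policy:
        findings.append("no script-src or default-src: scripts are unrestricted")
    for token in policy.get(script_directive, []):
        if token in WEAK_SCRIPT_TOKENS:
            findings.append(f"{script_directive} allows {token}")
    if "report-uri" not in policy and "report-to" not in policy:
        findings.append("no reporting endpoint: violations go unseen")
    return findings


if __name__ == "__main__":
    header = build_csp(ALLOWED_SOURCES, REPORT_URI)
    print(header, csp_findings(header), sep="\n")
```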

Slide 18

Who to follow
Twitter
● @Firesphere (that's me!)
● @troyhunt (Troy Hunt)
● @scott_helme (Scott Helme)
● @j_opdenakker (John Opdenakker)
● @SilverStripe (you know, that company)
● @DefuseSec (Taylor Hornby)
● @roaveteam (Roave)

Slide 19

Any questions?
Pretty sure you have questions? Speak up!

Slide 20

Thank you!
@Firesphere
https://github.com/Firesphere
[email protected]
https://speakerdeck.com/firesphere
https://casa-laguna.net