No content

Safety first Simon `Firesphere` Erkelens | 2018 Security matters

About me Simon `Firesphere` Erkelens ● SilverStripe bespoke software engineer ● Team: Ninja Unicorns (And a little bit of CCS) ● Community admin (Slack & Forum) ● I maintain the StripeSlackBot ● That’s Python , SilverStripe 4 & Solr ● Author of MFA modules for SilverStripe 3 & 4 ● Cat owner ● Hans the cow is my mascotte ● I have a zoo on my desk ● Scarily obsessed with security ● Also Solr and search in general ● LEGO! ● Born Dutch (expect cursing) ● Originator and former organizer of StripeCon EU ● I wonder how much I can fit on a single slide ● Yes, this is on purpose ● Bribable with Whisk(e)y, beer or LEGO That’s me ➡ Although, I’m standing right over here, if you hadn’t noticed. That’s my cat, Marika ⬇ That’s Hans ➡ The zoo ⬇ ⬅ Apollo 13 Saturn V LEGO rocket!

What can you do Expect a databreach You will be breached. If not today, it’ll be tomorrow ● Preparing for the worst is better than hoping for the best ● Most breaches are due to bad practices by (in no particular order): ● SysOps ● DevOps ● Software Engineers ● Clients ● End users ● CMS Users ● Bad password practices ● Not using a password manager Simon `Firesphere` Erkelens | 2018

This... This is my absolute favourite twitter convo! Taylor Hornby falling for social engineering Social engineering is still very easy. Even if your target knows it’ll happen, even inviting people to try it, and this is a security expert!

There are a few things you can do Your security measures Passwords, HTTPS, etc. ● Roave Security-advisories ● OWASP ● Password managers ● HTTPS ● Password rules ● Multi Factor Authentication ● Content Security Policy Simon `Firesphere` Erkelens | 2018

Have their security-advisories in your module/project Roave Security best practices ● roave/security-advisories ● require or require-dev ● Keep up to date with the latest known security issues Simon `Firesphere` Erkelens | 2018

Just follow OWASP best practices OWASP Open Web Application Security Project ● Their Top 10 of vulnerability risks is a good place to start ● Juice Shop project ● Zed Attack Proxy ● And a lot more! Simon `Firesphere` Erkelens | 2018

A password manager helps! Password managers Don’t use sticky notes ● Explain to your client why ● Explain the benefits ● DO NOT EVER disable pasting of passwords in password fields ● Suggest them to your client, here are a few: ● BitWarden (My favourite, I’m not being paid to say this) ● 1Password ● LastPass Simon `Firesphere` Erkelens | 2018

No content

Put all your sites on HTTPS. HTTPS The S stands for “Secure Connection” ● Try visiting an http site on hotel wifi and compare it to https ● See screenshots on next slide ● Let’s Encrypt ● CertBot, ACME2, Secure updates… Let’s Encrypt ● Don’t go EV, never go EV ● Seriously, it’s a waste of money nowadays ● Keep your certificates up to date ● CertBot does that for you ● Register as HSTS ● Force HTTPS across your entire site ● Show your clients Troy Hunt’s demo if they are not sure Simon `Firesphere` Erkelens | 2018

Seriously, HTTPS The S stands for “Secure Connection” Simon `Firesphere` Erkelens | 2018 Public hotel wifi, same page, http vs. https

Not enough funny gifs mate! Simon `Firesphere` Erkelens | 2018 Okay, sorry, let me fix that for you!

Password Rules It’s really simple Simon `Firesphere` Erkelens | 2018 Minimum of 16 characters. I don’t care which as long as they’re not the same

HaveIBeenPwned And don’t appear in HaveIBeenPwned Okay, I care a little bit ● Check new passwords against known breaches ● Block known breached passwords ● Doesn’t matter if it wasn’t a breach from your site ● Don’t reuse your passwords ● Don’t expire passwords ● No, seriously, don’t expire passwords ● Unless they’re breached that is Simon `Firesphere` Erkelens | 2018

Any MFA implementation is better than none MFA Just do it ● Users will hate you for it ● Until they see how their CMS account credentials are suddenly used on their banking without them knowing Simon `Firesphere` Erkelens | 2018

Whitelist sites that can load CSP Helps preventing unwanted scripts ● Report-uri.com ● Allowed javascript sources ● Allowed image sources ● Allowed CSS sources ● etc. Simon `Firesphere` Erkelens | 2018

Who to follow Twitter ● @Firesphere (that’s me!) ● @troyhunt (Troy Hunt) ● @scott_helme (Scott Helme) ● @j_opdenakker (John Opdenakker) ● @SilverStripe (You know, that company) ● @DefuseSec (Taylor Hornby) ● @roaveteam (Roave) Simon `Firesphere` Erkelens | 2018

Any questions? Simon `Firesphere` Erkelens | 2018 Pretty sure you have questions? Speak up!

Thank you! @Firesphere https://github.com/Firesphere [email protected] https://speakerdeck.com/firesphere https://casa-laguna.net