Slide 1

Slide 1 text

Preventing kids drowning is vitally important

Slide 2

Slide 2 text

No content

Slide 3

Slide 3 text

Turns out...

Slide 4

Slide 4 text

...they've actually been teaching IT security all these years

Slide 5

Slide 5 text

type(self)
David Beitey (@davidjb)
Many hats: DevOps, SysAdmin, Security Researcher...

Slide 6

Slide 6 text

Top 10 Critical Web App Security Risks* (*Abridged)

Slide 7

Slide 7 text

No content

Slide 8

Slide 8 text

5. Fence the (thread) pool

Slide 9

Slide 9 text

Broken Authentication and Broken Access Control

Slide 10

Slide 10 text

No content

Slide 11

Slide 11 text

Vectors
- Known credentials: admin / password, or data breaches
- Password-only auth
- URLs accessible without permission
- Cross-Site Request Forgeries (CSRF), e.g. https://bank.com/payPerson?name=David&amount=EVERYTHING

Slide 12

Slide 12 text

Prevention
- Immediately change default credentials
- Enforce multi-factor auth (users + servers)
- Rate limit logins
- Principle of least privilege
- Validate actions with tokens
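Two of these preventions in working code, added here as an example (not from the talk or its repository): a per-session CSRF token that a state-changing action such as the payPerson request must carry, compared in constant time, and a sliding-window rate limiter for login attempts. The in-memory session store, the 5-per-minute limit and the pay_person function are constructed for the example.

```python
import hmac
import secrets
import time
from collections import defaultdict, deque

# Constructed in-memory session store (session_id -> dict); a real app keeps this server-side.
SESSIONS = {}


def new_session():
    """Create a session and bind a random, unguessable CSRF token to it."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"csrf_token": secrets.token_urlsafe(32)}
    return sid


def csrf_token_for(session_id):
    """The token is embedded in the app's own forms/pages, so only a real page can submit it."""
    return SESSIONS[session_id]["csrf_token"]


def csrf_valid(session_id, submitted_token):
    """A forged cross-site request rides on the victim's cookie but cannot read the token.

    Compare in constant time so timing does not leak how much of the token matched.
    """
    session = SESSIONS.get(session_id)
    if session is None or not submitted_token:
        return False
    return hmac.compare_digest(session["csrf_token"], submitted_token)


class LoginRateLimiter:
    """Allow at most `limit` attempts per key (username or client IP) in a sliding window of `window` seconds."""

    def __init__(self, limit=5, window=60.0):
        self.limit = limit
        self.window = window
        self.attempts = defaultdict(deque)  # key -> timestamps of recent attempts

    def allow(self, key, now=None):
        """Return True if another attempt may proceed; `now` is injectable for testing."""
        now = time.monotonic() if now is None else now
        recent = self.attempts[key]
        while recent and now - recent[0] > self.window:
            recent.popleft()  # drop attempts that fell out of the window
        if len(recent) >= self.limit:
            return False
        recent.append(now)
        return True


def pay_person(session_id, submitted_token, name, amount):
    """Constructed state-changing action: refuse unless the request proves it came from the real page."""
    if not csrf_valid(session_id, submitted_token):
        return "rejected: missing or invalid CSRF token"
    return f"paid {amount} to {name}"
```

The same rate limiter keyed on the target username, rather than the client IP, also slows password spraying of a known account such as admin.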

Slide 13

Slide 13 text

4. Shut the (logic) gate

Slide 14

Slide 14 text

Injection aka Untrusted input that manipulates your system/users (SQLi + XSS)

Slide 15

Slide 15 text

Big 4 bank, right now

Slide 16

Slide 16 text

Attacks
Aim: get raw SQL to the database or raw JS/HTML/CSS onto a page
- https://example.com/contact.php?name=Robert'); DROP TABLE Students;--
- https://example.com/search?query=alert('xss')<script>

Slide 17

Slide 17 text

Prevention
- Always treat data as untrusted
- Sanitise/filter/validate via whitelists
- Use frameworks & platforms with built-in security (eg not raw PHP)
- Monitoring & user awareness
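An added example (not code from the talk) showing the three defensive layers against the two payloads on the previous slide: a whitelist check on the name, a parameterised INSERT so the driver never sees the input as SQL text, and HTML escaping of the search term on output. The Students table, the name pattern and the page template are constructed for the example; the database is an in-memory SQLite.

```python
import html
import re
import sqlite3

# Whitelist: what a name is allowed to look like (letters, apostrophe, hyphen, space; max 50 chars).
NAME_RE = re.compile(r"[A-Za-z][A-Za-z' -]{0,49}")


def validate_name(name):
    """Allowlist validation: reject anything outside the expected shape rather than stripping bad characters."""
    return NAME_RE.fullmatch(name) is not None


def open_db():
    """Constructed in-memory database with the table from the slide's example."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Students (id INTEGER PRIMARY KEY, name TEXT NOT NULL)")
    conn.commit()
    return conn


def save_student(conn, name):
    """Parameterised query: the value travels separately from the SQL, so quotes and semicolons stay data."""
    conn.execute("INSERT INTO Students (name) VALUES (?)", (name,))
    conn.commit()


def table_exists(conn, table):
    """Used below to confirm that a hostile name did not touch the schema."""
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?", (table,)
    ).fetchone()
    return row is not None


def render_search_result(query):
    """Output encoding: the browser renders the query as text, so markup in it is displayed, not executed."""
    return "<p>Results for: %s</p>" % html.escape(query, quote=True)
```

Validation and parameterisation are separate layers on purpose: a legitimate name like O'Brien passes the whitelist and still needs the parameterised query, while a rejected input never reaches the database at all.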

Slide 18

Slide 18 text

3. Teach your (apps) to (HTTPS)wim

Slide 19

Slide 19 text

Sensitive Data Exposure aka Lack of data protection

Slide 20

Slide 20 text

Vectors
- Not using TLS (eg http://)
- Storing plain-text credentials
- Weakly protected storage (S3 buckets, open databases)...

Slide 21

Slide 21 text

No content

Slide 22

Slide 22 text

Prevention
- Always use HTTPS (free certs/Let's Encrypt)
- Avoid storing data unless necessary
- Don't roll your own crypto
- Use best practices (eg Django/Rails), esp. for sensitive data

Slide 23

Slide 23 text

2. Supervise (deps)

Slide 24

Slide 24 text

Known Vulnerabilities aka Unpatched systems, unmaintained/untrusted code

Slide 25

Slide 25 text

No content

Slide 26

Slide 26 text

Prevention
- Update, monitor & patch everything (with testing!)
- Remove unnecessary code
- Use only official, secure software
- Monitor CVE lists & use tools for checking dependencies
- Security-by-obscurity not okay

Slide 27

Slide 27 text

1. Learn how to (escalate)

Slide 28

Slide 28 text

Logging & Monitoring aka Insufficient awareness of suspicious activity

Slide 29

Slide 29 text

Prevention
- Logging with sufficient context
- Monitoring and alerting humans
- Create a response/recovery plan
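An added example (not from the talk) of what "sufficient context" and "alerting humans" look like in code: each event is logged as one JSON line carrying timestamp, user, source IP and request id, and a detector over those lines raises an alert when one IP accumulates repeated failed logins inside a short window. The log lines, the 5-failures-in-5-minutes threshold and the alert fields are all constructed for the example.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample log: one JSON object per line, with the context a responder needs.
SAMPLE_LOG = """
{"ts":"2019-05-01T10:00:00Z","event":"login_failed","user":"admin","ip":"203.0.113.7","request_id":"c1"}
{"ts":"2019-05-01T10:00:10Z","event":"login_failed","user":"admin","ip":"203.0.113.7","request_id":"c2"}
{"ts":"2019-05-01T10:00:20Z","event":"login_failed","user":"root","ip":"203.0.113.7","request_id":"c3"}
{"ts":"2019-05-01T10:00:30Z","event":"login_ok","user":"alice","ip":"198.51.100.2","request_id":"c4"}
{"ts":"2019-05-01T10:00:40Z","event":"login_failed","user":"test","ip":"203.0.113.7","request_id":"c5"}
{"ts":"2019-05-01T10:00:50Z","event":"login_failed","user":"admin","ip":"203.0.113.7","request_id":"c6"}
{"ts":"2019-05-01T10:30:00Z","event":"login_failed","user":"bob","ip":"198.51.100.2","request_id":"c7"}
{"ts":"2019-05-01T11:30:00Z","event":"login_failed","user":"bob","ip":"198.51.100.2","request_id":"c8"}
"""


def log_event(event, user, ip, request_id, ts=None):
    """Emit one structured log line; every field is something a human will need during an incident."""
    ts = ts or datetime.now(timezone.utc)
    return json.dumps({"ts": ts.strftime("%Y-%m-%dT%H:%M:%SZ"), "event": event,
                       "user": user, "ip": ip, "request_id": request_id})


def parse_log(text):
    """Parse JSON lines into records with a real datetime in 'ts'."""
    events = []
    for line in text.strip().splitlines():
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
        events.append(rec)
    return events


def failed_login_bursts(events, threshold=5, window=timedelta(minutes=5)):
    """Alert once per source IP that reaches `threshold` failed logins within any `window`.

    Returns alert dicts with enough context (users tried, request ids, time span) to act on.
    """
    by_ip = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["event"] == "login_failed":
            by_ip[e["ip"]].append(e)

    alerts = []
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):  # sliding window over this IP's failures, in time order
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            if end - start + 1 >= threshold:
                burst = evs[start:end + 1]
                alerts.append({
                    "ip": ip,
                    "count": len(burst),
                    "first_seen": burst[0]["ts"].isoformat(),
                    "last_seen": burst[-1]["ts"].isoformat(),
                    "users": sorted({b["user"] for b in burst}),
                    "request_ids": [b["request_id"] for b in burst],
                })
                break  # one alert per IP is enough to page a human
    return alerts
```

The second IP fails twice an hour apart and produces no alert, which is the point of the window: the detector should flag bursts, not every unlucky typo.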

Slide 30

Slide 30 text

Security is hard
- You won't stop everything: forward planning
- Many more than 5 or 10 risks
- Easy wins with limited budgets
- Follow best practices

Slide 31

Slide 31 text

MOAR
- OWASP Top 10 PDF (owasp.org)
- Security Weakest Link Game (https://www.isdecisions.com/user-security-awareness-game/)
- Google's DEF CON presentations (defcon.org)
- https://xss-game.appspot.com/

Slide 32

Slide 32 text

Presentation @ https://github.com/davidjb/devs-alive/

Slide 33

Slide 33 text

Broken HTTPS + Flash + Data leaks + CSRF + ??? Maybe don't trust their IT experience

Slide 34

Slide 34 text

No content