Slide 1

First steps into security engineering
DevConf.IN 2019 / Bengaluru, 2019-08-03
Christian Heimes, Principal Software Engineer
[email protected] / [email protected]
@ChristianHeimes

Slide 2

First steps into security engineering, DevConf.IN 2019, @ChristianHeimes, CC BY-SA 4.0

Who am I?
● from Hamburg/Germany
● Python and C developer
● Python core contributor since 2008
● maintainer of the ssl and hashlib modules
● Python security team
Кристиан Хаймес ख्रिस्तियन ক্রিস্টিয়ান হেইন্স ક્રિશ્ચયન હેઇમ્સ ക്രിസ്ത്യൻ ख्रिश्चन ಕ್ರಿಸ್ಟಿಯಾನ್ کرسٹیان கிறிஸ்டின் ஹெய்ம்ஸ்

Slide 3

Professional life
● Principal Software Engineer at Red Hat
● Security Engineering
● FreeIPA Identity Management
● Dogtag PKI

Slide 4

Agenda & Goals

Slide 5

(no text)

Slide 6

Disclaimer
This talk is
● opinionated
● subjective
● biased
● incomplete
● edutainment

Slide 7

1. think
2. learn

Slide 8

Motivation
Why should you care?

Slide 9

proud craftsman
responsible engineer

Slide 10

$$$

Slide 11

https://www.theguardian.com/technology/2016/dec/14/yahoo-hack-security-of-one-billion-accounts-breached

Slide 12

https://www.reuters.com/article/us-yahoo-cyber/yahoo-says-all-three-billion-accounts-hacked-in-2013-data-theft-idUSKCN1C82O1

Slide 13

https://nypost.com/2016/10/06/verizon-wants-1b-discount-on-yahoo-deal-after-hacking-reports/
https://www.cnet.com/news/verizon-and-yahoo-agree-to-cut-4-billion-deal-by-350-million/

Slide 14

(no text)

Slide 15

Life and Death

Slide 16

https://www.theguardian.com/technology/2017/aug/31/hacking-risk-recall-pacemakers-patient-death-fears-fda-firmware-update

Slide 17

Propositions & Statements

Slide 18

Security is a feature.
Security is a selling point.

Slide 19

Attackers just need one vulnerability, defenders need to be perfect.

Slide 20

Users don't care about security. They are ignorant, disregardful, and responsible for security incidents.

Slide 21

?

Slide 22

wrong
dangerous
arrogant
(I used to think like that.)

Slide 23

We fight for the users! (Tron)

Slide 24

0. attitude
1. think
2. learn

Slide 25

Security is not an (optional) feature

Slide 26

“Our cars are less likely to explode than competing products.”

Slide 27

(no text)

Slide 28

(no text)

Slide 29

Alex Gaynor, "The worst truism in information security":
Attackers just need one vulnerability, defenders need to be perfect.
https://alexgaynor.net/2018/jul/20/worst-truism-in-infosec/

Slide 30

But what about the exploding cars?

Slide 31

“unbreakable” encryption
absolute security

Slide 32

threat model
cost–benefit analysis
documentation

Slide 33

Threat Model: biometrics
Photo: The Photographer [CC BY-SA 3.0 (https://creativecommons.org/licenses/by-sa/3.0) or GFDL (http://www.gnu.org/copyleft/fdl.html)], from Wikimedia Commons

Slide 34

Cost-Benefit

Slide 35

Mitigation: Defense in depth

Slide 36

(no text)

Slide 37

(no text)

Slide 38

(no text)

Slide 39

https://www.independent.co.uk/travel/news-and-advice/air-safety-2017-best-year-safest-airline-passengers-worldwide-to70-civil-aviation-review-a8130796.html

Slide 40

Amazon Says One Engineer's Simple Mistake Brought the Internet Down (2017-02-28)

Slide 41

Please mind the user between the chair and the keyboard

Slide 42

Photo: Arz [CC BY-SA 3.0 (http://creativecommons.org/licenses/by-sa/3.0/)], from Wikimedia Commons

Slide 43

So Long, And No Thanks for the Externalities: The Rational Rejection of Security Advice by Users
Cormac Herley, Microsoft Research

Slide 44

Human factor
● Social engineering
● CEO scam: Ubiquiti Networks victim of $39 million social engineering attack
  https://www.csoonline.com/article/2961066/supply-chain-security/ubiquiti-networks-victim-of-39-million-social-engineering-attack.html
● Password in exchange for chocolate (up to 47.9%)
  Université du Luxembourg, Computers in Human Behavior, 2016; 61: 372, DOI: 10.1016/j.chb.2016.03.026
● dissatisfied employees
● ignorant management

Slide 45

(no text)

Slide 46

Your grandmother has installed Flash.

Slide 47

User interface, training, documentation
Lion Air Flight 610: Pilots fought automatic safety system before plane plunged.

Slide 48

Challenger / Chernobyl 1986

Slide 49

0. attitude
1. think
2. learn

Slide 50

Professionally paranoid

Slide 51

Persecution mania
● Cracking Passwords using Keyboard Acoustics and Language Modeling, Andrew Kelly, University of Edinburgh (2010)
● Eavesdrop on Conversations Using a Bag of Chips with MIT’s ‘Visual Microphone’
  https://singularityhub.com/2014/08/13/eavesdrop-on-conversations-using-a-bag-of-chips-with-mits-visual-microphone/
● Researcher Turns HDD Into Rudimentary Microphone

Slide 52

be creative & learn from the past

Slide 53

Consider leaky abstraction layers

Slide 54

Example: Memory safety

Slide 55

Hardware security
RSA Key Extraction via Acoustic Cryptanalysis
https://www.tau.ac.il/~tromer/acoustic/

Slide 56

Physical security against intru-deers
https://twitter.com/DCFurs/status/1087663240421593089

Slide 57

cybersquirrel1.com – attacks on power grid
http://cybersquirrel1.com/

Slide 58

IoT – Internet of Things
The “S” in “IoT” stands for security.
The “P” in “IoT” stands for privacy.
(Sorry, German humour)

Slide 59

Ethics and responsibility

Slide 60

0. attitude
1. think
2. learn

Slide 61

I know that I know nothing (Socratic paradox)

Slide 62

Skill #1: Communication

Slide 63

Stop reading, start doing!
Parisa Tabriz, "So, you want to work in security?"
https://medium.freecodecamp.org/so-you-want-to-work-in-security-bc6c10157d23

Slide 64

Available for free: https://www.cl.cam.ac.uk/~rja14/book.html

Slide 65

Human Computer Interaction
UI / UX

Slide 66

“Soft” skills
● team work / team diversity
● locate and evaluate information
● law / legal affairs
● business
● ethics & compliance
● rhetoric
● read and write documentation

Slide 67

Social Engineering
● The Social Engineering Framework https://www.social-engineer.org/framework/
● Social Engineering: The Art of Human Hacking, Christopher Hadnagy (2010)
● The Art of Deception, Kevin D. Mitnick (2003)

Slide 68

OpSec
DevOps
Admin

Slide 69

Digital self-defense
● secure your hardware
● disk encryption
● privacy
● ad-blocker
● email provider
● good passwords / 2FA
● update, update, update!
https://freedom.press/training/

Slide 70

Operating Systems
● man pages
● Advanced Programming in the UNIX Environment, Stevens / Rago (2013)

Slide 71

Computer networks and system tools
● IPv4, IPv6, routing, TCP, UDP, DNS, firewall
● auditing, logging
● SELinux
● analysis and pentesting tools
  ● wireshark
  ● nmap
  ● metasploit
  ● IDA Interactive Disassembler

Slide 72

DevOps
Securing DevOps: Security in the Cloud, Julien Vehent (2018)

Slide 73

Software

Slide 74

General resources
● OWASP: Open Web Application Security Project
● CWE: Common Weakness Enumeration
● CVE: Common Vulnerabilities and Exposures
● IETF RFCs

Slide 75

Top 10 bugs
● injection attacks (SQL, LDAP, JSON, XQuery, XPath, ...)
● broken authentication and access control
● cross-site scripting (XSS)
● XML entities
● insecure deserialization (images, docs, ASN.1)

Slide 76

Unicode

    >>> import unicodedata
    # homograph / homoglyph confusion attack
    >>> unicodedata.name('Руthοn'[0])
    'CYRILLIC CAPITAL LETTER ER'

    # persistent XSS with wide unicode normalization
    >>> wide = '＜script＞'                  # full-width U+FF1C / U+FF1E, not ASCII '<' '>'
    >>> safe = wide.replace('<', '&lt;')    # quote: finds no ASCII '<', so nothing changes
    >>> unicodedata.name(safe[0])
    'FULLWIDTH LESS-THAN SIGN'
    >>> unicodedata.normalize('NFKD', safe) # compatibility normalization folds the wide sign to ASCII
    '<script>'
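The two pitfalls on this slide carried through in working Python, as an added example that is not from the talk: a script-mix check for homoglyph identifiers (NFKC alone does not catch those), and the escape-then-normalize ordering bug beside its fix. The sample strings are constructed and the function names are my own.

```python
import html
import unicodedata

# Constructed sample inputs. Escape sequences spell out the characters so the
# script mix is visible: Cyrillic ER, Cyrillic U, Latin t h, Greek omicron, Latin n.
HOMOGLYPH_NAME = "\u0420\u0443th\u03bfn"   # renders like "Python"
# Full-width less-than / greater-than (U+FF1C / U+FF1E) around "script".
WIDE_TAG = "\uff1cscript\uff1e"


def scripts_used(text):
    """Return the set of scripts found in text, taken from the first word of
    each letter's Unicode character name (LATIN, CYRILLIC, GREEK, ...)."""
    scripts = set()
    for ch in text:
        if ch.isalpha():
            scripts.add(unicodedata.name(ch, "UNKNOWN").split(" ")[0])
    return scripts


def is_mixed_script(text):
    """Homoglyph check: an identifier drawn from more than one script is suspicious.
    NFKC does not map Cyrillic or Greek letters to Latin, so normalization alone
    will not expose this; the script mix has to be checked explicitly."""
    return len(scripts_used(text)) > 1


def escape_then_normalize(text):
    """The bug shown on the slide: html.escape() sees no ASCII '<' in the
    full-width input, and a later NFKC/NFKD normalization folds U+FF1C to '<'."""
    escaped = html.escape(text)
    return unicodedata.normalize("NFKC", escaped)


def normalize_then_escape(text):
    """Fix: normalize first so full-width brackets become ASCII, then escape."""
    return html.escape(unicodedata.normalize("NFKC", text))


if __name__ == "__main__":
    print(unicodedata.name(HOMOGLYPH_NAME[0]))    # CYRILLIC CAPITAL LETTER ER
    print(sorted(scripts_used(HOMOGLYPH_NAME)))  # ['CYRILLIC', 'GREEK', 'LATIN']
    print(escape_then_normalize(WIDE_TAG))       # <script>  (markup survives)
    print(normalize_then_escape(WIDE_TAG))       # &lt;script&gt;
```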

Slide 77

Programming languages
● C
● Assembly
● eBPF, BPF
● Go
● Java
● JavaScript
● PHP
● Python
● Rust

Slide 78

Cryptography

Slide 79

Cryptography
● The Code Book, Simon Singh
● Cryptography Engineering, Ferguson / Schneier / Tadayoshi Kohno
● Serious Cryptography, JP Aumasson

Slide 80

Cryptography: free online resources
● Cryptography I, Dan Boneh https://www.coursera.org/learn/crypto
● The cryptopals crypto challenges https://cryptopals.com/
● Crypto 101, LvH, https://www.crypto101.io/
● Mathematics of Public Key Cryptography, Steven Galbraith (2012)

Slide 81

TLS/SSL, Certificates
● Bulletproof SSL and TLS, Ivan Ristic
● CA/Browser Forum Baseline Requirements https://cabforum.org/
● Mozilla Server Side TLS https://wiki.mozilla.org/Security/Server_Side_TLS

Slide 82

Passwords / Authentication
● NIST 800-63-3: Digital Identity Guidelines
● OAuth, OpenID Connect
● 2FA (FIDO, WebAuthn)
● Troy Hunt, https://haveibeenpwned.com/

Slide 83

Misc

Slide 84

News, blogs
● Linux Weekly News https://lwn.net/
● Troy Hunt https://www.troyhunt.com/
● Krebs on Security https://krebsonsecurity.com/
● Bruce Schneier https://www.schneier.com/
● Bulletproof TLS Newsletter https://www.feistyduck.com/bulletproof-tls-newsletter/

Slide 85

Conference videos
● Chaos Communication Congress (e.g. 35C3)
● Black Hat
● DEFCON
● Real World Crypto

Slide 86

Security people
● Adam Langley
● Alex Gaynor
● Brian Krebs (Krebs On Security)
● Bruce Schneier
● Dan Bernstein (djb)
● Frank Denis
● Hanno Böck
● JP Aumasson
● Katie Moussouris
● Matt Blaze
● Matthew Green
● Nick Sullivan
● Parisa Tabriz
● Ryan Sleevi
● Tanja Lange
● Tavis Ormandy
● Thomas Ptacek
● Tony Arcieri
● Troy Hunt

Slide 87

Summary

Slide 88

Summary
● “I know that I know nothing” (expert / specialist)
● Keep learning
● Mind the user
● Get experience
● Write your own crypto (do NOT use it in production)
Please send me your suggestions

Slide 89

Questions?
@ChristianHeimes
[email protected] / [email protected]
https://speakerdeck.com/tiran/

Slide 90

THANK YOU
plus.google.com/+RedHat
youtube.com/user/RedHatVideos
facebook.com/redhatinc
twitter.com/RedHat
linkedin.com/company/red-hat