Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Stop the security theater!

Pratul Kalia
October 07, 2017
Programming
0
210

Stop the security theater!

Pratul Kalia

October 07, 2017
Tweet

More Decks by Pratul Kalia

See All by Pratul Kalia
Simplifying Software Estimation
pratul
0
82
Effective and efficient mobile engineering
pratul
0
79
Designing future-proof Android applications
pratul
0
88
Android - an introduction for developers
pratul
3
180
Semantic Content Repositories
pratul
1
70
How To Become A Hacker
pratul
3
270

Other Decks in Programming

See All in Programming
トランクベース開発の実現に向けた開発プロセスとCIパイプラインの継続的改善
aanrii
5
990
Babylon.js書籍出版の裏側。ツイートから始まった奇跡の1年を振り返る
iwaken71
0
120
PHPで任意精度演算を行って「正しい」金額計算をする方法 / Perform arbitrary precision arithmetic in PHP to achieve "accurate" monetary calculations
hiro_y
1
300
改めて整理するWebアプリのビルド・デプロイの基本【コンテナ編】
os1ma
2
330
Structure for Enterprise-Scale Angular Applications: Nx Monorepos, Micro Frontends, and Module Federation
manfredsteyer
PRO
0
140
PHPUnit 10 概論 / Introduction of PHPUnit 10
cocoeyes02
0
360
【Symfony超入門】コマンドだけでCRUD画面を作るチート法
kin29
0
150
パフォーマンスを改善せよ!大規模システム改修の仕事の進め方 / Improve performance with Big project for PHPerKaigi 2023
taclose
0
620
PHP8によるデザインパターン入門 / Introduction to Design Patterns with PHP8
fendo181
1
730
Run Your Firebase for Web App Locally Using Firebase Emulator Suite
dicoding
0
400
Lightweight Architectures With Angular's Latest Innovations
manfredsteyer
PRO
0
400
DDD Demystified ~結局DDDとは何なのか?何でないのか?~ #phperkaigi_reject
77web
0
640

Featured

See All Featured
What's in a price? How to price your products and services
michaelherold
233
9.8k
Support Driven Design
roundedbygravity
88
8.9k
Robots, Beer and Maslow
schacon
154
7.4k
10 Git Anti Patterns You Should be Aware of
lemiorhan
643
55k
Mobile First: as difficult as doing things right
swwweet
213
7.9k
Large-scale JavaScript Application Architecture
addyosmani
499
110k
Embracing the Ebb and Flow
colly
76
3.6k
Documentation Writing (for coders)
carmenintech
51
3k
Done Done
chrislema
178
15k
The Success of Rails: Ensuring Growth for the Next 100 Years
eileencodes
24
5.1k
In The Pink: A Labor of Love
frogandcode
133
21k
Scaling GitHub
holman
453
140k

Transcript

  1. Stop the security theater!
    pratul kalia
    @prxtl
    uncommon.is

    View Slide

  2. “the practice of investing in
    countermeasures intended to provide the
    feeling of improved security while doing
    little or nothing to achieve it.”

    View Slide

  3. View Slide

  4. Cost-benefit analysis
    ● Imperative to all security discussions
    ● Security of personal app vs business-critical app

    View Slide

  5. Password rules are pointless
    ● You’re not using a modern password-hashing algorithm
    ● Only length matters!

    View Slide

  6. Do it right!
    ● bcrypt
    ● bcrypt
    ● bcrypt
    whoops...
    - zomato

    View Slide

  7. Stop “inventing” your own security practices
    ● Security is very, very hard to get right
    ● You’re not that smart!
    ● It is easier to do the known right thing... than to know
    what you’re doing wrong

    View Slide

  8. Don’t try to “save” your API endpoints
    ● Your backend should not get affected by a rogue client
    ● MITM all the way
    ● Certificate pinning does not solve this!
    whoops...
    - “Basic HTTP auth over TLS”

    View Slide

  9. Stop client-side encryption
    ● Don’t place your key under the doormat
    ● Security by obscurity is weak
    whoops...
    - “Double encryption!”

    View Slide

  10. Anything part of your APK can be read
    ● This includes all API keys
    ● … access tokens
    ● … anything else hard-coded

    View Slide

  11. Auth token in SharedPreferences
    ● No problems!
    ● Other apps on the system cannot read your app’s data

    View Slide

  12. Data you don’t have, cannot be stolen
    ● Store user data with utmost caution
    ● You’re a user too!
    example...
    - “Who else in my Contacts uses this app?”

    View Slide

  13. What about rooted devices?
    ● All.
    ● bets.
    ● are.
    ● off.

    View Slide

  14. Remember alternate attack vectors
    ● Bribe a security
    guard?
    ● Bribe an employee?

    View Slide

  15. Time for something real.

    View Slide

  16. Insecure data storage
    ● Anything in “private” storage cannot be read by other
    apps in the system
    ● … but anything in “external” storage can be read by
    anyone!

    View Slide

  17. Insecure TLS usage
    ● Always TLS v1.2!
    ○ TLS v1.1 is acceptable… but don’t!
    ● Disable SSL v2 and SSL v3, disable RC4
    ● Use OkHttp!!1!1!

    View Slide

  18. Please break your own systems
    ● Please!
    ● Pay for it!

    View Slide

  19. fin

    View Slide