Breach Prevention for Developers at KSU

Transcript

1. Frank S. Rietta, 
 M.S. Information Security rietta.com/blog @frankrietta on

   Twitter Data Breach Prevention As a Developer © 2017 Rietta Inc.

2. What We’re Going to Cover • Application Security and Data

   Breaches • Developer’s Backgrounds • Security as a Matter of Ethics and Professionalism • User Stories and Abuser Stories • Drivers’ License Example • Practical Security Take Aways

3. Application Security is the subset of Information Security focused on

   protecting data and privacy from abuse by adversaries who have access to the software system as a whole. Its purpose is to make software resilient to attack, especially when network defenses alone are insufficient.

4. Sensitive Data Means to 
 Read It + Unauthorized Person

   = Breach

5. Source: 
 McCandless (2015)

6. Variety of hacking actions within Web App Attacks patterns (n=205)

   Source: Verizon DBIR (2015), p 41

7. Major Preventable Flaws • Compromised staff credentials, which would be

   preventable by two-factor authentication • Automated technical exploits, that are aggressively applied over a large number of sites, succeeded because basics are ignored • Poor security, including unencrypted backups, leading to an unauthorized person having access to both the data and the means to read it

8. Hoglund, Greg , and Gary McGraw. (2004) Exploiting Software, p

   9. “Most outsourced software (software developed off-site by contractors) is full of backdoors…. Companies that commission this kind of software have not traditionally paid any attention to security at all” (2004).

9. Who are Developers?

10. Source: Informal Internet survey in February 2017 of paid professional

    developers. The 43 respondents are from the Atlanta and Nashville Technical Slack Communities and my Facebook Friends

11. Source: Informal Internet survey in February 2017 of paid professional

    developers. The 43 respondents are from the Atlanta and Nashville Technical Slack Communities and my Facebook Friends

12. To build a successful software application, software developers have to

    take care of many competing concerns.

13. Building our software; keeping our bosses and customers happy! Always

    a new feature!

14. Your code is buggy. We’ve exploited it many ways. Here’s

    our 80 page report.

15. But the Blue Team & the Red Teams Did Not

    Really Collaborate

16. But More Typically

17. Developers at work And by the way, there is no

    red team. That’s not in the budget. Photo Credit: Lisamarie Babik / Wikipedia

18. Foster a Purple Team Business, developers, and security team working

    together!

19. TDD Cycle in a Startup 1. Read the user story

    2. Write a failing test 3. Implement the feature 4. See the tests pass 5. Deploy! Ship it to the cloud!

20. Security is not a Feature, but it is a Matter

    of Ethics and Professionalism

21. – Michael Horn, the CEO of Volkswagen of America, in

    testimony before Congress "This was a couple of software engineers who put this in for whatever reason" Image Source: AP

22. – Michael Horn, the CEO of Volkswagen of America, in

    testimony before Congress "This was a couple of software engineers who put this in for whatever reason" Image Source: AP Threw the Team Under the Buss

23. Alex Stamos, then Yahoo’s chief information security officer (2014) Ignored

    by management; CEO withheld information; and product teams actively ignored “the paranoids”

24. “Security is not a functional requirement” - A graduate school

    professor

25. Security is not a functional requirement

26. None

27. Security-based Development Baking security into the development process

28. Security is a Requirement

29. Commercial Information Classifications 1. Public: Public information 2. Internal Use:

    Confidential business information 3. Confidential: Information that customers consider confidential 4. Sensitive: Personal and Private Information (PII), information that THE LAW considers confidential 5. Highly Sensitive: Encryption keys, server secrets, staff/admin passwords

30. Users can feel a privacy breach even if the terms

    and conditions spell out in mouse print that they agree to such sharing. This is a yellow line violation.

31. User Stories 
 & Abuser Stories I want an easy

    login experience I want to obtain credentials and steal things

32. User Stories Are composed of three aspects: 1. a written

    description of the story used for planning and as a reminder 2. conversations about the story that serve to flesh out the details of the story 3. tests that convey and document details and that can be used to determine when a story is complete

33. The New Customer As a Visitor, I can create a

    new account by filling in my e-mail address and desired password Security Notes: • Can we verify that the user really has the email address on signup? • The password should be at least 12 characters long and should definitely allow for spaces and punctuation

34. The Customer Service Rep As a Staff member, I can

    choose the “Assist Customer” button to login as that customer to provide him or her with excellent service. Security Notes: • We need to have a ton of logging around this feature • Staff members should be required to have authenticated with two- factor so that we do not have an unauthorized person accessing this with just a staff credential • Let’s identify certain private fields that customer service does not need access to while helping the customer. Those should be restricted; can we use the database SQL permissions to raise an exception if any of those fields is accessed while using this feature?

35. The Lawyer As general counsel, when I have received a

    subpoena for all material records for a particular account and have exhausted my options to reject it, I work with a system administrator to produce the data while not pulling unnecessary records. Security Notes: • As a matter of policy, we push back on all Law enforcement requests. • Even when the government compels access, we have to protect privacy.

36. Abuser Stories

37. URL Tweaker As an Authenticated Customer, I see what looks

    like my account number in the URL, so I change it to another number to see what will happen

38. Curious Editor As an Authenticated Customer, I paste HTML that

    includes JavaScript into every field possible to see what happens.

39. Clear Communication About Threats to Inform Development Decisions

40. A secure file upload system example in Ruby on Rails

41. As a Pawn Shop Clerk, I scan a copy of

    the customer’s drivers’ license because the company is required by law to keep this record at least two years from the date we purchase a used valuable from a customer.

42. Security facts for this story • Data is an image

    of a drivers’ license, PII by law • Protected by State Law?: • Yes • Avoid storing it?: • No • Retention Period: • 2 Years

43. • At the conclusion of the data retention period, a

    record should show that the system did collect the required information, but that it has been deleted in the ordinary course of business at the conclusion of the retention period. • With public key encryption using GnuPG, the server will have never had the key needed to decrypt an encrypted drivers license.

44. Design considerations • Protect data with encryption and access control

    • Automatically delete after the expiration date • Log authorized access to the file • The project is already using Paperclip, so let’s stick with that • The application and it’s API endpoints are already SSL-only with Strict Transport Security turned on • Assume the company already knows about GnuPG encryption so that authorized people can decrypt on their duly authorized computers

45. Controller Upload and Download actions Paperclip Filter Encrypt with GnuPG

    rather than resize images. Server has no decryption key available. Model Secure Attachment to track file record and the delete_at date Private OpenStack Files Container Expiration Date Set on Each File, No Publicly Accessible URL Access Control CanCan Ability Definitions

46. models/SecureAttachment.rb Notice the processors and styles options to has_attached_file

47. lib/paperclip_processors/ pgp_encrypt_to_finance_team.rb A simple encryption filter using the gpgme gem,

    that interfaces with GnuPG on the server

48. Stored on an OpenStack Files Container Automatic Delete, Random File

    Names that give no information about the file. Amazon S3 would work as well.

49. Decrypting a particular drivers’ license image file

50. YubiKey Neo OpenPGP Smart Card & FIDO Two Factor Tokens!

51. Additional Practical Countermeasures for Your Developers • Read and code

    review against the OWASP Top 10 • Read up on the Microsoft SDL for Agile, even if you’re not a Windows/.NET shop. Also the STRIDE Threat Model. • Use GnuPG (or PGP) as part of your workflow, • Practice on the OWASP WebGoat, Railsgoat, or Pygoat! • Run automated code audit and analysis tools

52. Recap 1. Data breaches are a major concern that cannot

    be mitigated by wishful thinking alone 2. Application Security is about preventing abuse by adversaries who have access to the system, focusing on the app itself rather than just its environment 3. Have an Information Classification system 4. Treat security as a requirement by writing Abuser Stories along with your User Stories. 5. Apply practical technical countermeasures, such as including OWASP Top 10 and your abuse stories in your automated test suite

53. Thanks!

54. Frank S. Rietta, M.S. Information Security • My blog, where

    I write on security and other topics • https://rietta.com/blog • On Twitter • https://twitter.com/frankrietta • Learn more about Rietta’s community sponsorship, including the Atlanta Ruby Users’ Group videos • https://rietta.com/community

55. Rietta’s Mission Our mission is to build excellent software through

    principled, sustainable development practices that treat the security and well being of the software’s users as a primary concern. Learn more a https://rietta.com/about/