Breach Prevention for Developers at KSU

Ab03678bbcfaa5425274e4d3905ae7b8?s=47 Frank Rietta
February 16, 2017
35

Breach Prevention for Developers at KSU

Presentation given at KSU on February 16, 2017

As an information security professional, it’s critical to know something about how custom web applications are developed and the impact that has on application security. Frank Rietta, a developer and founder of a web app security consultancy, talks about what if we want to build security into a web application hosted in the cloud. Since security cannot be bolted on at the end, Frank talks about tools available to include security as part of the development process, including user stories, abuser stories, and test driven development that includes security tests.

If you’re interested in more videos on this topic, Frank publishes videos free to the public at https://rietta.com/learning/appsec/.

Ab03678bbcfaa5425274e4d3905ae7b8?s=128

Frank Rietta

February 16, 2017
Tweet

Transcript

  1. 1.

    Frank S. Rietta, 
 M.S. Information Security rietta.com/blog @frankrietta on

    Twitter Data Breach Prevention As a Developer © 2017 Rietta Inc.
  2. 2.

    What We’re Going to Cover • Application Security and Data

    Breaches • Developer’s Backgrounds • Security as a Matter of Ethics and Professionalism • User Stories and Abuser Stories • Drivers’ License Example • Practical Security Take Aways
  3. 3.

    Application Security is the subset of Information Security focused on

    protecting data and privacy from abuse by adversaries who have access to the software system as a whole. Its purpose is to make software resilient to attack, especially when network defenses alone are insufficient.
  4. 7.

    Major Preventable Flaws • Compromised staff credentials, which would be

    preventable by two-factor authentication • Automated technical exploits, that are aggressively applied over a large number of sites, succeeded because basics are ignored • Poor security, including unencrypted backups, leading to an unauthorized person having access to both the data and the means to read it
  5. 8.

    Hoglund, Greg , and Gary McGraw. (2004) Exploiting Software, p

    9. “Most outsourced software (software developed off-site by contractors) is full of backdoors…. Companies that commission this kind of software have not traditionally paid any attention to security at all” (2004).
  6. 10.

    Source: Informal Internet survey in February 2017 of paid professional

    developers. The 43 respondents are from the Atlanta and Nashville Technical Slack Communities and my Facebook Friends
  7. 11.

    Source: Informal Internet survey in February 2017 of paid professional

    developers. The 43 respondents are from the Atlanta and Nashville Technical Slack Communities and my Facebook Friends
  8. 17.

    Developers at work And by the way, there is no

    red team. That’s not in the budget. Photo Credit: Lisamarie Babik / Wikipedia
  9. 19.

    TDD Cycle in a Startup 1. Read the user story

    2. Write a failing test 3. Implement the feature 4. See the tests pass 5. Deploy! Ship it to the cloud!
  10. 20.

    Security is not a Feature, but it is a Matter

    of Ethics and Professionalism
  11. 21.

    – Michael Horn, the CEO of Volkswagen of America, in

    testimony before Congress "This was a couple of software engineers who put this in for whatever reason" Image Source: AP
  12. 22.

    – Michael Horn, the CEO of Volkswagen of America, in

    testimony before Congress "This was a couple of software engineers who put this in for whatever reason" Image Source: AP Threw the Team Under the Buss
  13. 23.

    Alex Stamos, then Yahoo’s chief information security officer (2014) Ignored

    by management; CEO withheld information; and product teams actively ignored “the paranoids”
  14. 26.
  15. 29.

    Commercial Information Classifications 1. Public: Public information 2. Internal Use:

    Confidential business information 3. Confidential: Information that customers consider confidential 4. Sensitive: Personal and Private Information (PII), information that THE LAW considers confidential 5. Highly Sensitive: Encryption keys, server secrets, staff/admin passwords
  16. 30.

    Users can feel a privacy breach even if the terms

    and conditions spell out in mouse print that they agree to such sharing. This is a yellow line violation.
  17. 31.

    User Stories 
 & Abuser Stories I want an easy

    login experience I want to obtain credentials and steal things
  18. 32.

    User Stories Are composed of three aspects: 1. a written

    description of the story used for planning and as a reminder 2. conversations about the story that serve to flesh out the details of the story 3. tests that convey and document details and that can be used to determine when a story is complete
  19. 33.

    The New Customer As a Visitor, I can create a

    new account by filling in my e-mail address and desired password Security Notes: • Can we verify that the user really has the email address on signup? • The password should be at least 12 characters long and should definitely allow for spaces and punctuation
  20. 34.

    The Customer Service Rep As a Staff member, I can

    choose the “Assist Customer” button to login as that customer to provide him or her with excellent service. Security Notes: • We need to have a ton of logging around this feature • Staff members should be required to have authenticated with two- factor so that we do not have an unauthorized person accessing this with just a staff credential • Let’s identify certain private fields that customer service does not need access to while helping the customer. Those should be restricted; can we use the database SQL permissions to raise an exception if any of those fields is accessed while using this feature?
  21. 35.

    The Lawyer As general counsel, when I have received a

    subpoena for all material records for a particular account and have exhausted my options to reject it, I work with a system administrator to produce the data while not pulling unnecessary records. Security Notes: • As a matter of policy, we push back on all Law enforcement requests. • Even when the government compels access, we have to protect privacy.
  22. 37.

    URL Tweaker As an Authenticated Customer, I see what looks

    like my account number in the URL, so I change it to another number to see what will happen
  23. 38.

    Curious Editor As an Authenticated Customer, I paste HTML that

    includes JavaScript into every field possible to see what happens.
  24. 41.

    As a Pawn Shop Clerk, I scan a copy of

    the customer’s drivers’ license because the company is required by law to keep this record at least two years from the date we purchase a used valuable from a customer.
  25. 42.

    Security facts for this story • Data is an image

    of a drivers’ license, PII by law • Protected by State Law?: • Yes • Avoid storing it?: • No • Retention Period: • 2 Years
  26. 43.

    • At the conclusion of the data retention period, a

    record should show that the system did collect the required information, but that it has been deleted in the ordinary course of business at the conclusion of the retention period. • With public key encryption using GnuPG, the server will have never had the key needed to decrypt an encrypted drivers license.
  27. 44.

    Design considerations • Protect data with encryption and access control

    • Automatically delete after the expiration date • Log authorized access to the file • The project is already using Paperclip, so let’s stick with that • The application and it’s API endpoints are already SSL-only with Strict Transport Security turned on • Assume the company already knows about GnuPG encryption so that authorized people can decrypt on their duly authorized computers
  28. 45.

    Controller Upload and Download actions Paperclip Filter Encrypt with GnuPG

    rather than resize images. Server has no decryption key available. Model Secure Attachment to track file record and the delete_at date Private OpenStack Files Container Expiration Date Set on Each File, No Publicly Accessible URL Access Control CanCan Ability Definitions
  29. 48.

    Stored on an OpenStack Files Container Automatic Delete, Random File

    Names that give no information about the file. Amazon S3 would work as well.
  30. 51.

    Additional Practical Countermeasures for Your Developers • Read and code

    review against the OWASP Top 10 • Read up on the Microsoft SDL for Agile, even if you’re not a Windows/.NET shop. Also the STRIDE Threat Model. • Use GnuPG (or PGP) as part of your workflow, • Practice on the OWASP WebGoat, Railsgoat, or Pygoat! • Run automated code audit and analysis tools
  31. 52.

    Recap 1. Data breaches are a major concern that cannot

    be mitigated by wishful thinking alone 2. Application Security is about preventing abuse by adversaries who have access to the system, focusing on the app itself rather than just its environment 3. Have an Information Classification system 4. Treat security as a requirement by writing Abuser Stories along with your User Stories. 5. Apply practical technical countermeasures, such as including OWASP Top 10 and your abuse stories in your automated test suite
  32. 53.
  33. 54.

    Frank S. Rietta, M.S. Information Security • My blog, where

    I write on security and other topics • https://rietta.com/blog • On Twitter • https://twitter.com/frankrietta • Learn more about Rietta’s community sponsorship, including the Atlanta Ruby Users’ Group videos • https://rietta.com/community
  34. 55.

    Rietta’s Mission Our mission is to build excellent software through

    principled, sustainable development practices that treat the security and well being of the software’s users as a primary concern. Learn more a https://rietta.com/about/