This is the deck for the talk I gave at Rubyday 2015 in Turin.

Attackers see your web application in a very different way: it's not a product, it's a target.

Section objectives
• Understand the risk of exposing a poorly designed web application
• See some real world break-ins
• Know what SQL injection, XSS, exploits, authentication bypass and user enumeration mean

Attackers are everywhere
• Villains (want your databases, want to take over your servers, want you to stop working)
• Bots (the same as villains, but fully automated)
• Malware (wants to spread itself, mostly to hijack your workstation and steal data)
• Activists (the same as villains, but philosophy driven)

What attackers want - 1
• Other people's identity
• Servers
• Botnets
Servers picture courtesy of Matthew Musgrove (https://flic.kr/p/6xsbxQ); bot picture courtesy of Jenn and Tony Bot (https://flic.kr/p/6Bk6p8)

Hosting risks
• Cloud is the new black
• Shared servers are dangerous
• Outsourced security
 - you're a number, not a priority
 - are hosting providers security aware?
 - do they run VA and WAPT (vulnerability assessments and web application penetration tests) on a regular basis?
 - do they have Web Application Firewalls?

Authentication risks
• Information leakage due to poorly configured SSL
• User enumeration
• Weak credentials. Password policy, anyone?
• Authentication bypass due to poor session management
 - Session fixation
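Two of the risks on this slide, user enumeration and session fixation, in a small Ruby login flow, as an added example that is not code from the talk: the leaky login sits beside the hardened one, and the session store rotates its id on login. The user store, the `alice` account, the `Sessions` class and the iteration count are all constructed for the example.

```ruby
require 'securerandom'
require 'openssl'

# Added example, not code from the talk. Iteration count is kept low for the
# demo; use bcrypt or a much higher PBKDF2 count in production.
ITERATIONS = 20_000

def pbkdf2(password, salt)
  OpenSSL::PKCS5.pbkdf2_hmac(password, salt, ITERATIONS, 32, OpenSSL::Digest.new('sha256'))
end

def password_record(password)
  salt = SecureRandom.hex(16)
  { salt: salt, digest: pbkdf2(password, salt) }
end

# Constructed user store: username => salted digest.
USERS = { 'alice' => password_record('correct horse battery') }.freeze

# Dummy record so that an unknown username costs the same hashing work as a
# real one; otherwise response time alone tells an attacker which users exist.
DUMMY = password_record(SecureRandom.hex(16))

# Constant-time byte comparison (never use == on secrets).
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Leaky version: two different messages and a fast path for unknown users.
def leaky_login(user, password)
  record = USERS[user]
  return [false, 'no such user'] unless record
  ok = secure_equal?(pbkdf2(password, record[:salt]), record[:digest])
  ok ? [true, 'ok'] : [false, 'wrong password']
end

# Hardened version: one message and the same work on every failure path.
def login(user, password)
  record = USERS.fetch(user, DUMMY)
  match = secure_equal?(pbkdf2(password, record[:salt]), record[:digest])
  match && USERS.key?(user) ? [true, 'ok'] : [false, 'invalid username or password']
end

# Minimal server-side session store. The fix for session fixation is to issue
# a new id whenever privilege changes (login), which is what Rack::Session and
# Warden/Devise do for you; an id planted by an attacker before login is then
# worthless to them.
class Sessions
  def initialize
    @store = {}
  end

  def create
    id = SecureRandom.hex(32)
    @store[id] = {}
    id
  end

  def [](id)
    @store[id]
  end

  # Move the session data to a fresh id and forget the old one.
  def rotate(old_id)
    data = @store.delete(old_id) || {}
    new_id = SecureRandom.hex(32)
    @store[new_id] = data
    new_id
  end
end

# Login handler: on success the session id presented by the client is replaced.
def authenticate(sessions, session_id, user, password)
  ok, _message = login(user, password)
  return [false, session_id] unless ok
  new_id = sessions.rotate(session_id)
  sessions[new_id][:user] = user
  [true, new_id]
end
```

Compare `leaky_login('mallory', 'x')` with `login('mallory', 'x')`: the first answers "no such user" immediately, the second answers the same generic message as a wrong password and only after the same PBKDF2 work. In `authenticate`, the id the client arrived with is discarded on success, so a fixated id never becomes an authenticated one.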
Runtime risks
• Cross site scripting
 - reflected
 - stored
 - DOM based
• SQL injection
• Vulnerable third party components (OS, system daemons, libraries, …)

Section objectives
• Learn more about security tools (both commercial and open source… but we love the latter most)
• See how some very common attacks can be carried out.

Victim 4: A broken Sinatra app
• Sinatra based app
• The "Hello World!" of XSS examples
• Here to demonstrate how to use BDD and a security story
• … and because I love Sinatra
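The XSS "Hello World!" sketched here, as an added Ruby example that is neither the app from the talk nor Sinatra's own code: a Sinatra-style handler (params hash in, response body out) in its vulnerable and escaped forms, plus a small guestbook to show the stored variant. `hello_vulnerable`, `hello_escaped` and `Guestbook` are names chosen for this example.

```ruby
require 'erb'

# Stand-ins for Sinatra route bodies: a params hash in, the response body out.
# Added example, not code from the talk or from Sinatra; in Sinatra the fixed
# route would read  get('/hello') { hello_escaped(params) }.

# Reflected XSS: whatever arrives in ?name= is interpolated straight into HTML.
def hello_vulnerable(params)
  "<h1>Hello #{params['name']}!</h1>"
end

# Fixed: escape untrusted input at the point it enters an HTML context.
# ERB::Util.html_escape is stdlib; Rack::Utils.escape_html does the same job.
# Sinatra's ERB templates do not escape output for you unless told to.
def hello_escaped(params)
  "<h1>Hello #{ERB::Util.html_escape(params['name'])}!</h1>"
end

# Stored XSS: the payload is saved once and served to every later visitor.
# Storing the raw text is fine; the bug is rendering it raw. Escape on output.
class Guestbook
  def initialize
    @entries = []
  end

  def post(text)
    @entries << text.to_s # keep the original, never trust it later
  end

  def render_vulnerable
    @entries.map { |e| "<li>#{e}</li>" }.join
  end

  def render
    @entries.map { |e| "<li>#{ERB::Util.html_escape(e)}</li>" }.join
  end
end

# DOM based XSS lives in client-side JavaScript (e.g. writing location.hash
# into innerHTML) and is not fixed by any of the server-side escaping above.

if __FILE__ == $0
  probe = { 'name' => '<script>alert(1)</script>' } # constructed probe
  puts hello_vulnerable(probe) # the script tag reaches the browser as markup
  puts hello_escaped(probe)    # the browser shows it as literal text
end
```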
Bonus Victim: Old WordPress
• It's PHP, everybody here is happy to break it!
• Powers 25% of the websites out there (58.7% of websites with a CMS installed) - http://w3techs.com/technologies/details/cm-wordpress/all/all
• Vulnerabilities for plugins and themes come out almost every day

Step 0. Information gathering
• Google dorks
• Netcraft services
• Venerable whois
• "ip:" query courtesy of Bing
(today we work offline, so those techniques won't be applicable)

Section objectives
• Harden your server and keep it updated automagically
• Set up some basic ipfilter rules
• Set up a web application firewall with nginx and mod_security
• Use code review to heal your source code from vulnerabilities
• Learn some tips to write safe code, starting today

Heal your basement
• Tune your OS with automatic security patching
• Install intrusion detection software (tripwire or aide)
• Set up firewalling with iptables
• Harden your configuration
 - install libpam-cracklib
 - set up password aging

Deploy, the insane way
• Not using a versioning system at all
• Using SMB-provided cut & paste facilities
• Copying all repository content via bulk command
• rsync

Deploy, the sane way
• Double check ORM / Warden configuration
• Provide securely generated seeds
• Use staging and make regression tests
• Use capistrano-like tools
• if DateTime.now.wday == 5 then sleep(172800) end # 2 days! :-)

Use code review tools
• Choose the tool you're most comfortable with
• Integrate it in your rake test strategy
• Some KPIs you must have:
 - some stats about your code (LOC, comment density, …)
 - vulnerabilities in third party dependencies
 - warnings about bad programming habits

Testing software is good but…
• Customers don't give enough time
 - strict timeframes
 - unclear specs (remember, ideally it's up to the customer to write BDD scenarios)
• We're not trained to
 - school teaches us we must deploy code that works
 - school doesn't teach us how to write good test lists

So let's be realistic
• We must test our software
• But we don't have time, we have to ship code
• So testing must be
 - automatic
 - generic
 - fast
 - easy to consume
• This way we can iterate over development - testing - shipment

Let's use [T|B]DD
• Write your own security stories
• Ask your neighbourhood #appsec guy to write them
• Use something already prepared (http://www.continuumsecurity.net/bdd-getstarted.html)
• Integrate your stories in your testing workout
• You just scored an A- in your security class
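What a security story can look like as an automatic, generic, fast check in plain Ruby, as an added example (not the Continuum Security BDD stories linked above and not code from the talk): two stories, reflected XSS and user enumeration, run against constructed stand-ins for a broken app and a fixed one. The probe strings, the handler lambdas, the route names in the report and the `alice` account are all constructed for the example.

```ruby
require 'erb'

# Security stories as plain Ruby checks, so they run from `rake test` next to
# the functional suite. Added example: the handlers below are constructed
# stand-ins for Sinatra routes (params hash in, response body out).

# Constructed probes: each is inert unless it lands in a page unescaped.
XSS_PROBES = [
  '<script>alert(1)</script>',
  '"><img src=x onerror=alert(1)>',
  "'><svg onload=alert(1)>"
].freeze

# Story: reflected XSS.
#   Given a page that echoes parameter +param+
#   When each probe is sent in that parameter
#   Then none of them comes back verbatim in the body.
# Returns the probes that did come back unescaped (empty == story passes).
def reflected_xss_story(handler, param)
  XSS_PROBES.select { |probe| handler.call(param => probe).include?(probe) }
end

# Story: user enumeration.
#   Given a login endpoint
#   When logging in with an unknown user, and with a known user + wrong password
#   Then both responses are byte-for-byte identical.
def user_enumeration_story(login, known_user)
  unknown = login.call('user' => "nobody-#{rand(1 << 32)}", 'password' => 'x')
  wrong   = login.call('user' => known_user, 'password' => 'x')
  unknown == wrong ? [] : ["responses differ: #{unknown.inspect} vs #{wrong.inspect}"]
end

# Run every story; returns only the failing ones, so an empty hash is green.
def run_security_stories(app)
  {
    'reflected XSS on /hello?name=' => reflected_xss_story(app[:hello], 'name'),
    'user enumeration on /login'    => user_enumeration_story(app[:login], 'alice')
  }.reject { |_name, failures| failures.empty? }
end

# Two constructed apps: the broken one and the fixed one.
KNOWN = { 'alice' => 'secret' }.freeze
BROKEN_APP = {
  hello: ->(p) { "<h1>Hello #{p['name']}!</h1>" },
  login: lambda { |p|
    return 'no such user' unless KNOWN.key?(p['user'])
    KNOWN[p['user']] == p['password'] ? 'ok' : 'wrong password'
  }
}.freeze
FIXED_APP = {
  hello: ->(p) { "<h1>Hello #{ERB::Util.html_escape(p['name'])}!</h1>" },
  login: ->(p) { KNOWN[p['user']] == p['password'] ? 'ok' : 'invalid username or password' }
}.freeze

if __FILE__ == $0
  { 'broken' => BROKEN_APP, 'fixed' => FIXED_APP }.each do |name, app|
    failures = run_security_stories(app)
    puts "#{name}: #{failures.empty? ? 'PASS' : "FAIL #{failures.keys.join(', ')}"}"
  end
end
```

A `rake test` task can require this file and fail the build whenever `run_security_stories` returns a non-empty hash; adding a story is adding one more function and one more line in the hash, which is what keeps the suite generic and easy to consume.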