DevConf.CZ 2019: First steps into security engineering

Transcript

1. First steps into security engineering DevConf.CZ 2019 / Brno 2019-01-26

   Christian Heimes Principal Software Engineer [email protected] / [email protected] @ChristianHeimes

2. Agenda & Goals

3. First steps into security engineering, DevConf.CZ 2019 6 This talk

   is • opinionated • subjective • biased • incomplete • edutainment Disclaimer

4. First steps into security engineering, DevConf.CZ 2019 7 1. think

   2. learn

5. First steps into security engineering, DevConf.CZ 2019 8

6. Motivation Why should you care? (Recap DevConf.CZ 2018)

7. First steps into security engineering, DevConf.CZ 2019 10 https://www.cnet.com/news/verizon-and-yahoo-agree-to-cut-4-billion-deal-by-350-million/ https://www.theguardian.com/technology/2016/dec/14/yahoo-hack-security-of-one-billion-accounts-breached

8. First steps into security engineering, DevConf.CZ 2019 11 https://www.theguardian.com/technology/2017/aug/31/hacking-risk-recall-pacemakers-patient-death-fears-fda-firmware-update

9. Propositions & Statements

10. First steps into security engineering, DevConf.CZ 2019 14 Security is

    a feature. Security is a selling point.

11. First steps into security engineering, DevConf.CZ 2019 15 Attackers just

    need one vulnerability, defenders need to be perfect.

12. First steps into security engineering, DevConf.CZ 2019 16 Users don't

    care about security. They are ignorant, disregardful, and responsible for security incidents.

13. First steps into security engineering, DevConf.CZ 2019 17 ?

14. First steps into security engineering, DevConf.CZ 2019 18 wrong dangerous

    arrogant (I used to think like that.)

15. First steps into security engineering, DevConf.CZ 2019 19 We fight

    for the users! (Tron)

16. 0. attitude 1. think 2. learn

17. Security is not a feature

18. First steps into security engineering, DevConf.CZ 2019 22 “Our cars

    are less likely to explode than competing products.”

19. First steps into security engineering, DevConf.CZ 2019 23

20. First steps into security engineering, DevConf.CZ 2019 25

21. Security is not dichotomic.

22. First steps into security engineering, DevConf.CZ 2019 27 Alex Gaynor

    The worst truism in information security Attackers just need one vulnerability, defenders need to be perfect https://alexgaynor.net/2018/jul/20/worst-truism-in-infosec/

23. First steps into security engineering, DevConf.CZ 2019 28 But what

    about the exploding cars?

24. First steps into security engineering, DevConf.CZ 2019 29 “unbreakable” encryption

    absolute security

25. First steps into security engineering, DevConf.CZ 2019 30 threat model

    cost–benefit analysis documentation

26. First steps into security engineering, DevConf.CZ 2019 31 Threat Model:

    biometrics The Photographer [CC BY-SA 3.0 (https://creativecommons.org/licenses/by-sa/3.0) or GFDL (http://www.gnu.org/copyleft/fdl.html)], from Wikimedia Commons

27. First steps into security engineering, DevConf.CZ 2019 32 Cost -

    Benefit

28. First steps into security engineering, DevConf.CZ 2019 33 Mitigation: Defense

    in depth

29. First steps into security engineering, DevConf.CZ 2019 37 https://www.independent.co.uk/travel/news-and-advice/air-safety-2017-best-year-safest-airline-passengers-worldwide-to70-civil-aviation-review-a8130796.html

30. First steps into security engineering, DevConf.CZ 2019 38 Amazon Says

    One Engineer's Simple Mistake Brought the Internet Down 2017-02-28

31. Please mind the user between the chair and the keyboard

32. First steps into security engineering, DevConf.CZ 2019 40 Arz [CC

    BY-SA 3.0 (http://creativecommons.org/licenses/by-sa/3.0/)], from Wikimedia Commons

33. First steps into security engineering, DevConf.CZ 2019 41 So Long,

    And No Thanks for the Externalities: The Rational Rejection of Security Advice by Users Cormac Herley, Microsoft Research

34. First steps into security engineering, DevConf.CZ 2019 42 Human factor

    • Social engineer • CEO scam: Ubiquiti Networks victim of $39 million https://www.csoonline.com/article/2961066/supply-chain-security/ubiquiti-networks-victim-of-39-million-social- engineering-attack.html • Password in exchange for chocolate (up to 47.9%) Université du Luxembourg, Computers in Human Behavior, 2016; 61: 372 DOI: 10.1016/j.chb.2016.03.026 • dissatisfied employees • ignorant management

35. First steps into security engineering, DevConf.CZ 2019 43

36. First steps into security engineering, DevConf.CZ 2019 44 Your grandmother

    has installed Flash.

37. First steps into security engineering, DevConf.CZ 2019 45 User Interface

    Lion Air Flight 610: Pilots fought automatic safety system before plane plunged

38. First steps into security engineering, DevConf.CZ 2019 46

39. 0. attitude 1. think 2. learn

40. First steps into security engineering, DevConf.CZ 2019 48 Professionally paranoid

41. First steps into security engineering, DevConf.CZ 2019 49 be creative

    & learn from the past

42. First steps into security engineering, DevConf.CZ 2019 50 Consider leaky

    abstraction layers

43. First steps into security engineering, DevConf.CZ 2019 51 Example: Memory

    safety

44. First steps into security engineering, DevConf.CZ 2019 52 Hardware security

    RSA Key Extraction via Acoustic Cryptanalysis https://www.tau.ac.il/~tromer/acoustic/

45. First steps into security engineering, DevConf.CZ 2019 53 Physical security

    against intru-deers https://twitter.com/DCFurs/status/1087663240421593089

46. First steps into security engineering, DevConf.CZ 2019 54 cybersquirrel1.com –

    attacks on power grid http://cybersquirrel1.com/

47. First steps into security engineering, DevConf.CZ 2019 55 Ethics and

    responsibility

48. 0. attitude 1. think 2. learn

49. First steps into security engineering, DevConf.CZ 2019 57 I know

    that I know nothing (Socratic paradox)

50. First steps into security engineering, DevConf.CZ 2019 58 Skill #1

    Communication

51. First steps into security engineering, DevConf.CZ 2019 59 Stop reading,

    start doing! Parisa Tabriz So, you want to work in security? https://medium.freecodecamp.org/so-you-want-to-work-in-security-bc6c10157d23

52. First steps into security engineering, DevConf.CZ 2019 60 Available for

    free: https://www.cl.cam.ac.uk/~rja14/book.html

53. Human Computer Interaction UI / UX

54. First steps into security engineering, DevConf.CZ 2019 62 “Soft” skills

    • team work / team diversity • locate and evaluate information • law / legal affairs • ethics & compliance • rhetoric • read and write documentation

55. First steps into security engineering, DevConf.CZ 2019 63 Social Engineering

    • The Social Engineering Framework https://www.social-engineer.org/framework/ • Social Engineering, The Art of Human Hacking Christopher Hadnagy (2010) • The Art Of Deception Kevin D. Mitnick (2003)

56. OpSec DevOps Admin

57. First steps into security engineering, DevConf.CZ 2019 65 Digital self-defense

    • secure your hardware • disk encryption • privacy • ad-blocker • email provider • good passwords / 2FA • update, update, update! https://freedom.press/training/

58. First steps into security engineering, DevConf.CZ 2019 66 Operating Systems

    • man pages • Advanced Programming in the UNIX Environment Stevens / Rago (2013)

59. First steps into security engineering, DevConf.CZ 2019 67 Computer networks

    and system tools • IPv4, IPv6, routing, TCP, UDP, DNS, firewall • auditing, logging • SELinux • analysis and pentesting tools • wireshark • nmap • metasploit • IDA Interactive Disassembler

60. Software

61. First steps into security engineering, DevConf.CZ 2019 69 General Resource

    • OWASP: Open Web Application Security Project • CWE: Common Weakness Enumeration • CVE: Common Vulnerabilities and Exposures • IETF RFCs

62. First steps into security engineering, DevConf.CZ 2019 70 Top 10

    bugs • injection attacks (SQL, LDAP, JSON, XQuery, XPath, ...) • broken authentication and access control • Cross-Site scripting (XSS) • XML entities • Insecure Deserialization (images, documentations, ASN.1)

63. First steps into security engineering, DevConf.CZ 2019 71 Unicode >>>

    import unicodedata # homograph / homoglyphic confusion attack >>> unicodedata.name('Руthοn'[0]) CYRILLIC CAPITAL LETTER ER # persistent XSS with wide unicode normalization >>> wide = ' ＜ script ＞ ' >>> safe = wide.replace('<', '&lt;') # quote >>> unicodedata.name(safe[0]) 'FULLWIDTH LESS-THAN SIGN' >>> unicodedata.normalize('NFKD', safe) '<script>' >>> import unicodedata # homograph / homoglyphic confusion attack >>> unicodedata.name('Руthοn'[0]) CYRILLIC CAPITAL LETTER ER # persistent XSS with wide unicode normalization >>> wide = ' ＜ script ＞ ' >>> safe = wide.replace('<', '&lt;') # quote >>> unicodedata.name(safe[0]) 'FULLWIDTH LESS-THAN SIGN' >>> unicodedata.normalize('NFKD', safe) '<script>'

64. First steps into security engineering, DevConf.CZ 2019 72 Programming languages

    • C • Assembly • eBPF, BPF • Go • Java • JavaScript • Python • Rust

65. Cryptography

66. First steps into security engineering, DevConf.CZ 2019 74 Cryptography •

    The Code Book, Simon Singh • Cryptography Engineering, Ferguson/Schneier/Tadayashi • Serious Cryptography, JP Aumasson

67. First steps into security engineering, DevConf.CZ 2019 75 Cryptography free

    online resources • Cryptography I, Dan Boneh https://www.coursera.org/learn/crypto Enroll now • The cryptopals crypto challenges https://cryptopals.com/ • Crypto 101, LvH, https://www.crypto101.io/ • Mathematics of Public Key Cryptography, Steven Galbraith (2012)

68. First steps into security engineering, DevConf.CZ 2019 76 TLS/SSL, Certificates

    • Bulletproof SSL and TLS, Ivan Ristic • CA/Browser Forum Baseline Requirements https://cabforum.org/ • Mozilla Server Side TLS https://wiki.mozilla.org/Security/Server_Side_TLS

69. First steps into security engineering, DevConf.CZ 2019 77 Passwords /

    Authentication • NIST 800-63-3: Digital Identity Guidelines • OAuth, OpenID Connect • 2FA (FIDO, WebAuthn) • Troy Hunt, https://haveibeenpwned.com/

70. Misc

71. First steps into security engineering, DevConf.CZ 2019 79 News, blogs

    • Linux Weekly News https://lwn.net/ • Troy Hunt https://www.troyhunt.com/ • Krebs on Security https://krebsonsecurity.com/ • Bruce Schneier https://www.schneier.com/ • https://www.feistyduck.com/bulletproof-tls-newsletter/

72. First steps into security engineering, DevConf.CZ 2019 80 Conference videos

    • Chaos Communication Conference (e.g. 35C3) • Black Hat • DEFCON • Real World Crypto

73. First steps into security engineering, DevConf.CZ 2019 81 Security people

    • Adam Langley • Alex Gaynor • Brian Krebs (Krebs On Security) • Bruce Schneier • Dan Bernstein (djb) • Frank Denis • Hanno Böck • JP Aumasson • Katie Moussouris • Matt Blaze • Matthew Green • Nick Sullivan • Parisa Tabriz • Ryan Sleevi • Tanja Lange • Tavis Ormandy • Thomas Ptacek • Tony Arcieri • Troy Hunt

74. Summary

75. First steps into security engineering, DevConf.CZ 2019 83 Summary •

    Mind the user • Keep learning • Get experience Write your own crypto (don't use it in production) Please send your suggestions [email protected] / @ChristianHeimes

76. THANK YOU plus.google.com/+RedHat youtube.com/user/RedHatVideos facebook.com/redhatinc twitter.com/RedHat linkedin.com/company/red-hat