
DevConf.IN 2019: First steps into security engineering

Experience with security is a useful and even profitable skill for every technical and non-technical employee in IT. Contrary to common stereotypes, security is far more than black hoodies, math and crypto. It's also humans and communication skills. Attendees of my DevConf.CZ 2018 talk and DevConf.IN keynote have asked me how to get started. Let me introduce you to diverse areas of info sec and point you to books, online courses, talks, and other resources to get you started.

https://devconfin19.sched.com/event/RVPb/first-steps-into-security-engineering

Christian Heimes

August 03, 2019

Transcript

  1. First steps into security engineering
    DevConf.IN 2019 / Bengaluru 2019-08-03
    Christian Heimes
    Principal Software Engineer
    [email protected] / [email protected]
    @ChristianHeimes

  2. First steps into security engineering, DevConf.IN 2019, @ChristianHeimes, CC BY-SA 4.0
    Who am I?

    from Hamburg/Germany

    Python and C developer

    Python core contributor since 2008

    maintainer of ssl and hashlib module

    Python security team
    Кристиан Хаймес
    ख्रिस्तियन
    ক্রিস্টিয়ান হেইন্স
    ક્રિશ્ચયન હેઇમ્સ
    ക്രിസ്ത്യൻ
    ख्रिश्चन
    ಕ್ರಿಸ್ಟಿಯಾನ್
    کرسٹیان
    கிறிஸ்டின் ஹெய்ம்ஸ்

  3. Professional life

    Principal Software Engineer at Red Hat

    Security Engineering

    FreeIPA Identity Management

    Dogtag PKI

  4. Agenda & Goals

  6. Disclaimer
    This talk is

    opinionated

    subjective

    biased

    incomplete

    edutainment

  7. 1. think
    2. learn

  8. Motivation
    Why should you care?

  9. proud craftsman
    responsible engineer

  10. $$$

  11. https://www.theguardian.com/technology/2016/dec/14/yahoo-hack-security-of-one-billion-accounts-breached

  12. https://www.reuters.com/article/us-yahoo-cyber/yahoo-says-all-three-billion-accounts-hacked-in-2013-data-theft-idUSKCN1C82O1

  13. https://nypost.com/2016/10/06/verizon-wants-1b-discount-on-yahoo-deal-after-hacking-reports/
    https://www.cnet.com/news/verizon-and-yahoo-agree-to-cut-4-billion-deal-by-350-million/

  15. Life and Death

  16. https://www.theguardian.com/technology/2017/aug/31/hacking-risk-recall-pacemakers-patient-death-fears-fda-firmware-update

  17. Propositions & Statements

  18. Security is a feature.
    Security is a selling point.

  19. Attackers just need one vulnerability,
    defenders need to be perfect.

  20. Users don't care about security.
    They are ignorant, disregardful, and responsible for security incidents.

  21. ?

  22. wrong
    dangerous
    arrogant
    (I used to think like that.)

  23. We fight for the users!
    (Tron)

  24. 0. attitude
    1. think
    2. learn

  25. Security is not an (optional) feature

  26. “Our cars are less likely to explode than competing products.”

  29. Alex Gaynor
    The worst truism in information security
    Attackers just need one vulnerability, defenders need to be perfect
    https://alexgaynor.net/2018/jul/20/worst-truism-in-infosec/

  30. But what about the exploding cars?

  31. “unbreakable” encryption
    absolute security

  32. threat model
    cost–benefit analysis
    documentation

  33. Threat Model: biometrics
    The Photographer [CC BY-SA 3.0 (https://creativecommons.org/licenses/by-sa/3.0) or GFDL (http://www.gnu.org/copyleft/fdl.html)], from Wikimedia Commons

  34. Cost–benefit

  35. Mitigation: Defense in depth

  39. https://www.independent.co.uk/travel/news-and-advice/air-safety-2017-best-year-safest-airline-passengers-worldwide-to70-civil-aviation-review-a8130796.html

  40. Amazon Says One Engineer's Simple Mistake Brought the Internet Down
    2017-02-28

  41. Please mind the user between the chair and the keyboard

  42. Arz [CC BY-SA 3.0 (http://creativecommons.org/licenses/by-sa/3.0/)], from Wikimedia Commons

  43. So Long, And No Thanks for the Externalities: The Rational Rejection of Security Advice by Users
    Cormac Herley, Microsoft Research

  44. Human factor

    Social engineering

    CEO scam: Ubiquiti Networks victim of $39 million
    https://www.csoonline.com/article/2961066/supply-chain-security/ubiquiti-networks-victim-of-39-million-social-engineering-attack.html

    Password in exchange for chocolate (up to 47.9%)
    Université du Luxembourg, Computers in Human Behavior, 2016; 61: 372, DOI: 10.1016/j.chb.2016.03.026

    dissatisfied employees

    ignorant management

  46. Your grandmother has installed Flash.

  47. User interface, training, documentation
    Lion Air Flight 610: Pilots fought automatic safety system before plane plunged.

  48. Challenger / Chernobyl 1986

  49. 0. attitude
    1. think
    2. learn

  50. Professionally paranoid

  51. Persecution mania
    Cracking Passwords using Keyboard Acoustics and Language Modeling
    Andrew Kelly, University of Edinburgh (2010)
    Eavesdrop on Conversations Using a Bag of Chips with MIT’s ‘Visual Microphone’
    https://singularityhub.com/2014/08/13/eavesdrop-on-conversations-using-a-bag-of-chips-with-mits-visual-microphone/
    Researcher Turns HDD Into Rudimentary Microphone

  52. be creative & learn from the past

  53. Consider leaky abstraction layers

  54. Example: Memory safety

  55. Hardware security
    RSA Key Extraction via Acoustic Cryptanalysis
    https://www.tau.ac.il/~tromer/acoustic/

  56. Physical security against intru-deers
    https://twitter.com/DCFurs/status/1087663240421593089

  57. cybersquirrel1.com – attacks on power grid
    http://cybersquirrel1.com/

  58. IoT – Internet of Things
    The “S” in “IoT” stands for security.
    The “P” in “IoT” stands for privacy.
    (Sorry, German humour)

  59. Ethics and responsibility

  60. 0. attitude
    1. think
    2. learn

  61. I know that I know nothing
    (Socratic paradox)

  62. Skill #1
    Communication

  63. Stop reading, start doing!
    Parisa Tabriz
    So, you want to work in security?
    https://medium.freecodecamp.org/so-you-want-to-work-in-security-bc6c10157d23

  64. Available for free: https://www.cl.cam.ac.uk/~rja14/book.html

  65. Human Computer Interaction
    UI / UX

  66. “Soft” skills

    team work / team diversity

    locate and evaluate information

    law / legal affairs

    business

    ethics & compliance

    rhetoric

    read and write documentation

  67. Social Engineering

    The Social Engineering Framework
    https://www.social-engineer.org/framework/

    Social Engineering, The Art of Human Hacking
    Christopher Hadnagy (2010)

    The Art Of Deception
    Kevin D. Mitnick (2003)

  68. OpSec
    DevOps
    Admin

  69. Digital self-defense

    secure your hardware

    disk encryption

    privacy

    ad-blocker

    email provider

    good passwords / 2FA

    update, update, update!
    https://freedom.press/training/

  70. Operating Systems

    man pages

    Advanced Programming in the UNIX Environment
    Stevens / Rago (2013)

  71. Computer networks and system tools

    IPv4, IPv6, routing, TCP, UDP, DNS, firewall

    auditing, logging

    SELinux

    analysis and pentesting tools

    Wireshark

    nmap

    Metasploit

    IDA Interactive Disassembler

  72. DevOps
    Securing DevOps: Security in the Cloud
    Julien Vehent (2018)

  73. Software

  74. General Resources

    OWASP: Open Web Application Security Project

    CWE: Common Weakness Enumeration

    CVE: Common Vulnerabilities and Exposures

    IETF RFCs

  75. Top 10 bugs

    injection attacks (SQL, LDAP, JSON, XQuery, XPath, ...)

    broken authentication and access control

    Cross-site scripting (XSS)

    XML entities

    Insecure deserialization (images, docs, ASN.1)

  76. Unicode
    >>> import unicodedata
    # homograph / homoglyphic confusion attack
    >>> unicodedata.name('Руthοn'[0])
    'CYRILLIC CAPITAL LETTER ER'
    # persistent XSS with wide unicode normalization
    >>> wide = '＜script＞'
    >>> safe = wide.replace('<', '&lt;')  # quote
    >>> unicodedata.name(safe[0])
    'FULLWIDTH LESS-THAN SIGN'
    >>> unicodedata.normalize('NFKD', safe)
    '<script>'
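The two pitfalls on the Unicode slide worked through as an added example (not code from the talk): escaping before NFKC normalisation lets fullwidth brackets turn back into live markup, while normalising first keeps the escaping effective, and a script-mixing check flags the Cyrillic/Greek letters hiding in the look-alike of "Python". The function names, the script-name heuristic and the sample strings are constructed for this example.

```python
import html
import unicodedata

# Constructed sample: fullwidth angle brackets (U+FF1C, U+FF1E) around 'script'.
WIDE_SCRIPT = "\uff1cscript\uff1e"
# Constructed sample: Cyrillic ER, Cyrillic U and Greek omicron posing as 'Python'.
FAKE_PYTHON = "\u0420\u0443th\u03bfn"


def escape_then_normalize(text):
    """Vulnerable order from the slide: html.escape sees no ASCII '<' or '>',
    so it changes nothing; NFKC then folds U+FF1C/U+FF1E to '<' and '>' and
    the markup that was supposedly quoted is live again."""
    return unicodedata.normalize("NFKC", html.escape(text))


def normalize_then_escape(text):
    """Defensive order: canonicalise first, then escape whatever remains, so a
    later normalisation step cannot manufacture new ASCII metacharacters."""
    return html.escape(unicodedata.normalize("NFKC", text))


def scripts_used(text):
    """Set of scripts used by the letters in text, e.g. {'LATIN', 'CYRILLIC'}.
    unicodedata exposes no Script property, so the first word of the character
    name ('CYRILLIC CAPITAL LETTER ER') serves as a proxy (assumption: good
    enough for the common Latin/Cyrillic/Greek confusables)."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in text if ch.isalpha()}


def is_mixed_script(text):
    """Homoglyph heuristic: an identifier written in more than one script is
    suspicious (the genuine 'Python' uses LATIN only)."""
    return len(scripts_used(text)) > 1


def homoglyph_report(text):
    """Non-ASCII letters with their Unicode names, so a log line or a reviewer
    can see why a string was flagged."""
    return [(ch, unicodedata.name(ch, "UNKNOWN")) for ch in text if ord(ch) > 0x7F]


if __name__ == "__main__":
    print(escape_then_normalize(WIDE_SCRIPT))  # <script>  (escaping defeated)
    print(normalize_then_escape(WIDE_SCRIPT))  # &lt;script&gt;
    print(is_mixed_script(FAKE_PYTHON), homoglyph_report(FAKE_PYTHON))
```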

  77. Programming languages

    C

    Assembly

    eBPF, BPF

    Go

    Java

    JavaScript

    PHP

    Python

    Rust

  78. Cryptography

  79. Cryptography

    The Code Book, Simon Singh

    Cryptography Engineering, Ferguson/Schneier/Tadayoshi

    Serious Cryptography, JP Aumasson

  80. Cryptography
    free online resources

    Cryptography I, Dan Boneh
    https://www.coursera.org/learn/crypto

    The cryptopals crypto challenges
    https://cryptopals.com/

    Crypto 101, LvH
    https://www.crypto101.io/

    Mathematics of Public Key Cryptography, Steven Galbraith (2012)

  81. TLS/SSL, Certificates

    Bulletproof SSL and TLS, Ivan Ristić

    CA/Browser Forum Baseline Requirements
    https://cabforum.org/

    Mozilla Server Side TLS
    https://wiki.mozilla.org/Security/Server_Side_TLS

  82. Passwords / Authentication

    NIST SP 800-63-3: Digital Identity Guidelines

    OAuth, OpenID Connect

    2FA (FIDO, WebAuthn)

    Troy Hunt
    https://haveibeenpwned.com/

  83. Misc

  84. News, blogs

    Linux Weekly News https://lwn.net/

    Troy Hunt https://www.troyhunt.com/

    Krebs on Security https://krebsonsecurity.com/

    Bruce Schneier https://www.schneier.com/

    Bulletproof TLS Newsletter https://www.feistyduck.com/bulletproof-tls-newsletter/

  85. Conference videos

    Chaos Communication Congress (e.g. 35C3)

    Black Hat

    DEF CON

    Real World Crypto

  86. Security people

    Adam Langley

    Alex Gaynor

    Brian Krebs (Krebs On Security)

    Bruce Schneier

    Dan Bernstein (djb)

    Frank Denis

    Hanno Böck

    JP Aumasson

    Katie Moussouris

    Matt Blaze

    Matthew Green

    Nick Sullivan

    Parisa Tabriz

    Ryan Sleevi

    Tanja Lange

    Tavis Ormandy

    Thomas Ptacek

    Tony Arcieri

    Troy Hunt

  87. Summary

  88. Summary

    “I know that I know nothing” (expert specialist)

    Keep learning

    Mind the user

    Get experience

    Write your own crypto (do NOT use it in production)

    Please send me your suggestions

  89. Questions?
    @ChristianHeimes
    [email protected]
    [email protected]
    https://speakerdeck.com/tiran/

  90. THANK YOU
    plus.google.com/+RedHat
    youtube.com/user/RedHatVideos
    facebook.com/redhatinc
    twitter.com/RedHat
    linkedin.com/company/red-hat