It's Coming From Inside the House: An Inside-Out Approach to Node.js Application Security (CircleCityCon)

Transcript

1. @ysmithND i t ’ s c o m i n

   g f r o m i n s i d e t h e h o u s e AN INSIDE-OUT APPROACH TO NODEJS APPLICATION SECURITY yolonda smith

2. @ysmithND STAGE 1

3. @ysmithND CYBER OPERATIONS OFFICER, USAF get to know your captain

4. @ysmithND RECOVERING PRODUCT MANAGER get to know your captain

5. @ysmithND LEAD INFOSEC ANALYST get to know your captain

6. @ysmithND THE COMMON REFRAIN “That’s handled somewhere else [downstream/ upstream/some

   other made up place]” “Is this really that big of a problem? What’s the likelihood that anyone will ever find this?” “Where does it say we have to do that?”

7. @ysmithND THE COMMON REFRAIN

8. @ysmithND we’re making this too hard (still)

9. @ysmithND WE’RE MAKING THIS TOO HARD THE (PERCEIVED) PROBLEM •

   Bread-crumb security • Have to be a domain expert to know what questions to ask OR • Asking a security question turns into a brain dump/lecture • Lots of guidance, not a lot of practical application • Security solutions become awkward bolt-ons OR require concessions in application performance & features to make it work.

10. @ysmithND WE’RE MAKING THIS TOO HARD hot takes ▸ Shouldn’t

    need domain expertise needed to get basics done ▸ Security things for other security people ▸ Security metrics should dovetail to match those of the business ▸ Security with the application not around the application

11. @ysmithND a n e x p e r i m

    e n t HOW CAN WE MAKE THIS EASIER S T A G E 2

12. @ysmithND AN EXPERIMENT WHAT’S “EASIER”? “Easier” => • Provides a

    means to offer intuitive, basic end-to-end security coverage… • …natively in the most popular development language… • ...which works as part of the application, not around it… • …tailored to the application’s requirements AND • flexible enough to adjust when the application changes

13. @ysmithND ___ ___ _ ___ _____ _ _ _ /

    __| | _ \ /_\ |_ \ |_ _| /_\ | \ | | ___ \__ \ | _/ / _ \ | / | | / _ \ | .` | |___| |___/ |_ | /_/ \_ \ |_ |_\ |_| /_ / \_\ |_ | \_| I N T R O DUC I N G

14. @ysmithND THE RESULT : SPARTAN what is it? ▸ Node.js

    application designed as a security library for node.js applications of various types ▸ Writes human-readable security spec & pre- configured modules for immediate integration in new and existing node apps ▸ mocha-chai => unit testing ▸ Coveralls => test coverage ▸ TravisCI-ready Spartan sec urity

15. @ysmithND ABOUT SPARTAN how it works • Application Types •

    Web, Desktop, Mobile, IoT, Kiosk, API • Users (developers) configure security policy by answering a few questions. In return they get • security.json => ‘the security spec’ or ‘policy’ of the application • security.js => the collection of submodules that are generated and preconfigured from the interpreted policy • security/ => customized modules that security.js points to. • Developer simply has to ‘include’ the module in their code like this: ‘let security = require(‘./security’)’

16. @ysmithND WHY THO? why spartan?

17. @ysmithND NO, BUT FOR REAL Y THO? What happens after

    the aliens get past the first line of defense? Application is the inner core at the center of the earth* spartan is the middle finger you give the aliens Client CDN/PoP WAF/Firewall Load Balancer/Proxy Container/Cluster Application Dependencies Supply Chain Source Code

18. @ysmithND d e m o n s t r a

    t i o n YOU CAN PLAY TOO! node npm git* terminal VSCode

19. @ysmithND npm init -y Optional : git init

20. @ysmithND npm install -g spartan-shield yarn add spartan-shield

21. @ysmithND > _spartan -h @ysmithND

22. @ysmithND l e t ’ s p l a y

    a g a m e NEUTRALIZING DIGITAL SKIMMERS WITH _SPARTAN

23. @ysmithND RECAP digital skimmers? • Like ATM-skimmers, except with code

    • Exploit 3rd party vendor’s javascript code • Malicious code goes everywhere the vendor’s code appears 5 Additional Resources: RiskIQ => https://www.riskiq.com/blog/external-threat-management/inside-magecart/ ZDNet => https://www.zdnet.com/article/how-magecart-groups-are-stealing-your- card-details-from-online-stores/

24. @ysmithND @ysmithND

25. @ysmithND NEUTRALIZING DIGITAL SKIMMERS what are the options? 1. JSONP…please,

    God, no… 2. Regenerate js for every page load ▸ Shorten cache period 3. Minimize the amount of 3P javascript running on sensitive pages 4. Limit the context where 3P javascript can run (e.g. sandbox) and what permissions it has (CORS) 5. Track changes in javascript that we do allow ▸ Make sure we know when failures occur

26. @ysmithND q u i c k d e m o

    THIS IS FINE…EVERYTHING IS FINE

27. @ysmithND UNSOLICITED ADVICE summary (for developers) 1. DO know what

    you have, understand its value and watch it a. This includes infrastructure 2. DON’T rely on the pen-test to catch all of the security issues 3. DO devote at least one sprint/epic on secure design & code review 4. DO make sure that you have a means of detecting attempts to circumvent your controls

28. @ysmithND UNSOLICITED ADVICE summary (for security types) 1. We can

    make security more accessible to developers by putting ourselves in developers’ shoes 2. _spartan is how I thought about it—what steps will you take? 3. DO sit in on the design sprints => you don’t have to know how to code to write a story/ requirement 4. DO make it a point to learn the key business success metrics…identify how security initiatives can support/contribute

29. @ysmithND • All things skimmer: • https://otx.alienvault.com/pulse/5ba3c739f1b1ed67ed7764c1 • https://gwillem.gitlab.io/tag/skimming/ •

    https://gwillem.gitlab.io/2018/09/18/abs-cbn.com-hacked/ • Prevention vs Cure • https://www.isixsigma.com/industries/software-it/defect-prevention-reducing- costs-and-enhancing-quality/ • MOAR spartan • https://docs.spartan-security.io resources & references

30. @ysmithND q u e s t i o n s

31. @ysmithND i t ’ s coming from inside the house

    AN INSIDE-OUT APPROACH TO NODEJS APPLICATION SECURITY

32. @ysmithND @ysmithND/@darkmsph1t darkmsph1t.github.io yolonda.io yolonda-smith f i g h t

    m e

33. @ysmithND B A C K U P

34. @ysmithND WHY NODE A NOD TO NODE ▸ About ▸

    Mesh of Chrome V8 Javascript Engine, Event loop + low-level I/O API ▸ “Javascript outside the browser”/“Javascript Everywhere” ▸ Key Benefits ▸ Event driven architecture ▸ Fast, asynchronous I/O processing (non-blocking) ▸ Highly extensible thanks to community-driven package manager, npm ▸ Adoption ▸ Netflix, Walmart, Uber, Paypal, LinkedIn, Medium, NASA, IBM ▸ Optimized for web apps, though growing use in non-web applications

35. @ysmithND

36. @ysmithND

37. @ysmithND DESIGN VISION Inquirer Update Init {security.json} (policy) security.js (boilerplate)

    Interpreter {Answers} Transformer Force Delete No-overwrite Default {Confirmation} modules modules modules modules {security-default.json} (default policy) Set-As-Default

38. @ysmithND concept of operations CACHE DATABASE SESSIONS SECURITY HEADERS FORMS

    CONNECTION SECRETS CLIENT ACCESS CONTROL CSP CACHE CORS APP DEPENDENCIES