Deep Dive into Application Security For Rails Engineers
zassmin
May 01, 2019
Transcript
Deep Dive into Application Security
About Me
• Application Security Engineer at Coinbase
  ◦ Focus: coinbase.com
• A little on Coinbase
Talk Overview
1. Application Security Overview
2. Security Reviewing an Application
   a. Application + Feature Set
   b. What can go wrong?
   c. 5 Security Principles
   d. Fixing the Problems
3. Recap
Application Security
Helps with defining services that operate safely so bad things don’t happen to them.
Prevent and detect any action used in an unauthorized manner.
“A substantial dose of patience, creativity, and real technical expertise.”
- Michal Zalewski, The Tangled Web
Security Reviewing an Application
What Application will we review?
Built With
• Backend:
  ◦ Rails
  ◦ ActiveRecord
  ◦ APIs (3rd party)
• Frontend:
  ◦ Bootstrap (3rd party)
  ◦ JavaScript
[Mock-up: Winter Exchange (winterexchange.com), Daenerys’s account page with "Buy DGC" and "Send DGC" forms; Send to: 34dig85]
Dragon Glass Coin (DGC)
What are we working on?
[Diagram: Browser (Daenerys’s Session) <-> Server (Winter Exchange) over GET/POST/PUT/DELETE: Establish User Session, GET Account Info, POST Buy, POST Send; Server -> DGC API and Bank API for POST Buy / POST Send]
Winter Exchange’s Feature Set
• A platform to buy and send Dragon Glass Coin (DGC)
• Holds the users’ DGC
• User can send DGC to anyone with an address
• Stores users’ Data
• User can buy DGC with USD
What can go wrong? - Adam Shostack
[Diagram: the same Browser / Server (Winter Exchange) / DGC API / Bank API flow, annotated with Trust Boundaries]
1. Don’t Trust the Client - OWASP, Security By Design Principles
Could the Session be Stolen?
Possible Steps to Steal this Session
1. Find a cross site scripting (XSS) vulnerability
2. Write quick html/javascript
3. Phish the user somehow to use the html/javascript
4. Steal cookie
Do We have an XSS on Winter Exchange? https://github.com/coinbase/salus
2. Don’t Trust Services / 3rd Parties - OWASP, Security By Design Principles
What can we do with a stolen session?
Where is Daenerys’s DGC going?
[Diagram: Winter Exchange, Daenerys’s Account -> Unknown Address]
Fixing the Problems
1. Leaked the Session
2. Cross Site Scripting Vulnerability in Bootstrap
3. Taking Daenerys’ DGC out of Winter Exchange
Secure Headers: https://github.com/twitter/secure_headers
Vulnerability Scanner
• https://github.com/rubysec/bundler-audit
• https://github.com/presidentbeef/brakeman
• https://github.com/coinbase/salus
Patch Your Vulnerabilities
Second Factor Authentication
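Restricting cookie flags is one of the prevention fixes the deck recommends for the leaked session. As an added example (not the talk's code, and not the secure_headers gem, which can apply the same flags application-wide), here is a stdlib-only Ruby builder for a hardened session Set-Cookie line plus an audit function that reports which protective flags a given Set-Cookie line lacks; the cookie name and values are constructed.

```ruby
require "cgi"

# Flags a session cookie should carry: HttpOnly keeps document.cookie from
# reading it (so an XSS payload cannot simply read it out), Secure keeps it
# off plaintext HTTP, SameSite limits cross-site requests that carry it.
REQUIRED_FLAGS = ["secure", "httponly", "samesite"].freeze

# Build a hardened Set-Cookie line for the session. Name and value are
# URL-encoded so they cannot smuggle in ";" and extra attributes.
def session_cookie_header(name, value, max_age: 3600)
  [
    "#{CGI.escape(name)}=#{CGI.escape(value)}",
    "Path=/",
    "Max-Age=#{Integer(max_age)}",
    "Secure",
    "HttpOnly",
    "SameSite=Lax"
  ].join("; ")
end

# Audit a Set-Cookie line (for example, from a response in an integration
# test) and return the required flags it is missing. Attribute names are
# case-insensitive per RFC 6265, so they are compared lowercased.
def missing_cookie_flags(set_cookie_line)
  attrs = set_cookie_line.split(";").drop(1) # skip the name=value pair
  names = attrs.map { |a| a.strip.split("=", 2).first.to_s.downcase }
  REQUIRED_FLAGS - names
end

# Constructed sample: a session cookie issued with no protective flags.
WEAK_COOKIE = "_winter_session=abc123; Path=/".freeze
```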
3. Defense in Depth / Secure by Default - OWASP, Security By Design Principles
4. Least Privilege - OWASP, Security By Design Principles
What if Daenerys can get someone else’s account information?
[Mock-up: Daenerys’s session on Winter Exchange viewing winterexchange.com/user/3]
• Aegon Targaryen
• Personal Address:
  ◦ Tower of Joy
• Drivers License
• DGC Address
Daenerys Gets Any User’s Account Information
Fixing the Problems
1. Authorization
2. Insecure Direct Object Reference
3. Access to another User’s Account Information
   a. Leaking Information
Current User in Controller
Pundit https://github.com/varvet/pundit
Write Tests
UUID
1. 32 hexadecimal (base 16) digits, plus hyphens
2. f81d4fae-7dec-11d0-a765-00a0c91e6bf6
3. One way hashing, deterministically generated
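The insecure direct object reference behind winterexchange.com/user/3, beside the fix the deck points to (authorize against the current user, a Pundit-style policy, and UUIDs instead of sequential ids), as an added example that is not the talk's code. Plain Ruby stands in for ActiveRecord and the controller; the User struct, the USERS table and every value in it are constructed.

```ruby
require "securerandom"

User = Struct.new(:id, :uuid, :name, :personal_address, keyword_init: true)

# Constructed table: the integer id is sequential and guessable, the uuid
# (32 hex digits plus hyphens, from SecureRandom) is not.
USERS = [
  User.new(id: 1, uuid: SecureRandom.uuid, name: "Daenerys",
           personal_address: "Dragonstone"),
  User.new(id: 3, uuid: SecureRandom.uuid, name: "Aegon Targaryen",
           personal_address: "Tower of Joy")
].freeze

class NotAuthorizedError < StandardError; end

# Pundit-style policy object: `show?` answers "may this user see this
# record?", here only when the record is the user's own account.
class UserPolicy
  def initialize(user, record)
    @user = user
    @record = record
  end

  def show?
    !@user.nil? && @user.id == @record.id
  end
end

# Before: trusts the client-supplied id, so any logged-in user can read any
# account by changing the number in the URL (current_user is never consulted).
def show_user_insecure(_current_user, params)
  USERS.find { |u| u.id == Integer(params[:id]) }
end

# After: resolve the record by its unguessable uuid, then authorize it
# against current_user explicitly (the check Pundit's `authorize` performs),
# failing closed when either step does not hold.
def show_user_secure(current_user, params)
  record = USERS.find { |u| u.uuid == params[:id] }
  unless record && UserPolicy.new(current_user, record).show?
    raise NotAuthorizedError, "not authorized"
  end
  record
end
```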
Privacy
• Data Classification Policy
  ◦ Public, Internal, Confidential
• Redacting sensitive information
5. Fail Securely Explicitly - OWASP, Security By Design Principles
How did Daenerys get 3 Dragons?
[Diagram: Daenerys’s Active Session -> Buying DGC $100 -> Server (Winter Exchange) -> Bank API: Process Buy returns "Error Processing Payment", and the server processes the error as a successful request]
Where’s the problem?
A Closer Look at #process_payment
Fixing the Problem
1. Truthy Value
2. Taking Daenerys’ DGC out of Winter Exchange
Explicit Error Handling
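The truthy-value bug in #process_payment beside its explicit error handling, as an added example that is not the talk's code. The BankApiClient stand-in, its response shape, the failure threshold and the USD-to-DGC rate are constructed assumptions; a real client would make an HTTP call and parse the Bank API's actual response.

```ruby
# Constructed stand-in for the Bank API: an error still comes back as a Hash,
# and a Hash is truthy in Ruby whether or not the charge succeeded.
class BankApiClient
  def charge(usd_cents)
    if usd_cents > 50_000 # constructed: charges over $500 are declined
      return { "status" => "error", "message" => "Error Processing Payment" }
    end
    { "status" => "ok", "charge_id" => "ch_constructed_1" }
  end
end

class PaymentError < StandardError; end

# Constructed rate: 1 USD buys 1 DGC.
def credit_dgc(usd_cents)
  usd_cents / 100
end

# Before: `if response` is true for any Hash, so a declined charge still
# credits DGC to the account.
def process_payment_insecure(bank, usd_cents)
  response = bank.charge(usd_cents)
  if response
    credit_dgc(usd_cents)
  else
    0
  end
end

# After: check the one condition that means success, treat everything else
# (error status, missing charge id, unexpected shape) as failure, and raise
# so the caller cannot mistake an error for a credit.
def process_payment_explicit(bank, usd_cents)
  response = bank.charge(usd_cents)
  ok = response.is_a?(Hash) && response["status"] == "ok" && response["charge_id"]
  raise PaymentError, "charge failed: #{response.inspect}" unless ok
  credit_dgc(usd_cents)
end
```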
Recap
“A substantial dose of patience, creativity, and real technical expertise.”
- Michal Zalewski, The Tangled Web
Questions as your guide: What are we working on? What can go wrong? - Adam Shostack
There are many solutions to a problem!
Prevention Focused Solutions
1. Restrict cookie flags
2. Sanitize html
3. Patch 3rd party libraries
4. Write tests
5. Have second factor auth
6. Data confidentiality plan
7. UUIDs
Detection Focused Solutions
1. CVE scanners
2. Redacting sensitive information
3. Bug Bounty
4. Alerting and monitoring
Security Principles
1. Don’t Trust the Client
2. Don’t Trust Services / 3rd Parties
3. Defense in Depth / Secure by Default
4. Least Privilege
5. Fail Securely / Explicitly
Learn More
• Coinbase Security Blog: https://blog.coinbase.com/tagged/security
• Cryptograveyard: https://magoo.github.io/Blockchain-Graveyard/
• Adam Shostack, Learning to Threat Model for Security Professionals: https://www.linkedin.com/learning/learning-threat-modeling-for-security-professionals
• OWASP: https://www.owasp.org/index.php/Security_by_Design_Principles
• Brad Ediger, Advanced Rails: https://learning.oreilly.com/library/view/advanced-rails (security chapter)
• Secure Headers Gem: https://github.com/twitter/secure_headers
• Salus Gem: https://github.com/coinbase/salus
• Adam Shostack, Threat Modeling: https://www.amazon.com/Threat-Modeling-Designing-Adam-Shostack/dp/1118809998
• Bundler Audit Gem: https://github.com/rubysec/bundler-audit
• Brakeman Gem: https://github.com/presidentbeef/brakeman
• Pundit Gem: https://github.com/varvet/pundit
• Michal Zalewski, The Tangled Web: https://www.amazon.com/Tangled-Web-Securing-Modern-Applications/dp/1593273886
Resources
• Cryptograveyard: https://magoo.github.io/Blockchain-Graveyard/
• Adam Shostack, Learning to Threat Model for Security Professionals: https://www.linkedin.com/learning/learning-threat-modeling-for-security-professionals
• OWASP: https://www.owasp.org/index.php/Security_by_Design_Principles
• Brad Ediger, Advanced Rails: https://learning.oreilly.com/library/view/advanced-rails (security chapter)
• Secure Headers Gem: https://github.com/twitter/secure_headers
• Salus Gem: https://github.com/coinbase/salus
• Adam Shostack, Threat Modeling: https://www.amazon.com/Threat-Modeling-Designing-Adam-Shostack/dp/1118809998
• Bundler Audit Gem: https://github.com/rubysec/bundler-audit
• Brakeman Gem: https://github.com/presidentbeef/brakeman
• Pundit Gem: https://github.com/varvet/pundit
• Kirill Gorshkov: https://blog.smartdec.net/bug-vs-vulnerability-d6d4dc4068bd
• Michal Zalewski, The Tangled Web: https://www.amazon.com/Tangled-Web-Securing-Modern-Applications/dp/1593273886
Image Resources
• Dragon Glass Coin by Lisa Engler: https://dribbble.com/lisaengler
• Ruby on Rails logo: https://commons.wikimedia.org/wiki/File:Ruby_on_Rails_logo.svg
• Game of Thrones Logo: https://commons.wikimedia.org/wiki/File:Game_of_Thrones_2011_logo.svg
• Warning Sign: https://pixabay.com/vectors/warning-sign-30915/
• Daenerys’s image: https://3diphonewallpaper.com/daenerys-targaryen-game-of-thrones-iphone-wallpaper-9527/
• Cookie: http://www.publicdomainfiles.com/show_file.php?id=13968371414517
• Salus Logo: https://github.com/coinbase/salus
• Brakeman Logo: https://github.com/presidentbeef/brakeman
• Bundler Audit Logo: https://github.com/rubysec/bundler-audit
• Jean Patch photo: https://www.flickr.com/photos/woolgenie/22805676928
• Duo logo and image: https://brandfolder.com/duo/public-brand-assets
• Yubico logo and image: https://www.yubico.com/press/images/
• Google Authenticator Logo: https://en.wikipedia.org/wiki/Google_Authenticator
• Jon Snow: https://images.app.goo.gl/prM2x1bFJiBdWWM27
• Bitmoji App