Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Deep Dive into Application Security For Rails Engineers

E25b10f84e99fd7cd844c4352db1eb66?s=47 zassmin
May 01, 2019
Technology
0
89

Deep Dive into Application Security For Rails Engineers

E25b10f84e99fd7cd844c4352db1eb66?s=128

zassmin

May 01, 2019
Tweet

Other Decks in Technology

See All in Technology
23f4d5d797a91b6d17d627b90b5a42d9?s=48 kentaro
1
340
53850955f15249a1a9dc49df6113e400?s=48 line_developers
PRO
0
1.8k
9ea422a61c1a69c888786830eee3dbe6?s=48 osonoi
0
160
9e7a653ed313b3da4b263a772bfc5026?s=48 clustervr
0
190
3009eedce0d0f7ae45987a7bd8f57b85?s=48 nkjzm
1
800
405fe9ab689473f267e2cfbd95f78c75?s=48 kyonmm
1
1.9k
A4d5b3aae2e67f31b513c88c726514c2?s=48 smzksts
0
200
19fc8f6113c5c3d86e6176362ff29479?s=48 kanaugust
PRO
0
210
098ad475722e3697ec2fba28c8654f9f?s=48 yuhta28
1
200
Da40bdb49bfb7a3fc9426dacac78a99c?s=48 ama_ch
0
3.3k
0d29d155ce5c5a93ed46363626da3ea7?s=48 ocise
1
910
F082484f19b518225501fafa28d05b93?s=48 greymd
0
600

Featured

See All Featured
Ded01cdab114abe4ec13511e4c25b9bb?s=48 andyhume
62
3.3k
245cee81a9c424266e5e401d844ea881?s=48 lara
16
2.6k
A16eb159db895e3b01d3dc95767ad595?s=48 jonyablonski
14
1.1k
170b760e0147792d0140e59ec78e9893?s=48 eitanlees
111
9.9k
168ccec72eee0530b818d44f3fedaacf?s=48 shlominoach
176
7.4k
20bfe76b3d6105641f879fe45cfc9272?s=48 bkeepers
321
53k
Ba530e786553390f3fb271848485681c?s=48 3n
163
22k
96270e4c3e5e9806cf7245475c00b275?s=48 addyosmani
310
21k
C157b16234f1e75e8eac3698c1d4414a?s=48 ddemaree
274
31k
B3d6434763caa0ef5dc4b792662c49f7?s=48 smashingmag
229
18k
2bb923c57a1fdc3a2eb484bb8d565fd2?s=48 ufuk
56
5.4k
1b8ad785acdd1ce1c99914b1c2a4e10e?s=48 sugarenia
233
830k

Transcript

  1. Deep Dive into Application Security

  2. CONFIDENTIAL About Me • Application Security Engineer at Coinbase ◦

    Focus: coinbase.com • A little on Coinbase

  3. CONFIDENTIAL Talk Overview 1. Application Security Overview 2. Security Reviewing

    an Application a. Application + Feature Set b. What can go wrong? c. 5 Security Principles d. Fixing the Problems 3. Recap

  4. Application Security

  5. Helps with defining services that operate safely so bad things

    don’t happen to them.

  6. Prevent and detect any action used in an unauthorized manner.

  7. “A substantial dose of patience, creativity, and real technical expertise.”

    - Michal Zalewski, The Tangled Web

  8. Security Reviewing an Application

  9. What Application will we review?

  10. Built With • Backend: ◦ Rails ◦ Activerecord ◦ APIs

    (3rd party) • Frontend: ◦ Bootstrap (3rd party) ◦ Javascript
  11. None

  12. Winter Exchange Daenerys Account Winter Exchange winterexchange.com Buy DGC Buy

    DGC Send DGC Send DGC Send to: 34dig85

  13. Dragon Glass Coin (DGC)

  14. What are we working on? Server Winter Exchange

  15. What are we working on? Server Winter Exchange Browser Daenerys’s

    Session GET/POST/PUT/DELETE Establish User Session GET Account Info POST Buy POST Send

  16. What are we working on? Server Winter Exchange POST Buy

    POST Send DGC API Bank API

  17. Server Winter Exchange Browser Daenerys’s Session GET/POST/PUT/DELETE Establish User Session

    GET Account Info POST Buy POST Send POST Buy POST Send DGC API Bank API What are we working on?

  18. Winter Exchange’s Feature Set • A platform to buy and

    send Dragon Glass Coin (DGC) • Holds the users’ DGC • User can send DGC to anyone with an address • Stores users’ Data • User can buy DGC with USD

  19. What can go wrong? - Adam Shostack

  20. GET Account Info GET/POST/PUT/DELETE Establish User Session Server Winter Exchange

    Browser Daenerys’s Session POST Buy POST Send POST Buy POST Send DGC API Bank API Trust Boundaries

  21. 1. Don’t Trust the Client - OWASP, Security By Design

    Principles

  22. GET Account Info GET/POST/PUT/DELETE Establish User Session Server Winter Exchange

    Browser Daenerys’s Session POST Buy POST Send POST Buy POST Send DGC API Bank API Trust Boundaries

  23. Could the Session be Stolen?

  24. Possible Steps to Steal this Session 1. Find a cross

    site scripting (XSS) vulnerability 2. Write quick html/javascript 3. Phish the user somehow to use the html/javascript 4. Steal cookie

  25. Do We have a XSS on Winter Exchange? https://github.com/coinbase/salus

  26. 2. Don’t Trust Services 3rd Parties - OWASP, Security By

    Design Principles

  27. What can we do with a stolen session?

  28. GET Account Info GET/POST/PUT/DELETE Establish User Session Server Winter Exchange

    Browser Daenerys’s Session POST Buy POST Send POST Buy POST Send DGC API Bank API Trust Boundaries

  29. Winter Exchange Where is Daenerys’s DGC going? Daenerys’s Account Unknown

    Address

  30. Fixing the Problems 1. Leaked the Session 2. Cross Site

    Scripting Vulnerability in Bootstrap 3. Taking Daenerys’ DGC out of Winter Exchange

  31. https://github.com/twitter/secure_headers

  32. Vulnerability Scanner https://github.com/rubysec/bundler-audit https://github.com/presidentbeef/brakeman https://github.com/coinbase/salus

  33. Patch Your Vulnerabilities

  34. Second Factor Authentication

  35. 3. Defense in Depth Secure by Default - OWASP, Security

    By Design Principles

  36. GET Account Info GET/POST/PUT/DELETE Establish User Session Server Winter Exchange

    Browser Daenerys’s Session POST Buy POST Send POST Buy POST Send DGC API Bank API Trust Boundaries

  37. 4. Least Privilege - OWASP, Security By Design Principles

  38. What if Daenerys can get someone else’s account information? Daenerys

    Account Winter Exchange winterexchange.com/user/3 • Aegon Targaryen • Personal Address: ◦ Tower of Joy • Drivers License • DGC Address

  39. Daenerys Gets Any User’s Account Information

  40. Fixing the Problems 1. Authorization 2. Insecure Direct Object Reference

    3. Access to another User’s Account Information a. Leaking Information

  41. Current User in Controller

  42. Pundit https://github.com/varvet/pundit

  43. Write Tests

  44. UUID 1. 32 hexadecimal (base 16) digits, plus hyphens 2.

    f81d4fae-7dec-11d0-a765-00a0c91e6bf6 3. One way hashing, deterministically generated

  45. Privacy • Data Classification Policy ◦ Public, Internal, Confidential •

    Redacting sensitive information

  46. GET Account Info GET/POST/PUT/DELETE Establish User Session Server Winter Exchange

    Browser Daenerys’s Session POST Buy POST Send POST Buy POST Send DGC API Bank API Trust Boundaries

  47. 5. Fail Securely Explicitly - OWASP, Security By Design Principles

  48. How did Daenerys get 3 Dragons? Daenerys’s Active Session Buying

    DGC $100 Process Buy Error Processing Payment Processes Error as Successful request Server Winter Exchange Bank API

  49. Where’s the problem?

  50. A Closer Look at #process_payment

  51. Fixing the Problem 1. Truthy Value 2. Taking Daenerys’ DGC

    out of Winter Exchange

  52. Explicit Error Handling

  53. Explicit Error Handling

  54. Explicit Error Handling

  55. Recap

  56. “A substantial dose of patience, creativity, and real technical expertise.”

    - Michal Zalewski, The Tangled Web

  57. Questions as your guide: What are we working on? What

    can go wrong? - Adam Shostack

  58. There are many solutions to a problem!

  59. Prevention Focused Solutions 1. Restrict cookie flags 2. Sanitize html

    3. Patch 3rd party libraries 4. Write tests 5. Have second factor auth 6. Data confidentiality plan 7. UUIDs

  60. Detection Focused Solutions 1. CVE scanners 2. Redacting sensitive information

    3. Bug Bounty 4. Alerting and monitoring

  61. Security Principles 1. Don’t Trust the Client 2. Don’t Trust

    Services 3rd Parties 3. Defense in Depth Secure by Default 4. Least Privilege 5. Fail Securely Explicitly

  62. Learn More • Coinbase Security Blog: https://blog.coinbase.com/tagged/security • Cryptograve yard:

    https://magoo.github.io/Blockchain-Graveyard/ • Adam Shostack, Learning to Threat Model for Security Professionals: https://www.linkedin.com/learning/learning-threat-modeling-for-security-professionals • OWASP: https://www.owasp.org/index.php/Security_by_Design_Principles • Brad Ediger, Advanced Rails: https://learning.oreilly.com/library/view/advanced-rails (security chapter) • Secure Headers Gem: https://github.com/twitter/secure_headers • Salus Gem: https://github.com/coinbase/salus • Adam Shostack, Threat Modeling: https://www.amazon.com/Threat-Modeling-Designing-Adam-Shostack/dp/1118809998 • Bundler Audit Gem: https://github.com/rubysec/bundler-audit • Brakeman Gem: https://github.com/presidentbeef/brakeman • Pundit Gem: https://github.com/varvet/pundit • Michal Zalewski, The Tangled Web: https://www.amazon.com/Tangled-Web-Securing-Modern-Applications/dp/1593273886

  63. Resources • Cryptograve yard: https://magoo.github.io/Blockchain-Graveyard/ • Adam Shostack, Learning to

    Threat Model for Security Professionals: https://www.linkedin.com/learning/learning-threat-modeling-for-security-professionals • OWASP: https://www.owasp.org/index.php/Security_by_Design_Principles • Brad Ediger, Advanced Rails: https://learning.oreilly.com/library/view/advanced-rails (security chapter) • Secure Headers Gem: https://github.com/twitter/secure_headers • Salus Gem: https://github.com/coinbase/salus • Adam Shostack, Threat Modeling: https://www.amazon.com/Threat-Modeling-Designing-Adam-Shostack/dp/1118809998 • Bundler Audit Gem: https://github.com/rubysec/bundler-audit • Brakeman Gem: https://github.com/presidentbeef/brakeman • Pundit Gem: https://github.com/varvet/pundit • Kirill Gorshkov: https://blog.smartdec.net/bug-vs-vulnerability-d6d4dc4068bd • Michal Zalewski, The Tangled Web: https://www.amazon.com/Tangled-Web-Securing-Modern-Applications/dp/1593273886

  64. Image Resources • Dragon Glass Coin by Lisa Engler: https://dribbble.com/lisaengler

    • Ruby on Rails logo: https://commons.wikimedia.org/wiki/File:Ruby_on_Rails_logo.svg • Game of Thrones Logo: https://commons.wikimedia.org/wiki/File:Game_of_Thrones_2011_logo.svg • Warning Sign: https://pixabay.com/vectors/warning-sign-30915/ • Daenerys’s image: https://3diphonewallpaper.com/daenerys-targaryen-game-of-thrones-iphone-wallpaper-9527/ • Cookie: http://www.publicdomainfiles.com/show_file.php?id=13968371414517 • Salus Logo: https://github.com/coinbase/salus • Brakeman Logo: https://github.com/presidentbeef/brakeman • Bundler Audit Logo: https://github.com/rubysec/bundler-audit • Jean Patch photo: https://www.flickr.com/photos/woolgenie/22805676928 • Duo logo and image: https://brandfolder.com/duo/public-brand-assets • Yubico logo and image: https://www.yubico.com/press/images/ • Google Authenticator Logo: https://en.wikipedia.org/wiki/Google_Authenticator • Jon Snow: https://images.app.goo.gl/prM2x1bFJiBdWWM27 • Bitmoji App
  65. None