Deep Dive into Application Security For Rails Engineers

Transcript

1. Deep Dive into Application Security

2. CONFIDENTIAL About Me • Application Security Engineer at Coinbase ◦

   Focus: coinbase.com • A little on Coinbase

3. CONFIDENTIAL Talk Overview 1. Application Security Overview 2. Security Reviewing

   an Application a. Application + Feature Set b. What can go wrong? c. 5 Security Principles d. Fixing the Problems 3. Recap

4. Application Security

5. Helps with defining services that operate safely so bad things

   don’t happen to them.

6. Prevent and detect any action used in an unauthorized manner.

7. “A substantial dose of patience, creativity, and real technical expertise.”

   - Michal Zalewski, The Tangled Web

8. Security Reviewing an Application

9. What Application will we review?

10. Built With • Backend: ◦ Rails ◦ Activerecord ◦ APIs

    (3rd party) • Frontend: ◦ Bootstrap (3rd party) ◦ Javascript
11. None

12. Winter Exchange Daenerys Account Winter Exchange winterexchange.com Buy DGC Buy

    DGC Send DGC Send DGC Send to: 34dig85

13. Dragon Glass Coin (DGC)

14. What are we working on? Server Winter Exchange

15. What are we working on? Server Winter Exchange Browser Daenerys’s

    Session GET/POST/PUT/DELETE Establish User Session GET Account Info POST Buy POST Send

16. What are we working on? Server Winter Exchange POST Buy

    POST Send DGC API Bank API

17. Server Winter Exchange Browser Daenerys’s Session GET/POST/PUT/DELETE Establish User Session

    GET Account Info POST Buy POST Send POST Buy POST Send DGC API Bank API What are we working on?

18. Winter Exchange’s Feature Set • A platform to buy and

    send Dragon Glass Coin (DGC) • Holds the users’ DGC • User can send DGC to anyone with an address • Stores users’ Data • User can buy DGC with USD

19. What can go wrong? - Adam Shostack

20. GET Account Info GET/POST/PUT/DELETE Establish User Session Server Winter Exchange

    Browser Daenerys’s Session POST Buy POST Send POST Buy POST Send DGC API Bank API Trust Boundaries

21. 1. Don’t Trust the Client - OWASP, Security By Design

    Principles

22. GET Account Info GET/POST/PUT/DELETE Establish User Session Server Winter Exchange

    Browser Daenerys’s Session POST Buy POST Send POST Buy POST Send DGC API Bank API Trust Boundaries

23. Could the Session be Stolen?

24. Possible Steps to Steal this Session 1. Find a cross

    site scripting (XSS) vulnerability 2. Write quick html/javascript 3. Phish the user somehow to use the html/javascript 4. Steal cookie

25. Do We have a XSS on Winter Exchange? https://github.com/coinbase/salus

26. 2. Don’t Trust Services 3rd Parties - OWASP, Security By

    Design Principles

27. What can we do with a stolen session?

28. GET Account Info GET/POST/PUT/DELETE Establish User Session Server Winter Exchange

    Browser Daenerys’s Session POST Buy POST Send POST Buy POST Send DGC API Bank API Trust Boundaries

29. Winter Exchange Where is Daenerys’s DGC going? Daenerys’s Account Unknown

    Address

30. Fixing the Problems 1. Leaked the Session 2. Cross Site

    Scripting Vulnerability in Bootstrap 3. Taking Daenerys’ DGC out of Winter Exchange

31. https://github.com/twitter/secure_headers

32. Vulnerability Scanner https://github.com/rubysec/bundler-audit https://github.com/presidentbeef/brakeman https://github.com/coinbase/salus

33. Patch Your Vulnerabilities

34. Second Factor Authentication

35. 3. Defense in Depth Secure by Default - OWASP, Security

    By Design Principles

36. GET Account Info GET/POST/PUT/DELETE Establish User Session Server Winter Exchange

    Browser Daenerys’s Session POST Buy POST Send POST Buy POST Send DGC API Bank API Trust Boundaries

37. 4. Least Privilege - OWASP, Security By Design Principles

38. What if Daenerys can get someone else’s account information? Daenerys

    Account Winter Exchange winterexchange.com/user/3 • Aegon Targaryen • Personal Address: ◦ Tower of Joy • Drivers License • DGC Address

39. Daenerys Gets Any User’s Account Information

40. Fixing the Problems 1. Authorization 2. Insecure Direct Object Reference

    3. Access to another User’s Account Information a. Leaking Information

41. Current User in Controller

42. Pundit https://github.com/varvet/pundit

43. Write Tests

44. UUID 1. 32 hexadecimal (base 16) digits, plus hyphens 2.

    f81d4fae-7dec-11d0-a765-00a0c91e6bf6 3. One way hashing, deterministically generated

45. Privacy • Data Classification Policy ◦ Public, Internal, Confidential •

    Redacting sensitive information

46. GET Account Info GET/POST/PUT/DELETE Establish User Session Server Winter Exchange

    Browser Daenerys’s Session POST Buy POST Send POST Buy POST Send DGC API Bank API Trust Boundaries

47. 5. Fail Securely Explicitly - OWASP, Security By Design Principles

48. How did Daenerys get 3 Dragons? Daenerys’s Active Session Buying

    DGC $100 Process Buy Error Processing Payment Processes Error as Successful request Server Winter Exchange Bank API

49. Where’s the problem?

50. A Closer Look at #process_payment

51. Fixing the Problem 1. Truthy Value 2. Taking Daenerys’ DGC

    out of Winter Exchange

52. Explicit Error Handling

53. Explicit Error Handling

54. Explicit Error Handling

55. Recap

56. “A substantial dose of patience, creativity, and real technical expertise.”

    - Michal Zalewski, The Tangled Web

57. Questions as your guide: What are we working on? What

    can go wrong? - Adam Shostack

58. There are many solutions to a problem!

59. Prevention Focused Solutions 1. Restrict cookie flags 2. Sanitize html

    3. Patch 3rd party libraries 4. Write tests 5. Have second factor auth 6. Data confidentiality plan 7. UUIDs

60. Detection Focused Solutions 1. CVE scanners 2. Redacting sensitive information

    3. Bug Bounty 4. Alerting and monitoring

61. Security Principles 1. Don’t Trust the Client 2. Don’t Trust

    Services 3rd Parties 3. Defense in Depth Secure by Default 4. Least Privilege 5. Fail Securely Explicitly

62. Learn More • Coinbase Security Blog: https://blog.coinbase.com/tagged/security • Cryptograve yard:

    https://magoo.github.io/Blockchain-Graveyard/ • Adam Shostack, Learning to Threat Model for Security Professionals: https://www.linkedin.com/learning/learning-threat-modeling-for-security-professionals • OWASP: https://www.owasp.org/index.php/Security_by_Design_Principles • Brad Ediger, Advanced Rails: https://learning.oreilly.com/library/view/advanced-rails (security chapter) • Secure Headers Gem: https://github.com/twitter/secure_headers • Salus Gem: https://github.com/coinbase/salus • Adam Shostack, Threat Modeling: https://www.amazon.com/Threat-Modeling-Designing-Adam-Shostack/dp/1118809998 • Bundler Audit Gem: https://github.com/rubysec/bundler-audit • Brakeman Gem: https://github.com/presidentbeef/brakeman • Pundit Gem: https://github.com/varvet/pundit • Michal Zalewski, The Tangled Web: https://www.amazon.com/Tangled-Web-Securing-Modern-Applications/dp/1593273886

63. Resources • Cryptograve yard: https://magoo.github.io/Blockchain-Graveyard/ • Adam Shostack, Learning to

    Threat Model for Security Professionals: https://www.linkedin.com/learning/learning-threat-modeling-for-security-professionals • OWASP: https://www.owasp.org/index.php/Security_by_Design_Principles • Brad Ediger, Advanced Rails: https://learning.oreilly.com/library/view/advanced-rails (security chapter) • Secure Headers Gem: https://github.com/twitter/secure_headers • Salus Gem: https://github.com/coinbase/salus • Adam Shostack, Threat Modeling: https://www.amazon.com/Threat-Modeling-Designing-Adam-Shostack/dp/1118809998 • Bundler Audit Gem: https://github.com/rubysec/bundler-audit • Brakeman Gem: https://github.com/presidentbeef/brakeman • Pundit Gem: https://github.com/varvet/pundit • Kirill Gorshkov: https://blog.smartdec.net/bug-vs-vulnerability-d6d4dc4068bd • Michal Zalewski, The Tangled Web: https://www.amazon.com/Tangled-Web-Securing-Modern-Applications/dp/1593273886

64. Image Resources • Dragon Glass Coin by Lisa Engler: https://dribbble.com/lisaengler

    • Ruby on Rails logo: https://commons.wikimedia.org/wiki/File:Ruby_on_Rails_logo.svg • Game of Thrones Logo: https://commons.wikimedia.org/wiki/File:Game_of_Thrones_2011_logo.svg • Warning Sign: https://pixabay.com/vectors/warning-sign-30915/ • Daenerys’s image: https://3diphonewallpaper.com/daenerys-targaryen-game-of-thrones-iphone-wallpaper-9527/ • Cookie: http://www.publicdomainfiles.com/show_file.php?id=13968371414517 • Salus Logo: https://github.com/coinbase/salus • Brakeman Logo: https://github.com/presidentbeef/brakeman • Bundler Audit Logo: https://github.com/rubysec/bundler-audit • Jean Patch photo: https://www.flickr.com/photos/woolgenie/22805676928 • Duo logo and image: https://brandfolder.com/duo/public-brand-assets • Yubico logo and image: https://www.yubico.com/press/images/ • Google Authenticator Logo: https://en.wikipedia.org/wiki/Google_Authenticator • Jon Snow: https://images.app.goo.gl/prM2x1bFJiBdWWM27 • Bitmoji App
65. None