Deep Dive into Application Security For Rails Engineers

zassmin

May 01, 2019

Transcript

  1. Deep Dive into Application Security

  2. CONFIDENTIAL About Me • Application Security Engineer at Coinbase ◦ Focus: coinbase.com • A little on Coinbase

  3. CONFIDENTIAL Talk Overview 1. Application Security Overview 2. Security Reviewing an Application a. Application + Feature Set b. What can go wrong? c. 5 Security Principles d. Fixing the Problems 3. Recap

  4. Application Security

  5. Helps with defining services that operate safely so bad things don’t happen to them.

  6. Prevent and detect any action used in an unauthorized manner.

  7. “A substantial dose of patience, creativity, and real technical expertise.” - Michal Zalewski, The Tangled Web

  8. Security Reviewing an Application

  9. What Application will we review?

  10. Built With • Backend: ◦ Rails ◦ ActiveRecord ◦ APIs (3rd party) • Frontend: ◦ Bootstrap (3rd party) ◦ JavaScript

  11. (image slide, no text)

  12. Winter Exchange (mockup: Daenerys’s account at winterexchange.com, with Buy DGC and Send DGC actions; Send to: 34dig85)

  13. Dragon Glass Coin (DGC)

  14. What are we working on? (diagram: Server, Winter Exchange)

  15. What are we working on? (diagram: Browser, Daenerys’s Session ⇄ Server, Winter Exchange via GET/POST/PUT/DELETE: Establish User Session, GET Account Info, POST Buy, POST Send)

  16. What are we working on? (diagram: Server, Winter Exchange → DGC API and Bank API via POST Buy, POST Send)

  17. What are we working on? (diagram: Browser, Daenerys’s Session ⇄ Server, Winter Exchange via GET/POST/PUT/DELETE: Establish User Session, GET Account Info, POST Buy, POST Send; Server → DGC API and Bank API via POST Buy, POST Send)

  18. Winter Exchange’s Feature Set • A platform to buy and send Dragon Glass Coin (DGC) • Holds the users’ DGC • User can send DGC to anyone with an address • Stores users’ Data • User can buy DGC with USD

  19. What can go wrong? - Adam Shostack

  20. Trust Boundaries (diagram: Browser, Daenerys’s Session ⇄ Server, Winter Exchange via GET/POST/PUT/DELETE: Establish User Session, GET Account Info, POST Buy, POST Send; Server → DGC API and Bank API via POST Buy, POST Send)

  21. 1. Don’t Trust the Client - OWASP, Security By Design Principles

  22. Trust Boundaries (diagram: Browser, Daenerys’s Session ⇄ Server, Winter Exchange via GET/POST/PUT/DELETE: Establish User Session, GET Account Info, POST Buy, POST Send; Server → DGC API and Bank API via POST Buy, POST Send)

  23. Could the Session be Stolen?

  24. Possible Steps to Steal this Session 1. Find a cross site scripting (XSS) vulnerability 2. Write quick HTML/JavaScript 3. Phish the user somehow to use the HTML/JavaScript 4. Steal cookie

  25. Do we have an XSS on Winter Exchange? https://github.com/coinbase/salus

  26. 2. Don’t Trust Services / 3rd Parties - OWASP, Security By Design Principles

  27. What can we do with a stolen session?

  28. Trust Boundaries (diagram: Browser, Daenerys’s Session ⇄ Server, Winter Exchange via GET/POST/PUT/DELETE: Establish User Session, GET Account Info, POST Buy, POST Send; Server → DGC API and Bank API via POST Buy, POST Send)

  29. Where is Daenerys’s DGC going? (diagram: Daenerys’s Account at Winter Exchange → Unknown Address)

  30. Fixing the Problems 1. Leaked the Session 2. Cross Site Scripting Vulnerability in Bootstrap 3. Taking Daenerys’ DGC out of Winter Exchange

  31. https://github.com/twitter/secure_headers

  32. Vulnerability Scanner https://github.com/rubysec/bundler-audit https://github.com/presidentbeef/brakeman https://github.com/coinbase/salus

  33. Patch Your Vulnerabilities

  34. Second Factor Authentication

  35. 3. Defense in Depth / Secure by Default - OWASP, Security By Design Principles

  36. Trust Boundaries (diagram: Browser, Daenerys’s Session ⇄ Server, Winter Exchange via GET/POST/PUT/DELETE: Establish User Session, GET Account Info, POST Buy, POST Send; Server → DGC API and Bank API via POST Buy, POST Send)

  37. 4. Least Privilege - OWASP, Security By Design Principles

  38. What if Daenerys can get someone else’s account information? (mockup: Daenerys’s account at winterexchange.com/user/3 shows • Aegon Targaryen • Personal Address: ◦ Tower of Joy • Drivers License • DGC Address)

  39. Daenerys Gets Any User’s Account Information

  40. Fixing the Problems 1. Authorization 2. Insecure Direct Object Reference 3. Access to another User’s Account Information a. Leaking Information

  41. Current User in Controller

  42. Pundit https://github.com/varvet/pundit

  43. Write Tests
  44. UUID 1. 32 hexadecimal (base 16) digits, plus hyphens 2. f81d4fae-7dec-11d0-a765-00a0c91e6bf6 3. One way hashing, deterministically generated
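Slide 44 lists UUIDs as the replacement for the enumerable /user/3 identifier. As an added example, not code from the talk, the block below builds the "one-way hashed, deterministically generated" kind (RFC 4122 version 5, SHA-1 over a namespace plus a name) from Ruby's standard library, and shows the random version-4 kind next to it; NAMESPACE_DNS is the RFC's constant, the function names are the example's own.

```ruby
# Added example, not from the talk: name-based UUID (RFC 4122 version 5),
# i.e. the "one-way hashing, deterministically generated" UUID of slide 44,
# built from the standard library only. NAMESPACE_DNS is the RFC's value.
require "digest"
require "securerandom"

UUID_RE = /\A\h{8}-\h{4}-\h{4}-\h{4}-\h{12}\z/ # 32 hex digits plus hyphens

NAMESPACE_DNS = "6ba7b810-9dad-11d1-80b4-00c04fd430c8"

def uuid_to_bytes(uuid)
  [uuid.delete("-")].pack("H*")
end

# Deterministic: the same namespace and name always give the same UUID,
# but the name cannot be recovered from it (SHA-1 is one-way). Only the
# first 16 of SHA-1's 20 bytes are kept; version and variant bits are forced.
def uuid_v5(namespace, name)
  hash = Digest::SHA1.digest(uuid_to_bytes(namespace) + name.b).bytes.first(16)
  hash[6] = (hash[6] & 0x0f) | 0x50 # version nibble = 5
  hash[8] = (hash[8] & 0x3f) | 0x80 # RFC 4122 variant
  hex = hash.pack("C*").unpack1("H*")
  [hex[0, 8], hex[8, 4], hex[12, 4], hex[16, 4], hex[20, 12]].join("-")
end

# Random (version 4) UUID, the usual choice for an account's public id:
# unlike /user/3 it cannot be enumerated by counting upwards.
def random_account_id
  SecureRandom.uuid
end
```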
  45. Privacy • Data Classification Policy ◦ Public, Internal, Confidential • Redacting sensitive information

  46. Trust Boundaries (diagram: Browser, Daenerys’s Session ⇄ Server, Winter Exchange via GET/POST/PUT/DELETE: Establish User Session, GET Account Info, POST Buy, POST Send; Server → DGC API and Bank API via POST Buy, POST Send)

  47. 5. Fail Securely / Explicitly - OWASP, Security By Design Principles

  48. How did Daenerys get 3 Dragons? (diagram: Daenerys’s active session buys $100 of DGC; Server, Winter Exchange calls Bank API to process the buy; Bank API returns “Error Processing Payment”; the server processes the error as a successful request)

  49. Where’s the problem?

  50. A Closer Look at #process_payment

  51. Fixing the Problem 1. Truthy Value 2. Taking Daenerys’ DGC out of Winter Exchange

  52. Explicit Error Handling

  53. Explicit Error Handling

  54. Explicit Error Handling
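Slides 48 to 54 trace the 3 free DGC to a truthy return value in #process_payment and fix it with explicit error handling. The transcript does not include the talk's code, so the block below is an added stand-in, not the talk's own #process_payment: BankApi, its response shape, the exchange rate and the account structure are constructed for the example, and the buggy form sits beside the explicit one.

```ruby
# Added example, not from the talk: a stand-in for the #process_payment
# behaviour on slides 48-54. BankApi, its response shape and the exchange
# rate are constructed here; the talk's own code is not in the transcript.
class PaymentError < StandardError; end

# Constructed Bank API client. A failed charge still returns a Hash, and
# every Hash is truthy in Ruby, so `if response` cannot tell a successful
# charge from "Error Processing Payment".
class BankApi
  def initialize(outcome)
    @outcome = outcome
  end

  def charge(usd)
    case @outcome
    when :ok    then { "status" => "success", "charged_usd" => usd }
    when :error then { "status" => "error", "message" => "Error Processing Payment" }
    else             { "status" => "pending" } # a state nobody planned for
    end
  end
end

DGC_PER_USD = Rational(3, 100) # constructed rate: $100 buys 3 DGC ("3 Dragons")

# Buggy version (slide 51, "truthy value"): the error response is truthy,
# so Daenerys is credited 3 DGC for a payment that never went through.
def process_payment_buggy(bank, account, usd)
  response = bank.charge(usd)
  account[:dgc] += usd * DGC_PER_USD if response
  account[:dgc]
end

# Fixed version (slides 52-54, explicit error handling): credit only on a
# confirmed success, raise on a declared error, and treat any other
# response as a failure too, so an unanticipated state cannot mint DGC.
def process_payment(bank, account, usd)
  response = bank.charge(usd)
  case response["status"]
  when "success"
    account[:dgc] += usd * DGC_PER_USD
  when "error"
    raise PaymentError, response["message"]
  else
    raise PaymentError, "unexpected bank response: #{response.inspect}"
  end
  account[:dgc]
end
```

The `else` branch is the "explicitly" part of the principle: a response the code did not anticipate is refused rather than silently accepted.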

  55. Recap

  56. “A substantial dose of patience, creativity, and real technical expertise.” - Michal Zalewski, The Tangled Web

  57. Questions as your guide: What are we working on? What can go wrong? - Adam Shostack

  58. There are many solutions to a problem!

  59. Prevention Focused Solutions 1. Restrict cookie flags 2. Sanitize HTML 3. Patch 3rd party libraries 4. Write tests 5. Have second factor auth 6. Data confidentiality plan 7. UUIDs

  60. Detection Focused Solutions 1. CVE scanners 2. Redacting sensitive information 3. Bug Bounty 4. Alerting and monitoring

  61. Security Principles 1. Don’t Trust the Client 2. Don’t Trust Services / 3rd Parties 3. Defense in Depth / Secure by Default 4. Least Privilege 5. Fail Securely / Explicitly

  62. Learn More
    • Coinbase Security Blog: https://blog.coinbase.com/tagged/security
    • Crypto Graveyard: https://magoo.github.io/Blockchain-Graveyard/
    • Adam Shostack, Learning to Threat Model for Security Professionals: https://www.linkedin.com/learning/learning-threat-modeling-for-security-professionals
    • OWASP: https://www.owasp.org/index.php/Security_by_Design_Principles
    • Brad Ediger, Advanced Rails: https://learning.oreilly.com/library/view/advanced-rails (security chapter)
    • Secure Headers Gem: https://github.com/twitter/secure_headers
    • Salus Gem: https://github.com/coinbase/salus
    • Adam Shostack, Threat Modeling: https://www.amazon.com/Threat-Modeling-Designing-Adam-Shostack/dp/1118809998
    • Bundler Audit Gem: https://github.com/rubysec/bundler-audit
    • Brakeman Gem: https://github.com/presidentbeef/brakeman
    • Pundit Gem: https://github.com/varvet/pundit
    • Michal Zalewski, The Tangled Web: https://www.amazon.com/Tangled-Web-Securing-Modern-Applications/dp/1593273886

  63. Resources
    • Crypto Graveyard: https://magoo.github.io/Blockchain-Graveyard/
    • Adam Shostack, Learning to Threat Model for Security Professionals: https://www.linkedin.com/learning/learning-threat-modeling-for-security-professionals
    • OWASP: https://www.owasp.org/index.php/Security_by_Design_Principles
    • Brad Ediger, Advanced Rails: https://learning.oreilly.com/library/view/advanced-rails (security chapter)
    • Secure Headers Gem: https://github.com/twitter/secure_headers
    • Salus Gem: https://github.com/coinbase/salus
    • Adam Shostack, Threat Modeling: https://www.amazon.com/Threat-Modeling-Designing-Adam-Shostack/dp/1118809998
    • Bundler Audit Gem: https://github.com/rubysec/bundler-audit
    • Brakeman Gem: https://github.com/presidentbeef/brakeman
    • Pundit Gem: https://github.com/varvet/pundit
    • Kirill Gorshkov, Bug vs. Vulnerability: https://blog.smartdec.net/bug-vs-vulnerability-d6d4dc4068bd
    • Michal Zalewski, The Tangled Web: https://www.amazon.com/Tangled-Web-Securing-Modern-Applications/dp/1593273886

  64. Image Resources
    • Dragon Glass Coin by Lisa Engler: https://dribbble.com/lisaengler
    • Ruby on Rails logo: https://commons.wikimedia.org/wiki/File:Ruby_on_Rails_logo.svg
    • Game of Thrones Logo: https://commons.wikimedia.org/wiki/File:Game_of_Thrones_2011_logo.svg
    • Warning Sign: https://pixabay.com/vectors/warning-sign-30915/
    • Daenerys’s image: https://3diphonewallpaper.com/daenerys-targaryen-game-of-thrones-iphone-wallpaper-9527/
    • Cookie: http://www.publicdomainfiles.com/show_file.php?id=13968371414517
    • Salus Logo: https://github.com/coinbase/salus
    • Brakeman Logo: https://github.com/presidentbeef/brakeman
    • Bundler Audit Logo: https://github.com/rubysec/bundler-audit
    • Jean Patch photo: https://www.flickr.com/photos/woolgenie/22805676928
    • Duo logo and image: https://brandfolder.com/duo/public-brand-assets
    • Yubico logo and image: https://www.yubico.com/press/images/
    • Google Authenticator Logo: https://en.wikipedia.org/wiki/Google_Authenticator
    • Jon Snow: https://images.app.goo.gl/prM2x1bFJiBdWWM27
    • Bitmoji App

  65. (image slide, no text)