Big security for big data

Some basic security controls you can (and should) implement in your web apps. Specifically this covers:
1 - Beyond SQL injection
2 - Cross-site Scripting
3 - Access Control


  1. Big Security for Big Data. Ari Elias-Bachrach, Defensium llc, March 2014
  2. About Me: Ari Elias-Bachrach
     ● Application Security nerd, OWASP fanboy
     ● Help Development understand security
     ● Help security understand development
     ● Often get calls from developers that start with "help!"
  3. Your Data Is Important
  4. This Talk Will Cover Some Important Security Controls: Beyond SQL Injection, Cross-Site Scripting, Access Control
  5. For Years People Have Been Warned About SQL Injection
         String id = Request.QueryString("SomeID");
         String sql = "SELECT Product FROM myTable WHERE id = '" + id + "'";
     Input:     5'; drop table myTable; #
     Resulting: SELECT Product FROM myTable WHERE id = '5'; drop table myTable; #'
  6. The Solution Is To Use Prepared Statements
         String id = Request.QueryString("SomeID");
         String sql = "SELECT Product FROM myTable WHERE id = ?";
         PreparedStatement statement = connection.prepareStatement(sql);
         statement.setString(1, id);
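Slides 5 and 6 side by side, as an added Python example that is not part of the deck: the same lookup built by string concatenation and then as a bound parameter, run against a constructed in-memory SQLite table. The payload is the slide's, with SQLite's `--` comment standing in for MySQL's `#`, and `run_unsafe` uses `executescript` to model a driver that accepts stacked statements, which is the situation the slide assumes.

```python
import sqlite3

# Constructed sample table standing in for the slide's myTable.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE myTable (id TEXT, Product TEXT)")
    conn.executemany("INSERT INTO myTable VALUES (?, ?)",
                     [("5", "Widget"), ("6", "Gadget")])
    conn.commit()
    return conn

# The slide's payload; SQLite comments with '--' where MySQL uses '#'.
PAYLOAD = "5'; drop table myTable; --"

def build_query_unsafe(some_id):
    """Concatenation: the request value becomes part of the command text."""
    return "SELECT Product FROM myTable WHERE id = '" + some_id + "'"

def run_unsafe(conn, some_id):
    """Models a driver that runs stacked statements; returns the SQL that ran."""
    sql = build_query_unsafe(some_id)
    conn.executescript(sql)   # the injected DROP TABLE executes here
    return sql

def query_safe(conn, some_id):
    """Prepared statement: the value is bound, never parsed as SQL."""
    cur = conn.execute("SELECT Product FROM myTable WHERE id = ?", (some_id,))
    return [row[0] for row in cur.fetchall()]

def table_exists(conn):
    cur = conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' AND name = 'myTable'")
    return cur.fetchone() is not None

if __name__ == "__main__":
    conn = make_db()
    print("bound lookup of '5':", query_safe(conn, "5"))
    print("bound lookup of payload:", query_safe(conn, PAYLOAD))
    print("table still there:", table_exists(conn))
    print("ran:", run_unsafe(conn, PAYLOAD))
    print("table still there:", table_exists(conn))
```

With the bound parameter the payload is just a string nobody has an id equal to, so the query returns nothing and the table survives; with concatenation the same bytes become an instruction.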
  7. Many New RDBMS' Do Not Use SQL. Mongo does not use SQL, so it's not vulnerable to SQL Injection.... right?
  8. Many New RDBMS' Do Not Use SQL. The fundamental problem that led to SQL injection is the lack of separation between commands and variables: command text (instructions) is parsed, variables are not.
  9. Mongo Can Still be Vulnerable With PHP
         $collection->find(array(
             "username" => $_GET['username'],
             "passwd"   => $_GET['passwd']
         ));
     Request: username=user&passwd[$ne]=foo
 10. Mongo Can Still be Vulnerable With PHP. PHP turns passwd[$ne]=foo into a nested array, so the query that actually runs is:
         $collection->find(array(
             "username" => "user",
             "passwd"   => array('$ne' => "foo")
         ));
 11. Separate Variables and Commands. Return to the fundamental rule: Separate Variables and Commands. Strong typing can be one way to do this:
         $collection->find(array(
             "username" => (string)$_GET['username'],
             "passwd"   => (string)$_GET['passwd']
         ));
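Slides 9 through 11 worked end to end, as an added Python example that is not the deck's code: `php_style_parse` mimics how PHP's `$_GET` turns `passwd[$ne]=foo` into a nested array, `matches` is a constructed stand-in for the small part of Mongo's query semantics the attack needs (equality and `$ne`), and `filter_safe` applies the slide's `(string)` cast, which in PHP turns an array into the literal string "Array". The sample collection is constructed for the example.

```python
import re
from urllib.parse import parse_qsl

# Constructed stand-in for the users collection.
USERS = [{"username": "user", "passwd": "s3cret"}]

def php_style_parse(query_string):
    """Mimic PHP's $_GET: 'a[b]=c' becomes {'a': {'b': 'c'}} (one bracket level)."""
    params = {}
    for key, value in parse_qsl(query_string, keep_blank_values=True):
        m = re.fullmatch(r"([^\[\]]+)\[([^\[\]]*)\]", key)
        if m:
            params.setdefault(m.group(1), {})[m.group(2)] = value
        else:
            params[key] = value
    return params

def matches(doc, flt):
    """Tiny subset of Mongo filter semantics: equality and the $ne operator."""
    for field, cond in flt.items():
        actual = doc.get(field)
        if isinstance(cond, dict):          # an operator document, not a value
            for op, operand in cond.items():
                if op != "$ne":
                    raise ValueError("unsupported operator " + op)
                if actual == operand:
                    return False
        elif actual != cond:
            return False
    return True

def find(collection, flt):
    return [doc for doc in collection if matches(doc, flt)]

def filter_unsafe(params):
    """Slide 9: request values go straight into the query document."""
    return {"username": params["username"], "passwd": params["passwd"]}

def php_string_cast(value):
    """PHP's (string) cast: scalars become strings, arrays become 'Array'."""
    return "Array" if isinstance(value, dict) else str(value)

def filter_safe(params):
    """Slide 11: strong typing keeps an operator document out of the query."""
    return {"username": php_string_cast(params["username"]),
            "passwd": php_string_cast(params["passwd"])}

if __name__ == "__main__":
    p = php_style_parse("username=user&passwd[$ne]=foo")
    print("parsed:", p)
    print("unsafe filter matches:", find(USERS, filter_unsafe(p)))
    print("safe filter matches:", find(USERS, filter_safe(p)))
```

The unsafe filter asks for "passwd is not foo", which the real password satisfies, so the login succeeds without a password; after the cast the filter compares against the string "Array" and nothing matches. Rejecting non-string input outright instead of casting is the stricter variant of the same rule.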
 12. Separate Variables and Commands. Whatever system you may be working on in the future, remember this law: Separate Variables and Commands
 13. Separate Variables and Commands -- http://us.php.net/manual/en/mongodb.execute.php
 14. Separate Variables and Commands
 15. Cross-Site Scripting (XSS) Occurs When An Attacker Can Execute Code on Your User's Systems. Attacker can make your users execute arbitrary code as if it was sent from your website. Client side attack.
 16. Cross-Site Scripting (XSS) Occurs When An Attacker Can Execute Code on Your User's Systems. The page greets the user by echoing Request.QueryString("name"): name=Bob → "Hi Bob".
 17. Cross-Site Scripting (XSS) Occurs When An Attacker Can Execute Code on Your User's Systems. name=<script>...</script> → "Hi <script>...</script>" (http://server/page.jsp?name=<script>...</script>). This code is now executed in the domain of the website that "sent" it, and it can access that page's DOM.
 18. Cross-Site Scripting (XSS) Occurs When An Attacker Can Execute Code on Your User's Systems. So What?
     ● Change page contents
     ● Steal Cookies
     ● Redirect to another page
     ● Change form actions
 19. The Solution is To Properly Encode All Untrusted Outputs
     <  →  &lt;
     >  →  &gt;
     &  →  &amp;
     '  →  &#x27;
     "  →  &quot;
     /  →  &#x2F;
 20. The Solution is To Properly Encode All Untrusted Outputs. The request http://server/page.asp?name=<script>alert(document.cookie)</script> renders as:
         <body> Hi &lt;script&gt;alert(document.cookie);&lt;/script&gt; </body></html>
 21. Encoding is Context Dependent
         <a href="x" attribute=UNTRUSTED DATA>
     Can you execute code here without using the six characters encoded as part of HTML encoding?
         foo onmouseover=alert(document.cookie)
 22. Encoding is Context Dependent. Different contexts call for different encoding rules:
     » <div>here</div>                 HTML context
     » <tag attr="here">               Attribute context
     » <script>x='here'</script>       JavaScript context
     » <span style="property : here">  CSS context
     » <a href="http://here">          URL context
 23. Encoding is Context Dependent (same list as slide 22) -- http://tinyurl.com/xss-prevent
 24. A Good Encoding Library Can Save us A Lot of Time
     ● Java: Java Encoders Project, ESAPI
     ● .net: Microsoft Web Protection Library
     ● PHP: Reform
     ● Ruby: On By Default
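Slides 19 through 22 as an added Python example that is not part of the deck: the six-character HTML encoding from slide 19, the unquoted-attribute case from slide 21 where that encoding changes nothing, and the quoted-attribute, JavaScript-string and URL-parameter contexts from slide 22. The `render_*` functions and the page fragments they build are constructed for the example; the hex-escaping rule for JavaScript strings follows the OWASP cheat sheet the deck links to.

```python
from urllib.parse import quote

# Slide 19: the six characters HTML encoding must handle.
HTML_ENCODE = {"&": "&amp;", "<": "&lt;", ">": "&gt;",
               '"': "&quot;", "'": "&#x27;", "/": "&#x2F;"}

def html_encode(value):
    """HTML body and quoted-attribute contexts."""
    return "".join(HTML_ENCODE.get(c, c) for c in value)

def js_string_encode(value):
    """JavaScript string context: hex-escape everything but ASCII letters and digits."""
    out = []
    for c in value:
        if c.isascii() and c.isalnum():
            out.append(c)
        elif ord(c) < 256:
            out.append("\\x%02X" % ord(c))
        else:
            out.append("\\u%04X" % ord(c))
    return "".join(out)

def render_body(name):
    """Slide 20: untrusted data in HTML body context."""
    return "<body>Hi " + html_encode(name) + "</body>"

def render_attr_unquoted(value):
    """Slide 21: unquoted attribute. HTML encoding alone is NOT enough here,
    because a space ends the attribute and none of the six characters is needed."""
    return '<a href="x" attribute=' + html_encode(value) + ">"

def render_attr_quoted(value):
    """Quoted attribute: the value cannot end the attribute without a quote,
    and quotes are encoded."""
    return '<a href="x" attribute="' + html_encode(value) + '">'

def render_js(value):
    """Slide 22, JavaScript context."""
    return "<script>x='" + js_string_encode(value) + "'</script>"

def render_url_param(value):
    """Slide 22, URL context, for data placed in a query parameter."""
    return '<a href="http://example.test/?q=' + quote(value, safe="") + '">'

if __name__ == "__main__":
    payload = "foo onmouseover=alert(document.cookie)"
    print(render_body("<script>alert(document.cookie)</script>"))
    print(render_attr_unquoted(payload))   # handler becomes its own attribute
    print(render_attr_quoted(payload))     # stays inside the quoted value
    print(render_js("';alert(1)//"))
    print(render_url_param("a b&c=d"))
```

The unquoted-attribute output shows slide 21's point concretely: `html_encode` returns the payload unchanged because it contains none of the six characters, so the browser reads `onmouseover` as a second attribute. Quoting the attribute and encoding the quote character is what closes that gap.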
 25. Access Control Problems Usually Stem From Permissions Creep. Every time a user needs to do something else, they ask for (and get) more permissions.
 26. Use Role Based Access Control To Prevent Permission Creep. [diagram: Bob, Group 1, Group 2]
 27. Use Role Based Access Control To Prevent Permission Creep. [diagram continued: Bob, Group 1, Group 2]
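Slides 25 through 27 as an added Python example that is not part of the deck: a per-user grant list, which accumulates permissions the way slide 25 describes, beside a role-based model in which a user's permissions are whatever their current roles carry. The roles, permissions and Bob's job change are constructed for the example.

```python
class DirectGrants:
    """Per-user permission lists: the model that drifts into permission creep,
    because grants are added on request and rarely taken away."""
    def __init__(self):
        self.grants = {}

    def grant(self, user, perm):
        self.grants.setdefault(user, set()).add(perm)

    def allowed(self, user, perm):
        return perm in self.grants.get(user, set())


class Rbac:
    """Role based access control: users hold roles, roles hold permissions."""
    def __init__(self, roles):
        self.roles = roles          # role name -> set of permissions
        self.members = {}           # user -> set of role names

    def assign(self, user, role):
        if role not in self.roles:
            raise KeyError("unknown role: " + role)
        self.members.setdefault(user, set()).add(role)

    def revoke(self, user, role):
        self.members.get(user, set()).discard(role)

    def permissions(self, user):
        return set().union(*(self.roles[r] for r in self.members.get(user, ())))

    def allowed(self, user, perm):
        return perm in self.permissions(user)


# Constructed roles for the example.
ROLES = {
    "analyst":      {"read_reports"},
    "report_admin": {"read_reports", "publish_report"},
    "billing":      {"read_invoices"},
}

def move_bob_direct():
    """Bob's history under direct grants: nothing is ever revoked."""
    g = DirectGrants()
    g.grant("bob", "read_reports")      # hired as an analyst
    g.grant("bob", "publish_report")    # needed it once, asked, got it
    g.grant("bob", "read_invoices")     # moves to billing; old grants stay
    return g.grants["bob"]

def move_bob_rbac():
    """The same history under RBAC: changing job means swapping roles."""
    r = Rbac(ROLES)
    r.assign("bob", "analyst")
    r.revoke("bob", "analyst")
    r.assign("bob", "report_admin")     # promotion replaces the old role
    r.revoke("bob", "report_admin")
    r.assign("bob", "billing")          # move to billing replaces it again
    return r.permissions("bob")

def stale_permissions():
    """What the direct-grant model leaves behind compared with Bob's real role."""
    return move_bob_direct() - move_bob_rbac()

if __name__ == "__main__":
    print("direct grants:", sorted(move_bob_direct()))
    print("rbac:", sorted(move_bob_rbac()))
    print("stale:", sorted(stale_permissions()))
```

The `stale_permissions` difference is the creep: the report permissions Bob no longer needs but still holds. Under the role model the review question becomes "does Bob hold the right roles?", which is a much shorter list to audit than every grant he has ever asked for.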
 28. Conclusion: Beyond SQL Injection, Cross-Site Scripting, Role Based Access Control
 29. Big Security for Big Data. Ari Elias-Bachrach, ari@defensium.com, Defensium llc, @angelofsecurity, http://www.defensium.com
