Securing your Rails application

876 views

Published on

This presentation highlights tools you can use to secure your rails application

Published in: Internet, Technology, Education
0 Comments
2 Likes
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total views
876
On SlideShare
0
From Embeds
0
Number of Embeds
1
Actions
Shares
0
Downloads
25
Comments
0
Likes
2
Embeds 0
No embeds

No notes for slide

Securing your Rails application

  1. 1. Copyright (c) 2011, FireEye, Inc. All rights reserved. | CONFIDENTIAL ‹#› Securing Your Rails Application Christophe Lucas Mandiant, a FireEye Company
  2. 2. Copyright (c) 2014, FireEye, Inc. All rights reserved. Heartbleed
  3. 3. Copyright (c) 2014, FireEye, Inc. All rights reserved. OpenSSL CVE-2014-0160 vulnerability • Allows attacker to read unencrypted traffic ! • Steal keys, usernames, passwords ! • Programming mistake
  4. 4. Copyright (c) 2014, FireEye, Inc. All rights reserved. New OpenSSL release to fix 6 bugs • SSL/TLS MITM vulnerability (CVE-2014-0224) • DTLS recursion flaw (CVE-2014-0221) • DTLS invalid fragment vulnerability (CVE-2014-0195) • SSL_MODE_RELEASE_BUFFERS NULL pointer dereference (CVE-2014-0198) • SSL_MODE_RELEASE_BUFFERS session injection or denial of service (CVE-2010-5298) • Anonymous ECDH denial of service (CVE-2014-3470)
  5. 5. Copyright (c) 2014, FireEye, Inc. All rights reserved. OpenSSL? • Open source implementation of the TLS protocols, written in C ! • SSL: Secure Socket layer • TLS: Transport Layer Security ! • The ’S’ in HTTPS
  6. 6. Copyright (c) 2014, FireEye, Inc. All rights reserved. Transport Layer Security • developed by Netscape • 1995: SSL 2.0 • 1996: SSL 3.0 • 1999: TLS 1.0, RFC 2246 • 2006: TLS 1.1, RFC 4346 • 2008: TLS 1.2, RFC 5246
  7. 7. Copyright (c) 2014, FireEye, Inc. All rights reserved. TLS handshake Client Server Client Hello TLS version, cypher Server Hello TLS version, cypher Public Key and certificate Validate certificate Client Finished Encrypted with PK Server Finished Encrypted TLS Record Protocol
  8. 8. Copyright (c) 2014, FireEye, Inc. All rights reserved. HTTP Secure
  9. 9. Copyright (c) 2014, FireEye, Inc. All rights reserved. How is my SSL? • https://www.howsmyssl.com • Version • Ephemeral key support • Session ticket support • TLS compression • Cypher suites
  10. 10. Copyright (c) 2014, FireEye, Inc. All rights reserved. Secure Hash Algorithm • 1993 SHA-0 • 1995 SHA-1, published by • 2001 SHA-2, published by • 2014 SHA-3 (Draft), published by
  11. 11. Copyright (c) 2014, FireEye, Inc. All rights reserved. Use SSL/TLS Credits: http://www.nsa.gov
  12. 12. Copyright (c) 2014, FireEye, Inc. All rights reserved. Being Boring: A Survival Guide to Ruby Cryptography Crypto API ! A bunch of crazy code written by amateurs Ruby OpenSSL Credits: Tony Acieri - Rubyconf 2013 Not boring
  13. 13. Copyright (c) 2014, FireEye, Inc. All rights reserved. Being Boring: A Survival Guide to Ruby Cryptography Crypto API Crypto library written by cryptographers Boring Credits: Tony Acieri - Rubyconf 2013
  14. 14. Copyright (c) 2014, FireEye, Inc. All rights reserved. OpenSSL Ruby NaCl ! https://github.com/cryptosphere/rbnacl
  15. 15. Copyright (c) 2014, FireEye, Inc. All rights reserved. Vulnerabilities • Transport • Rendering ! => secure the HTTP header
  16. 16. Copyright (c) 2014, FireEye, Inc. All rights reserved. Secure session • config/environments/production.rb config.force_ssl = true ! • Only send session cookie over secure connection ! • Adds secure attribute to Set-Cookie
  17. 17. Copyright (c) 2014, FireEye, Inc. All rights reserved. Request - Response Browser http:// https://
  18. 18. Copyright (c) 2014, FireEye, Inc. All rights reserved. Request - Response Browser http:// https://
  19. 19. Copyright (c) 2014, FireEye, Inc. All rights reserved. Request - Response Browser http:// https://
  20. 20. Copyright (c) 2014, FireEye, Inc. All rights reserved. Request - Response Browser http:// https://
  21. 21. Copyright (c) 2014, FireEye, Inc. All rights reserved. Request - Response Browser http:// https://
  22. 22. Copyright (c) 2014, FireEye, Inc. All rights reserved. Session Hijacking (MITM) Browser http:// https://Attacker
  23. 23. Copyright (c) 2014, FireEye, Inc. All rights reserved. Session Hijacking Browser http:// https://Attacker
  24. 24. Copyright (c) 2014, FireEye, Inc. All rights reserved. Session Hijacking Browser http:// https://Attacker
  25. 25. Copyright (c) 2014, FireEye, Inc. All rights reserved. Prevent Attack • Use HTTP Strict Transport Security (HSTS) ! • Ensure that the browser only visits the HTTPS version of the website Strict-Transport-Security: max-age=15768000 ; includeSubDomains ! • no more redirect, eliminates the first insecure roundtrip
  26. 26. Copyright (c) 2014, FireEye, Inc. All rights reserved. Transport • TLS: Transport Layer Security • Secure Cookies • HSTS: HTTP Strict Transport Security
  27. 27. Copyright (c) 2014, FireEye, Inc. All rights reserved. Protect Cookie Set-Cookie the_secure_cookie; Secure <script>alert(document.cookie);</script> ! HTTP only: ! Set-Cookie the_cookie; Secure; HttpOnly; ! Session cookies are HttpOnly by default
  28. 28. Copyright (c) 2014, FireEye, Inc. All rights reserved. Content Security Policy Whitelist content ! Content-Security-Policy: default-src 'self'; img-src 'self' data:; media-src mediastream:; script-src: ‘self’ https://example.com
  29. 29. Copyright (c) 2014, FireEye, Inc. All rights reserved. Audit your CSP ! Content-Security-Policy-Report-Only: default-src 'self'; img-src 'self' data:; media-src mediastream:; script-src: ‘self’ https://example.com
  30. 30. Copyright (c) 2014, FireEye, Inc. All rights reserved. Frame Option (XFO) Prevent clickjacking ! X-Frame-Options: DENY X-Frame-Options: SAMEORIGIN X-Frame-Options: ALLOW-FROM https:// example.com/
  31. 31. Copyright (c) 2014, FireEye, Inc. All rights reserved. XSS protection Cross site scripting filter: ! X-XSS-Protection: 1; mode=block
  32. 32. Copyright (c) 2014, FireEye, Inc. All rights reserved. Prevent content sniffing Prevent attacks based on MIME-type confusion: ! X-Content-Type-Options: nosniff
  33. 33. Copyright (c) 2014, FireEye, Inc. All rights reserved. Rendering • HttpOnly Cookies • Content Security Policy • Frame Options • XSS protection • Content Type Options
  34. 34. Copyright (c) 2014, FireEye, Inc. All rights reserved. secure_headers gem • https://github.com/twitter/secureheaders • Content Security Policy (CSP) • HTTP Strict Transport Security (HSTS) • X-Frame-Options (XFO) • XSS Protection • MIME type sniffing protection
  35. 35. Copyright (c) 2014, FireEye, Inc. All rights reserved. Brakeman gem Static analyzer for vulnerabilities > brakeman +-------------------+---------+ | Scanned/Reported | Total | +-------------------+---------+ | Controllers | 17 | | Models | 11 | | Templates | 72 | | Errors | 0 | | Security Warnings | 21 (12) | +-------------------+---------+ ! +----------------------------+-------+ | Warning Type | Total | +----------------------------+-------+ | Cross Site Scripting | 4 | | Cross-Site Request Forgery | 1 | | Denial of Service | 2 | | File Access | 1 | | Format Validation | 1 | | Mass Assignment | 5 | | Remote Code Execution | 4 | | SQL Injection | 2 | | Session Setting | 1 | +----------------------------+-------+
  36. 36. Copyright (c) 2014, FireEye, Inc. All rights reserved. codesake-dawn gem static code scanner > dawn --rails . 13:37:54 [*] dawn v1.1.3 is starting up 13:37:54 [$] dawn: scanning . 13:37:54 [$] dawn: rails v4.1.1 detected 13:37:54 [$] dawn: applying all security checks 13:37:54 [$] dawn: 173 security checks applied - 0 security checks skipped 13:37:54 [$] dawn: 2 vulnerabilities found 13:37:54 [!] dawn: Owasp Ror CheatSheet: Session management check failed 13:37:54 [$] dawn: Severity: info 13:37:54 [$] dawn: Priority: unknown 13:37:54 [$] dawn: Description: By default, Ruby on Rails uses a Cookie based session store. What that means is that unless you change something, the session will not expire on the server. That means that some default applications may be vulnerable to replay attacks. It also means that sensitive information should never be put in the session. 13:37:54 [$] dawn: Solution: Use ActiveRecord or the ORM you love most to handle your code session_store. Add "Application.config.session_store :active_record_store" to your session_store.rb file. 13:37:54 [$] dawn: Evidence: 13:37:54 [$] dawn: In your session_store.rb file you are not using ActiveRercord to store session data. This will let rails to use a cookie based session and it can expose your web application to a session replay attack. 13:37:54 [$] dawn: {:filename=>"./config/initializers/session_store.rb", :matches=>[]}
  37. 37. Copyright (c) 2014, FireEye, Inc. All rights reserved. gauntlt gem • Build attacks with cucumber scripts > gauntlt !
  38. 38. Copyright (c) 2014, FireEye, Inc. All rights reserved. Rugged DevOps ! InfoSec + Dev +Ops = Rugged DevOps ! http://ruggeddevops.org ! https://www.ruggedsoftware.org !
  39. 39. Copyright (c) 2014, FireEye, Inc. All rights reserved. Code Monitoring tools • https://codeclimate.com • https://gemcanary.com • https://gemnasium.com
  40. 40. Copyright (c) 2014, FireEye, Inc. All rights reserved. Resources • http://guides.rubyonrails.org/security.html • https://www.owasp.org/index.php/Ruby_on_Rails_Cheatsheet • https://www.ssllabs.com • https://github.com/cryptosphere/rbnacl • https://github.com/twitter/secureheaders • http://brakemanscanner.org • https://github.com/codesake/codesake-dawn • http://gauntlt.org
  41. 41. Copyright (c) 2011, FireEye, Inc. All rights reserved. | CONFIDENTIAL ‹#› Questions? christophe.lucas@mandiant.com @krof

×