Alison Gianotto, profile picture
Uploaded byAlison Gianotto
2,340 views

LonestarPHP 2014 Security Keynote

This document discusses security concepts and risks. It begins by defining what security is not, such as something that can be bolted on or outsourced. It then covers security principles like defense in depth, and risks to confidentiality, integrity and availability. Specific attacks like SQL injection and XSS are mentioned. Throughout, it emphasizes that all companies face risks and stresses the importance of prioritizing security as even small businesses can be targets.

Embed presentation

Downloaded 19 times
Alison Gianotto @snipeyhead
Alison Gianotto (aka “snipe”)WHO AM I? • Former  agency  CTO/CSO   • Security  &  privacy  advocate   • 20  years  in  IT  and  so<ware  development   • Co-­‐author  of  a  few  PHP/MySQL  books   • Survivor  of  more  corporate  audits  than  I   care  to  remember   • @snipeyhead  on  TwiJer   2  Lonestar  PHP  -­‐  April  2014  -­‐  #lsp14  
WHAT SECURITY ISN’T 1 Bolted on 2 Compliance 3 A Single Person 4 Outsourced 3   You  don’t  add  it  on  at  the  end.     You  can  be  compliant  and  not   secure.  Just  ask  Target.   Security  is  everyone’s  responsibility.   Throwing  money  at  this  problem   won’t  work.   Lonestar  PHP  -­‐  April  2014  -­‐  #lsp14  
WHAT SECURITY ISN’T 5 An Appliance 6 Silver Bullet 7 Straightforward 4   Firewalls  and  IDS  are  part  of  the   soluUon,  but  not  the  end.   There  is  no  one  thing.  Defence  in   depth  maJers.  Sort  of.     SomeUmes  implemenUng  security   tools  increases  your  aJack  surface.   Lonestar  PHP  -­‐  April  2014  -­‐  #lsp14   8 Done Security  is  where  you  start,  not   where  you  finish.  
WHAT RISK ISN’T 1 Stifling 2 Boring 3 Avoidable 5   Managing  risk  doesn’t  have  to   hinder  innovaUon   Our  job  is  finding  creaUve  soluUons   to  problems.  This  is  one  more  tool.   Risk  isn’t  inherently  bad.  Not   understanding  your  risk  is.     Lonestar  PHP  -­‐  April  2014  -­‐  #lsp14   4 One Size Acceptable  risk  to  your  company   may  not  be  the  same  as  someone   else’s.    
IT IS IMPOSSIBLE TO ANTICIPATE EVERY RISK. 6  Lonestar  PHP  -­‐  April  2014  -­‐  #lsp14   Srsly.
DEFENSE IN DEPTH PROMISES 7  Lonestar  PHP  -­‐  April  2014  -­‐  #lsp14   • MiUgates  single  points  of  failure.  (“Bus  factor”)   • Requires  more  effort  on  the  part  of  the  aJacker,   theoreUcally  exhausUng  aJacker  resources.     Except...
DEFENSE IN DEPTH PROBLEMS 8  Lonestar  PHP  -­‐  April  2014  -­‐  #lsp14   • Larger,  more  complicated  systems  are  harder  to  maintain.     • Leads  to  more  cracks  for  bad  guys  to  poke  at   • More  surfaces  that  can  get  be  overlooked     • The  bad  guys  have  nearly  limitless  resources.  We  don’t.     • AJacks  are  commodiUzed  now.    Botnets  for  $2/hour.  
CIA Confidentiality, Integrity & Availability
CONFIDENTIALITY IS A SET OF RULES THAT LIMITS ACCESS TO INFORMATION 10  Lonestar  PHP  -­‐  April  2014  -­‐  #lsp14  
CONFIDENTIALITY EXAMPLES 11  Lonestar  PHP  -­‐  April  2014  -­‐  #lsp14   • Passwords.  (boo!)   • Data  encrypUon  (at  rest  and   in  transmission.)   • Two-­‐factor  authenUcaUon/ biometrics.  (Yay!)   • Corporate  VPN   • IP  WhitelisUng   • SSH  keys  
CONFIDENTIALITY RISKS 12  Lonestar  PHP  -­‐  April  2014  -­‐  #lsp14   • No  brute-­‐force  detecUon   • No  velng  of  how  third-­‐ party  vendors  use/store   customer  data   • InformaUon  leakage  from   login  messages  (Uming   aJacks,  etc.)   • SQL  injecUon     • Privilege  escalaUon  leading   to  admin  access     • Passwords  shared  across   websites   • Improper  disposal/ destrucUon  of  personal   data   • Lost/stolen  devices    
INTEGRITY IS THE ASSURANCE THAT THE INFORMATION IS TRUSTWORTHY & ACCURATE. 13  Lonestar  PHP  -­‐  April  2014  -­‐  #lsp14  
INTEGRITY RISKS 14  Lonestar  PHP  -­‐  April  2014  -­‐  #lsp14   • Data  loss  due  to  hardware   failure  (server  crash!)   • So<ware  bug  that   unintenUonally  deletes/ modifies  data   • Data  alteraUon  via   authorized  persons  (human   error)   • Data  alteraUon  via   unauthorized  persons   (hackers)   • No  backups  or  no  way  to   verify  the  integrity  of  the   backups  you  have   • Third-­‐party  vendor  with   inadequate  security  
AVAILABILITY IS A GUARANTEE OF READY ACCESS TO THE INFO BY AUTHORIZED PEOPLE. 15  Lonestar  PHP  -­‐  April  2014  -­‐  #lsp14  
AVAILABILITY RISKS 16  Lonestar  PHP  -­‐  April  2014  -­‐  #lsp14   • DDoS  aJacks   • Third-­‐party  service  failures   • Hardware  failures   • So<ware  bugs   • Untested  so<ware  patches   • Natural  disasters   • Man-­‐made  disasters  
THINK YOU’RE TOO SMALL TO BOTHER WITH? 17  Lonestar  PHP  -­‐  April  2014  -­‐  #lsp14   Think again.
WHY HACK? 18  Lonestar  PHP  -­‐  April  2014  -­‐  #lsp14   • To  steal/sell  idenUUes,  credit   card  numbers,  corporate   secrets,  military  secrets   • Fun,  Excitement  and/or   Notoriety   • PoliUcal  (“HackUvism”)   • Revenge   • Blackhat  SEO   • ExtorUon/Ransomware  
COMMON ATTACKS 19  Lonestar  PHP  -­‐  April  2014  -­‐  #lsp14   • Reflected  XSS   • Persistent  XSS   • CSRF   • SQL  InjecUon   • Remote  file  inclusion     • Local  file  inclusion/directory   traversal   • HosUng  malware   • Defacement  for  SEO   (pharma,  etc)   • Privilege  escalaUon    
WHY MEEEEEEEEEEEE?? 20  Lonestar  PHP  -­‐  April  2014  -­‐  #lsp14   • Users  re-­‐use  passwords   across  websites   • Watering  hole  aJack   • Low-­‐hanging  fruit   • Assumed  fewer  defenses   • To  gain  more  informaUon  on   users  to  execute  spear-­‐ phishing  aJacks   • Because  you  are  vulnerable.   Period.  
IN 2013, 61% OF REPORTED ATTACKS TARGETED SMALL AND MEDIUM BUSINESSES, UP FROM 50% IN 2012. 21  Lonestar  PHP  -­‐  April  2014  -­‐  #lsp14   Source:  Symantec  Internet  Security  Threat  Report  2014  ::  Volume  19,  Published  April  2014    
1 2 43 REFLECTED XSS SOCIAL     ENGINEERING   XSS   SESSION   HIJACK   PWNED   22  Lonestar  PHP  -­‐  April  2014  -­‐  #lsp14  
77% OF LEGITIMATE WEBSITES HAD EXPLOITABLE VULNERABILITIES. 1-IN-8 HAD A CRITICAL VULNERABILITY. 23  Lonestar  PHP  -­‐  April  2014  -­‐  #lsp14   Source:  Symantec  Internet  Security  Threat  Report  2014  ::  Volume  19,  Published  April  2014    
MEGA BREACHES: RESULTING IN PERSONAL DETAILS OF >= 10 MILLION IDENTITIES EXPOSED IN AN INDIVIDUAL INCIDENT. 24  Lonestar  PHP  -­‐  April  2014  -­‐  #lsp14  
THERE WERE EIGHT IN 2013, COMPARED WITH ONLY ONE IN 2012. 25  Lonestar  PHP  -­‐  April  2014  -­‐  #lsp14   Source:  Symantec  Internet  Security  Threat  Report  2014  ::  Volume  19,  Published  April  2014     +700%
OCT 2013: ADOBE EXPOSED CUSTOMER DATA, DEBIT/ CREDIT CARD NUMBERS, SOURCE IMPACTED: 152 MILLION USERS 26  Lonestar  PHP  -­‐  April  2014  -­‐  #lsp14   Source:  Symantec  Internet  Security  Threat  Report  2014  ::  Volume  19,  Published  April  2014    
DEC 2013: TARGET EXPOSED CUSTOMER DATA, DEBIT/ CREDIT CARD NUMBERS, PINS IMPACTED: 110 MILLION USERS 27  Lonestar  PHP  -­‐  April  2014  -­‐  #lsp14   Source:  Symantec  Internet  Security  Threat  Report  2014  ::  Volume  19,  Published  April  2014    
BREACHGrowth •  credit  card  info •  birth  dates •  government  ID  numbers •  home  addresses •  medical  records •  phone  numbers •  financial  informa9on •  email  addresses •  login •  passwords Data Stolen 28  Lonestar  PHP  -­‐  April  2014  -­‐  #lsp14   232   552   0   100   200   300   400   500   600   2011   2013   Iden99es  Stolen  by  Year  (in  Millions)   Source:  Symantec  Internet  Security  Threat  Report  2014  ::  Volume  19,  Published  April  2014    
190,000 464,000 570,000 2011   2012   2013   ATTACKS 29   Source:  Symantec  Internet  Security  Threat  Report  2014  ::  Volume  19,  Published  April  2014     Per Day Lonestar  PHP  -­‐  April  2014  -­‐  #lsp14  
APPSEC STRATEGY PICK  TWO   30   COMPLETELY  BONED  COMPLETELY  BONED   COMPLETELY  BONED   Lonestar  PHP  -­‐  April  2014  -­‐  #lsp14  
CREATING A RISK MATRIX 31  Lonestar  PHP  -­‐  April  2014  -­‐  #lsp14   • Type   • Third-­‐Party   • Dataflow  diagram  ID   • DescripUon   • Triggering  AcUon   • Consequence  of  Service   Failure   • Risk  of  Failure   • User  Impact   • Method  used  for  monitoring   this  risk   • Efforts  to  MiUgate  in  Case  of   Failure   • Contact  info   Grab  a  starter  template  here!     hJp://snipe.ly/risk_matrix    
29 THINGS YOU CAN START DOING TODAY. 32  Lonestar  PHP  -­‐  April  2014  -­‐  #lsp14   Dooo eeeeeet.
33  Lonestar  PHP  -­‐  April  2014  -­‐  #lsp14   1.  Start  every  project  risk-­‐first.   2.  Start  using  a  risk  matrix  for  every  major  project  or   product.   3.  Build  a  clear  inventory  of  surface  areas  and  their  value.   Get  stakeholders  involved.   4.  Make  sure  you  understand  what  happens  when  third-­‐ party  services  fail  or  behave  unexpectedly.       29 THINGS TO DO TODAY
34  Lonestar  PHP  -­‐  April  2014  -­‐  #lsp14   5.  Trust  your  gut.  If  something  doesn’t  look  right,  it  probably   isn’t.   6.  Keep  your  systems  as  simple  as  possible.  Document  them.   7.  Favor  self-­‐documenUng  systems  so  that  code,  systems  and   docs  don't  fall  out  of  sync.   8.  Increased  transparency  reduces  risk  across  departments.   Consider  devops.     29 THINGS TO DO TODAY
35  Lonestar  PHP  -­‐  April  2014  -­‐  #lsp14   9.  Don't  abstract  code/systems  if  you  don’t  have  to.   Premature  opUmizaUon  is  the  devil.  Build  light  and   refactor  as  needed.   10.   Get  to  know  your  users’  behavior.  Use  tools  like  Google   AnalyUcs  and  heat-­‐mapping  to  understand  what  users  do   on  your  site.  Be  suspicious  if  it  changes  for  no  apparent   reason.   29 THINGS TO DO TODAY
36  Lonestar  PHP  -­‐  April  2014  -­‐  #lsp14   11.   Automate  EVERYTHING  (Chef,  Vagrant,  Ansible,  Salt,   Fabric,  etc.)   12.   Log  (almost!)  EVERYTHING.  Know  where  your  logs  are.   Use  a  central  logging  server  if  at  all  possible.     13.   Always  employ  the  principles  of  “least  privilege.”   14.   Give  preference  to  vendors  that  integrate  with  your  AD/     OD/LDAP.   29 THINGS TO DO TODAY
37  Lonestar  PHP  -­‐  April  2014  -­‐  #lsp14   15.   Create  a  reliable  data  backup  plan  and  TEST  IT.  (MORE   THAN  ONCE.)   16.   Create  a  Business  ConUnuity  Plan.   17.   Create  an  Incident  Response  Plan.  Test  it.   18.   Create  a  Disaster  Recovery  Plan.  TEST  IT.  (Seriously.)   19.   Get  your  team  to  parUcipate  in  at  least  one  CTF  every   year.     29 THINGS TO DO TODAY
29 THINGS TO DO TODAY 38  Lonestar  PHP  -­‐  April  2014  -­‐  #lsp14   20.   Strip  specific  messaging  from  login  forms.   21.   Use  solid  password+salUng  like  bcrypt.   22.   Implement  brute-­‐force  prevenUon  for  all  login  systems.   23.   Encrypt  everything,  where  feasible.   24.   Only  collect  the  data  that  you  absolutely  need.   25.   Implement  two-­‐factor  authenUcaUon.  It’s  easier  than  you   think.  
29 THINGS TO DO TODAY 39  Lonestar  PHP  -­‐  April  2014  -­‐  #lsp14   26.   Supress  debugging  and  server  informaUon  (PHP  versions,   Apache  versions)   27.   Leverage  framework  CSRF  protecUon  and  data   saniUzaUon/validaUon.   28.   Perform  regular  penetraUon  tests  and  vulnerability   assessments   29.   Become  a  passionate  security  ambassador  for  your  users   and  co-­‐workers.      
CAPTURE ALL THE FLAGS! 40  Lonestar  PHP  -­‐  April  2014  -­‐  #lsp14   •  NotSoSecure  CTF:  hJp://cx.notsosecure.com   •  Security  Shepherd:  hJps://www.owasp.org/index.php/ OWASP_Security_Shepherd   •  hJp://hax.tor.hu/   •  hJps://pwn0.com/   •  hJp://www.smashthestack.org/   •  hJp://www.hellboundhackers.org/   •  hJp://www.overthewire.org/wargames/   •  hJp://counterhack.net/Counter_Hack/Challenges.html   •  hJp://www.hackthissite.org/   •  hJp://exploit-­‐exercises.com/   •  hJp://vulnhub.com/  
Alison Gianotto (aka “snipe”)THANK YOU! • @snipeyhead  on  TwiJer   • snipe@snipe.net   41  Lonestar  PHP  -­‐  April  2014  -­‐  #lsp14  

More Related Content

PDF
BugBounty Roadmap with Mohammed Adam
byMohammed Adam
 
PPTX
An Introduction To IT Security And Privacy In Libraries & Anywhere
byBlake Carver
 
PPTX
An Introduction To IT Security And Privacy In Libraries
byBlake Carver
 
PDF
Getting Started With Hacking Android & iOS Apps? Tools, Techniques and resources
byOWASP Delhi
 
PPTX
An Introduction To IT Security And Privacy for Librarians and Libraries
byBlake Carver
 
PDF
MacIT 2014 - Essential Security & Risk Fundamentals
byAlison Gianotto
 
PDF
P Hundamental Security Coding Secure With Php Lamp
byphptechtalk
 
PDF
CMS Hacking Tricks - DerbyCon 4 - 2014
byGreg Foss
 
BugBounty Roadmap with Mohammed Adam
byMohammed Adam
 
An Introduction To IT Security And Privacy In Libraries & Anywhere
byBlake Carver
 
An Introduction To IT Security And Privacy In Libraries
byBlake Carver
 
Getting Started With Hacking Android & iOS Apps? Tools, Techniques and resources
byOWASP Delhi
 
An Introduction To IT Security And Privacy for Librarians and Libraries
byBlake Carver
 
MacIT 2014 - Essential Security & Risk Fundamentals
byAlison Gianotto
 
P Hundamental Security Coding Secure With Php Lamp
byphptechtalk
 
CMS Hacking Tricks - DerbyCon 4 - 2014
byGreg Foss
 

What's hot

PPTX
Threat Hunting with Splunk
bySplunk
 
PDF
Threat Hunting with Splunk Hands-on
bySplunk
 
PDF
Robots, Ninjas, Pirates and Building an Effective Vulnerability Management Pr...
bySecurity Weekly
 
PDF
Advanced Threats and Lateral Movement Detection
byGreg Foss
 
PPTX
GreyNoise - Lowering Signal To Noise
byAndrew Morris
 
PPTX
Hacker Halted 2018: From CTF to CVE – How Application of Concepts and Persist...
byEC-Council
 
PDF
Hacking Diversity – Hacker Halted . 2019 – Marcelle Lee
byEC-Council
 
PDF
What you need to know about OSINT
byJerod Brennen
 
PPTX
Defcon Crypto Village - OPSEC Concerns in Using Crypto
byJohn Bambenek
 
PDF
Jaime Blasco - Fighting Advanced Persistent Threat (APT) with Open Source Too...
byRootedCON
 
PDF
Wi-Fi Hotspot Attacks
byGreg Foss
 
PDF
Threat Intelligence Field of Dreams
byGreg Foss
 
PDF
Via forensics thotcon-2013-mobile-security-with-santoku-linux
byviaForensics
 
PDF
The Internet Of Insecure Things: 10 Most Wanted List - Derbycon 2014
bySecurity Weekly
 
PPTX
vodQA(Pune) 2018 - QAing the security way
byvodQA
 
PDF
QAing the security way!
byAmit Gundiyal
 
PPT
Give Me Three Things: Anti-Virus Bypass Made Easy
bySecurity Weekly
 
PDF
The Internet of Insecure Things: 10 Most Wanted List
bySecurity Weekly
 
PDF
A journey into Application Security
byChristian Martorella
 
PPTX
Owasp for testing_mobile_apps_opd
byPawel Rzepa
 
Threat Hunting with Splunk
bySplunk
 
Threat Hunting with Splunk Hands-on
bySplunk
 
Robots, Ninjas, Pirates and Building an Effective Vulnerability Management Pr...
bySecurity Weekly
 
Advanced Threats and Lateral Movement Detection
byGreg Foss
 
GreyNoise - Lowering Signal To Noise
byAndrew Morris
 
Hacker Halted 2018: From CTF to CVE – How Application of Concepts and Persist...
byEC-Council
 
Hacking Diversity – Hacker Halted . 2019 – Marcelle Lee
byEC-Council
 
What you need to know about OSINT
byJerod Brennen
 
Defcon Crypto Village - OPSEC Concerns in Using Crypto
byJohn Bambenek
 
Jaime Blasco - Fighting Advanced Persistent Threat (APT) with Open Source Too...
byRootedCON
 
Wi-Fi Hotspot Attacks
byGreg Foss
 
Threat Intelligence Field of Dreams
byGreg Foss
 
Via forensics thotcon-2013-mobile-security-with-santoku-linux
byviaForensics
 
The Internet Of Insecure Things: 10 Most Wanted List - Derbycon 2014
bySecurity Weekly
 
vodQA(Pune) 2018 - QAing the security way
byvodQA
 
QAing the security way!
byAmit Gundiyal
 
Give Me Three Things: Anti-Virus Bypass Made Easy
bySecurity Weekly
 
The Internet of Insecure Things: 10 Most Wanted List
bySecurity Weekly
 
A journey into Application Security
byChristian Martorella
 
Owasp for testing_mobile_apps_opd
byPawel Rzepa
 

Similar to LonestarPHP 2014 Security Keynote

PDF
Secure coding guidelines
byZakaria SMAHI
 
PPT
30ITSecurityThreatsVulnerabilitiesandCountermeasuresV1.ppt
byKaukau9
 
PDF
Solvay secure application layer v2015 seba
bySebastien Deleersnyder
 
PPTX
Corp Web Risks and Concerns
byPINT Inc
 
PPTX
Open Source Security
bySander Temme
 
PPT
Security Compliance Web Application Risk Management
byMarco Morana
 
PPTX
OWASP_Training.pptx
byPradip Bhattarai
 
PDF
Hacking sites for fun and profit
byDavid Stockton
 
ODP
Security In PHP Applications
byAditya Mooley
 
PPTX
Security is not a feature
byElizabeth Smith
 
PDF
Web Security: What's wrong, and how the bad guys can break your website
byAndrew Sorensen
 
PPT
DEVSECOPS_the_beginning.ppt
byschwarz10
 
PPTX
Thoughts on Defensive Development for Sitecore
byPINT Inc
 
PPTX
Owasp top 10 2017
byibrahimumer2
 
PDF
OWASP TOP 10 by Team xbios
byVi Vek
 
PDF
Alert logic anatomy owasp infographic
byCMR WORLD TECH
 
PDF
Code securely
byMaksym Hopei
 
PPTX
Don't blink creating secure software
bylogsentinel
 
PPTX
Hardening Enterprise Apache
byguestd9aa5
 
PPTX
Php security common 2011
by10n Software, LLC
 
Secure coding guidelines
byZakaria SMAHI
 
30ITSecurityThreatsVulnerabilitiesandCountermeasuresV1.ppt
byKaukau9
 
Solvay secure application layer v2015 seba
bySebastien Deleersnyder
 
Corp Web Risks and Concerns
byPINT Inc
 
Open Source Security
bySander Temme
 
Security Compliance Web Application Risk Management
byMarco Morana
 
OWASP_Training.pptx
byPradip Bhattarai
 
Hacking sites for fun and profit
byDavid Stockton
 
Security In PHP Applications
byAditya Mooley
 
Security is not a feature
byElizabeth Smith
 
Web Security: What's wrong, and how the bad guys can break your website
byAndrew Sorensen
 
DEVSECOPS_the_beginning.ppt
byschwarz10
 
Thoughts on Defensive Development for Sitecore
byPINT Inc
 
Owasp top 10 2017
byibrahimumer2
 
OWASP TOP 10 by Team xbios
byVi Vek
 
Alert logic anatomy owasp infographic
byCMR WORLD TECH
 
Code securely
byMaksym Hopei
 
Don't blink creating secure software
bylogsentinel
 
Hardening Enterprise Apache
byguestd9aa5
 
Php security common 2011
by10n Software, LLC
 

More from Alison Gianotto

PDF
Getting users to care about security
byAlison Gianotto
 
PDF
Security Primer
byAlison Gianotto
 
PDF
Laravel 5.2 Gates, AuthServiceProvider and Policies
byAlison Gianotto
 
PDF
dotScale 2014
byAlison Gianotto
 
PDF
Security Bootcamp for Startups and Small Businesses
byAlison Gianotto
 
PDF
Failing well: Managing Risk in High Performance Applications
byAlison Gianotto
 
ZIP
Twitter 101: 140 characters. Don't be a douche.
byAlison Gianotto
 
PDF
DNS 101 for Non-Techs
byAlison Gianotto
 
PDF
Facebook Timeline for Pages
byAlison Gianotto
 
Getting users to care about security
byAlison Gianotto
 
Security Primer
byAlison Gianotto
 
Laravel 5.2 Gates, AuthServiceProvider and Policies
byAlison Gianotto
 
dotScale 2014
byAlison Gianotto
 
Security Bootcamp for Startups and Small Businesses
byAlison Gianotto
 
Failing well: Managing Risk in High Performance Applications
byAlison Gianotto
 
Twitter 101: 140 characters. Don't be a douche.
byAlison Gianotto
 
DNS 101 for Non-Techs
byAlison Gianotto
 
Facebook Timeline for Pages
byAlison Gianotto
 

Recently uploaded

PDF
TrustArc Webinar - Assessing AI Risk with Confidence
byTrustArc
 
PDF
Vibe Coding vs. Spec-Driven Development [Free Meetup]
byHaim Michael
 
PDF
Zero Trust & Defense-in-Depth: The Future of Critical Infrastructure Security
byYasir Naveed Riaz
 
PDF
Empowering Productivity with Clever Prompts and Intelligent Agents
byUni Systems S.M.S.A.
 
PDF
Igniting the Future: Copilot trends, agentic transformation and product roadm...
byUni Systems S.M.S.A.
 
PDF
Generative AI in UiPath: Mastering the Generative Extractor for Intelligent D...
byDianaGray10
 
PDF
ElyriaSoftware — Powering the Future with Blockchain Innovation
byElyria Software
 
PDF
Top Cybersecurity Threats 2025 Guide by Sureshdas
byPrintersassist
 
PDF
Session 1 - Solving Semi-Structured Documents with Document Understanding
byDianaGray10
 
PDF
Agentic Automation for Testers – A Hands-On Deep Dive
byUiPathCommunity
 
PDF
December Patch Tuesday
byIvanti
 
PDF
How Mobile Apps Are Shaping the Future of Digital Innovation
byWilliam Taylor
 
PDF
Knowing and Doing: Knowledge graphs, AI, and work
bymarainglezakis1
 
PDF
Top 7 Manufacturing Software for Small Businesses Boosting Growth in 2025
byEnvertis Software Solutions
 
PDF
Decoding the DNA: The Digital Networks Act, the Open Internet, and IP interco...
byCSUC - Consorci de Serveis Universitaris de Catalunya
 
PDF
Generative AI in 2026: Hype, Bubble, Winter or The Real Deal?
byDr. Tathagat Varma
 
PDF
Innovative AI Solutions for Business Growth.pdf
byVox Works
 
PDF
AI Technology important knowledge ......
byutkarshj2007
 
PDF
Ransomware_Resilience_Strategic_Playbook.pdf
byAfonso Henrique Rodrigues Alves
 
PDF
TPPmark2025 Kenta Inoue's answer 12/04/2025
byKenta Inoue
 
TrustArc Webinar - Assessing AI Risk with Confidence
byTrustArc
 
Vibe Coding vs. Spec-Driven Development [Free Meetup]
byHaim Michael
 
Zero Trust & Defense-in-Depth: The Future of Critical Infrastructure Security
byYasir Naveed Riaz
 
Empowering Productivity with Clever Prompts and Intelligent Agents
byUni Systems S.M.S.A.
 
Igniting the Future: Copilot trends, agentic transformation and product roadm...
byUni Systems S.M.S.A.
 
Generative AI in UiPath: Mastering the Generative Extractor for Intelligent D...
byDianaGray10
 
ElyriaSoftware — Powering the Future with Blockchain Innovation
byElyria Software
 
Top Cybersecurity Threats 2025 Guide by Sureshdas
byPrintersassist
 
Session 1 - Solving Semi-Structured Documents with Document Understanding
byDianaGray10
 
Agentic Automation for Testers – A Hands-On Deep Dive
byUiPathCommunity
 
December Patch Tuesday
byIvanti
 
How Mobile Apps Are Shaping the Future of Digital Innovation
byWilliam Taylor
 
Knowing and Doing: Knowledge graphs, AI, and work
bymarainglezakis1
 
Top 7 Manufacturing Software for Small Businesses Boosting Growth in 2025
byEnvertis Software Solutions
 
Decoding the DNA: The Digital Networks Act, the Open Internet, and IP interco...
byCSUC - Consorci de Serveis Universitaris de Catalunya
 
Generative AI in 2026: Hype, Bubble, Winter or The Real Deal?
byDr. Tathagat Varma
 
Innovative AI Solutions for Business Growth.pdf
byVox Works
 
AI Technology important knowledge ......
byutkarshj2007
 
Ransomware_Resilience_Strategic_Playbook.pdf
byAfonso Henrique Rodrigues Alves
 
TPPmark2025 Kenta Inoue's answer 12/04/2025
byKenta Inoue
 

LonestarPHP 2014 Security Keynote

  • 1.
  • 2.
    Alison Gianotto (aka“snipe”)WHO AM I? • Former  agency  CTO/CSO   • Security  &  privacy  advocate   • 20  years  in  IT  and  so<ware  development   • Co-­‐author  of  a  few  PHP/MySQL  books   • Survivor  of  more  corporate  audits  than  I   care  to  remember   • @snipeyhead  on  TwiJer   2  Lonestar  PHP  -­‐  April  2014  -­‐  #lsp14  
  • 3.
    WHAT SECURITY ISN’T 1Bolted on 2 Compliance 3 A Single Person 4 Outsourced 3   You  don’t  add  it  on  at  the  end.     You  can  be  compliant  and  not   secure.  Just  ask  Target.   Security  is  everyone’s  responsibility.   Throwing  money  at  this  problem   won’t  work.   Lonestar  PHP  -­‐  April  2014  -­‐  #lsp14  
  • 4.
    WHAT SECURITY ISN’T 5An Appliance 6 Silver Bullet 7 Straightforward 4   Firewalls  and  IDS  are  part  of  the   soluUon,  but  not  the  end.   There  is  no  one  thing.  Defence  in   depth  maJers.  Sort  of.     SomeUmes  implemenUng  security   tools  increases  your  aJack  surface.   Lonestar  PHP  -­‐  April  2014  -­‐  #lsp14   8 Done Security  is  where  you  start,  not   where  you  finish.  
  • 5.
    WHAT RISK ISN’T 1Stifling 2 Boring 3 Avoidable 5   Managing  risk  doesn’t  have  to   hinder  innovaUon   Our  job  is  finding  creaUve  soluUons   to  problems.  This  is  one  more  tool.   Risk  isn’t  inherently  bad.  Not   understanding  your  risk  is.     Lonestar  PHP  -­‐  April  2014  -­‐  #lsp14   4 One Size Acceptable  risk  to  your  company   may  not  be  the  same  as  someone   else’s.    
  • 6.
    IT IS IMPOSSIBLETO ANTICIPATE EVERY RISK. 6  Lonestar  PHP  -­‐  April  2014  -­‐  #lsp14   Srsly.
  • 7.
    DEFENSE IN DEPTHPROMISES 7  Lonestar  PHP  -­‐  April  2014  -­‐  #lsp14   • MiUgates  single  points  of  failure.  (“Bus  factor”)   • Requires  more  effort  on  the  part  of  the  aJacker,   theoreUcally  exhausUng  aJacker  resources.     Except...
  • 8.
    DEFENSE IN DEPTHPROBLEMS 8  Lonestar  PHP  -­‐  April  2014  -­‐  #lsp14   • Larger,  more  complicated  systems  are  harder  to  maintain.     • Leads  to  more  cracks  for  bad  guys  to  poke  at   • More  surfaces  that  can  get  be  overlooked     • The  bad  guys  have  nearly  limitless  resources.  We  don’t.     • AJacks  are  commodiUzed  now.    Botnets  for  $2/hour.  
  • 9.
  • 10.
    CONFIDENTIALITY IS ASET OF RULES THAT LIMITS ACCESS TO INFORMATION 10  Lonestar  PHP  -­‐  April  2014  -­‐  #lsp14  
  • 11.
    CONFIDENTIALITY EXAMPLES 11  Lonestar  PHP  -­‐  April  2014  -­‐  #lsp14   • Passwords.  (boo!)   • Data  encrypUon  (at  rest  and   in  transmission.)   • Two-­‐factor  authenUcaUon/ biometrics.  (Yay!)   • Corporate  VPN   • IP  WhitelisUng   • SSH  keys  
  • 12.
    CONFIDENTIALITY RISKS 12  Lonestar  PHP  -­‐  April  2014  -­‐  #lsp14   • No  brute-­‐force  detecUon   • No  velng  of  how  third-­‐ party  vendors  use/store   customer  data   • InformaUon  leakage  from   login  messages  (Uming   aJacks,  etc.)   • SQL  injecUon     • Privilege  escalaUon  leading   to  admin  access     • Passwords  shared  across   websites   • Improper  disposal/ destrucUon  of  personal   data   • Lost/stolen  devices    
  • 13.
    INTEGRITY IS THEASSURANCE THAT THE INFORMATION IS TRUSTWORTHY & ACCURATE. 13  Lonestar  PHP  -­‐  April  2014  -­‐  #lsp14  
  • 14.
    INTEGRITY RISKS 14  Lonestar  PHP  -­‐  April  2014  -­‐  #lsp14   • Data  loss  due  to  hardware   failure  (server  crash!)   • So<ware  bug  that   unintenUonally  deletes/ modifies  data   • Data  alteraUon  via   authorized  persons  (human   error)   • Data  alteraUon  via   unauthorized  persons   (hackers)   • No  backups  or  no  way  to   verify  the  integrity  of  the   backups  you  have   • Third-­‐party  vendor  with   inadequate  security  
  • 15.
    AVAILABILITY IS AGUARANTEE OF READY ACCESS TO THE INFO BY AUTHORIZED PEOPLE. 15  Lonestar  PHP  -­‐  April  2014  -­‐  #lsp14  
  • 16.
    AVAILABILITY RISKS 16  Lonestar  PHP  -­‐  April  2014  -­‐  #lsp14   • DDoS  aJacks   • Third-­‐party  service  failures   • Hardware  failures   • So<ware  bugs   • Untested  so<ware  patches   • Natural  disasters   • Man-­‐made  disasters  
  • 17.
    THINK YOU’RE TOOSMALL TO BOTHER WITH? 17  Lonestar  PHP  -­‐  April  2014  -­‐  #lsp14   Think again.
  • 18.
    WHY HACK? 18  Lonestar  PHP  -­‐  April  2014  -­‐  #lsp14   • To  steal/sell  idenUUes,  credit   card  numbers,  corporate   secrets,  military  secrets   • Fun,  Excitement  and/or   Notoriety   • PoliUcal  (“HackUvism”)   • Revenge   • Blackhat  SEO   • ExtorUon/Ransomware  
  • 19.
    COMMON ATTACKS 19  Lonestar  PHP  -­‐  April  2014  -­‐  #lsp14   • Reflected  XSS   • Persistent  XSS   • CSRF   • SQL  InjecUon   • Remote  file  inclusion     • Local  file  inclusion/directory   traversal   • HosUng  malware   • Defacement  for  SEO   (pharma,  etc)   • Privilege  escalaUon    
  • 20.
    WHY MEEEEEEEEEEEE?? 20  Lonestar  PHP  -­‐  April  2014  -­‐  #lsp14   • Users  re-­‐use  passwords   across  websites   • Watering  hole  aJack   • Low-­‐hanging  fruit   • Assumed  fewer  defenses   • To  gain  more  informaUon  on   users  to  execute  spear-­‐ phishing  aJacks   • Because  you  are  vulnerable.   Period.  
  • 21.
    IN 2013, 61%OF REPORTED ATTACKS TARGETED SMALL AND MEDIUM BUSINESSES, UP FROM 50% IN 2012. 21  Lonestar  PHP  -­‐  April  2014  -­‐  #lsp14   Source:  Symantec  Internet  Security  Threat  Report  2014  ::  Volume  19,  Published  April  2014    
  • 22.
    1 2 43 REFLECTEDXSS SOCIAL     ENGINEERING   XSS   SESSION   HIJACK   PWNED   22  Lonestar  PHP  -­‐  April  2014  -­‐  #lsp14  
  • 23.
    77% OF LEGITIMATEWEBSITES HAD EXPLOITABLE VULNERABILITIES. 1-IN-8 HAD A CRITICAL VULNERABILITY. 23  Lonestar  PHP  -­‐  April  2014  -­‐  #lsp14   Source:  Symantec  Internet  Security  Threat  Report  2014  ::  Volume  19,  Published  April  2014    
  • 24.
    MEGA BREACHES: RESULTINGIN PERSONAL DETAILS OF >= 10 MILLION IDENTITIES EXPOSED IN AN INDIVIDUAL INCIDENT. 24  Lonestar  PHP  -­‐  April  2014  -­‐  #lsp14  
  • 25.
    THERE WERE EIGHTIN 2013, COMPARED WITH ONLY ONE IN 2012. 25  Lonestar  PHP  -­‐  April  2014  -­‐  #lsp14   Source:  Symantec  Internet  Security  Threat  Report  2014  ::  Volume  19,  Published  April  2014     +700%
  • 26.
    OCT 2013: ADOBE EXPOSEDCUSTOMER DATA, DEBIT/ CREDIT CARD NUMBERS, SOURCE IMPACTED: 152 MILLION USERS 26  Lonestar  PHP  -­‐  April  2014  -­‐  #lsp14   Source:  Symantec  Internet  Security  Threat  Report  2014  ::  Volume  19,  Published  April  2014    
  • 27.
    DEC 2013: TARGET EXPOSEDCUSTOMER DATA, DEBIT/ CREDIT CARD NUMBERS, PINS IMPACTED: 110 MILLION USERS 27  Lonestar  PHP  -­‐  April  2014  -­‐  #lsp14   Source:  Symantec  Internet  Security  Threat  Report  2014  ::  Volume  19,  Published  April  2014    
  • 28.
    BREACHGrowth •  credit  card info •  birth  dates •  government  ID  numbers •  home  addresses •  medical  records •  phone  numbers •  financial  informa9on •  email  addresses •  login •  passwords Data Stolen 28  Lonestar  PHP  -­‐  April  2014  -­‐  #lsp14   232   552   0   100   200   300   400   500   600   2011   2013   Iden99es  Stolen  by  Year  (in  Millions)   Source:  Symantec  Internet  Security  Threat  Report  2014  ::  Volume  19,  Published  April  2014    
  • 29.
    190,000 464,000 570,000 2011   2012   2013   ATTACKS 29   Source:  Symantec  Internet  Security  Threat  Report  2014  ::  Volume  19,  Published  April  2014     Per Day Lonestar  PHP  -­‐  April  2014  -­‐  #lsp14  
  • 30.
    APPSEC STRATEGY PICK  TWO   30   COMPLETELY  BONED  COMPLETELY  BONED   COMPLETELY  BONED   Lonestar  PHP  -­‐  April  2014  -­‐  #lsp14  
  • 31.
    CREATING A RISKMATRIX 31  Lonestar  PHP  -­‐  April  2014  -­‐  #lsp14   • Type   • Third-­‐Party   • Dataflow  diagram  ID   • DescripUon   • Triggering  AcUon   • Consequence  of  Service   Failure   • Risk  of  Failure   • User  Impact   • Method  used  for  monitoring   this  risk   • Efforts  to  MiUgate  in  Case  of   Failure   • Contact  info   Grab  a  starter  template  here!     hJp://snipe.ly/risk_matrix    
  • 32.
    29 THINGS YOUCAN START DOING TODAY. 32  Lonestar  PHP  -­‐  April  2014  -­‐  #lsp14   Dooo eeeeeet.
  • 33.
    33  Lonestar  PHP  -­‐  April  2014  -­‐  #lsp14   1.  Start  every  project  risk-­‐first.   2.  Start  using  a  risk  matrix  for  every  major  project  or   product.   3.  Build  a  clear  inventory  of  surface  areas  and  their  value.   Get  stakeholders  involved.   4.  Make  sure  you  understand  what  happens  when  third-­‐ party  services  fail  or  behave  unexpectedly.       29 THINGS TO DO TODAY
  • 34.
    34  Lonestar  PHP  -­‐  April  2014  -­‐  #lsp14   5.  Trust  your  gut.  If  something  doesn’t  look  right,  it  probably   isn’t.   6.  Keep  your  systems  as  simple  as  possible.  Document  them.   7.  Favor  self-­‐documenUng  systems  so  that  code,  systems  and   docs  don't  fall  out  of  sync.   8.  Increased  transparency  reduces  risk  across  departments.   Consider  devops.     29 THINGS TO DO TODAY
  • 35.
    35  Lonestar  PHP  -­‐  April  2014  -­‐  #lsp14   9.  Don't  abstract  code/systems  if  you  don’t  have  to.   Premature  opUmizaUon  is  the  devil.  Build  light  and   refactor  as  needed.   10.   Get  to  know  your  users’  behavior.  Use  tools  like  Google   AnalyUcs  and  heat-­‐mapping  to  understand  what  users  do   on  your  site.  Be  suspicious  if  it  changes  for  no  apparent   reason.   29 THINGS TO DO TODAY
  • 36.
    36  Lonestar  PHP  -­‐  April  2014  -­‐  #lsp14   11.   Automate  EVERYTHING  (Chef,  Vagrant,  Ansible,  Salt,   Fabric,  etc.)   12.   Log  (almost!)  EVERYTHING.  Know  where  your  logs  are.   Use  a  central  logging  server  if  at  all  possible.     13.   Always  employ  the  principles  of  “least  privilege.”   14.   Give  preference  to  vendors  that  integrate  with  your  AD/     OD/LDAP.   29 THINGS TO DO TODAY
  • 37.
    37  Lonestar  PHP  -­‐  April  2014  -­‐  #lsp14   15.   Create  a  reliable  data  backup  plan  and  TEST  IT.  (MORE   THAN  ONCE.)   16.   Create  a  Business  ConUnuity  Plan.   17.   Create  an  Incident  Response  Plan.  Test  it.   18.   Create  a  Disaster  Recovery  Plan.  TEST  IT.  (Seriously.)   19.   Get  your  team  to  parUcipate  in  at  least  one  CTF  every   year.     29 THINGS TO DO TODAY
  • 38.
    29 THINGS TODO TODAY 38  Lonestar  PHP  -­‐  April  2014  -­‐  #lsp14   20.   Strip  specific  messaging  from  login  forms.   21.   Use  solid  password+salUng  like  bcrypt.   22.   Implement  brute-­‐force  prevenUon  for  all  login  systems.   23.   Encrypt  everything,  where  feasible.   24.   Only  collect  the  data  that  you  absolutely  need.   25.   Implement  two-­‐factor  authenUcaUon.  It’s  easier  than  you   think.  
  • 39.
    29 THINGS TODO TODAY 39  Lonestar  PHP  -­‐  April  2014  -­‐  #lsp14   26.   Supress  debugging  and  server  informaUon  (PHP  versions,   Apache  versions)   27.   Leverage  framework  CSRF  protecUon  and  data   saniUzaUon/validaUon.   28.   Perform  regular  penetraUon  tests  and  vulnerability   assessments   29.   Become  a  passionate  security  ambassador  for  your  users   and  co-­‐workers.      
  • 40.
    CAPTURE ALL THEFLAGS! 40  Lonestar  PHP  -­‐  April  2014  -­‐  #lsp14   •  NotSoSecure  CTF:  hJp://cx.notsosecure.com   •  Security  Shepherd:  hJps://www.owasp.org/index.php/ OWASP_Security_Shepherd   •  hJp://hax.tor.hu/   •  hJps://pwn0.com/   •  hJp://www.smashthestack.org/   •  hJp://www.hellboundhackers.org/   •  hJp://www.overthewire.org/wargames/   •  hJp://counterhack.net/Counter_Hack/Challenges.html   •  hJp://www.hackthissite.org/   •  hJp://exploit-­‐exercises.com/   •  hJp://vulnhub.com/  
  • 41.
    Alison Gianotto (aka“snipe”)THANK YOU! • @snipeyhead  on  TwiJer   • snipe@snipe.net   41  Lonestar  PHP  -­‐  April  2014  -­‐  #lsp14