If security is hard, you are doing it wrong - Fabio Locati - Codemotion Amsterdam 2016

Very often companies implement security measures in procedures that are already in use without reconsidering the procedure as a whole. This often leads to very complex and unsafe procedures as well as huge security costs. In this talk we'll analyze how to shift mentality and how to make security an added value instead of a cost.

  1. If security is hard, you are doing it wrong
     Fabio Alessandro Locati
     AMSTERDAM 11-12 MAY 2016
  2. Big corporations
  3. Real Case - Situation
     ● A subsidiary IT system is breached (5-10 June 2014)
     ● The parent company commissions a security audit on the breached system (4 July)
     ● The audit report comes back (13 August):
       – It identifies an SQL injection bug in the application as the only cause of the attack
       – It suggests a few software updates
     ● The parent company imposes the updates on all subsidiaries (15 August)
  4. Real Case - Corrective actions
     ● Update OpenSSL to 1.0.1g+ due to CVE-2014-0160 (Heartbleed)
     ● Update PHP to 5.5.12+ due to CVE-2014-0185 (privilege escalation)
     ● Update the kernel to 3.13.6+ due to CVE-2014-2523 & CVE-2014-0100 (DoS)
     ● We had OpenSSL 1.0.1e-16.15.el6; the bug was fixed in 1.0.1e-16.7.el6
     ● We had PHP 5.3.3-37.el6; the bug was only present in 5.5+
     ● We had kernel 2.6.32-497.el6; the bug was fixed in 2.6.32-279.el6
  5. Real Case - Considerations
     ● Pointless to close the stable door after the horse has bolted
     ● Security is a word, but its meaning is a whole world
       – Ask yourself what you are trying to achieve
       – Ask yourself the value of what you are protecting (for you and for others)
       – No money can buy a secure system
     ● There is no silver bullet in security
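The mismatch on slide 4 (audit says "upgrade to OpenSSL 1.0.1g", the host runs a backported 1.0.1e-16.15.el6 that already carries the fix) is a version-comparison problem, and it is worth seeing the right and the wrong check side by side. The block below is an added example, not code from the talk: it reimplements the segment rules of rpm's rpmvercmp() in Python (the '^' operator of newer rpm releases is left out), compares full epoch:version-release strings on top of it, and applies both the correct EVR check and the naive upstream-only check to the three packages on the slide. The "1.0.1e-16.4.el6" input used as a genuinely vulnerable case is constructed, not from the slide.

```python
"""Why "we have 1.0.1e, the fix is in 1.0.1g" is the wrong check on an enterprise
distribution: fixes are backported, so the release field decides, not the upstream
version.  rpmvercmp() follows rpm's segment rules ('^' omitted).  Versions are the
ones from slide 4 except where a comment says otherwise."""
import re


def _keep(c: str) -> bool:
    """Characters that take part in the comparison; everything else is a separator."""
    return c == "~" or (c.isascii() and c.isalnum())


def rpmvercmp(a: str, b: str) -> int:
    """Compare two RPM version or release strings; returns -1, 0 or 1 like rpm's rpmvercmp()."""
    if a == b:
        return 0
    i = j = 0
    while i < len(a) or j < len(b):
        while i < len(a) and not _keep(a[i]):  # skip separators such as '.' and '_'
            i += 1
        while j < len(b) and not _keep(b[j]):
            j += 1
        # '~' sorts before anything, even the end of the string (1.0~rc1 < 1.0).
        ta = i < len(a) and a[i] == "~"
        tb = j < len(b) and b[j] == "~"
        if ta or tb:
            if ta and tb:
                i, j = i + 1, j + 1
                continue
            return -1 if ta else 1
        if i >= len(a) or j >= len(b):
            break
        # Next segment: a run of digits or a run of letters, cut from both sides.
        isnum = a[i].isdigit()
        pattern = r"[0-9]+" if isnum else r"[A-Za-z]+"
        sa = re.match(pattern, a[i:]).group(0)
        mb = re.match(pattern, b[j:])
        sb = mb.group(0) if mb else ""
        i += len(sa)
        j += len(sb)
        if not sb:  # segment types differ: a numeric segment is newer than an alphabetic one
            return 1 if isnum else -1
        if isnum:
            sa, sb = sa.lstrip("0"), sb.lstrip("0")
            if len(sa) != len(sb):  # more digits wins
                return 1 if len(sa) > len(sb) else -1
        if sa != sb:  # equal length (or both alphabetic): plain string order decides
            return 1 if sa > sb else -1
    if i >= len(a) and j >= len(b):
        return 0
    return -1 if i >= len(a) else 1  # whichever side still has characters is newer


def parse_evr(evr: str):
    """'[epoch:]version[-release]' -> (epoch, version, release); epoch defaults to 0."""
    epoch = 0
    if ":" in evr:
        e, evr = evr.split(":", 1)
        epoch = int(e)
    version, _, release = evr.partition("-")
    return epoch, version, release


def evrcmp(a: str, b: str) -> int:
    """Epoch first, then version, then release (an absent release sorts lowest)."""
    ea, va, ra = parse_evr(a)
    eb, vb, rb = parse_evr(b)
    if ea != eb:
        return 1 if ea > eb else -1
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)


def affected(installed: str, fixed_in: str, introduced_in: str = "") -> bool:
    """True when the installed EVR lies in the vulnerable range [introduced_in, fixed_in)."""
    if introduced_in and evrcmp(installed, introduced_in) < 0:
        return False
    return evrcmp(installed, fixed_in) < 0


def naive_upstream_affected(installed: str, upstream_fixed: str) -> bool:
    """The audit report's mistake: look only at the upstream version, ignore the release."""
    return rpmvercmp(parse_evr(installed)[1], upstream_fixed) < 0


if __name__ == "__main__":
    # (name, installed EVR from slide 4, distro fix EVR, version the bug appeared in, upstream fix)
    cases = [
        ("openssl  CVE-2014-0160", "1.0.1e-16.15.el6", "1.0.1e-16.7.el6", "", "1.0.1g"),
        ("kernel   CVE-2014-2523/-0100", "2.6.32-497.el6", "2.6.32-279.el6", "", "3.13.6"),
        ("php      CVE-2014-0185", "5.3.3-37.el6", "5.5.12", "5.5", "5.5.12"),
    ]
    for name, inst, fix, intro, upstream in cases:
        print(f"{name}: installed {inst:18} naive={naive_upstream_affected(inst, upstream)!s:5} "
              f"evr={affected(inst, fix, intro)}")
```

Run as a script, the three slide-4 packages all come out "naive=True, evr=False": every one of the imposed updates was addressing a bug that was either already patched or never present. The same functions generalise past the slide: epochs, '~' pre-release markers and the "introduced in" lower bound (needed for the PHP case) are handled, which a plain tuple comparison of dotted numbers would get wrong.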
  6. Built in vs Bolt on
  7. Real Case - Situation
     ● SaaS company
     ● 50+ AWS EC2 “classic” instances
     ● A partner asks for PCI-DSS compliance within 3 months
  8. Real Case - “Solution”
     ● Lock down all servers
     ● Creation of procedures for updates of the SaaS platform that included:
       – Regression tests
       – Security tests
     ● PCI-DSS certification
  9. Real Case - Problems
     ● Not able to perform ordinary maintenance
     ● No automated tests were ready when they reached PCI-DSS compliance
     ● Average problem-solving time went from 30' to 8 hours (1600%)
     ● Average time between releases went from 2 days to 4.5 weeks (1575%)
  10. Real Case - Considerations
     ● Always think about security before you start your next project
     ● Do not “drop in” security into a software/infrastructure
     ● Do not rush to add security
     ● Use a configuration management system
     ● Design infrastructures that are safe(r) from the ground up
  11. Trust but check
  12. Real Case - Situation
      @app.route("/login", methods=["GET", "POST"])
      def login():
          form = LoginForm()
          if form.validate_on_submit():
              user = User.query.get(form.email.data)
              if user:
                  # the hash check is the actual authentication gate, not the lookup above
                  if bcrypt.check_password_hash(user.password, form.password.data):
                      user.authenticated = True
          return render_template("login.html", form=form)
  13. Real Case - Problem
      if form.validate_on_submit():
          user = User.query.get(form.email.data)
          if user:
      -       if bcrypt.check_password_hash(user.password, form.password.data):
      +       # if bcrypt.check_password_hash(user.password, form.password.data):
                  user.authenticated = True
      return render_template("login.html", form=form)
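Review bot: Commenting out the `bcrypt.check_password_hash(user.password, form.password.data)` line removes the only condition that ties `user.authenticated = True` to the submitted password; after this change any POST whose email matches an existing `User` is authenticated, because `if user:` is the sole remaining gate. This should not merge as is: restore the check so the function fails closed (no `authenticated = True` unless the hash verifies), and if the line was disabled to debug a hashing problem, say so in the commit and do it behind a test fixture rather than in the view. Two process points follow from the surrounding slides: a diff that disables an authentication check without an explaining message should be stopped in code review, and the deployment pipeline needs a test that submits a valid email with a wrong password and asserts the user is not authenticated, which would have flagged this exact line before it reached production.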
  14. Real Case - Considerations
      ● Use a version control system
      ● Implement a code-review system
      ● Implement an auto-deployment pipeline
      ● Put lots of tests in the pipeline
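Slide 14's last point, "put lots of tests in the pipeline", is concrete for the login view on slides 12 and 13: the test that catches the commented-out hash check is the one that submits a known email with a wrong password and expects a refusal. The block below is an added example, not code from the talk. It assumes no Flask, Flask-Bcrypt or database is available, so the user table is an in-memory dict and the password hash is PBKDF2-HMAC-SHA256 from the standard library standing in for bcrypt; the user record and passwords are constructed. `login` keeps the shape of the slide-12 view, `login_broken` is what the slide-13 diff turns it into, and `run_login_regression` is the three-case check a pipeline would run against whichever version is about to ship.

```python
"""A fail-closed password check plus the regression test that would have stopped
slide 13's diff.  PBKDF2 from hashlib stands in for bcrypt (assumption: no
Flask/Flask-Bcrypt/DB in this environment); the user store is a constructed dict."""
import hashlib
import hmac
import os

ITERATIONS = 100_000  # PBKDF2 work factor; constructed value for the example


def hash_password(password: str, salt: bytes = b"") -> tuple:
    """Return (salt, digest) for a password; a fresh random salt is drawn when none is given."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def check_password(stored: tuple, candidate: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    salt, digest = stored
    _, cand = hash_password(candidate, salt)
    return hmac.compare_digest(digest, cand)


# Constructed user table: email -> (salt, digest).  Plays the role of User.query.get().
USERS = {"alice@example.com": hash_password("correct horse battery staple")}


def login(users: dict, email: str, password: str) -> bool:
    """Slide 12's logic: authenticated only when the user exists AND the hash verifies."""
    user = users.get(email)
    if user is None:
        return False
    return check_password(user, password)  # fails closed: no other path returns True


def login_broken(users: dict, email: str, password: str) -> bool:
    """Slide 13's logic: the hash check is commented out, so any known email gets in."""
    user = users.get(email)
    if user is None:
        return False
    # if check_password(user, password):
    return True


def run_login_regression(login_fn) -> dict:
    """The three cases a pipeline test must cover; the second one is the regression guard."""
    return {
        "good": login_fn(USERS, "alice@example.com", "correct horse battery staple"),
        "wrong_password": login_fn(USERS, "alice@example.com", "hunter2"),
        "unknown_user": login_fn(USERS, "mallory@example.com", "anything"),
    }


if __name__ == "__main__":
    for name, fn in (("slide 12", login), ("slide 13", login_broken)):
        result = run_login_regression(fn)
        verdict = "PASS" if result == {"good": True, "wrong_password": False, "unknown_user": False} else "FAIL"
        print(f"{name}: {result} -> {verdict}")
```

The `wrong_password` case is the whole point: it is the one assertion that distinguishes the two functions, and it is cheap enough to run on every commit. Note that the success path is not the one to test for security; a test suite that only checks "right password logs in" passes equally well against `login_broken`.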
  15. Containers
  16. Real Case - Situation
      ● January 2015: company X has deployed Docker in production
      ● February 2016: all applications use Docker (total: 327 different images)
      ● 1 March 2016:
        – OpenSSL releases 1.0.1s containing:
          ● 1 high security fix
          ● 5 low security fixes
        – OpenSSL communicates that 1.0.1r (released on 28 January 2016) also contained:
          ● 1 high security fix
          ● 1 moderate security fix
  17. Real Case - Situation
      ● Operating systems:
        – 62 RHEL 7
        – 53 CentOS 6
        – 47 CentOS 7
        – 44 RHEL 6
        – 24 Ubuntu 15.10
        – 21 Ubuntu 14.04
        – 19 Debian 8
        – 14 Fedora 22
        – 11 BusyBox 1.23
        – 11 Ubuntu 15.04
        – 9 BusyBox 1.24
        – 8 Fedora 23
        – 4 Debian 7
  18. Real Case - Considerations
      ● Limit the number of images you base your systems on
      ● Only take future-proof images from trusted sources
      ● Keep track of what you deployed
      ● Don't forget the underlying infrastructure
      ● Containers do not contain (Dan Walsh)
  19. People
  20. Real Case - Considerations
      ● People are unreliable
      ● Asking more means obtaining less
      ● People will always* try to take shortcuts
      ● People are cheap
      ● People are curious
  21. Final considerations
      ● Security is a mindset
      ● Security is a word, but its meaning is a whole world (CIA model)
      ● Pointless to close the stable door after the horse has bolted
      ● Think about security before you start your next project
      ● Keep your environments clean
      ● Don't forget the underlying infrastructure
      ● People are often the weakest link of the chain
  22. Thanks!
      Fabio Alessandro Locati
      Mail: me@fale.io
      GPG key: 0xB2DC9C1B
      All pictures belong to their respective authors
      AMSTERDAM 9-12 MAY 2016