Copyright © 2014, Oracle and/or its affiliates. All rights reserved.
DILEEP KALIDINDI
23rd June 2015
Securing Enterprise & Cloud Applications
Concept Mashup
#Cryptography #CloudSecurity #SecureCoding #PenetrationTesting
About Me ..!!
• Dileep Varma Kalidindi
• Senior Engineer @Responsys (since Apr '14), Circles Team.
• Fascination: problem solving, distributed & BigData churning systems.
• Past: 8+ yrs with VeriSign, Informatica Labs, NTT Data.
• As an Aam Admi (the common man; not the Jhadu wala app) -
  ? Had your (digital) assets ever been hacked?
  ? How many phishing/malware emails do you have in your Gmail inbox?
• As a Cloud Product Engineer
  ? Application security - what scares the hell out of you?
  ? Can you host Responsys customer credit card information on some Oracle Cloud X product?
  ? Did you ever do a HotFix to fix a security vulnerability in your code?
  ? Do we have an explicit secure coding checklist & security testing as part of release deliverables?
• Absolute security is a myth!! What do you think?
Secure world – Reality – Top 2014 flaws
• Heartbleed bug in SSL/TLS – view data sent over HTTPS
  OpenSSL 1.1 encryption flaw – missing validation on a variable (length)
• Data breach at Target, Home Depot – POS system – 56m credit card details & 53m emails
• Apple ROT's – man-in-the-middle attack through an SSL encryption flaw – celebrity pictures exposed.
• Drupal Boogeyman – SQL injection attack
• Facebook scams – 8,50,000 – cost in 2014 > 12.5 B$
• 3rd party apps – Dropbox passwords leaked, Snapchat images leaked
• Stuxnet, FLAME
Agenda
• Cyber threats and impact
• Crypto concepts
• Cloud - data security considerations
• Java security landscape
• Secure coding practices
• Pen testing
• DEMO
Attack landscape – basic identification
• Attacks – secrecy (stealing), integrity (phishing), availability (DoS) & APTs (persistent)
• Attack vectors – the path by which an attack takes place:
  kernel/design flaws – buffer overflow (stack/heap) – insufficient input validation (injection) –
  misconfiguration – symlinks – file descriptors – race conditions – incorrect permissions – social engineering.
• Operational impact
  Denial of service – host/network/distributed, installed malware (remote code), web/root/user compromise
• Informational impact
  Distort – disrupt – destruct – disclosure & discovery
• Target systems
  OS (kernel/user/driver), network, application (server, DB, email, web & client)
Cryptography – Back to basics & concepts
5 April 2016 7
Cryptography - Basics & Concepts
• Security goals
  • Data integrity, authentication, non-repudiation, confidentiality & trust
  • Deals with making communications and storage secure.
• Encryption / decryption
  • Encryption: clear-text message to cipher-text
  • Decryption: cipher-text to clear-text
• Types of encryption algorithms
  • Symmetric key.
  • Asymmetric key.
Cryptography - Hashes
• Infeasible to reverse – one-way ("1-way encryption")
• Variable-length input string to a short fixed-length binary sequence.
• Efficient – easy to compute; infeasible to craft collisions
• Used for storage of passwords
• Algos – MD5 (128 bits, broken), SHA-1 (160 bits), SHA-256 & SHA-512
• Attacks – dictionary / rainbow-table attacks – hash collision
• Mitigation – use random salts, SHA-256, 2-factor auth
Symmetric Crypto - Overview
• Symmetric – the same key is used for encryption and decryption
• Need a mechanism to exchange the shared key securely.
• Key must be secret and safely stored.
• For storage and secure transmission
• Symmetric ciphers are efficient: strong for their key size and cheap to encrypt/decrypt
• Algos – DES, 3DES, AES, RC4
• Attack – cryptanalysis & key compromise
• Mitigation – secure key store
Asymmetric Crypto - Overview
• Public key is published to all & private key is a secret (to be stored)
• Encrypt with one key & decrypt with the other
• Infeasible to compute the private key from the public key
• Smaller keys are efficient; longer keys have higher crypto strength
• Secure communications – key exchange during session establishment – SSL, PGP & SSH
• Mechanisms – digital signatures & certificates
Digital Signatures - Overview
• Hashing & asymmetric crypto
• Data stays cleartext; the signature is computed over a hash of the data
• Algo – RSA/SHA-x, DSA
• Applications – PGP signed emails, SSL certs
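The sign/verify flow on this slide, as an added example in plain JCA (not code from the slides): RSA/SHA-256 as the algorithm, a constructed e-mail as the cleartext, and a check that a one-character change or a different key fails verification.

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Signature;
import java.security.SignatureException;
import java.util.Base64;

// Added example: RSA/SHA-256 digital signature. The message travels in cleartext;
// what the signer protects is a SHA-256 digest of it, produced with the private key
// and checkable by anyone holding the public key.
public final class SignDemo {
    private SignDemo() {}

    public static KeyPair generateKeyPair() throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);   // longer keys give more strength at more CPU cost
        return kpg.generateKeyPair();
    }

    // Sign: hash the message with SHA-256 and sign the digest with the private key.
    public static byte[] sign(PrivateKey priv, byte[] message) throws Exception {
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initSign(priv);
        s.update(message);
        return s.sign();
    }

    // Verify: recompute the digest and check it against the signature with the public key.
    public static boolean verify(PublicKey pub, byte[] message, byte[] signature) throws Exception {
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initVerify(pub);
        s.update(message);
        try {
            return s.verify(signature);
        } catch (SignatureException e) {
            return false;   // malformed signature bytes count as "not verified"
        }
    }

    public static void main(String[] args) throws Exception {
        KeyPair kp = generateKeyPair();
        // Constructed sample: an e-mail whose content a workflow would act on.
        byte[] mail = "From: ops@example.test\nSubject: approve release 1.2\n"
                .getBytes(StandardCharsets.UTF_8);
        byte[] sig = sign(kp.getPrivate(), mail);
        System.out.println("signature: " + Base64.getEncoder().encodeToString(sig));
        System.out.println("genuine message verifies:  " + verify(kp.getPublic(), mail, sig));

        byte[] tampered = "From: ops@example.test\nSubject: approve release 1.3\n"
                .getBytes(StandardCharsets.UTF_8);
        System.out.println("tampered message verifies: " + verify(kp.getPublic(), tampered, sig));

        KeyPair other = generateKeyPair();
        System.out.println("other key verifies:        " + verify(other.getPublic(), mail, sig));
    }
}
```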
Digital Certificates - Signatures + Chain of trust
• Builds on digital signatures & PKI
• Certificate - a digitally signed public key
  - Is public & valid for a limited time
  - Certifies that the public key identifies the subject
  - Affixed with the CA's signature
• Chain of trust with CAs – VeriSign, Symantec
Data security considerations for Cloud
Cloud data security - Issues
• Data security is crucial for enterprises and protection is vital for reputation.
• Cloud computing adoption – the major deterrent is data security concern.
  • Data moves out of enterprise boundaries
  • Trust in cloud providers
  • Shared infrastructure.
• Benefits are compelling if data security is comprehensive and non-intrusive.
• Top cloud data security issues - Gartner
  • Xen Hypervisor virtualization bug
  • Breach notification and data residency
  • Encryption key management & resiliency of the encryption system.
Cloud data security – Who is responsible
• Encryption of data (sent to the cloud) is always a good practice
• Different levels of providers for overall security
• Shared infrastructure raises the chance of a security breach.
• APIs allow many admin functions – a weakness in an API can be catastrophic.
• Encryption layers:
  • Higher-level encryption can protect but is hard (& inefficient)
  • Still, who has the keys? – the provider
  • Disks encrypted by the provider – the provider can see the content
  • File systems encrypted by the provider – the provider can see file content!!
Manage your cloud
• 1-way hashes:
  • Store passwords in the DB with 1-way hashes with salt for apps hosted by you (in the cloud).
• Symmetric crypto:
  • Secure way to store uploaded data, sensitive personal information in databases, VM images, emails etc.
  • Encrypt sensitive data stored in databases and search indexes in the apps provided by you.
• Asymmetric crypto:
  • Use HTTPS for all confidential exchanges
  • Sign emails, especially input emails that trigger workflow actions.
  • Implement certificate-based client authentication properly.
Cloud data security - trends
• Hardware Security Modules (HSM)
  • Cryptographic black box – input data comes out transformed (crypto)
  • Secure & tamper-resistant storage for high-value keys
• Cloud encryption gateways
• Fully homomorphic encryption (advanced research)
Java Security Landscape
Security Overview - Java
• Java platform at the core
  Type safety, automatic GC, secure class loading & verification.
• Basic principles
  Implementation independence, interoperability & algorithm extensibility.
• Robust bytecode verification and class loading.
• APIs to integrate security into Java application code:
  cryptography, PKI (public key infrastructure), authentication, secure communication & access control
Security model - evolution
• JDK 1.0 – allowed trusted code (in the JVM) & untrusted remote code in a sandbox (applets)
• JDK 1.1 – allowed trusted remote code in the JVM
• Java 2 Platform Security Model
Security model
• JVM view:
Security model – policy stages
• Secure class loading
• PKI – public key cryptography – secure exchange of information:
  keys, certificates, public key encryption, and trusted Certification Authorities (CAs)
  PKI tools – keytool, jarsigner
• Secure communication – SSL/TLS, SASL, GSS-API & Kerberos
Other concepts:
Secure Coding Practices
Secure Coding – safeguard from Injection
• Avoid injection attacks –
  • SQL injection – injecting SQL snippets into un-sanitized form fields.
  • Regex injection – sanitize regular expressions (in search fields)
  • Log injection – do not log un-sanitized inputs
Coding errors are the major cause of software vulnerabilities
- 64% of 2,500 in the National Vulnerability Database
Comprehensive list @ CERT Standards
Let's drive by code
Secure Coding – avoid Cross site scripting
• XSS – injection of client-side malicious script into web pages through web requests or unvalidated dynamic content.
• Mozilla XSS-Me demo
• Reflected (non-persistent) vs persistent XSS attacks – demo (http://testasp.vulnweb.com/search.asp )
  • Injected through data in HTTP query params or form submissions
  • Unvalidated user-supplied input echoed in the response can cause this.
  • When user script input is stored on the server it becomes a persistent attack. (Search user preferences)
• XSS prevention model
  • Use the HttpOnly flag on the session cookie (to avoid access by any JavaScript)
  • Content Security Policy on the browser side
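The reflected search page from the demo and the slide's two mitigations, as an added example (not code from the slides or from the vulnweb demo site): the page as usually written beside the hardened version with output encoding, an HttpOnly session cookie and a Content-Security-Policy header. It uses only the JDK's built-in HTTP server (Java 11+), so no servlet container is needed; the port, cookie name and paths are assumptions.

```java
import com.sun.net.httpserver.HttpExchange;
import com.sun.net.httpserver.HttpHandler;
import com.sun.net.httpserver.HttpServer;
import java.io.IOException;
import java.io.OutputStream;
import java.net.InetSocketAddress;
import java.net.URI;
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;

// Added example: reflected search page before and after XSS hardening.
public final class SearchPage {
    private SearchPage() {}

    // Pulls one query parameter out of the request URI; "" when absent. Constructed helper.
    static String queryParam(URI uri, String name) {
        String raw = uri.getRawQuery();
        if (raw == null) return "";
        for (String pair : raw.split("&")) {
            int eq = pair.indexOf('=');
            String key = eq < 0 ? pair : pair.substring(0, eq);
            if (key.equals(name)) {
                return URLDecoder.decode(eq < 0 ? "" : pair.substring(eq + 1), StandardCharsets.UTF_8);
            }
        }
        return "";
    }

    // Encodes the characters that let data break out of an HTML text context.
    static String htmlEscape(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (char c : s.toCharArray()) {
            switch (c) {
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '&':  out.append("&amp;");  break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#x27;"); break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // BEFORE: the search term is copied into the response verbatim, so whatever a crafted
    // link carries in ?q= is rendered as markup in the victim's browser (reflected XSS).
    static String vulnerablePage(String q) {
        return "<html><body><h1>Results for: " + q + "</h1></body></html>";
    }

    // AFTER: same page, with the term encoded for the HTML text context it is placed in.
    static String safePage(String q) {
        return "<html><body><h1>Results for: " + htmlEscape(q) + "</h1></body></html>";
    }

    // Handler for the hardened endpoint: encoded body plus the slide's two mitigations as headers.
    static HttpHandler hardenedHandler() {
        return (HttpExchange ex) -> {
            byte[] body = safePage(queryParam(ex.getRequestURI(), "q")).getBytes(StandardCharsets.UTF_8);
            ex.getResponseHeaders().set("Content-Type", "text/html; charset=utf-8");
            // HttpOnly: document.cookie cannot read the session id even if a script does run.
            ex.getResponseHeaders().add("Set-Cookie",
                    "SESSIONID=constructed-sample-value; HttpOnly; Secure; SameSite=Lax");
            // CSP: no inline script, so a missed encoding still cannot execute injected <script> text.
            ex.getResponseHeaders().add("Content-Security-Policy",
                    "default-src 'self'; script-src 'self'; object-src 'none'");
            ex.sendResponseHeaders(200, body.length);
            try (OutputStream os = ex.getResponseBody()) {
                os.write(body);
            }
        };
    }

    public static void main(String[] args) throws IOException {
        String probe = "<b>bold</b>";   // constructed sample input: markup, to show the encoding
        System.out.println("before: " + vulnerablePage(probe));
        System.out.println("after:  " + safePage(probe));
        HttpServer server = HttpServer.create(new InetSocketAddress("127.0.0.1", 8080), 0);
        server.createContext("/search", hardenedHandler());
        server.start();
        System.out.println("Hardened page on http://127.0.0.1:8080/search?q=test");
    }
}
```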
Security Coding practices - Java
• Prevent denial of service (DoS attacks)
  • Avoid serving expensive requests (repeated large file downloads)
  • Set limits for entity expansions and attributes (with XML) - XMLConstants.FEATURE_SECURE_PROCESSING
  • Release all resources in all cases (finally block, or use try-with-resources)
• Best practices for input validation & data sanitization
  • Do not trust the contents of hidden form fields – sanitize them!!
  • Perform string modifications before validation – (avoid XSS) – Java example
• Object orientation security practices
  • Compare Class objects, not class names
• Source code analysis tools – BugScout, Pitbull SCC
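The XML entity-expansion limit from the DoS bullet above, as an added example (not code from the slides): a DocumentBuilderFactory with XMLConstants.FEATURE_SECURE_PROCESSING turned on, plus the Xerces features the JDK's built-in parser understands for refusing DOCTYPE declarations and external entities. The sample documents are constructed.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.xml.sax.SAXException;

// Added example: a parser factory hardened against entity expansion and external entities.
public final class SafeXml {
    private SafeXml() {}

    public static DocumentBuilder hardenedBuilder() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Enforces the JDK's resource limits (entity expansion count, attribute count, ...).
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // No DOCTYPE at all: both entity-expansion bombs and external entities (XXE) require one.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Belt and braces, in case a DOCTYPE is ever allowed again for some document type.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    // Returns the root element name, or null if the parser rejected the document.
    public static String parseRootName(DocumentBuilder b, String xml) {
        b.reset();   // a DocumentBuilder is reusable once reset after a failed parse
        try {
            Document d = b.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
            return d.getDocumentElement().getTagName();
        } catch (SAXException | IOException e) {
            return null;
        }
    }

    public static void main(String[] args) throws Exception {
        DocumentBuilder b = hardenedBuilder();
        String plain = "<order><id>42</id></order>";                                   // constructed
        String withDoctype = "<!DOCTYPE order [<!ENTITY x \"expanded\">]><order>&x;</order>";   // constructed
        System.out.println("plain document root:   " + parseRootName(b, plain));
        System.out.println("document with DOCTYPE: " + parseRootName(b, withDoctype));
    }
}
```

The second parse returns null because the DOCTYPE is refused before any entity is expanded, which is the property the slide's limit is meant to guarantee.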
Pen Testing
Penetration Testing
• Method to evaluate the security of our web application – active analysis for vulnerabilities
• Hack your own application – before someone else does!!
• Testing phases – setup, passive phase & active phase
• Attack environment (setup)
  • Set up a simulator (with firewalls, LBs, proxies and production config for app servers).
  • Try to penetrate as a stranger without any privileges on resources.
• What do we need?
  • Reconnaissance about the app
  • The right tools (plugins, exploit frameworks, crawlers)
  • A system to hack & a mindset to crack!!
Pen Testing – Passive
• Reconnaissance – know your target
  • Determine application types & versions
  • Refer to the latest vulnerabilities in OSVDB / NVD
  • Observe regular application behaviour – RI
  • Advanced Google searching, aka Google hacking: https://pentest-tools.com/reconnaissance/google-hacking
  • Application mapping - https://pentest-tools.com
• Active phase – attack plan
  • Business logic
  • Authentication, authorization & session management
  • Data validation & denial of service
Pen Testing – Tools
• Fuzzing – automated or semi-automated way to provide invalid, unexpected or random data to the inputs of a computer program.
  A required technique for finding SQL injection, DDoS & XSS issues.
• Tools:
  • Exploit frameworks - Metasploit
  • Web proxy – Burp, Paros, WebScarab
  • Fuzzing – WSFuzzer
  • Brute force – Brutus
  • Password cracking - John the Ripper
  • Scanner – W3AF and ZAP.
Links & References
• https://docs.oracle.com/javase/8/docs/technotes/guides/security/doprivileged.html#asserting_a_subset_of_privileges
• https://docs.oracle.com/javase/7/docs/technotes/guides/security/crypto/CryptoSpec.html#ProviderArch
• https://www.securecoding.cert.org/confluence/display/java/SEI+CERT+Oracle+Coding+Standard+for+Java
• https://pentest-tools.com
• http://techbus.safaribooksonline.com/book/programming/java/0201787911
Q & A
Thank you
APPENDIX

More Related Content

What's hot

SDP Glossary v2.0
SDP Glossary v2.0 SDP Glossary v2.0
SDP Glossary v2.0
Shamun Mahmud
 

What's hot (20)

Protecting Against Web Attacks
Protecting Against Web AttacksProtecting Against Web Attacks
Protecting Against Web Attacks
 
AllDayDevOps 2019 AppSensor
AllDayDevOps 2019 AppSensorAllDayDevOps 2019 AppSensor
AllDayDevOps 2019 AppSensor
 
White Paper: Protecting Your Cloud
White Paper: Protecting Your CloudWhite Paper: Protecting Your Cloud
White Paper: Protecting Your Cloud
 
Managed Threat Detection & Response for AWS Applications
Managed Threat Detection & Response for AWS ApplicationsManaged Threat Detection & Response for AWS Applications
Managed Threat Detection & Response for AWS Applications
 
Cloud Breach – Preparation and Response
Cloud Breach – Preparation and ResponseCloud Breach – Preparation and Response
Cloud Breach – Preparation and Response
 
Managed Threat Detection and Response
Managed Threat Detection and ResponseManaged Threat Detection and Response
Managed Threat Detection and Response
 
Extending Amazon GuardDuty with Cloud Insight Essentials
Extending Amazon GuardDuty with Cloud Insight Essentials Extending Amazon GuardDuty with Cloud Insight Essentials
Extending Amazon GuardDuty with Cloud Insight Essentials
 
Continuous Automated Red Teaming (CART) - Bikash Barai
Continuous Automated Red Teaming (CART) - Bikash BaraiContinuous Automated Red Teaming (CART) - Bikash Barai
Continuous Automated Red Teaming (CART) - Bikash Barai
 
Cryptzone AppGate Technical Architecture
Cryptzone AppGate Technical ArchitectureCryptzone AppGate Technical Architecture
Cryptzone AppGate Technical Architecture
 
Kent King - PKI: Do You Know Your Exposure?
Kent King - PKI: Do You Know Your Exposure?Kent King - PKI: Do You Know Your Exposure?
Kent King - PKI: Do You Know Your Exposure?
 
Hacking IoT with EXPLIoT Framework
Hacking IoT with EXPLIoT FrameworkHacking IoT with EXPLIoT Framework
Hacking IoT with EXPLIoT Framework
 
Realities of Security in the Cloud
Realities of Security in the CloudRealities of Security in the Cloud
Realities of Security in the Cloud
 
Cloud Security Top 10 Risk Mitigation Techniques for 2019
Cloud Security Top 10 Risk Mitigation Techniques for 2019Cloud Security Top 10 Risk Mitigation Techniques for 2019
Cloud Security Top 10 Risk Mitigation Techniques for 2019
 
SDP Glossary v2.0
SDP Glossary v2.0 SDP Glossary v2.0
SDP Glossary v2.0
 
Ten security product categories you've (probably) never heard of
Ten security product categories you've (probably) never heard ofTen security product categories you've (probably) never heard of
Ten security product categories you've (probably) never heard of
 
Beyond the mcse red teaming active directory
Beyond the mcse  red teaming active directoryBeyond the mcse  red teaming active directory
Beyond the mcse red teaming active directory
 
Microsoft Avanced Threat Analytics
Microsoft Avanced Threat AnalyticsMicrosoft Avanced Threat Analytics
Microsoft Avanced Threat Analytics
 
How to Overcome Network Access Control Limitations for Better Network Security
How to Overcome Network Access Control Limitations for Better Network SecurityHow to Overcome Network Access Control Limitations for Better Network Security
How to Overcome Network Access Control Limitations for Better Network Security
 
Extending Amazon GuardDuty with Cloud Insight Essentials
Extending Amazon GuardDuty with Cloud Insight Essentials Extending Amazon GuardDuty with Cloud Insight Essentials
Extending Amazon GuardDuty with Cloud Insight Essentials
 
SAP Security
SAP SecuritySAP Security
SAP Security
 

Similar to Enterprise Cloud Security - Concepts Mash-up

Security testing of mobile applications
Security testing of mobile applicationsSecurity testing of mobile applications
Security testing of mobile applications
GTestClub
 

Similar to Enterprise Cloud Security - Concepts Mash-up (20)

Security in the cloud protecting your cloud apps
Security in the cloud   protecting your cloud appsSecurity in the cloud   protecting your cloud apps
Security in the cloud protecting your cloud apps
 
Automating your AWS Security Operations
Automating your AWS Security OperationsAutomating your AWS Security Operations
Automating your AWS Security Operations
 
Making Security Approachable for Developers and Operators
Making Security Approachable for Developers and OperatorsMaking Security Approachable for Developers and Operators
Making Security Approachable for Developers and Operators
 
Invited Talk - Cyber Security and Open Source
Invited Talk - Cyber Security and Open SourceInvited Talk - Cyber Security and Open Source
Invited Talk - Cyber Security and Open Source
 
Automating your AWS Security Operations
Automating your AWS Security OperationsAutomating your AWS Security Operations
Automating your AWS Security Operations
 
Encryption in the Cloud
Encryption in the CloudEncryption in the Cloud
Encryption in the Cloud
 
Understanding Application Threat Modelling & Architecture
 Understanding Application Threat Modelling & Architecture Understanding Application Threat Modelling & Architecture
Understanding Application Threat Modelling & Architecture
 
Top 10 cloud security tools to adopt in 2024.pdf
Top 10 cloud security tools to adopt in 2024.pdfTop 10 cloud security tools to adopt in 2024.pdf
Top 10 cloud security tools to adopt in 2024.pdf
 
TechTalk 2021: Peran IT Security dalam Penerapan DevOps
TechTalk 2021: Peran IT Security dalam Penerapan DevOpsTechTalk 2021: Peran IT Security dalam Penerapan DevOps
TechTalk 2021: Peran IT Security dalam Penerapan DevOps
 
개발자가 알아야 할 보안
개발자가 알아야 할 보안개발자가 알아야 할 보안
개발자가 알아야 할 보안
 
00. introduction to app sec v3
00. introduction to app sec v300. introduction to app sec v3
00. introduction to app sec v3
 
ASMC 2017 - Martin Vliem - Security < productivity < security: syntax ...
ASMC 2017 - Martin Vliem -  Security < productivity < security: syntax ...ASMC 2017 - Martin Vliem -  Security < productivity < security: syntax ...
ASMC 2017 - Martin Vliem - Security < productivity < security: syntax ...
 
Application security meetup - cloud security best practices 24062021
Application security meetup - cloud security best practices 24062021Application security meetup - cloud security best practices 24062021
Application security meetup - cloud security best practices 24062021
 
For Business's Sake, Let's focus on AppSec
For Business's Sake, Let's focus on AppSecFor Business's Sake, Let's focus on AppSec
For Business's Sake, Let's focus on AppSec
 
The Principles of Secure Development - BSides Las Vegas 2009
The Principles of Secure Development - BSides Las Vegas 2009The Principles of Secure Development - BSides Las Vegas 2009
The Principles of Secure Development - BSides Las Vegas 2009
 
Android App Hacking - Erez Metula, AppSec
Android App Hacking - Erez Metula, AppSecAndroid App Hacking - Erez Metula, AppSec
Android App Hacking - Erez Metula, AppSec
 
Security testing of mobile applications
Security testing of mobile applicationsSecurity testing of mobile applications
Security testing of mobile applications
 
Sql server security in an insecure world
Sql server security in an insecure worldSql server security in an insecure world
Sql server security in an insecure world
 
Building a Security Architecture
Building a Security ArchitectureBuilding a Security Architecture
Building a Security Architecture
 
Securely Harden Microsoft 365 with Secure Score
Securely Harden Microsoft 365 with Secure ScoreSecurely Harden Microsoft 365 with Secure Score
Securely Harden Microsoft 365 with Secure Score
 

Recently uploaded

Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
WSO2
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
?#DUbAI#??##{{(☎️+971_581248768%)**%*]'#abortion pills for sale in dubai@
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 

Recently uploaded (20)

Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challenges
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectors
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
Vector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptxVector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptx
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
Platformless Horizons for Digital Adaptability
Platformless Horizons for Digital AdaptabilityPlatformless Horizons for Digital Adaptability
Platformless Horizons for Digital Adaptability
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with Milvus
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistan
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
 

Enterprise Cloud Security - Concepts Mash-up

  • 1. Copyright © 2014, Oracle and/or its affiliates. All rights reserved.1 DILEEP KALIDINDI 23rd June 2015 Securing Enterprise & Cloud Applications Concept Mashup #Cryptography #CloudSecurity #SecureCoding #PenentrationTesting
  • 2. About Me ..!!  Dileep Varma Kalidindi  Senior Engineer @Responsys (since Apr’14), Circles Team.  Fascination: Problem Solving , Distributed & BigData churning systems.  Past: 8+yrs with VeriSign, Informatica Labs, NTT Data.
  • 3.  As an Aam Admi (Not Jhadu wala app) - ? Had your (Digital) assets ever been hacked ? ? How many phishing/malware emails do you have in your Gmail inbox ?  As a Cloud Product Engineer ? Application Security - What scares hell out of you. ? Can you host Responsys Customer Credit cards information on some Oracle Cloud X product. ? Did you ever do a HotFix to fix a Security vulnerability in your code ? Do we have an explicit Secure coding check list & Security testing as part of Release deliverables  Absolute Security is a myth !! What do you think ?
  • 4.  HeartBleed Bug at SSL/TLS – view data over HTTPS Open SSL 1.1 Encryption flaw – missing validation on a variable (length)  Data breach on Target, HomeDepot - POS system – 56m Creditcard details & 53m emails  APPLE ROT’s – Man in the middle attack through SSL encryption flaw – celebrity pictures exposed.  Drupal Boogey man – SQL Injection attack  Facebook scams – 8,50,000 – cost in 2014 > 12.5 B$  3rd party apps- Drop box passwords leaked, Snapchat images leaked  Stuxnet, FLAME Secure world – Reality – Top 2014 flaws
  • 5. Agenda  Cyber Threats and Impact  Crypto Concepts  Cloud - Data security considerations  Java Security Landscape  Secure Coding practices  Pen Testing  DEMO
  • 6. Attack landscape – basic identification  Attacks – Secrecy (Stealing), Integrity (Phishing), Availability (DoS) & APT’s (persistent)  Attack vectors – path by which an attack takes places Kernal/Design flaws – Buffer overflow (Stack/heap) – Insufficient Input validation (Injection) – Misconfiguration – Symlinks – File Descriptors – Race conditions – Incorrect permissions – Social engineering.  Operational Impact Denial of Service – host/network/distributed, Installed Malware (Remote code), Web/Root/User compromise  Informational Impact Distort – Disrupt – Destruct – Disclosure & Discovery  Target Systems OS (Kernal/user/Driver), Network, Application (Server, DB, Email, Web & Client)
  • 7. Cryptography – Back to basics & concepts 5 April 2016 7
  • 8. Cryptography - Basics & Concepts  Security Goals • Data Integrity, Authentication, Non repudiation, Confidentiality & Trust • Deals with making communications and storage secure.  Encryption / Decryption • Encryption: clear-text message to cipher-text • Decryption: Cypher-text to clear-text  Types of encryption algorithms • Symmetric Key. • Asymmetric Key.
  • 9. Cryptography - Hashes  Infeasible to reverse – 1 way encryption  Variable-length input string to a short fixed-length binary sequence.  Efficient – easy to compute, Infeasible to craft collisions  Used for storage of passwords  Algos– MD 5 128 bits (Broken), SHA1 160b & SHA – 256 & 512  Attacks – Dictionary / Rainbow attacks – Hash collision  Mitigation – Use random salts, SHA-256,2 factor auth
  • 10. Symmetric Crypto - Overview  Symmetric – Same key used for encryption and decryption  Need a mechanism to exchange the shared key securely.  Key must be secret and safely stored.  For Storage and secure transmission  Key ciphers are efficient  Inexpensive in Strength, encryption/decryption  Algos – DES, 3 DES, AES, RC4  Attack – Cryptanalysis & Key compromise  Mitigation – secure key store
  • 11. Asymmetric Crypto - Overview  Public key is published to all & Private key is a secret (to be stored)  Encrypt with one key & decrypt with other  Infeasible to compute private key from public key  Smaller keys are efficient Longer keys have higher crypto strength  Secure Communications – Key exchange during session establishment – SSL, PGP & SSH  Mechanisms – Digital Signatures & Certificates
  • 12. Digital Signatures - Overview  Hashing & Asymmetric crypto  Data is cleartext but Signature is hashed  Alog – RSA/SHA-x, DSA  Applications – PGP Signed emails, - SSL Certs
  • 13. Digital Certificates- Signatures + Chain of trust  Builds on Digital signature & PKI  Certificate - Digitally signed public key - Is Public & valid for a time - Certifie that pulic key identifies subject - Affixed with CA signature  Chain of trust with CA’s – VeriSign, Symantec
  • 14. Data security considerations for Cloud 5 April 2016 14
  • 15. Cloud data security - Issues  Data security is crucial for enterprises and protection is vital for reputation.  Cloud Computing adoption – major deterrent is Data Security Concern. • Data moves out of enterprise boundaries • Trust on cloud providers • Shared infrastructure.  Benefits are compelling if comprehensive and non-intrusive data security.  Top Cloud data security issues - Gartner  Xen Hypervisor virtualization bug  Breach notification and data residency  Encryption key management & resiliency of encryption system.
  • 16. Cloud data security – Who is responsible  Encryption of data (sent to Cloud) is always a good practice  Different level of providers for overall security  Shared infrastructure can make a Security breach higher.  API’s allow many admin functions – weakness in API can be catastrophic.  Encryption layers:  Higher level encryption can protect but hard (& in efficient)  Still who has the keys ? – provider  Disks encrypted by provider – he can see the content  File systems encrypted by provider – he can see file content !!
  • 17. Manage your cloud  1-way hashes :  Store passwords in db with 1-way hashes with salt for Apps hosted by you (in cloud).  Symmetric Crypto:  Secure way to store uploaded data, sensitive personal information in databases, VM images, emails etc.  Encrypt sensitive data stores in database, search indexes in the apps provided by you.  Asymmetric crypto:  Use HTTPS for all confidential exchanges  Sign emails especially for input emails that trigger workflow action.  Implement Certificate-based client authentication properly.
  • 18. Cloud data security - trends  Hardware Security Modules (HSM)  Cryptographic black box – input data comes out transformed (crypto)  Secure & tamper – resistent storage for high – value keys  Cloud Encryption gateways  Fully homomorphic encryption (Advanced research)
  • 19. Java Security Landscape 5 April 2016 19
  • 20. Security Overview - Java  Java platform at core Type safety, Auto GC, Secure class loading & Verification.  Basic principles Implementation independence, interoperability & Algo extensibility.  Robust Bytecode verification and class loading.  API’s to integrate Security into Java application code, Cryptography, PKI (Public key infra), Authentication, Secure comm & Access control
  • 21. Security model - evolution  JDK 1.0 – allowed trusted (in JVM) & untrusted Remote code in Sandbox (Applets)  JDK 1.1 – allowed trusted remotecode in JVM  Java 2 Platform Security Model
  • 23. Security model – policy stages
  • 24.  Secure Class loading  PKI – Public Key Cryptography –Secure exchange of information keys, certificates, public key encryption, and trusted Certification Authorities (CAs) PKI tools – keytool, jarsigner  Secure Communication – SSL / TLS, SASL, GSS-API & Kerbos Other concepts:
• 25. Secure Coding Practices
• 26. Secure Coding – safeguard from Injection
 Avoid injection attacks –
 SQL Injection – injecting SQL snippets into un-sanitized form fields.
 Regex Injection – sanitize regular expressions (in search fields)
 Log Injection – do not log un-sanitized inputs
Coding errors are the major cause of software vulnerabilities – 64 percent of 2500 in the National Vulnerability Database
Comprehensive list @ CERT Standards
Let's drive by code
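The three injection sinks on this slide in Java, as an added example that is not the deck's own demo code: the string-built SQL beside a PreparedStatement, a search term quoted before it becomes a regex, and a log sanitizer that strips control characters. The table, column and method names are constructed for the example.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.regex.Pattern;

/** The three injection sinks from the slide: the unsafe form beside the safeguarded one. */
public final class InjectionSafe {

    // UNSAFE: the value becomes part of the SQL text, so a quote in it rewrites the query.
    public static String unsafeQuery(String userName) {
        return "SELECT id FROM users WHERE name = '" + userName + "'";
    }

    // SAFE: the SQL text is fixed; the driver sends the value separately as a bound parameter.
    public static Integer findUserId(Connection db, String userName) throws SQLException {
        try (PreparedStatement ps = db.prepareStatement("SELECT id FROM users WHERE name = ?")) {
            ps.setString(1, userName);   // never spliced into the statement text
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next() ? rs.getInt("id") : null;
            }
        }
    }

    // SAFE: a search term is matched literally, so metacharacters cannot change the pattern
    // or trigger catastrophic backtracking.
    public static boolean matchesSearchTerm(String haystack, String userTerm) {
        Pattern p = Pattern.compile(Pattern.quote(userTerm), Pattern.CASE_INSENSITIVE);
        return p.matcher(haystack).find();
    }

    // SAFE: replace CR/LF and other control characters so one field cannot forge extra
    // log records, and cap the length so a single field cannot flood the log.
    public static String forLog(String input) {
        if (input == null) return "null";
        String cleaned = input.replaceAll("\\p{Cntrl}", "_");
        return cleaned.length() > 200 ? cleaned.substring(0, 200) + "..." : cleaned;
    }

    public static void main(String[] args) {
        System.out.println(unsafeQuery("x' OR '1'='1"));               // constructed: shows the rewritten SQL
        System.out.println(matchesSearchTerm("price (a+)+ list", "(a+)+"));
        System.out.println(forLog("user=alice\n2015-06-23 INFO login ok for admin"));
    }
}
```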
• 27. Secure Coding – avoid Cross site scripting
 XSS – injection of client-side malicious script into web pages through web requests or un-validated dynamic content.
 Mozilla XSS-Me demo
 Reflected (non-persistent) vs Persistent XSS attacks – demo (http://testasp.vulnweb.com/search.asp)
• Injected through data in HTTP query params or form submissions
• Non-validated user-supplied input in the response can cause this.
• When user script input is stored on the server it becomes a persistent attack. (Search user preferences)
 XSS Prevention Model
 Use HttpOnly flag on the session cookie (to avoid access by any JavaScript)
 Content Security Policy on the browser side
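The prevention model above applied to a reflected search page, as an added example that is not the deck's demo: output encoding of the reflected parameter, an HttpOnly/Secure session cookie, and a Content-Security-Policy header. It assumes the Servlet 3.0+ API is on the classpath; the class and parameter names are constructed.

```java
import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Reflected-XSS safeguards for a search page (assumes the Servlet 3.0+ API on the classpath). */
public final class SearchPageSafeguards {

    /** Encode the characters HTML treats specially so reflected input is displayed, not executed. */
    public static String htmlEncode(String s) {
        if (s == null) return "";
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '&':  out.append("&amp;");  break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#x27;"); break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    /** Session cookie that page scripts cannot read, plus a CSP that refuses inline script. */
    public static void hardenResponse(HttpServletResponse resp, String sessionId) {
        Cookie session = new Cookie("JSESSIONID", sessionId);
        session.setHttpOnly(true);   // not visible through document.cookie
        session.setSecure(true);     // only sent over HTTPS
        session.setPath("/");
        resp.addCookie(session);
        resp.setHeader("Content-Security-Policy", "default-src 'self'; script-src 'self'");
    }

    /** Reflects the search term into the page without letting it become markup. */
    public static void render(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        String q = req.getParameter("q");   // untrusted input, like the search field in the demo
        resp.setContentType("text/html; charset=UTF-8");
        try (PrintWriter w = resp.getWriter()) {
            w.println("<p>Results for: " + htmlEncode(q) + "</p>");
        }
    }

    public static void main(String[] args) {
        System.out.println(htmlEncode("<script>alert(1)</script>"));  // constructed probe string
    }
}
```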
  • 28. Secure Coding – avoid Cross site scripting
• 29. Security Coding practices – Java
 Prevent Denial of Service (DoS attacks)
 Avoid serving expensive requests (repeated large file downloads)
 Set limits for entity expansions and attributes (with XML) – XMLConstants.FEATURE_SECURE_PROCESSING
 Release all resources in all cases (finally block, or use try-with-resources)
 Best practices for Input Validation & Data Sanitization
 Do not trust contents of hidden form fields – sanitize them !!
 Perform String modifications before validations – (avoid XSS) – Java example
 Object orientation security practices
 Compare Class objects, not class names
 Source code analysis tools – BugScout, Pitbull SCC
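Three of the practices on this slide in one class, as an added example (not the deck's "Java example"): a DocumentBuilder with FEATURE_SECURE_PROCESSING and DOCTYPE disallowed, try-with-resources so the input stream is released on every path, and a Class comparison done on the Class object rather than its name. The class and method names are constructed.

```java
import java.io.ByteArrayInputStream;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.xml.sax.SAXParseException;

/** Parse untrusted XML with expansion limits and no DOCTYPE; release the stream in every case. */
public final class SafeXml {

    public static DocumentBuilder hardenedBuilder() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Turns on the JAXP entity-expansion and attribute limits from the slide.
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Refusing DOCTYPE altogether stops external entities and entity bombs before any expansion.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    /** Returns the root element name; the stream is closed whether parsing succeeds or throws. */
    public static String rootName(byte[] xml) throws Exception {
        try (InputStream in = new ByteArrayInputStream(xml)) {  // try-with-resources releases it
            Document doc = hardenedBuilder().parse(in);
            return doc.getDocumentElement().getTagName();
        }
    }

    /** Compare Class objects, not names: two "Order" classes from different loaders are different types. */
    public static boolean sameType(Object a, Object b) {
        return a.getClass() == b.getClass();
        // Wrong: a.getClass().getName().equals(b.getClass().getName()) is fooled by a name collision.
    }

    public static void main(String[] args) throws Exception {
        String benign = "<order><id>42</id></order>";                                  // constructed sample
        String withDoctype = "<!DOCTYPE order [<!ENTITY e \"x\">]><order>&e;</order>"; // constructed sample
        System.out.println(rootName(benign.getBytes(StandardCharsets.UTF_8)));
        try {
            rootName(withDoctype.getBytes(StandardCharsets.UTF_8));
        } catch (SAXParseException e) {
            System.out.println("rejected: " + e.getMessage());
        }
        System.out.println(sameType("a", "b") + " " + sameType("a", 1));
    }
}
```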
• 31. Penetration Testing
 Method to evaluate security of our web application – active analysis for vulnerabilities
 Hack your own application – before someone else does !!
 Testing phases – Setup, Passive phase & Active phase
 Attack Environment (Setup)
 Set up a simulator (with firewalls, LBs, proxies and production config for app servers).
 Try to penetrate as a stranger without any privileges on resources.
 What do we need?
 Reconnaissance about the app
 Right tools (plugins, exploit frameworks, crawlers)
 System to hack & mindset to crack !!
• 32. Pen Testing – Passive
 Reconnaissance – know your target
 Determine application types & versions
 Refer to latest vulnerabilities with OSVDB / NVD
 Observe regular application behaviour – RI
 Advanced Google searching, aka Google hacking: https://pentest-tools.com/reconnaissance/google-hacking
 Application mapping – https://pentest-tools.com
 Active Phase – attack plan
 Business logic
 Authentication, Authorization & Session Management
 Data Validation & Denial of Service
• 33. Pen Testing – Tools
 Fuzzing – automated or semi-automated way to provide invalid, unexpected or random data to the inputs of a computer program. Required technique to find SQL Injection, DDoS & XSS attacks.
 Tools:
 Exploit frameworks – Metasploit
 Web proxy – Burp, Paros, WebScarab
 Fuzzing – WSFuzzer
 Brute force – Brutus
 Password cracking – John the Ripper
 Scanner – W3AF and ZAP.
• 35. Links & References
• https://docs.oracle.com/javase/8/docs/technotes/guides/security/doprivileged.html#asserting_a_subset_of_privileges
• https://docs.oracle.com/javase/7/docs/technotes/guides/security/crypto/CryptoSpec.html#ProviderArch
• https://www.securecoding.cert.org/confluence/display/java/SEI+CERT+Oracle+Coding+Standard+for+Java
• https://pentest-tools.com
• http://techbus.safaribooksonline.com/book/programming/java/0201787911
• 37. Thank you