2. About Me ..!!
Dileep Varma Kalidindi
Senior Engineer @Responsys (since Apr’14), Circles Team.
Fascination: Problem solving, distributed & big-data churning systems.
Past: 8+yrs with VeriSign, Informatica Labs, NTT Data.
3. As an ordinary citizen (Aam Aadmi, not the broom party's app) -
? Have your (digital) assets ever been hacked?
? How many phishing/malware emails do you have in your Gmail inbox?
As a Cloud Product Engineer
? Application security – what scares the hell out of you?
? Can you host Responsys customer credit card information on some Oracle Cloud X product?
? Did you ever do a hotfix to fix a security vulnerability in your code?
? Do we have an explicit secure coding checklist & security testing as part of release deliverables?
Absolute Security is a myth !!
What do you think ?
4. Heartbleed bug in SSL/TLS – view data over HTTPS
OpenSSL 1.1 encryption flaw – missing validation on a variable (length)
Data breach at Target, Home Depot – POS system – 56m credit card details & 53m emails
Apple ROT's – man-in-the-middle attack through SSL encryption flaw – celebrity pictures exposed.
Drupal boogeyman – SQL injection attack
Facebook scams – 8,50,000 – cost in 2014 > 12.5 B$
3rd-party apps – Dropbox passwords leaked, Snapchat images leaked
Stuxnet, FLAME
Secure world – Reality – Top 2014 flaws
8. Cryptography - Basics & Concepts
Security Goals
• Data integrity, authentication, non-repudiation, confidentiality & trust
• Deals with making communications and storage secure.
Encryption / Decryption
• Encryption: clear-text message to cipher-text
• Decryption: cipher-text to clear-text
Types of encryption algorithms
• Symmetric Key.
• Asymmetric Key.
9. Cryptography - Hashes
Infeasible to reverse – one-way encryption
Variable-length input string to a short, fixed-length binary sequence.
Efficient – easy to compute; infeasible to craft collisions
Used for storage of passwords
Algos – MD5 128 bits (broken), SHA-1 160 bits & SHA-256 & SHA-512
Attacks – Dictionary / rainbow-table attacks – hash collision
Mitigation – Use random salts, SHA-256, 2-factor auth
10. Symmetric Crypto - Overview
Symmetric – Same key used for encryption and decryption
Need a mechanism to exchange the shared key securely.
Key must be secret and safely stored.
For Storage and secure transmission
Key ciphers are efficient
Inexpensive – good strength, fast encryption/decryption
Algos – DES, 3DES, AES, RC4
Attack – Cryptanalysis & key compromise
Mitigation – Secure key store
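The symmetric-crypto advice here and the slide 17 recommendation to encrypt sensitive database fields, shown as an added example (not code from the deck): AES-GCM field encryption in Java, which encrypts and authenticates a record so that any modification of the stored blob is detected on decrypt. The key comes from a key store or HSM in practice; the class name, the record layout and the sample card number are assumptions made here.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

public class FieldEncryption {
    private static final SecureRandom RNG = new SecureRandom();
    private static final int IV_BYTES = 12;  // GCM's standard nonce size
    private static final int TAG_BITS = 128; // authentication tag: tampered ciphertext fails to decrypt

    static SecretKey newKey() throws GeneralSecurityException {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256); // 256-bit AES needs the unlimited-strength policy on Java 8 before 8u161
        return kg.generateKey();
    }

    // Stored form: base64(iv || ciphertext || tag). A fresh random IV per record is mandatory with GCM.
    static String encrypt(SecretKey key, String plaintext) throws GeneralSecurityException {
        byte[] iv = new byte[IV_BYTES];
        RNG.nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, iv));
        byte[] ct = c.doFinal(plaintext.getBytes(StandardCharsets.UTF_8));
        byte[] blob = ByteBuffer.allocate(iv.length + ct.length).put(iv).put(ct).array();
        return Base64.getEncoder().encodeToString(blob);
    }

    static String decrypt(SecretKey key, String stored) throws GeneralSecurityException {
        byte[] blob = Base64.getDecoder().decode(stored);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, blob, 0, IV_BYTES));
        // doFinal throws AEADBadTagException if the blob was modified after encryption
        byte[] pt = c.doFinal(blob, IV_BYTES, blob.length - IV_BYTES);
        return new String(pt, StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws Exception {
        // The key itself belongs in a key store or HSM, never in code or next to the data.
        SecretKey key = newKey();
        String record = encrypt(key, "4111 1111 1111 1111"); // constructed sample card number
        System.out.println(record);
        System.out.println(decrypt(key, record));
    }
}
```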
11. Asymmetric Crypto - Overview
Public key is published to all & Private key is a secret (to be stored)
Encrypt with one key & decrypt with other
Infeasible to compute private key from public key
Smaller keys are efficient
Longer keys have higher crypto strength
Secure Communications – Key exchange during session establishment – SSL, PGP & SSH
Mechanisms – Digital Signatures & Certificates
12. Digital Signatures - Overview
Hashing & asymmetric crypto combined
Data stays cleartext; the signature is the hash of the data, signed with the private key
Algos – RSA/SHA-x, DSA
Applications – PGP signed emails, SSL certs
13. Digital Certificates- Signatures + Chain of trust
Builds on digital signatures & PKI
Certificate – digitally signed public key
- Is public & valid for a limited time
- Certifies that the public key identifies the subject
- Affixed with the CA's signature
Chain of trust with CAs – VeriSign, Symantec
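The RSA/SHA-x signature scheme from slide 12, worked through as an added example (not code from the deck): the message stays cleartext, the signer hashes it with SHA-256 and signs the digest with the private key, and a verifier holding only the public key detects any change to the text. The class name and the sample workflow message are assumptions made here.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Signature;
import java.security.SignatureException;
import java.util.Base64;

public class SignedMessage {
    static KeyPair newRsaKeyPair() throws GeneralSecurityException {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        return kpg.generateKeyPair();
    }

    // SHA256withRSA hashes the message with SHA-256 and signs the digest with the private key.
    static String sign(PrivateKey priv, String message) throws GeneralSecurityException {
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initSign(priv);
        s.update(message.getBytes(StandardCharsets.UTF_8));
        return Base64.getEncoder().encodeToString(s.sign());
    }

    // Anyone holding the public key can check the signature; the message itself stays cleartext.
    static boolean verify(PublicKey pub, String message, String sigB64) throws GeneralSecurityException {
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initVerify(pub);
        s.update(message.getBytes(StandardCharsets.UTF_8));
        try {
            return s.verify(Base64.getDecoder().decode(sigB64));
        } catch (SignatureException | IllegalArgumentException e) {
            return false; // malformed signature bytes count as invalid, not as an error
        }
    }

    public static void main(String[] args) throws Exception {
        KeyPair kp = newRsaKeyPair();
        String msg = "APPROVE payout 1200 to account 7781"; // constructed workflow-triggering email body
        String sig = sign(kp.getPrivate(), msg);
        System.out.println("valid:    " + verify(kp.getPublic(), msg, sig));
        System.out.println("tampered: " + verify(kp.getPublic(), msg.replace("1200", "9200"), sig));
    }
}
```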
15. Cloud data security - Issues
Data security is crucial for enterprises and protection is vital for reputation.
Cloud Computing adoption – major deterrent is Data Security Concern.
• Data moves out of enterprise boundaries
• Trust on cloud providers
• Shared infrastructure.
Benefits are compelling if data security is comprehensive and non-intrusive.
Top Cloud data security issues - Gartner
Xen Hypervisor virtualization bug
Breach notification and data residency
Encryption key management & resiliency of encryption system.
16. Cloud data security – Who is responsible
Encryption of data (sent to the cloud) is always a good practice
Responsibility for overall security is split across different levels of providers
Shared infrastructure raises the likelihood of a security breach.
APIs expose many admin functions – a weakness in an API can be catastrophic.
Encryption layers:
Higher-level encryption can protect, but it is hard (& inefficient)
Still, who has the keys? – the provider
Disks encrypted by the provider – the provider can see the content
File systems encrypted by the provider – the provider can see the file content !!
17. Manage your cloud
1-way hashes:
Store passwords in the DB as salted 1-way hashes for apps hosted by you (in the cloud).
Symmetric crypto:
Secure way to store uploaded data, sensitive personal information in databases, VM images, emails etc.
Encrypt sensitive data stores in the database and search indexes in the apps provided by you.
Asymmetric crypto:
Use HTTPS for all confidential exchanges
Sign emails, especially inbound emails that trigger workflow actions.
Implement certificate-based client authentication properly.
18. Cloud data security - trends
Hardware Security Modules (HSM)
Cryptographic black box – data goes in and comes out cryptographically transformed
Secure & tamper-resistant storage for high-value keys
Cloud encryption gateways
Fully homomorphic encryption (advanced research)
26. Secure Coding – safeguard from Injection
Avoid injection attacks –
SQL injection – injecting SQL snippets into un-sanitized form fields.
Regex injection – sanitize regular expressions (in search fields)
Log injection – do not log un-sanitized inputs
Coding errors are a major cause of software vulnerabilities
- 64% of 2500 in the National Vulnerability Database
Comprehensive list @ CERT Standards
Let's drive by code
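The three injection classes on this slide, side by side, as an added example (not code from the deck): string-built SQL beside a JDBC PreparedStatement, a search term quoted so it matches literally rather than running as a regex, and control characters neutralised before a value reaches the log. It assumes a JDBC Connection to a table users(name, email); the class name and the sample inputs are constructed here.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.regex.Pattern;

public class InjectionSafeInputs {
    // VULNERABLE: the input is spliced into the SQL text, so a quote in it rewrites the statement.
    static String vulnerableQuery(String userName) {
        return "SELECT email FROM users WHERE name = '" + userName + "'";
    }

    // SAFE: the statement text is fixed and the value travels as a bound parameter, never as SQL.
    static String lookupEmail(Connection conn, String userName) throws SQLException {
        try (PreparedStatement ps = conn.prepareStatement("SELECT email FROM users WHERE name = ?")) {
            ps.setString(1, userName);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next() ? rs.getString("email") : null;
            }
        }
    }

    // Regex injection: a search term from a form field must match literally, not run as a pattern.
    static Pattern literalSearch(String term) {
        return Pattern.compile(Pattern.quote(term), Pattern.CASE_INSENSITIVE);
    }

    // Log injection: neutralise CR/LF and other control characters so input cannot forge log lines.
    static String forLog(String input) {
        return input.replaceAll("\\p{Cntrl}", "_");
    }

    public static void main(String[] args) {
        // Constructed inputs: a legitimate name with an apostrophe, and a value carrying a line break.
        String name = "O'Brien";
        System.out.println(vulnerableQuery(name)); // the apostrophe unbalances the quotes: different SQL
        System.out.println(literalSearch("a.b").matcher("axb").find());   // '.' is matched literally
        System.out.println(literalSearch("a.b").matcher("xa.by").find()); // the literal term is found
        System.out.println("login name=" + forLog("alice\nWARN admin login ok"));
    }
}
```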
27. Secure Coding – avoid Cross site scripting
XSS – injection of client-side malicious script into web pages through web requests or un-validated dynamic content.
Mozilla XSS-Me demo
Reflected (non-persistent) vs persistent XSS attacks – demo (http://testasp.vulnweb.com/search.asp)
• Injected through data in HTTP query params or form submissions
• Non-validated user-supplied input echoed in the response can cause this.
• When user-supplied script input is stored on the server it becomes a persistent attack. (Search, user preferences)
XSS prevention model
Use the HttpOnly flag on the session cookie (to avoid access by any JavaScript)
Content Security Policy on the browser side
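The prevention model above applied to a reflected search page, as an added example (not code from the deck): the search term is HTML-encoded before it is echoed, the session cookie carries HttpOnly and Secure, and a Content-Security-Policy header is sent. It uses the JDK's built-in com.sun.net.httpserver; the class name, port, cookie name and the "whole query string is the term" convention are assumptions made here.

```java
import com.sun.net.httpserver.HttpServer;
import java.io.IOException;
import java.io.OutputStream;
import java.net.InetSocketAddress;
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Base64;

public class XssSafeSearch {
    private static final SecureRandom RNG = new SecureRandom();
    // Encode the characters that change meaning in an HTML text context before reflecting input.
    static String htmlEncode(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#x27;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }
    // Random, unguessable session id (constructed for the example; a real app uses its session store).
    static String newSessionId() {
        byte[] sid = new byte[16];
        RNG.nextBytes(sid);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(sid);
    }
    public static void main(String[] args) throws IOException {
        HttpServer server = HttpServer.create(new InetSocketAddress(8080), 0);
        server.createContext("/search", ex -> {
            String raw = ex.getRequestURI().getRawQuery(); // GET /search?<term>
            String term = URLDecoder.decode(raw == null ? "" : raw, "UTF-8");
            // HttpOnly: JavaScript cannot read the cookie; Secure: it is never sent over plain HTTP.
            ex.getResponseHeaders().add("Set-Cookie", "SESSIONID=" + newSessionId() + "; HttpOnly; Secure; SameSite=Strict");
            // CSP: only same-origin script files may run, so inline script in a reflected value is blocked.
            ex.getResponseHeaders().add("Content-Security-Policy", "default-src 'self'");
            ex.getResponseHeaders().add("Content-Type", "text/html; charset=utf-8");
            byte[] body = ("<html><body><p>Results for: " + htmlEncode(term) + "</p></body></html>").getBytes(StandardCharsets.UTF_8);
            ex.sendResponseHeaders(200, body.length);
            try (OutputStream os = ex.getResponseBody()) { os.write(body); }
        });
        server.start();
    }
}
```

Request /search?%3Cb%3Ehi%3C%2Fb%3E with a browser and the tag arrives as visible text rather than markup, while the cookie is absent from document.cookie.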
29. Security Coding practices - Java
Prevent Denial of Service (DoS) attacks
Avoid serving expensive requests (repeated large file downloads)
Set limits for entity expansions and attributes (with XML) – XMLConstants.FEATURE_SECURE_PROCESSING
Release all resources in all cases (finally block, or use try-with-resources)
Best practices for input validation & data sanitization
Do not trust the contents of hidden form fields – sanitize them !!
Perform string modifications before validation – (avoid XSS) – Java example
Object-orientation security practices
Compare Class objects, not class names
Source code analysis tools – BugScout, Pitbull SCC
31. Penetration Testing
Method to evaluate security of our web application – active analysis for vulnerabilities
Hack your own application – before someone does !!
Testing Phases – SetUp, Passive Phase & Active phase
Attack Environment (SetUp)
Set up a simulator (with firewalls, LBs, proxies and production config for app servers).
Try to penetrate as a stranger without any privileges on resources.
What do we need ?
Reconnaissance about the app
Right tools (Plugins, Exploit frameworks, Crawlers)
System to Hack & Mindset to Crack !!
32. Pen Testing – Passive
Reconnaissance – Know your target
Determine application types & versions
Refer to latest vulnerabilities with OSVDB / NVD
Observe regular application behaviour – RI
Advanced Google searching, aka Google hacking https://pentest-tools.com/reconnaissance/google-hacking
Application mapping - https://pentest-tools.com
Active Phase – attack plan
Business logic
Authentication, Authorization & Session Management
Data Validation & Denial of Service
33. Pen Testing – Tools
Fuzzing – automated or semi-automated way to provide invalid, unexpected or random data to the inputs of a computer program.
Required technique to find SQL injection, DDoS & XSS weaknesses.
Tools:
Exploit frameworks – Metasploit
Web proxy – Burp, Paros, WebScarab
Fuzzing – WSFuzzer
Brute force – Brutus
Password cracking – John the Ripper
Scanner – W3AF and ZAP.