SlideShare a Scribd company logo

Well-Intentioned Paper Tigers - Misconceptions and Knowledge Gaps in Security

Download as ODP, PDF
N
Nash van Gool

As developers, we learn far too little about security. What’s worse, what we do learn is usually focused on the what and how, rather than the why of things. This leads to a number of security issues caused by developers acting with the best of intentions, but either not completely hitting the mark or sometimes doing more harm than good. In this talk I seek to address this issue, fill in some gaps, and give some examples on where misunderstandings can lead to problems. Expect answers to questions like “can salts be sequential,” “how do I safely accept encrypted inputs from my users” and “how do I properly do password resets?”

Technology
1 of 20
1 Well-intentioned paper tigers Misconceptions and knowledge gaps in security
2 About me ● Backend developer ● Security enthusiast ● Food lover ● @vangool_it
3 Why is security so hard? ● Enormous field ● Unclear definition ● Moving target ● Unexpected angles ● Human factor ● Lack of education
4 Secrets ● Plaintext secrets ● Secrets in source control ● Public secrets
5 Passwords
6 Password policies ● Too complicated ● Limiting length ● Not allowing password managers ● Unlimited length ● Character restrictions
7 Password hashing ● Algorithms ● Salts ● Rehashing
8 Password resets ● Security questions ● Token generation ● Database lookups ● Token comparisons ● Token lifetime
9 Authentication and authorization
10 Access controls ● Referer checking ● IP-based access controls ● Secret URLs ● Insecure direct object references
11 User Impersonation ● Visible passwords ● Forged tokens ● Login as user
12 Server security
13 Leaking information ● Error messages ● Publicly accessible log files ● Software versions ● Path/file traversal ● Source control directories
14 File uploads ● Extension checking ● Metadata checking ● File validity checking ● Validation in general
15 Limiting access ● Running everything as the same user ● Not having a separate web server user ● The docker group ● Mounting the docker socket in containers
16 Cryptography
17 Weak implementations ● Custom cryptography ● Weak algorithms ● Easily broken keys or IVs ● Key reuse ● Lack of signing
18 Leaking information ● Leaking cryptographic keys ● Meaningful error messages (padding oracles!) ● Timing attacks ● ...
19 Security through obscurity
20 Thank you Any questions?

Recommended

Mack Hardy: Five practical things you can do to secure your online self. Poli...
Mack Hardy: Five practical things you can do to secure your online self. Poli...Mack Hardy: Five practical things you can do to secure your online self. Poli...
Mack Hardy: Five practical things you can do to secure your online self. Poli...NetSquared Vancouver
 
Security is not a feature
Security is not a featureSecurity is not a feature
Security is not a featureElizabeth Smith
 
apidays LIVE London 2021 - Securing PII at runtime by Rob Dickinson, Resurfac...
apidays LIVE London 2021 - Securing PII at runtime by Rob Dickinson, Resurfac...apidays LIVE London 2021 - Securing PII at runtime by Rob Dickinson, Resurfac...
apidays LIVE London 2021 - Securing PII at runtime by Rob Dickinson, Resurfac...apidays
 
Understanding and implementing website security
Understanding and implementing website securityUnderstanding and implementing website security
Understanding and implementing website securityDrew Gorton
 
Data security in the age of GDPR – most common data security problems
Data security in the age of GDPR – most common data security problemsData security in the age of GDPR – most common data security problems
Data security in the age of GDPR – most common data security problemsExove
 
CISSP Week 13
CISSP Week 13CISSP Week 13
CISSP Week 13jemtallon
 
Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...
Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...
Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...Michael Pirnat
 
Drupal and security - Advice for Site Builders and Coders
Drupal and security - Advice for Site Builders and CodersDrupal and security - Advice for Site Builders and Coders
Drupal and security - Advice for Site Builders and CodersArunkumar Kupppuswamy
 

Recommended

Mack Hardy: Five practical things you can do to secure your online self. Poli...
Mack Hardy: Five practical things you can do to secure your online self. Poli...Mack Hardy: Five practical things you can do to secure your online self. Poli...
Mack Hardy: Five practical things you can do to secure your online self. Poli...NetSquared Vancouver
 
Security is not a feature
Security is not a featureSecurity is not a feature
Security is not a featureElizabeth Smith
 
apidays LIVE London 2021 - Securing PII at runtime by Rob Dickinson, Resurfac...
apidays LIVE London 2021 - Securing PII at runtime by Rob Dickinson, Resurfac...apidays LIVE London 2021 - Securing PII at runtime by Rob Dickinson, Resurfac...
apidays LIVE London 2021 - Securing PII at runtime by Rob Dickinson, Resurfac...apidays
 
Understanding and implementing website security
Understanding and implementing website securityUnderstanding and implementing website security
Understanding and implementing website securityDrew Gorton
 
Data security in the age of GDPR – most common data security problems
Data security in the age of GDPR – most common data security problemsData security in the age of GDPR – most common data security problems
Data security in the age of GDPR – most common data security problemsExove
 
CISSP Week 13
CISSP Week 13CISSP Week 13
CISSP Week 13jemtallon
 
Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...
Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...
Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...Michael Pirnat
 
Drupal and security - Advice for Site Builders and Coders
Drupal and security - Advice for Site Builders and CodersDrupal and security - Advice for Site Builders and Coders
Drupal and security - Advice for Site Builders and CodersArunkumar Kupppuswamy
 
Security 101: Protecting Data with Encryption, Tokenization & Anonymization
Security 101: Protecting Data with Encryption, Tokenization & AnonymizationSecurity 101: Protecting Data with Encryption, Tokenization & Anonymization
Security 101: Protecting Data with Encryption, Tokenization & AnonymizationPrecisely
 
Ohm2013 'defeating trojans' slides
Ohm2013 'defeating trojans' slidesOhm2013 'defeating trojans' slides
Ohm2013 'defeating trojans' slidesRob Meijer
 
Security - Drupal Decision Makers training
Security - Drupal Decision Makers trainingSecurity - Drupal Decision Makers training
Security - Drupal Decision Makers trainingscorlosquet
 
Passwords
PasswordsPasswords
PasswordsKevin OBrien
 
Manage Artifact Versioning, Security and Compliance
Manage Artifact Versioning, Security and ComplianceManage Artifact Versioning, Security and Compliance
Manage Artifact Versioning, Security and ComplianceEng Teong Cheah
 
Data Driven Public Services - Stuart Harrison
Data Driven Public Services - Stuart HarrisonData Driven Public Services - Stuart Harrison
Data Driven Public Services - Stuart HarrisonFutureGov
 
Security 101: Protecting Data with Encryption, Tokenization & Anonymization
Security 101: Protecting Data with Encryption, Tokenization & AnonymizationSecurity 101: Protecting Data with Encryption, Tokenization & Anonymization
Security 101: Protecting Data with Encryption, Tokenization & AnonymizationPrecisely
 
Living With Passwords: Personal Password Management
Living With Passwords: Personal Password ManagementLiving With Passwords: Personal Password Management
Living With Passwords: Personal Password ManagementNuno Loureiro
 
Mobile security, OWASP Mobile Top 10, OWASP Seraphimdroid
Mobile security, OWASP Mobile Top 10, OWASP SeraphimdroidMobile security, OWASP Mobile Top 10, OWASP Seraphimdroid
Mobile security, OWASP Mobile Top 10, OWASP SeraphimdroidNikola Milosevic
 
Security bigdata
Security bigdataSecurity bigdata
Security bigdataJitendra Chauhan
 
Security Best Practices for your Postgres Deployment
Security Best Practices for your Postgres DeploymentSecurity Best Practices for your Postgres Deployment
Security Best Practices for your Postgres DeploymentPGConf APAC
 
PgDay Asia 2016 - Security Best Practices for your Postgres Deployment
PgDay Asia 2016 - Security Best Practices for your Postgres DeploymentPgDay Asia 2016 - Security Best Practices for your Postgres Deployment
PgDay Asia 2016 - Security Best Practices for your Postgres DeploymentAshnikbiz
 
Hallwaze security snapshot
Hallwaze security snapshotHallwaze security snapshot
Hallwaze security snapshothallwaze_1
 
Securing your WordPress powered Website
Securing your WordPress powered WebsiteSecuring your WordPress powered Website
Securing your WordPress powered WebsitePratik Jagdishwala
 
Web security for app developers
Web security for app developersWeb security for app developers
Web security for app developersPablo Gazmuri
 
Introduction to Web Application Security - Blackhoodie US 2018
Introduction to Web Application Security - Blackhoodie US 2018Introduction to Web Application Security - Blackhoodie US 2018
Introduction to Web Application Security - Blackhoodie US 2018Niranjanaa Ragupathy
 
TEST BANK For, Information Technology Project Management 9th Edition Kathy Sc...
TEST BANK For, Information Technology Project Management 9th Edition Kathy Sc...TEST BANK For, Information Technology Project Management 9th Edition Kathy Sc...
TEST BANK For, Information Technology Project Management 9th Edition Kathy Sc...marcuskenyatta275
 
Microsoft CSP Briefing Pre-Engagement - Questionnaire
Microsoft CSP Briefing Pre-Engagement - QuestionnaireMicrosoft CSP Briefing Pre-Engagement - Questionnaire
Microsoft CSP Briefing Pre-Engagement - QuestionnaireExakis Nelite
 
Where to Learn More About FDO _ Richard at FIDO Alliance.pdf
Where to Learn More About FDO _ Richard at FIDO Alliance.pdfWhere to Learn More About FDO _ Richard at FIDO Alliance.pdf
Where to Learn More About FDO _ Richard at FIDO Alliance.pdfFIDO Alliance
 
Linux Foundation Edge _ Overview of FDO Software Components _ Randy at Intel.pdf
Linux Foundation Edge _ Overview of FDO Software Components _ Randy at Intel.pdfLinux Foundation Edge _ Overview of FDO Software Components _ Randy at Intel.pdf
Linux Foundation Edge _ Overview of FDO Software Components _ Randy at Intel.pdfFIDO Alliance
 
Intro to Passkeys and the State of Passwordless.pptx
Intro to Passkeys and the State of Passwordless.pptxIntro to Passkeys and the State of Passwordless.pptx
Intro to Passkeys and the State of Passwordless.pptxFIDO Alliance
 
Choosing the Right FDO Deployment Model for Your Application _ Geoffrey at In...
Choosing the Right FDO Deployment Model for Your Application _ Geoffrey at In...Choosing the Right FDO Deployment Model for Your Application _ Geoffrey at In...
Choosing the Right FDO Deployment Model for Your Application _ Geoffrey at In...FIDO Alliance
 

More Related Content

Similar to Well-Intentioned Paper Tigers - Misconceptions and Knowledge Gaps in Security

Security 101: Protecting Data with Encryption, Tokenization & Anonymization
Security 101: Protecting Data with Encryption, Tokenization & AnonymizationSecurity 101: Protecting Data with Encryption, Tokenization & Anonymization
Security 101: Protecting Data with Encryption, Tokenization & AnonymizationPrecisely
 
Ohm2013 'defeating trojans' slides
Ohm2013 'defeating trojans' slidesOhm2013 'defeating trojans' slides
Ohm2013 'defeating trojans' slidesRob Meijer
 
Security - Drupal Decision Makers training
Security - Drupal Decision Makers trainingSecurity - Drupal Decision Makers training
Security - Drupal Decision Makers trainingscorlosquet
 
Manage Artifact Versioning, Security and Compliance
Manage Artifact Versioning, Security and ComplianceManage Artifact Versioning, Security and Compliance
Manage Artifact Versioning, Security and ComplianceEng Teong Cheah
 
Data Driven Public Services - Stuart Harrison
Data Driven Public Services - Stuart HarrisonData Driven Public Services - Stuart Harrison
Data Driven Public Services - Stuart HarrisonFutureGov
 
Security 101: Protecting Data with Encryption, Tokenization & Anonymization
Security 101: Protecting Data with Encryption, Tokenization & AnonymizationSecurity 101: Protecting Data with Encryption, Tokenization & Anonymization
Security 101: Protecting Data with Encryption, Tokenization & AnonymizationPrecisely
 
Living With Passwords: Personal Password Management
Living With Passwords: Personal Password ManagementLiving With Passwords: Personal Password Management
Living With Passwords: Personal Password ManagementNuno Loureiro
 
Mobile security, OWASP Mobile Top 10, OWASP Seraphimdroid
Mobile security, OWASP Mobile Top 10, OWASP SeraphimdroidMobile security, OWASP Mobile Top 10, OWASP Seraphimdroid
Mobile security, OWASP Mobile Top 10, OWASP SeraphimdroidNikola Milosevic
 
Security Best Practices for your Postgres Deployment
Security Best Practices for your Postgres DeploymentSecurity Best Practices for your Postgres Deployment
Security Best Practices for your Postgres DeploymentPGConf APAC
 
PgDay Asia 2016 - Security Best Practices for your Postgres Deployment
PgDay Asia 2016 - Security Best Practices for your Postgres DeploymentPgDay Asia 2016 - Security Best Practices for your Postgres Deployment
PgDay Asia 2016 - Security Best Practices for your Postgres DeploymentAshnikbiz
 
Hallwaze security snapshot
Hallwaze security snapshotHallwaze security snapshot
Hallwaze security snapshothallwaze_1
 
Securing your WordPress powered Website
Securing your WordPress powered WebsiteSecuring your WordPress powered Website
Securing your WordPress powered WebsitePratik Jagdishwala
 
Web security for app developers
Web security for app developersWeb security for app developers
Web security for app developersPablo Gazmuri
 
Introduction to Web Application Security - Blackhoodie US 2018
Introduction to Web Application Security - Blackhoodie US 2018Introduction to Web Application Security - Blackhoodie US 2018
Introduction to Web Application Security - Blackhoodie US 2018Niranjanaa Ragupathy
 

Similar to Well-Intentioned Paper Tigers - Misconceptions and Knowledge Gaps in Security (16)

Security 101: Protecting Data with Encryption, Tokenization & Anonymization
Security 101: Protecting Data with Encryption, Tokenization & AnonymizationSecurity 101: Protecting Data with Encryption, Tokenization & Anonymization
Security 101: Protecting Data with Encryption, Tokenization & Anonymization
 
Ohm2013 'defeating trojans' slides
Ohm2013 'defeating trojans' slidesOhm2013 'defeating trojans' slides
Ohm2013 'defeating trojans' slides
 
Security - Drupal Decision Makers training
Security - Drupal Decision Makers trainingSecurity - Drupal Decision Makers training
Security - Drupal Decision Makers training
 
Passwords
PasswordsPasswords
Passwords
 
Manage Artifact Versioning, Security and Compliance
Manage Artifact Versioning, Security and ComplianceManage Artifact Versioning, Security and Compliance
Manage Artifact Versioning, Security and Compliance
 
Data Driven Public Services - Stuart Harrison
Data Driven Public Services - Stuart HarrisonData Driven Public Services - Stuart Harrison
Data Driven Public Services - Stuart Harrison
 
Security 101: Protecting Data with Encryption, Tokenization & Anonymization
Security 101: Protecting Data with Encryption, Tokenization & AnonymizationSecurity 101: Protecting Data with Encryption, Tokenization & Anonymization
Security 101: Protecting Data with Encryption, Tokenization & Anonymization
 
Living With Passwords: Personal Password Management
Living With Passwords: Personal Password ManagementLiving With Passwords: Personal Password Management
Living With Passwords: Personal Password Management
 
Mobile security, OWASP Mobile Top 10, OWASP Seraphimdroid
Mobile security, OWASP Mobile Top 10, OWASP SeraphimdroidMobile security, OWASP Mobile Top 10, OWASP Seraphimdroid
Mobile security, OWASP Mobile Top 10, OWASP Seraphimdroid
 
Security bigdata
Security bigdataSecurity bigdata
Security bigdata
 
Security Best Practices for your Postgres Deployment
Security Best Practices for your Postgres DeploymentSecurity Best Practices for your Postgres Deployment
Security Best Practices for your Postgres Deployment
 
PgDay Asia 2016 - Security Best Practices for your Postgres Deployment
PgDay Asia 2016 - Security Best Practices for your Postgres DeploymentPgDay Asia 2016 - Security Best Practices for your Postgres Deployment
PgDay Asia 2016 - Security Best Practices for your Postgres Deployment
 
Hallwaze security snapshot
Hallwaze security snapshotHallwaze security snapshot
Hallwaze security snapshot
 
Securing your WordPress powered Website
Securing your WordPress powered WebsiteSecuring your WordPress powered Website
Securing your WordPress powered Website
 
Web security for app developers
Web security for app developersWeb security for app developers
Web security for app developers
 
Introduction to Web Application Security - Blackhoodie US 2018
Introduction to Web Application Security - Blackhoodie US 2018Introduction to Web Application Security - Blackhoodie US 2018
Introduction to Web Application Security - Blackhoodie US 2018
 

Recently uploaded

TEST BANK For, Information Technology Project Management 9th Edition Kathy Sc...
TEST BANK For, Information Technology Project Management 9th Edition Kathy Sc...TEST BANK For, Information Technology Project Management 9th Edition Kathy Sc...
TEST BANK For, Information Technology Project Management 9th Edition Kathy Sc...marcuskenyatta275
 
Microsoft CSP Briefing Pre-Engagement - Questionnaire
Microsoft CSP Briefing Pre-Engagement - QuestionnaireMicrosoft CSP Briefing Pre-Engagement - Questionnaire
Microsoft CSP Briefing Pre-Engagement - QuestionnaireExakis Nelite
 
Where to Learn More About FDO _ Richard at FIDO Alliance.pdf
Where to Learn More About FDO _ Richard at FIDO Alliance.pdfWhere to Learn More About FDO _ Richard at FIDO Alliance.pdf
Where to Learn More About FDO _ Richard at FIDO Alliance.pdfFIDO Alliance
 
Linux Foundation Edge _ Overview of FDO Software Components _ Randy at Intel.pdf
Linux Foundation Edge _ Overview of FDO Software Components _ Randy at Intel.pdfLinux Foundation Edge _ Overview of FDO Software Components _ Randy at Intel.pdf
Linux Foundation Edge _ Overview of FDO Software Components _ Randy at Intel.pdfFIDO Alliance
 
Intro to Passkeys and the State of Passwordless.pptx
Intro to Passkeys and the State of Passwordless.pptxIntro to Passkeys and the State of Passwordless.pptx
Intro to Passkeys and the State of Passwordless.pptxFIDO Alliance
 
Choosing the Right FDO Deployment Model for Your Application _ Geoffrey at In...
Choosing the Right FDO Deployment Model for Your Application _ Geoffrey at In...Choosing the Right FDO Deployment Model for Your Application _ Geoffrey at In...
Choosing the Right FDO Deployment Model for Your Application _ Geoffrey at In...FIDO Alliance
 
ASRock Industrial FDO Solutions in Action for Industrial Edge AI _ Kenny at A...
ASRock Industrial FDO Solutions in Action for Industrial Edge AI _ Kenny at A...ASRock Industrial FDO Solutions in Action for Industrial Edge AI _ Kenny at A...
ASRock Industrial FDO Solutions in Action for Industrial Edge AI _ Kenny at A...FIDO Alliance
 
Tales from a Passkey Provider Progress from Awareness to Implementation.pptx
Tales from a Passkey Provider Progress from Awareness to Implementation.pptxTales from a Passkey Provider Progress from Awareness to Implementation.pptx
Tales from a Passkey Provider Progress from Awareness to Implementation.pptxFIDO Alliance
 
Introduction to FIDO Authentication and Passkeys.pptx
Introduction to FIDO Authentication and Passkeys.pptxIntroduction to FIDO Authentication and Passkeys.pptx
Introduction to FIDO Authentication and Passkeys.pptxFIDO Alliance
 
Intro in Product Management - Коротко про професію продакт менеджера
Intro in Product Management - Коротко про професію продакт менеджераIntro in Product Management - Коротко про професію продакт менеджера
Intro in Product Management - Коротко про професію продакт менеджераMark Opanasiuk
 
Structuring Teams and Portfolios for Success
Structuring Teams and Portfolios for SuccessStructuring Teams and Portfolios for Success
Structuring Teams and Portfolios for SuccessUXDXConf
 
Introduction to FDO and How It works Applications _ Richard at FIDO Alliance.pdf
Introduction to FDO and How It works Applications _ Richard at FIDO Alliance.pdfIntroduction to FDO and How It works Applications _ Richard at FIDO Alliance.pdf
Introduction to FDO and How It works Applications _ Richard at FIDO Alliance.pdfFIDO Alliance
 
Google I/O Extended 2024 Warsaw
Google I/O Extended 2024 WarsawGoogle I/O Extended 2024 Warsaw
Google I/O Extended 2024 WarsawGDSC PJATK
 
ERP Contender Series: Acumatica vs. Sage Intacct
ERP Contender Series: Acumatica vs. Sage IntacctERP Contender Series: Acumatica vs. Sage Intacct
ERP Contender Series: Acumatica vs. Sage IntacctBrainSell Technologies
 
Continuing Bonds Through AI: A Hermeneutic Reflection on Thanabots
Continuing Bonds Through AI: A Hermeneutic Reflection on ThanabotsContinuing Bonds Through AI: A Hermeneutic Reflection on Thanabots
Continuing Bonds Through AI: A Hermeneutic Reflection on ThanabotsLeah Henrickson
 
Event-Driven Architecture Masterclass: Challenges in Stream Processing
Event-Driven Architecture Masterclass: Challenges in Stream ProcessingEvent-Driven Architecture Masterclass: Challenges in Stream Processing
Event-Driven Architecture Masterclass: Challenges in Stream ProcessingScyllaDB
 
(Explainable) Data-Centric AI: what are you explaininhg, and to whom?
(Explainable) Data-Centric AI: what are you explaininhg, and to whom?(Explainable) Data-Centric AI: what are you explaininhg, and to whom?
(Explainable) Data-Centric AI: what are you explaininhg, and to whom?Paolo Missier
 
Your enemies use GenAI too - staying ahead of fraud with Neo4j
Your enemies use GenAI too - staying ahead of fraud with Neo4jYour enemies use GenAI too - staying ahead of fraud with Neo4j
Your enemies use GenAI too - staying ahead of fraud with Neo4jNeo4j
 
AI mind or machine power point presentation
AI mind or machine power point presentationAI mind or machine power point presentation
AI mind or machine power point presentationyogeshlabana357357
 
Event-Driven Architecture Masterclass: Integrating Distributed Data Stores Ac...
Event-Driven Architecture Masterclass: Integrating Distributed Data Stores Ac...Event-Driven Architecture Masterclass: Integrating Distributed Data Stores Ac...
Event-Driven Architecture Masterclass: Integrating Distributed Data Stores Ac...ScyllaDB
 

Recently uploaded (20)

TEST BANK For, Information Technology Project Management 9th Edition Kathy Sc...
TEST BANK For, Information Technology Project Management 9th Edition Kathy Sc...TEST BANK For, Information Technology Project Management 9th Edition Kathy Sc...
TEST BANK For, Information Technology Project Management 9th Edition Kathy Sc...
 
Microsoft CSP Briefing Pre-Engagement - Questionnaire
Microsoft CSP Briefing Pre-Engagement - QuestionnaireMicrosoft CSP Briefing Pre-Engagement - Questionnaire
Microsoft CSP Briefing Pre-Engagement - Questionnaire
 
Where to Learn More About FDO _ Richard at FIDO Alliance.pdf
Where to Learn More About FDO _ Richard at FIDO Alliance.pdfWhere to Learn More About FDO _ Richard at FIDO Alliance.pdf
Where to Learn More About FDO _ Richard at FIDO Alliance.pdf
 
Linux Foundation Edge _ Overview of FDO Software Components _ Randy at Intel.pdf
Linux Foundation Edge _ Overview of FDO Software Components _ Randy at Intel.pdfLinux Foundation Edge _ Overview of FDO Software Components _ Randy at Intel.pdf
Linux Foundation Edge _ Overview of FDO Software Components _ Randy at Intel.pdf
 
Intro to Passkeys and the State of Passwordless.pptx
Intro to Passkeys and the State of Passwordless.pptxIntro to Passkeys and the State of Passwordless.pptx
Intro to Passkeys and the State of Passwordless.pptx
 
Choosing the Right FDO Deployment Model for Your Application _ Geoffrey at In...
Choosing the Right FDO Deployment Model for Your Application _ Geoffrey at In...Choosing the Right FDO Deployment Model for Your Application _ Geoffrey at In...
Choosing the Right FDO Deployment Model for Your Application _ Geoffrey at In...
 
ASRock Industrial FDO Solutions in Action for Industrial Edge AI _ Kenny at A...
ASRock Industrial FDO Solutions in Action for Industrial Edge AI _ Kenny at A...ASRock Industrial FDO Solutions in Action for Industrial Edge AI _ Kenny at A...
ASRock Industrial FDO Solutions in Action for Industrial Edge AI _ Kenny at A...
 
Tales from a Passkey Provider Progress from Awareness to Implementation.pptx
Tales from a Passkey Provider Progress from Awareness to Implementation.pptxTales from a Passkey Provider Progress from Awareness to Implementation.pptx
Tales from a Passkey Provider Progress from Awareness to Implementation.pptx
 
Introduction to FIDO Authentication and Passkeys.pptx
Introduction to FIDO Authentication and Passkeys.pptxIntroduction to FIDO Authentication and Passkeys.pptx
Introduction to FIDO Authentication and Passkeys.pptx
 
Intro in Product Management - Коротко про професію продакт менеджера
Intro in Product Management - Коротко про професію продакт менеджераIntro in Product Management - Коротко про професію продакт менеджера
Intro in Product Management - Коротко про професію продакт менеджера
 
Structuring Teams and Portfolios for Success
Structuring Teams and Portfolios for SuccessStructuring Teams and Portfolios for Success
Structuring Teams and Portfolios for Success
 
Introduction to FDO and How It works Applications _ Richard at FIDO Alliance.pdf
Introduction to FDO and How It works Applications _ Richard at FIDO Alliance.pdfIntroduction to FDO and How It works Applications _ Richard at FIDO Alliance.pdf
Introduction to FDO and How It works Applications _ Richard at FIDO Alliance.pdf
 
Google I/O Extended 2024 Warsaw
Google I/O Extended 2024 WarsawGoogle I/O Extended 2024 Warsaw
Google I/O Extended 2024 Warsaw
 
ERP Contender Series: Acumatica vs. Sage Intacct
ERP Contender Series: Acumatica vs. Sage IntacctERP Contender Series: Acumatica vs. Sage Intacct
ERP Contender Series: Acumatica vs. Sage Intacct
 
Continuing Bonds Through AI: A Hermeneutic Reflection on Thanabots
Continuing Bonds Through AI: A Hermeneutic Reflection on ThanabotsContinuing Bonds Through AI: A Hermeneutic Reflection on Thanabots
Continuing Bonds Through AI: A Hermeneutic Reflection on Thanabots
 
Event-Driven Architecture Masterclass: Challenges in Stream Processing
Event-Driven Architecture Masterclass: Challenges in Stream ProcessingEvent-Driven Architecture Masterclass: Challenges in Stream Processing
Event-Driven Architecture Masterclass: Challenges in Stream Processing
 
(Explainable) Data-Centric AI: what are you explaininhg, and to whom?
(Explainable) Data-Centric AI: what are you explaininhg, and to whom?(Explainable) Data-Centric AI: what are you explaininhg, and to whom?
(Explainable) Data-Centric AI: what are you explaininhg, and to whom?
 
Your enemies use GenAI too - staying ahead of fraud with Neo4j
Your enemies use GenAI too - staying ahead of fraud with Neo4jYour enemies use GenAI too - staying ahead of fraud with Neo4j
Your enemies use GenAI too - staying ahead of fraud with Neo4j
 
AI mind or machine power point presentation
AI mind or machine power point presentationAI mind or machine power point presentation
AI mind or machine power point presentation
 
Event-Driven Architecture Masterclass: Integrating Distributed Data Stores Ac...
Event-Driven Architecture Masterclass: Integrating Distributed Data Stores Ac...Event-Driven Architecture Masterclass: Integrating Distributed Data Stores Ac...
Event-Driven Architecture Masterclass: Integrating Distributed Data Stores Ac...
 

Well-Intentioned Paper Tigers - Misconceptions and Knowledge Gaps in Security

Editor's Notes

  1. Examples of unexpected angles: - SPECTRE/Meltdown - Heartbleed - Cryptographic side channel attacks
  2. Secrets in environment variables / dev secrets in .env file (or plaintext in config, nobody cares) Examples of public secrets: accessible config files, accessible SSH keys, leaks
  3. Everybody’s favorite kind of secret!
  4. NIST recommendations: minimum of 8 characters, maximum of at least 64, allow all characters, no other requirements on complexity Library recommendation: zxcvbn
  5. Secure algos: SHA-512, bcrypt, PBKDF2 Hashing security does not mean secure for passwords Rehashing: hash the old hashes Salts: can be sequential, need to be unpredictable – leaking one salt can leak other sequential salts, so just do random salts
  6. Paypal does security questions Token generation: CSPRNG – UUID is meant to be unique, not random Timing attacks on naive string comparisons Short lifetime on tokens
  7. Who am I vs What am I allowed to do
  8. Better: voters, Symfony firewall Check access on every request DO NOT TRUST USER INPUT IP: X-Forwarded-For Referer is also just a header
  9. Better: stay authenticated as original user, but make impersonation part of authorization Example: document authoring – permission check uses impersonated user, ownership is still original user
  10. All of these can give valuable information It’s not security through obscurity to hide potentially sensitive details
  11. Let’s write arbitrary user input to disk! In the web root! Yay! Drop validation altogether, prevent code execution in uploads directory entirely Better yet, separate server/container with files and only static content serving
  12. User sharing on shared hosting is problematic Regular users need access and possibilities web servers do not Docker group and docker socket are root-equivalent
  13. Easy to do, hard to do right
  14. NEVER ROLL YOUR OWN – it’s hard as balls, and easy to mess up Weak algorithms: like RC4 (WEP) Easily broken keys or IVs: 0 is a common IV Keys are not unlimited use Signing: integrity vs protection
  15. Padding oracles allow arbitrary decrypts/encrypts without knowing the key at any point Other attacks take many shapes – minimal information leakage can compromise entire systems
  16. What it is: relying on obscurity What it is not: hiding information to enhance security