Secure programming

  1. Secure Programming
     Tallinn, 21.3.2019
     Antti.Virtanen@solita.fi, Security Manager at Solita, hacker at Team ROT. Twitter: @Anakondantti
  2. Agenda
     • Why “secure” programming separately from just “programming”?
     • What makes a program “insecure”?
     • Why do we fail?
     • How do we fail?
     • What are the future trends for software security?
  3. Shouldn’t we make all programs secure?
  4. UTOPIA
     “Your code must be well documented, modular, readable, testable and tested.”
     CERT-FI guide to secure product development: https://www.kyberturvallisuuskeskus.fi/sites/default/files/media/publication/Turvallinen_tuotekehitys_003_2018J.pdf
  5. REALITY: OpenSSL (https://github.com/openssl/openssl/blob/master/ssl/ssl_cert.c)
  6. ... a critical system?
  7. What is critical?
     • IoT
     • Defense
     • Important domains for the society
     • Money
     • Factory automation
     • Health care
     • .. Mobile apps
     • (.. Can we actually say something is not critical?)
  8. Critical system? (Solita criteria)
     • Personal data (GDPR PII)
     • Sensitive personal data (sexual orientation, religion.. defined by law)
     • Money, credit cards, payments
     • Integrations to critical 3rd party systems
     • Classified information (ST IV / ST III or similar NATO standards)
     • Passwords, keys, certificates
     • IoT
     • Connected to the internet?
     • Big amount of users?
  9. Root causes of failure?
  10. Spot the problems? (Adapted from the Falafel machine on HackTheBox.eu)
  11. Fail 1: Technology
     • http://phpsadness.com/sad/47
     • https://www.whitehatsec.com/blog/magic-hashes/
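The second link on this slide is about PHP “magic hashes”. As an added example, not part of the slide deck, the PHP below shows the loose-comparison flaw and the strict check that avoids it; the two plaintexts are the published ones whose MD5 digests both consist of “0e” followed only by digits.

```php
<?php
// Added example (not from the slides). PHP's loose == converts both operands to
// numbers when they are numeric strings, and any string of the form 0e<digits>
// is the float 0.0. Two different MD5 digests that both happen to start with
// "0e" are therefore "equal" under ==, even though their bytes differ.

// Well-known published plaintexts: md5('240610708') and md5('QNKCDZO') both
// produce a hex digest of the form "0e" followed only by digits.
$storedDigest  = md5('240610708');
$offeredDigest = md5('QNKCDZO');

// Vulnerable pattern: hex digest compared with ==.
// A login or token check written this way accepts any "0e<digits>" digest
// against any other, regardless of the actual hash values.
function digestMatchesLoose(string $stored, string $offered): bool
{
    return $stored == $offered;
}

// Hardened pattern: strict, constant-time comparison of the exact bytes.
// hash_equals() never coerces types and compares the full string, so it also
// avoids the byte-by-byte timing side channel of a plain === on secrets.
// (For passwords specifically, password_hash()/password_verify() are the
// standard choice and do this internally.)
function digestMatchesStrict(string $stored, string $offered): bool
{
    return hash_equals($stored, $offered);
}

// The digests genuinely differ as strings, yet the loose check accepts them
// and the strict check rejects them.
var_dump($storedDigest !== $offeredDigest);
var_dump(digestMatchesLoose($storedDigest, $offeredDigest));
var_dump(digestMatchesStrict($storedDigest, $offeredDigest));
```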
  12. Fail 2: Inadequate skills
     • Some “professionals” still do not understand SQL injections and such..
     • The industry is changing constantly
     • IoT companies may be used to operating in a closed context where authentication and security did not matter.
  13. DevOops
  14. “nothing will prevent the attackers from sending the necessary commands directly to the device port bypassing its service provider. The standard interfaces often do not require any specific drivers. Authorization is not required either, which basically makes these insecure proprietary protocols an easy target – just sniff and replay.”
     https://securelist.com/malware-and-non-malware-ways-for-atm-jackpotting-extended-cut/74533/
  15. Wired, 20.2.2019: https://www.wired.com/story/atm-hacking-winpot-jackpotting-game/
     “often run outdated, even unsupported versions of Windows.”
  16. Fail 3: Money
     • End users (consumers) do not demand security.
     • Companies aren’t responsible for damages (GDPR?)
     • Doing this properly costs money!
  17. Fail 4: Humans (end users)
  18. How do we fail?
  19. OWASP Top 10 (https://www.owasp.org/images/7/72/OWASP_Top_10-2017_%28en%29.pdf.pdf)
     • A1:2017 - Injection
     • A2:2017 - Broken Authentication
     • A3:2017 - Sensitive Data Exposure
     • A4:2017 - XML External Entities (XXE)
     • A5:2017 - Broken Access Control
     • A6:2017 - Security Misconfiguration
     • A7:2017 - Cross-Site Scripting (XSS)
     • A8:2017 - Insecure Deserialization
     • A9:2017 - Using Components with Known Vulnerabilities
     • A10:2017 - Insufficient Logging & Monitoring
  20. XXE Demo
  21. Why did it work? (Unknown Unknowns)
  22. Ignoring the power of vuln chaining
     • A lazy file upload is not that bad? Or is it?
     • XSS with sessionCookie:httpOnly=false is so much better than just XSS...
     hexdump -C pwned.php.png
  23. Human Factors: Google Dorking Demo
  24. Tomorrow (picture: FakeGRIMLOCK)
  25. 1: Bug Bounty evolution
     • Today: elite BB hunters run custom scanners!
     • DNS, web app, cloud, OSINT and other scanning
     • Tomorrow: scanners as SaaS
     • Already happening
     • Next: monetizing crowdsourced PoC modules
     • Detectify is doing this already!
  26. 2: Software gets better (in a way)
     • Developers are learning
     • Static analysis tools will remove most easy wins
     • ... However..
  27. Complexity is an issue
     • Dev team responsible for integrations, networking, ops..
     • Mobile endpoints
     • User expectations are growing
  28. 3: Supply Chain Attacks
  29. What could it look like.... (https://github.com/eslint/eslint-scope/issues/39)
  30. 4: Fuzz testing!
     • Discover the unknown unknowns
     • Increasingly coming to new domains!
     • (This would be a good topic for a dissertation / master’s thesis. Or a startup.)
  31. 5: DevSecOps – how do we get there?
     Picture from the 2017 Gartner report: Integrating Security into the DevSecOps Toolchain
  32. Recap
  33. The near future
     • Programs continue to have vulnerabilities
     • .. Unknown Unknowns are a big danger to programmers
     • Bug Bounties and tools are evolving
     • ... Simple flaws might become rare
     • Supply Chain Attacks are a growing trend
     • Fuzz testing will become mainstream
     • The best defense is knowledge.
  34. Thank you
  35. Reference material for further study
  36. Recommended reading, also for developers...
  37. Target apps for practice and workshops
     • OWASP Juice Shop is available as a Docker container. Highly recommended.
     • Also many other target apps:
     • Google Gruyere (https://google-gruyere.appspot.com/)
     • Damn Vulnerable Web App (http://www.dvwa.co.uk/)
     • alert(1) to win (https://alf.nu/alert1)
  38. Sites for learning and hacking practice
     • TallinnSec! (https://www.tallinnsec.ee/)
     • OWASP (http://owasp.org/)
     • SANS.org (https://www.sans.org/)
     • Offensive Security (https://www.offensive-security.com/)
     • HackTheBox (https://hackthebox.eu)
     • Shellterlabs (https://shellterlabs.com/en/)
     • Vulnhub (https://www.vulnhub.com/)
     • Gamification is a big thing!