Practical security
A half-day seminar for programmers
Copyright Danny Lieberman dl@software.co.il under Creative Commons Attribution License.
http://creativecommons.org/licenses/by/2.0/
V5.0 10/7/2014
Prerequisites
• Before the seminar you will need to read this
article and understand the concepts described
The NSA and Snowden: Securing the All-Seeing Eye
http://cacm.acm.org/magazines/2014/5/174340-the-nsa-and-snowden/fulltext
Agenda
• Access control
• Least privilege enforcement
• Cryptography at work
• Security attacks
• Pen testing with Metasploit
Access control
• A security countermeasure for protecting data
at rest
– Necessary but not sufficient
• For data in motion over an insecure channel
we need stronger countermeasures
– Encryption
– One-time tokens
• Based on authorization and authentication
Authorization - I
• The process of authorization is distinct from
that of authentication.
– Authentication is the process of verifying that
“You are who you say you are”
– One-factor: Username/password
– Authorization is the process of verifying that
“You’re permitted to do what you’re trying to do".
– Read this file only
Authorization - II
• Hash functions are the basis for most methods of enforcing
cryptographic data integrity
– Variable length input
– Fixed length output
• Effectiveness determined by:
– Determining the input from output should be computationally
infeasible
– Given input and output, generating input with same output
should be computationally infeasible
– Collision-free, same outputs with different inputs should be
computationally infeasible
• Examples – SHA-1, SHA-256 and MD5
• Example of password hashing coming up in 2 slides
Multi-factor authentication - I
• Something a user has and something the
user knows
– Credit card plus a PIN
– Password and a pseudorandom number from
a security token
• High-security systems
– Screen height, weight, facial, retinal and
fingerprint checks plus a PIN plus a day code
Multi-factor authentication - II
• Google Authenticator - 2-factor software token generator for iOS, Android
– Something user has and knows
• Her smartphone.
• One-time password (token)
– Server and client code agree on algorithms and secret key:
• Secret key is the seed value for hashing
• Algorithm used to verify the password
– Algorithms:
• RFC 4226 - HMAC-based one-time password
http://www.ietf.org/rfc/rfc4226.txt
• RFC 6238 - Time-based one-time password
http://tools.ietf.org/html/rfc6238
Multi-factor authentication - III
• To generate the one-time password, client code needs the secret key, the counter and the number of
digits (which is 6 for Google Authenticator)
• The counter is used as a “moving factor” to make the algorithm more robust. A “throttling
parameter” is also specified in RFC 4226
Multi-factor authentication - IV
• RFC 6238 allows for any start date and time interval, but Google Authenticator
requires the Unix epoch and a 30 second time interval.
• This means we can get the current one-time password using only the secret key.
Multi-factor authentication - V
• How do we put it to use?
• IsValid helps with clock skew by checking adjacent intervals for the password.
• Improves user experience, because it doesn't require clocks to be perfectly aligned
See http://www.codeproject.com/Articles/403355/Implementing-Two-Factor-Authentication-in-ASP-NET
Access control - Design vulnerabilities
• As the name suggests – a software design will
often have vulnerabilities because of
assumptions
– Ignoring the fate of temporary files storage is a
bad design decision.
– Temp files are very often written into directories
with world read, write permissions for
convenience
• For example, log files.
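An added Python example (not from the deck) of the temp-file point above: create scratch and log files exclusively and with owner-only permissions instead of dropping them into a world-writable directory, and detect such directories before trusting them. The helper names and the demo() routine are this example's own.

```python
import os
import stat
import tempfile


def is_world_writable(path: str) -> bool:
    """True when 'other' may write, e.g. a 0777 spool or log directory."""
    return bool(os.stat(path).st_mode & stat.S_IWOTH)


def has_sticky_bit(path: str) -> bool:
    """With the sticky bit set (drwxrwxrwt), users can delete only their own files."""
    return bool(os.stat(path).st_mode & stat.S_ISVTX)


def create_private_file(path: str, data: bytes) -> str:
    """Create with O_EXCL so a pre-planted file or symlink at 'path' makes the call fail
    instead of being silently followed, and with mode 0600 so other users cannot read or
    replace the contents."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return path


def private_temp_file(data: bytes, suffix: str = ".log") -> str:
    """tempfile.mkstemp gives the same guarantees (unpredictable name, O_EXCL, 0600)."""
    fd, path = tempfile.mkstemp(suffix=suffix)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return path


def file_mode(path: str) -> int:
    return stat.S_IMODE(os.stat(path).st_mode)


def demo() -> dict:
    """Exercise the helpers in scratch directories; returns each check as a boolean."""
    results = {}
    scratch = tempfile.mkdtemp()                 # mkdtemp creates the directory 0700
    private = create_private_file(os.path.join(scratch, "app.log"), b"log line 1\n")
    results["private_mode_ok"] = file_mode(private) & 0o077 == 0
    try:
        create_private_file(private, b"planted")  # second exclusive create must fail
        results["exclusive_create_refused"] = False
    except FileExistsError:
        results["exclusive_create_refused"] = True
    tmp = private_temp_file(b"scratch")
    results["temp_mode_ok"] = file_mode(tmp) & 0o077 == 0
    shared = tempfile.mkdtemp()
    os.chmod(shared, 0o1777)                     # what a /tmp-style directory looks like
    results["world_writable_detected"] = is_world_writable(shared) and has_sticky_bit(shared)
    results["scratch_dir_private"] = not is_world_writable(scratch)
    for p in (private, tmp):
        os.unlink(p)
    return results


if __name__ == "__main__":
    print(demo())
```

The O_EXCL flag is the important part: opening a fixed, predictable path such as /tmp/app.log with plain open() follows whatever another user placed there first.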
Access control – Operational vulnerabilities
• Rooted in how the source code interacts with the
environment
– Using FTP to transfer files
– FTP users/anonymous FTP users may have access
rights to GET or even worse PUT files on to your
machine.
– FTP is problematic
• Most FTP uploads do not check the uploaded files for
malware.
• FTP credentials are passed in clear text
• FTP servers are frequently forgotten by IT operations
Password policy & account handling - I
• Baked into the design and implementation
• Enforce operational security:
– Follow Microsoft server guidelines
• http://technet.microsoft.com/en-us/library/cc526440.aspx
• http://technet.microsoft.com/en-us/security/jj720323.aspx
• Strength, Expiry
– Require strong passwords (AxCrl8N^)
– Expiry policy (changes every 90 days)
• SSO/federated login alternatives
• Social login for customer-facing Web services
Password & account handling - II
• So-called strong passwords and expiration
policies that force people to change frequently
are the main reason for:
• Users recycling their corporate passwords on ecommerce
and adult sites
– Which are frequently hacked and then exploited as a back-channel to corporate networks
• Post Its
– It’s OK to write down a password, just treat it like cash!
• Credentials sharing
– January 24, 2008, Société Générale announced that a futures
trader at the bank had fraudulently lost the bank €4.9BN
Password & account handling - III
• Password management tools
– Free open source
• KeePass - http://keepass.info/
– Commercial closed source
• Sticky Password Pro - http://www.stickypassword.com/
• Roboform - http://www.roboform.com/
Password and account handling - IV
• Database connection strings
– Credentials should not be the database root user
– Should not be provided in clear text inside code
• An attacker (or security auditor) can grep the code and
pick up the credentials
– Should reference a hashed parameter file outside
the application path
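An added Python example (not the deck's code) of the connection-string rules above: the credentials live in an INI file outside the application tree, the loader refuses a file with loose permissions or wrong ownership, and refuses a superuser account. The file format, the SUPERUSERS list and the helper names are assumptions of this example.

```python
import configparser
import os
import stat
import tempfile

SUPERUSERS = {"root", "sa", "postgres", "admin"}   # constructed list; extend for your RDBMS


def load_db_credentials(path: str, app_root: str) -> dict:
    """Read a [database] section from an INI file that must live outside the application
    tree, be owned by the service account, and be unreadable by group and others."""
    real = os.path.realpath(path)
    root = os.path.realpath(app_root)
    if real == root or real.startswith(root + os.sep):
        raise ValueError("credentials file must not live under the application path")
    st = os.stat(real)
    if st.st_uid != os.geteuid():
        raise PermissionError("credentials file must be owned by the running user")
    if stat.S_IMODE(st.st_mode) & 0o077:
        raise PermissionError("credentials file is readable by group or others")
    cfg = configparser.ConfigParser()
    cfg.read(real)
    creds = dict(cfg["database"])
    if creds.get("user", "").lower() in SUPERUSERS:
        raise ValueError("application must not connect as a database superuser")
    return creds


def write_credentials(path: str, user: str, password: str, mode: int) -> str:
    """Constructed helper that writes a sample file with the given permission bits."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, mode)
    with os.fdopen(fd, "w") as fh:
        fh.write("[database]\nhost = db.internal\nuser = %s\npassword = %s\n" % (user, password))
    os.chmod(path, mode)   # apply the mode regardless of umask
    return path


def _raises(exc_type, path: str, app_root: str) -> bool:
    try:
        load_db_credentials(path, app_root)
    except exc_type:
        return True
    return False


def demo() -> dict:
    """Run four cases on constructed sample files; returns whether each behaved as expected."""
    app_root = tempfile.mkdtemp()    # stands in for the deployed application directory
    etc_dir = tempfile.mkdtemp()     # stands in for e.g. /etc/myapp, outside the app path
    out = {}
    good = write_credentials(os.path.join(etc_dir, "db.ini"), "app_rw", "demo-password", 0o600)
    out["good_file_loads"] = load_db_credentials(good, app_root)["user"] == "app_rw"
    loose = write_credentials(os.path.join(etc_dir, "loose.ini"), "app_rw", "x", 0o644)
    out["loose_perms_rejected"] = _raises(PermissionError, loose, app_root)
    inside = write_credentials(os.path.join(app_root, "db.ini"), "app_rw", "x", 0o600)
    out["inside_app_path_rejected"] = _raises(ValueError, inside, app_root)
    as_root = write_credentials(os.path.join(etc_dir, "root.ini"), "root", "x", 0o600)
    out["superuser_rejected"] = _raises(ValueError, as_root, app_root)
    return out


if __name__ == "__main__":
    print(demo())
```

Keeping the file outside the application path also keeps it out of the source repository and out of anything a web server might serve, which is the grep-the-code exposure the slide warns about.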
Agenda
• Access control
• Least privilege enforcement
• Cryptography at work
• Security attacks
• Pen testing with Metasploit
Principle of least privilege - I
• A particular abstraction layer
– Code, users, process, people
• must be able to access only resources that are
necessary for legitimate purpose.
– A key security countermeasure for preventing data
loss and malicious code exploits
Principle of least privilege - II
• Users
– User credentials employed in a backup script run
by a job scheduler should not be able to install
software
Principle of least privilege - III
• Code
– Code that provides UI functionality should never
run as administrator (even if it is convenient…)
• Malicious code doesn’t have to elevate privilege
Principle of least privilege - IV
• Process and people
– People with access to sensitive data and a subset
of super user privileges should not be able to
upgrade their own permissions
– Two administrators need to execute and confirm
permissions update of another administrator
Agenda
• Access control
• Least privilege enforcement
• Cryptography at work
• Security attacks
• Pen testing with Metasploit
Cryptography at work
• Confidentiality
• Non-repudiation
Confidentiality
• Confidentiality is the expectation that only
authorized parties can view data
– For data in motion or in rest that is accessible over
an insecure channel, encryption is required
• Encryption has a long history, dating back to
ancient cultures.
– 2 major classes: symmetric and asymmetric
Symmetric encryption
• Symmetric encryption (or shared key) refers to
algorithms where all authorized parties share the
same key
– Simplest and most efficient
– Major weakness since partners have access to same
shared secret.
• May generate unique key for each relationship
– In a group of shared key users
• Key management becomes impossible
• No means for verifying the sender of a message
AES - I
• AES is based on a design principle known as a
substitution-permutation network,
– Combining both substitution and permutation
– Fast in both software and hardware
• AES is a variant of Rijndael
– Fixed block size of 128 bits
– A key size of 128, 192, or 256 bits.
AES - II
AES - III
• Good support in all popular languages
– Crypto++ A comprehensive C++ semi-public-domain implementation of encryption and hash
algorithms. FIPS validated
– .NET System.Security.Cryptography
– Java Cryptography Extension
– PHP mcrypt extension
– JavaScript - https://code.google.com/p/crypto-js/
and https://github.com/digitalbazaar/forge
Applications of symmetric encryption
• Protecting message confidentiality
• Protecting API payloads
Protecting message confidentiality
<?php
// PHP mcrypt example (mcrypt is deprecated since PHP 7.1 and removed in 7.2; use openssl_encrypt on current PHP)
$input = "Meet me at 21:00 for beer at JEMS, bring your friend Michal";
$wire = encrypt($input);   // message($wire) in the original: hand $wire to the transport
echo decrypt($wire);

function encrypt($input) {
    $key = hash('sha256', "this is a secret key", true); // derive a 32-byte key; Rijndael-128 needs 16, 24 or 32 bytes
    // CBC rather than ECB: ECB ignores the IV and leaks repeated plaintext blocks
    $td = mcrypt_module_open(MCRYPT_RIJNDAEL_128, '', MCRYPT_MODE_CBC, '');
    $iv = mcrypt_create_iv(mcrypt_enc_get_iv_size($td), MCRYPT_DEV_URANDOM);
    mcrypt_generic_init($td, $key, $iv);
    $ciphertext = mcrypt_generic($td, $input);
    mcrypt_generic_deinit($td);
    mcrypt_module_close($td);
    return $iv . $ciphertext; // ship the IV with the ciphertext instead of via the session (no integrity check here; pair with an HMAC)
}

function decrypt($data) {
    $key = hash('sha256', "this is a secret key", true);
    $td = mcrypt_module_open(MCRYPT_RIJNDAEL_128, '', MCRYPT_MODE_CBC, '');
    $ivSize = mcrypt_enc_get_iv_size($td);
    $iv = substr($data, 0, $ivSize);
    mcrypt_generic_init($td, $key, $iv);
    $plaintext = mdecrypt_generic($td, substr($data, $ivSize));
    mcrypt_generic_deinit($td);
    mcrypt_module_close($td);
    return rtrim($plaintext, "\0"); // strip mcrypt's zero padding
}
Protecting API payloads - I
• Your site, http://apiconsumer.com/ (I), calls the API provider, https://api.com (II)
– Request: POST https://api.com/edit/data/GUID
– Response: JSON
Protecting API payloads - II
• Problem
– Encryption doesn’t prevent client-side attacks:
• URL hacking
• Manipulation of payload data using “shims”
• Unauthorized disclosure of payload
Protecting API payloads - III
• Solution
– Symmetric encryption critical payload fields such
as GUID
• Shared secret between API consumer and provider
• The usual problems and solutions of key exchange and
distribution
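An added Python example, not from the deck, for the payload problem above. Because the attacks listed (URL hacking, shims) are tampering rather than eavesdropping, this example keeps the shared secret between consumer and provider but uses it for an HMAC-SHA256 tag over the method, the URL path including the GUID, and the JSON body, plus a timestamp against replay; that is a different use of the shared secret than the field encryption the slide proposes, and the two combine. The GUID, secret, field names and age limit are constructed for the example.

```python
import hashlib
import hmac
import json
import time

# Constructed shared secret, provisioned out of band to both consumer and provider.
SHARED_SECRET = b"demo-shared-secret-do-not-reuse"
MAX_AGE_SECONDS = 300   # constructed replay window


def canonical(method: str, path: str, body: dict) -> bytes:
    """One deterministic byte string covering everything the client could alter:
    HTTP method, URL path (including the GUID) and the JSON body with sorted keys."""
    body_json = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return "\n".join([method.upper(), path, body_json]).encode("utf-8")


def sign_request(secret: bytes, method: str, path: str, body: dict) -> str:
    """Consumer side: tag sent alongside the request, e.g. in a header."""
    return hmac.new(secret, canonical(method, path, body), hashlib.sha256).hexdigest()


def verify_request(secret: bytes, method: str, path: str, body: dict, tag: str,
                   now: float = None) -> bool:
    """Provider side: recompute the tag, compare in constant time, and reject stale
    requests so a captured signed request cannot be replayed later."""
    now = time.time() if now is None else now
    ts = body.get("timestamp")
    if not isinstance(ts, (int, float)) or abs(now - ts) > MAX_AGE_SECONDS:
        return False
    expected = sign_request(secret, method, path, body)
    return hmac.compare_digest(expected, tag)


def demo() -> dict:
    guid = "123e4567-e89b-12d3-a456-426614174000"        # constructed record id
    path = "/edit/data/" + guid
    body = {"field": "status", "value": "approved", "timestamp": 1700000000}
    tag = sign_request(SHARED_SECRET, "POST", path, body)
    received_at = 1700000010
    other_guid = "/edit/data/00000000-0000-0000-0000-000000000001"
    return {
        "genuine_accepted": verify_request(SHARED_SECRET, "POST", path, body, tag, received_at),
        # URL hacking: same body and tag, different record in the path
        "url_hacked_rejected": not verify_request(SHARED_SECRET, "POST", other_guid, body, tag, received_at),
        # shim: a field changed in the browser after the tag was computed
        "body_shim_rejected": not verify_request(SHARED_SECRET, "POST", path, dict(body, value="rejected"), tag, received_at),
        # replay: an old captured request presented an hour later
        "replay_rejected": not verify_request(SHARED_SECRET, "POST", path, body, tag, received_at + 3600),
    }


if __name__ == "__main__":
    print(demo())
```

The tag must be computed somewhere the secret is not exposed to the end user; a secret embedded in browser-side JavaScript is readable by the same shims the slide describes, so the consumer's server signs the request, not the browser.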
Asymmetric encryption
• Public and private key pair for each party
• Parties that communicate exchange public keys in
advance
– Message is encrypted by combining recipient public key
and sender private key.
• Message can only be decrypted using recipient private key
• Simplifies key management
– Doesn’t require exposing private keys
– Implicitly verifies sender
– Computationally intensive
– Used to exchange a symmetric key for the duration of
session
RSA encryption
• Alice works at a hospital. She needs to send
Bob from the insurance company a list of
records for treatment reimbursement.
• Alice gets Bob's public key from the insurance
company Web page.
• Alice sends the file to Bob encrypted with
Bob's public key.
• Bob uses his private key to unscramble it.
Alice and Bob
From: Schneier: Applied Cryptography
RSA example
Cryptography at work
• Confidentiality
• Non-repudiation
Non-repudiation - I
• The maker of a statement cannot successfully
challenge the validity of the statement or
contract.
– In the digital realm, enforced with digital
signatures
– In physical realm, enforced with notaries and
stamps
Non-repudiation - II
• The 2,500-year-old stone seal bearing the name "Temah" was found in a layer of earth in the excavation conducted by archaeologist Eilat Mazar outside the walls of the Old City, near the Dung Gate.
Creating RSA signature keys - I
• Generate an RSA key pair containing a modulus N
that is the product of two large primes, along
with integers e and d such that e d ≡ 1 (mod
φ(N)), where φ is the Euler phi-function.
• The signer's public key consists of N and e, and
the signer's secret key contains d.
• To sign a message m, the signer computes σ ≡ md
(mod N). To verify, the receiver checks that σe ≡
m (mod N).
Creating signatures - II
• The message to be signed is first hashed to produce a
short digest that is then signed:
– Efficiency:
• Hashing is faster than signing
– Compatibility:
• Hash can convert an arbitrary input into the proper format.
• For example strings/integers
– Integrity:
• Without the hash function, the text "to be signed" may have to be
split (separated) in blocks small enough for the signature scheme
to act on them directly.
• Receiver of signed blocks cannot recognize if all the blocks are
present and in the right order.
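An added Python example (not from the deck or from Schneier) carrying the RSA slides through in code: key generation with e·d ≡ 1 (mod φ(N)), Alice-to-Bob encryption with the textbook primes, signing σ = m^d and verifying σ^e ≡ m, and the hash-then-sign point from the last slide shown both ways: per-block signatures that still verify after the blocks are reordered, and a hashed signature that does not. The primes are toy values far too small for real use, and reducing the SHA-256 digest mod N stands in for a real padding scheme such as PSS.

```python
import hashlib
from math import gcd


def make_keypair(p: int, q: int, e: int = 65537):
    """N = p*q, e*d ≡ 1 (mod φ(N)) with φ(N) = (p-1)(q-1). Public key (N, e), private key (N, d)."""
    N = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to φ(N)")
    d = pow(e, -1, phi)            # modular inverse (Python 3.8+)
    return (N, e), (N, d)


def encrypt(m: int, public) -> int:       # Alice: c = m^e mod N with Bob's public key
    N, e = public
    return pow(m, e, N)


def decrypt(c: int, private) -> int:      # Bob: m = c^d mod N with his private key
    N, d = private
    return pow(c, d, N)


def sign_raw(m: int, private) -> int:     # σ = m^d mod N
    N, d = private
    return pow(m, d, N)


def verify_raw(m: int, sigma: int, public) -> bool:   # check σ^e ≡ m (mod N)
    N, e = public
    return pow(sigma, e, N) == m % N


def digest_mod_n(message: bytes, N: int) -> int:
    """Hash-then-sign (toy): SHA-256 of the whole message, reduced into [0, N)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N


def sign_message(message: bytes, private) -> int:
    return sign_raw(digest_mod_n(message, private[0]), private)


def verify_message(message: bytes, sigma: int, public) -> bool:
    return verify_raw(digest_mod_n(message, public[0]), sigma, public)


def sign_blocks(message: bytes, private) -> list:
    """Without a hash: one signature per block small enough for RSA (here one byte per block)."""
    return [sign_raw(b, private) for b in message]


def verify_blocks(message: bytes, sigmas: list, public) -> bool:
    return len(sigmas) == len(message) and all(
        verify_raw(b, s, public) for b, s in zip(message, sigmas))


# Toy primes (far too small for real use): the textbook pair and two Mersenne primes.
TEXTBOOK = make_keypair(61, 53, e=17)
TOY = make_keypair(2 ** 31 - 1, 2 ** 61 - 1)


def demo() -> dict:
    pub, priv = TOY
    msg = b"pay 100 to bob"
    sig = sign_message(msg, priv)
    blocks = sign_blocks(msg, priv)
    swapped = msg[::-1]                     # same blocks, different order
    return {
        "encrypt_decrypt_roundtrip": decrypt(encrypt(65, TEXTBOOK[0]), TEXTBOOK[1]) == 65,
        "hashed_signature_verifies": verify_message(msg, sig, pub),
        "hashed_signature_detects_reorder": not verify_message(swapped, sig, pub),
        "blockwise_signature_accepts_reorder": verify_blocks(swapped, blocks[::-1], pub),
    }


if __name__ == "__main__":
    print(demo())
```

The last two results are the slide's integrity argument in one run: reordering (or dropping) individually signed blocks leaves every block signature valid, while a signature over the hash of the whole message binds its content and order together.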
Creating signatures - III
Agenda
• Access control
• Least privilege enforcement
• Cryptography at work
• Security attacks
• Pen testing with Metasploit
Security attack types
• Interception
– Passive tapping
• Interruption
– DOS
• Modification
– Active tapping/packet insertion
• Fabrication
– Man in the middle attacks
Typical countermeasures
• Interception/Modification
– Passive tapping / active tapping
• Physical security to prevent insertion of a tap in wiring cabinet
• Network segmentation
• Encrypt communications, including authentication credentials. This prevents sniffed
packets from being usable to an attacker. SSL and IPSec (Internet Protocol Security) are
examples of encryption solutions.
• Interruption
– DDOS
• Firewall, IPS/IDS and special purpose network appliances that detect anomalous traffic
and throttle it down
• Apply patches to TCP/IP stack for example MS13-065:
– https://technet.microsoft.com/en-us/library/security/ms13-065.aspx
• Fabrication
– Man in the middle attacks
• Use encrypted session negotiation (Well known DICOM vulnerability)
• Use encrypted communication channels.
• Patch TCP/IP stack vulnerabilities, such as predictable packet sequences.
Kerckhoffs's principle
• Kerckhoffs's principle
– A cryptosystem should be secure even if everything about the system, except the key, is public knowledge.
• Independently formulated by Claude Shannon as "the enemy knows the system"
• In contrast to "security through obscurity"
Agenda
• Access control
• Least privilege enforcement
• Cryptography at work
• Security attacks
• Pen testing with Metasploit
PEN TESTING WITH METASPLOIT
A short introduction
Installation
• Download from www.metasploit.com for your
platform
• Prefer Linux 64 bit
• Note that the distribution comes with its own
RDBMS – PostgreSQL
The absolute basics
• Pre-engagement – set goals
• Intelligence gathering
– What defenses are in place?
– Expendable IP addresses
• Threat modeling
• Vulnerability analysis
• Exploitation
– Often brute force
• Post-exploitation
– What the systems do, what are user roles?
– IP and other sensitive data
Concepts
• Exploit
• Payload – code delivered by MSF to target system
– Reverse shell creates a connection from the target
back to attacker as command prompt
– Bind shell binds a command prompt to listener on
target machine in order to execute commands
• Shellcode – e.g. a Meterpreter shell after
executing the payload
• Module – exploit, auxiliary…
• Listener
Fundamentals
• Msfcli
• Msfconsole
– search
– show exploits, auxiliary, show options
– use scanner/smb/smb_version
– use windows/smb/ms08_067_netapi
• Databases
– Using the Database
• About Meterpreter
– Meterpreter Basics
Information gathering
• Port Scanning
• Hunting For MSSQL
– search mssql
– use auxiliary/scanner/mssql/mssql_ping
– set RHOSTS 10.211.55.1/24
– exploit
• Brute force attack
– Use scanner/mssql/mssql_login
– Set PASS_FILE /pentest/exploits/….wordlist.txt
Vulnerability scanning
• SMB Login Check
• VNC Authentication
Fuzzing
• Fuzz testing or fuzzing
– Software testing technique,
– Automated or semi-automated
– Provide invalid, unexpected, or random data to
the program input devices/sockets.
– Process is then monitored
• Program exceptions
– Crashes, or failing built-in code assertions
• Finding potential memory leaks.
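An added Python example, not the deck's code, of the fuzzing loop described above: a small constructed parser with a deliberate bug, three mutation strategies applied to a seed input, and a harness that catches crashes and failed built-in assertions and records the first input that triggered each. The record format, the mutation strategies and the function names are this example's own.

```python
import random


def parse_record(data: bytes):
    """Target under test (constructed, with a deliberate bug): byte 0 is the name length L,
    then L bytes of ASCII name, then a 2-byte big-endian value."""
    length = data[0]                                    # IndexError on empty input
    name = data[1:1 + length]
    assert len(name) == length, "truncated name"       # built-in assertion fuzzing should trip
    value = int.from_bytes(data[1 + length:3 + length], "big")
    return name.decode("ascii"), value


def mutate(seed: bytes, rng: random.Random) -> bytes:
    """Three cheap mutation strategies: truncate, overwrite one byte, append junk."""
    data = bytearray(seed)
    choice = rng.randrange(3)
    if choice == 0 and data:
        del data[rng.randrange(len(data)):]
    elif choice == 1 and data:
        data[rng.randrange(len(data))] = rng.randrange(256)
    else:
        data += bytes(rng.randrange(256) for _ in range(rng.randrange(1, 5)))
    return bytes(data)


def fuzz(target, seed: bytes, iterations: int = 500, rng_seed: int = 1) -> dict:
    """Feed mutated inputs to target and monitor it; returns {exception name: first input}.
    The fixed RNG seed makes a run reproducible, which is what you want when triaging."""
    rng = random.Random(rng_seed)
    crashes = {}
    for _ in range(iterations):
        case = mutate(seed, rng)
        try:
            target(case)
        except Exception as exc:               # any uncaught exception is a finding
            crashes.setdefault(type(exc).__name__, case)
    return crashes


def reproduces(target, case: bytes) -> bool:
    """Re-run one recorded input to confirm the crash is deterministic."""
    try:
        target(case)
    except Exception:
        return True
    return False


if __name__ == "__main__":
    seed = b"\x05helloXY"          # constructed valid record: name "hello", value 0x5859
    for name, case in fuzz(parse_record, seed).items():
        print(name, case, reproduces(parse_record, case))
```

In a real campaign the target would be a network daemon or file parser and the monitor would watch for signals, sanitizer reports and hangs rather than Python exceptions, but the loop is the same: mutate, run, record, reproduce.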
Summary - Snowden
• You’ve read the article and heard the material
in this talk
• What did NSA do wrong in your opinion?
My kind thanks to Raymond Ludwin for his comments.
Copyright Danny Lieberman dl@software.co.il under Creative Commons Attribution License.
http://creativecommons.org/licenses/by/2.0/

Selling Data Security TechnologyFlaskdata.io
 
Writing An Effective Security Procedure in 2 pages or less and make it stick
Writing An Effective Security Procedure in 2 pages or less and make it stickWriting An Effective Security Procedure in 2 pages or less and make it stick
Writing An Effective Security Procedure in 2 pages or less and make it stickFlaskdata.io
 

More from Flaskdata.io (19)

Flaskdata - Observability for clinical data
Flaskdata - Observability for clinical dataFlaskdata - Observability for clinical data
Flaskdata - Observability for clinical data
 
The travel industry does real-time. Why doesn't clinical research?
The travel industry does real-time. Why doesn't clinical research?The travel industry does real-time. Why doesn't clinical research?
The travel industry does real-time. Why doesn't clinical research?
 
Flaskdata.io automated monitoring for clinical trials
Flaskdata.io automated monitoring for clinical trialsFlaskdata.io automated monitoring for clinical trials
Flaskdata.io automated monitoring for clinical trials
 
The insights that will help your medtech clinical trial succeed
The insights that will help your medtech clinical trial succeedThe insights that will help your medtech clinical trial succeed
The insights that will help your medtech clinical trial succeed
 
2017 02-05 en-eu-data-security_v2
2017 02-05 en-eu-data-security_v22017 02-05 en-eu-data-security_v2
2017 02-05 en-eu-data-security_v2
 
Quick user guide to the Clear Clinica Cloud EDC system
Quick user guide to the Clear Clinica Cloud EDC systemQuick user guide to the Clear Clinica Cloud EDC system
Quick user guide to the Clear Clinica Cloud EDC system
 
Killed by code 2015
Killed by code 2015Killed by code 2015
Killed by code 2015
 
Killed by code 2015
Killed by code 2015Killed by code 2015
Killed by code 2015
 
Pathcare: Patient-issue oriented healthcare
Pathcare: Patient-issue oriented healthcarePathcare: Patient-issue oriented healthcare
Pathcare: Patient-issue oriented healthcare
 
The Tao of GRC
The Tao of GRCThe Tao of GRC
The Tao of GRC
 
Will Web 2.0 applications break the cloud?
Will Web 2.0 applications break the cloud?Will Web 2.0 applications break the cloud?
Will Web 2.0 applications break the cloud?
 
Killed by code - mobile medical devices
Killed by code - mobile medical devicesKilled by code - mobile medical devices
Killed by code - mobile medical devices
 
Grc tao.4
Grc tao.4Grc tao.4
Grc tao.4
 
Data Security For Compliance 2
Data Security For Compliance 2Data Security For Compliance 2
Data Security For Compliance 2
 
Data Security For SMB - Fly first class on a budget
Data Security For SMB - Fly first class on a budgetData Security For SMB - Fly first class on a budget
Data Security For SMB - Fly first class on a budget
 
Data Security Metricsa Value Based Approach
Data Security Metricsa Value Based ApproachData Security Metricsa Value Based Approach
Data Security Metricsa Value Based Approach
 
Homeland Security - strengthening the weakest link
Homeland Security - strengthening the weakest linkHomeland Security - strengthening the weakest link
Homeland Security - strengthening the weakest link
 
Selling Data Security Technology
Selling Data Security TechnologySelling Data Security Technology
Selling Data Security Technology
 
Writing An Effective Security Procedure in 2 pages or less and make it stick
Writing An Effective Security Procedure in 2 pages or less and make it stickWriting An Effective Security Procedure in 2 pages or less and make it stick
Writing An Effective Security Procedure in 2 pages or less and make it stick
 

Recently uploaded

Machine Learning Software Engineering Patterns and Their Engineering
Machine Learning Software Engineering Patterns and Their EngineeringMachine Learning Software Engineering Patterns and Their Engineering
Machine Learning Software Engineering Patterns and Their EngineeringHironori Washizaki
 
The Role of IoT and Sensor Technology in Cargo Cloud Solutions.pptx
The Role of IoT and Sensor Technology in Cargo Cloud Solutions.pptxThe Role of IoT and Sensor Technology in Cargo Cloud Solutions.pptx
The Role of IoT and Sensor Technology in Cargo Cloud Solutions.pptxRTS corp
 
Leveraging AI for Mobile App Testing on Real Devices | Applitools + Kobiton
Leveraging AI for Mobile App Testing on Real Devices | Applitools + KobitonLeveraging AI for Mobile App Testing on Real Devices | Applitools + Kobiton
Leveraging AI for Mobile App Testing on Real Devices | Applitools + KobitonApplitools
 
2024 DevNexus Patterns for Resiliency: Shuffle shards
2024 DevNexus Patterns for Resiliency: Shuffle shards2024 DevNexus Patterns for Resiliency: Shuffle shards
2024 DevNexus Patterns for Resiliency: Shuffle shardsChristopher Curtin
 
Best Angular 17 Classroom & Online training - Naresh IT
Best Angular 17 Classroom & Online training - Naresh ITBest Angular 17 Classroom & Online training - Naresh IT
Best Angular 17 Classroom & Online training - Naresh ITmanoharjgpsolutions
 
Odoo 14 - eLearning Module In Odoo 14 Enterprise
Odoo 14 - eLearning Module In Odoo 14 EnterpriseOdoo 14 - eLearning Module In Odoo 14 Enterprise
Odoo 14 - eLearning Module In Odoo 14 Enterprisepreethippts
 
Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Confi...
Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Confi...Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Confi...
Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Confi...Angel Borroy López
 
Precise and Complete Requirements? An Elusive Goal
Precise and Complete Requirements? An Elusive GoalPrecise and Complete Requirements? An Elusive Goal
Precise and Complete Requirements? An Elusive GoalLionel Briand
 
Revolutionizing the Digital Transformation Office - Leveraging OnePlan’s AI a...
Revolutionizing the Digital Transformation Office - Leveraging OnePlan’s AI a...Revolutionizing the Digital Transformation Office - Leveraging OnePlan’s AI a...
Revolutionizing the Digital Transformation Office - Leveraging OnePlan’s AI a...OnePlan Solutions
 
Osi security architecture in network.pptx
Osi security architecture in network.pptxOsi security architecture in network.pptx
Osi security architecture in network.pptxVinzoCenzo
 
What’s New in VictoriaMetrics: Q1 2024 Updates
What’s New in VictoriaMetrics: Q1 2024 UpdatesWhat’s New in VictoriaMetrics: Q1 2024 Updates
What’s New in VictoriaMetrics: Q1 2024 UpdatesVictoriaMetrics
 
Enhancing Supply Chain Visibility with Cargo Cloud Solutions.pdf
Enhancing Supply Chain Visibility with Cargo Cloud Solutions.pdfEnhancing Supply Chain Visibility with Cargo Cloud Solutions.pdf
Enhancing Supply Chain Visibility with Cargo Cloud Solutions.pdfRTS corp
 
Post Quantum Cryptography – The Impact on Identity
Post Quantum Cryptography – The Impact on IdentityPost Quantum Cryptography – The Impact on Identity
Post Quantum Cryptography – The Impact on Identityteam-WIBU
 
Catch the Wave: SAP Event-Driven and Data Streaming for the Intelligence Ente...
Catch the Wave: SAP Event-Driven and Data Streaming for the Intelligence Ente...Catch the Wave: SAP Event-Driven and Data Streaming for the Intelligence Ente...
Catch the Wave: SAP Event-Driven and Data Streaming for the Intelligence Ente...confluent
 
A healthy diet for your Java application Devoxx France.pdf
A healthy diet for your Java application Devoxx France.pdfA healthy diet for your Java application Devoxx France.pdf
A healthy diet for your Java application Devoxx France.pdfMarharyta Nedzelska
 
OpenChain AI Study Group - Europe and Asia Recap - 2024-04-11 - Full Recording
OpenChain AI Study Group - Europe and Asia Recap - 2024-04-11 - Full RecordingOpenChain AI Study Group - Europe and Asia Recap - 2024-04-11 - Full Recording
OpenChain AI Study Group - Europe and Asia Recap - 2024-04-11 - Full RecordingShane Coughlan
 
Powering Real-Time Decisions with Continuous Data Streams
Powering Real-Time Decisions with Continuous Data StreamsPowering Real-Time Decisions with Continuous Data Streams
Powering Real-Time Decisions with Continuous Data StreamsSafe Software
 
Exploring Selenium_Appium Frameworks for Seamless Integration with HeadSpin.pdf
Exploring Selenium_Appium Frameworks for Seamless Integration with HeadSpin.pdfExploring Selenium_Appium Frameworks for Seamless Integration with HeadSpin.pdf
Exploring Selenium_Appium Frameworks for Seamless Integration with HeadSpin.pdfkalichargn70th171
 
Large Language Models for Test Case Evolution and Repair
Large Language Models for Test Case Evolution and RepairLarge Language Models for Test Case Evolution and Repair
Large Language Models for Test Case Evolution and RepairLionel Briand
 
SAM Training Session - How to use EXCEL ?
SAM Training Session - How to use EXCEL ?SAM Training Session - How to use EXCEL ?
SAM Training Session - How to use EXCEL ?Alexandre Beguel
 

Recently uploaded (20)

Machine Learning Software Engineering Patterns and Their Engineering
Machine Learning Software Engineering Patterns and Their EngineeringMachine Learning Software Engineering Patterns and Their Engineering
Machine Learning Software Engineering Patterns and Their Engineering
 
The Role of IoT and Sensor Technology in Cargo Cloud Solutions.pptx
The Role of IoT and Sensor Technology in Cargo Cloud Solutions.pptxThe Role of IoT and Sensor Technology in Cargo Cloud Solutions.pptx
The Role of IoT and Sensor Technology in Cargo Cloud Solutions.pptx
 
Leveraging AI for Mobile App Testing on Real Devices | Applitools + Kobiton
Leveraging AI for Mobile App Testing on Real Devices | Applitools + KobitonLeveraging AI for Mobile App Testing on Real Devices | Applitools + Kobiton
Leveraging AI for Mobile App Testing on Real Devices | Applitools + Kobiton
 
2024 DevNexus Patterns for Resiliency: Shuffle shards
2024 DevNexus Patterns for Resiliency: Shuffle shards2024 DevNexus Patterns for Resiliency: Shuffle shards
2024 DevNexus Patterns for Resiliency: Shuffle shards
 
Best Angular 17 Classroom & Online training - Naresh IT
Best Angular 17 Classroom & Online training - Naresh ITBest Angular 17 Classroom & Online training - Naresh IT
Best Angular 17 Classroom & Online training - Naresh IT
 
Odoo 14 - eLearning Module In Odoo 14 Enterprise
Odoo 14 - eLearning Module In Odoo 14 EnterpriseOdoo 14 - eLearning Module In Odoo 14 Enterprise
Odoo 14 - eLearning Module In Odoo 14 Enterprise
 
Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Confi...
Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Confi...Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Confi...
Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Confi...
 
Precise and Complete Requirements? An Elusive Goal
Precise and Complete Requirements? An Elusive GoalPrecise and Complete Requirements? An Elusive Goal
Precise and Complete Requirements? An Elusive Goal
 
Revolutionizing the Digital Transformation Office - Leveraging OnePlan’s AI a...
Revolutionizing the Digital Transformation Office - Leveraging OnePlan’s AI a...Revolutionizing the Digital Transformation Office - Leveraging OnePlan’s AI a...
Revolutionizing the Digital Transformation Office - Leveraging OnePlan’s AI a...
 
Osi security architecture in network.pptx
Osi security architecture in network.pptxOsi security architecture in network.pptx
Osi security architecture in network.pptx
 
What’s New in VictoriaMetrics: Q1 2024 Updates
What’s New in VictoriaMetrics: Q1 2024 UpdatesWhat’s New in VictoriaMetrics: Q1 2024 Updates
What’s New in VictoriaMetrics: Q1 2024 Updates
 
Enhancing Supply Chain Visibility with Cargo Cloud Solutions.pdf
Enhancing Supply Chain Visibility with Cargo Cloud Solutions.pdfEnhancing Supply Chain Visibility with Cargo Cloud Solutions.pdf
Enhancing Supply Chain Visibility with Cargo Cloud Solutions.pdf
 
Post Quantum Cryptography – The Impact on Identity
Post Quantum Cryptography – The Impact on IdentityPost Quantum Cryptography – The Impact on Identity
Post Quantum Cryptography – The Impact on Identity
 
Catch the Wave: SAP Event-Driven and Data Streaming for the Intelligence Ente...
Catch the Wave: SAP Event-Driven and Data Streaming for the Intelligence Ente...Catch the Wave: SAP Event-Driven and Data Streaming for the Intelligence Ente...
Catch the Wave: SAP Event-Driven and Data Streaming for the Intelligence Ente...
 
A healthy diet for your Java application Devoxx France.pdf
A healthy diet for your Java application Devoxx France.pdfA healthy diet for your Java application Devoxx France.pdf
A healthy diet for your Java application Devoxx France.pdf
 
OpenChain AI Study Group - Europe and Asia Recap - 2024-04-11 - Full Recording
OpenChain AI Study Group - Europe and Asia Recap - 2024-04-11 - Full RecordingOpenChain AI Study Group - Europe and Asia Recap - 2024-04-11 - Full Recording
OpenChain AI Study Group - Europe and Asia Recap - 2024-04-11 - Full Recording
 
Powering Real-Time Decisions with Continuous Data Streams
Powering Real-Time Decisions with Continuous Data StreamsPowering Real-Time Decisions with Continuous Data Streams
Powering Real-Time Decisions with Continuous Data Streams
 
Exploring Selenium_Appium Frameworks for Seamless Integration with HeadSpin.pdf
Exploring Selenium_Appium Frameworks for Seamless Integration with HeadSpin.pdfExploring Selenium_Appium Frameworks for Seamless Integration with HeadSpin.pdf
Exploring Selenium_Appium Frameworks for Seamless Integration with HeadSpin.pdf
 
Large Language Models for Test Case Evolution and Repair
Large Language Models for Test Case Evolution and RepairLarge Language Models for Test Case Evolution and Repair
Large Language Models for Test Case Evolution and Repair
 
SAM Training Session - How to use EXCEL ?
SAM Training Session - How to use EXCEL ?SAM Training Session - How to use EXCEL ?
SAM Training Session - How to use EXCEL ?
 

How to write secure code

8. Multi-factor authentication - I
• Something a user has and something the user knows
– Credit card plus a PIN
– Password and a pseudorandom number from a security token
• High-security systems
– Screen height, weight, facial, retinal and fingerprint checks plus a PIN plus a day code

9. Multi-factor authentication - II
• Google Authenticator - a 2-factor software token generator for iOS and Android
– Something the user has and something she knows
• Her smartphone, which holds the secret
• The one-time password (token) it displays
– Server and client code agree on the algorithm and on a shared secret key:
• The secret key is the HMAC key (the "seed") from which every one-time password is derived
• The server runs the same algorithm to verify the password
– Algorithms:
• RFC 4226 - HMAC-based one-time password http://www.ietf.org/rfc/rfc4226.txt
• RFC 6238 - Time-based one-time password http://tools.ietf.org/html/rfc6238

10. Multi-factor authentication - III
• To generate the one-time password, the client code needs the secret key, the counter and the number of digits (6 for Google Authenticator)
• The counter is the "moving factor" that makes each password different from the last; client and server both advance it after each successful authentication. A throttling parameter (maximum number of failed attempts) is also specified in RFC 4226

11. Multi-factor authentication - IV
• RFC 6238 allows any start time and time step, but Google Authenticator requires the Unix epoch and a 30 second time step
• This means the current one-time password can be computed from the secret key and the clock alone

12. Multi-factor authentication - V
• How do we put it to use?
• The IsValid routine in the article below helps with clock skew by also checking the adjacent time steps for the password
• Improves user experience, because it doesn't require the clocks to be perfectly aligned; keep the window small, since every extra step widens the window an attacker can guess into
See http://www.codeproject.com/Articles/403355/Implementing-Two-Factor-Authentication-in-ASP-NET
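The HOTP and TOTP computations described on slides 9 through 12, including the clock-skew window that slide 12 calls IsValid, as an added Python example. This is not code from the deck or from the CodeProject article it links; it uses only the standard library, and RFC_SECRET is the RFC 4226 test secret, so the printed values can be checked against the RFC's appendix.

```python
"""HOTP (RFC 4226) and TOTP (RFC 6238) with Google Authenticator's parameters.

Added example; not code from the deck or from the CodeProject article it
links. Standard library only. RFC_SECRET is the RFC 4226 appendix D test
secret; a real deployment generates a random secret per user and protects
it like a password hash database.
"""
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

DIGITS = 6        # Google Authenticator: 6 digits ...
TIME_STEP = 30    # ... and 30-second steps counted from the Unix epoch

# RFC 4226 appendix D / RFC 6238 appendix B test secret (20 ASCII bytes).
RFC_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 section 5.3: HMAC-SHA-1 over the counter, dynamic truncation, mod 10^digits."""
    moving_factor = struct.pack(">Q", counter)          # 8-byte big-endian counter
    digest = hmac.new(secret, moving_factor, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                          # low nibble of the last byte picks a window
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: Optional[int] = None, digits: int = DIGITS) -> str:
    """RFC 6238: the counter is the number of TIME_STEP intervals since the epoch."""
    now = int(time.time()) if at is None else at
    return hotp(secret, now // TIME_STEP, digits)


def totp_is_valid(secret: bytes, candidate: str, at: Optional[int] = None,
                  skew_steps: int = 1) -> bool:
    """Accept the code for the current step and skew_steps neighbours on each side.

    This is the clock-skew tolerance slide 12 calls IsValid. Keep skew_steps at 1:
    every extra step widens the window an attacker can guess into. A real server
    must also remember the last accepted step and refuse replays inside the window.
    """
    now = int(time.time()) if at is None else at
    step = now // TIME_STEP
    return any(hmac.compare_digest(hotp(secret, step + delta), candidate)
               for delta in range(-skew_steps, skew_steps + 1))


def secret_from_base32(encoded: str) -> bytes:
    """Google Authenticator shares the secret as (usually unpadded) base32 in the otpauth URI."""
    encoded = encoded.replace(" ", "").upper()
    return base64.b32decode(encoded + "=" * (-len(encoded) % 8))


if __name__ == "__main__":
    for c in range(3):
        print(f"HOTP counter={c}: {hotp(RFC_SECRET, c)}")      # 755224 287082 359152
    print("TOTP at T=59 (RFC 6238 vector):", totp(RFC_SECRET, at=59))   # 287082
    print("TOTP now:", totp(RFC_SECRET))
```

The 6-digit value at T=59 is the last six digits of the 8-digit value 94287082 in the RFC 6238 test table, because both reduce the same truncated HMAC modulo a power of ten. Note that the comparison uses hmac.compare_digest: a plain string comparison would leak how many leading digits of a guess were right.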
13. Access control - Design vulnerabilities
• As the name suggests, a software design will often have vulnerabilities because of unstated assumptions
– Ignoring where temporary files end up is a bad design decision
– Temp files are very often written into directories with world read/write permissions for convenience
• For example, log files

14. Access control - Operational vulnerabilities
• Rooted in how the code interacts with its environment
– Using FTP to transfer files
– FTP users, and anonymous FTP users, may have rights to GET or, even worse, PUT files on your machine
– FTP is problematic
• Most FTP uploads are not checked for malware
• FTP credentials are passed in clear text
• FTP servers are frequently forgotten by IT operations

15. Password policy & account handling - I
• Baked into the design and implementation
• Enforce operational security:
– Follow Microsoft server guidelines
• http://technet.microsoft.com/en-us/library/cc526440.aspx
• http://technet.microsoft.com/en-us/security/jj720323.aspx
• Strength, expiry
– Require strong passwords (AxCrl8N^)
– Expiry policy (change every 90 days); the next slide shows the cost of this, and later guidance (NIST SP 800-63B, 2017) advises against forced periodic expiry
• SSO/federated login alternatives
• Social login for customer-facing Web services

16. Password & account handling - II
• So-called strong passwords and expiration policies that force people to change frequently are the main reason for:
• Users recycling their corporate passwords on e-commerce and adult sites
– Which are frequently hacked and then exploited as a back-channel into corporate networks
• Post-its
– It's OK to write down a password, just treat it like cash!
• Credentials sharing
– January 24, 2008: Société Générale announced that a futures trader at the bank had fraudulently lost the bank €4.9BN

17. Password & account handling - III
• Password management tools
– Free, open source
• KeePass - http://keepass.info/
– Commercial, closed source
• Sticky Password Pro - http://www.stickypassword.com/
• Roboform - http://www.roboform.com/

18. Password and account handling - IV
• Database connection strings
– The credentials should not be the database root user
– They should not appear in clear text inside the code
• An attacker (or security auditor) can grep the code and pick up the credentials
– They should be read from a configuration file outside the application path that only the service account can read (or from an encrypted configuration section or a secrets store). A hash is no use here: the application needs the actual password back
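One way to enforce what slides 13 and 18 ask for, as an added Python example (not code from the deck): database credentials are read from a file outside the application path, and the loader refuses any file that other users can read or write, that is not a regular file, or that names the database superuser. The JSON layout, the file name and the list of forbidden accounts are this example's own assumptions; it assumes a POSIX file system.

```python
"""Load database credentials from a 0600 file outside the application path.

Added example, not from the seminar deck. Assumes POSIX (os.geteuid,
O_NOFOLLOW). The JSON layout {"user": ..., "password": ...} and the
FORBIDDEN_ACCOUNTS list are this example's own conventions.
"""
import json
import os
import stat
import tempfile
from typing import Tuple

FORBIDDEN_ACCOUNTS = ("root", "sa", "postgres")   # example list of superuser names


class InsecureCredentialFile(Exception):
    pass


def open_private_file(path: str):
    """Open `path` for reading only if it is a regular file, owned by us, mode 0?00.

    The checks run on the opened descriptor (fstat), not on the path, so a file
    swapped in between check and use cannot slip through; O_NOFOLLOW refuses a
    symlink planted at the path (the world-writable temp directory problem of slide 13).
    """
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)
    try:
        st = os.fstat(fd)
        if not stat.S_ISREG(st.st_mode):
            raise InsecureCredentialFile(f"{path}: not a regular file")
        if st.st_uid != os.geteuid():
            raise InsecureCredentialFile(f"{path}: owned by uid {st.st_uid}, not by this service")
        if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
            raise InsecureCredentialFile(
                f"{path}: mode {stat.S_IMODE(st.st_mode):04o} grants group/other access")
    except Exception:
        os.close(fd)
        raise
    return os.fdopen(fd, "r", encoding="utf-8")


def load_db_credentials(path: str) -> dict:
    """Return {"user", "password"} from a private JSON file; never from source code."""
    with open_private_file(path) as fh:
        creds = json.load(fh)
    for field in ("user", "password"):
        if field not in creds:
            raise ValueError(f"{path}: missing {field!r}")
    if creds["user"] in FORBIDDEN_ACCOUNTS:
        # Slide 18: the application account must not be the database superuser.
        raise ValueError(f"{path}: refusing superuser account {creds['user']!r}")
    return creds


def write_credentials(path: str, user: str, password: str) -> None:
    """Create the file with mode 0600 from the first byte (no world-readable window)."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        json.dump({"user": user, "password": password}, fh)


def demo() -> Tuple[bool, bool, bool]:
    """Constructed demo: a 0600 file loads; a 0644 copy and a root account are refused."""
    with tempfile.TemporaryDirectory() as d:
        good = os.path.join(d, "db.json")
        write_credentials(good, "app_ro", "example-password")
        loaded = load_db_credentials(good)["user"] == "app_ro"

        world_readable = os.path.join(d, "db_world_readable.json")
        write_credentials(world_readable, "app_ro", "example-password")
        os.chmod(world_readable, 0o644)
        try:
            load_db_credentials(world_readable)
            rejected_mode = False
        except InsecureCredentialFile:
            rejected_mode = True

        superuser = os.path.join(d, "db_root.json")
        write_credentials(superuser, "root", "example-password")
        try:
            load_db_credentials(superuser)
            rejected_root = False
        except ValueError:
            rejected_root = True
    return loaded, rejected_mode, rejected_root


if __name__ == "__main__":
    print(demo())   # (True, True, True)
```

The same check belongs in deployment tooling: a connection string that is correct but sits in a 0644 file is the grep-able credential slide 18 warns about, only one directory over.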
19. Agenda
• Access control
• Least privilege enforcement
• Cryptography at work
• Security attacks
• Pen testing with Metasploit

20. Principle of least privilege - I
• A particular abstraction layer
– Code, users, process, people
• must be able to access only the resources necessary for its legitimate purpose
– A key security countermeasure for limiting data loss and malicious code exploits

21. Principle of least privilege - II
• Users
– The user credentials employed in a backup script run by a job scheduler should not be able to install software

22. Principle of least privilege - III
• Code
– Code that provides UI functionality should never run as administrator (even if it is convenient…)
• Malicious code injected into it then doesn't have to elevate privilege

23. Principle of least privilege - IV
• Process and people
– People with access to sensitive data and a subset of super-user privileges should not be able to upgrade their own permissions
– Two administrators need to execute and confirm a permissions update for another administrator

24. Agenda
• Access control
• Least privilege enforcement
• Cryptography at work
• Security attacks
• Pen testing with Metasploit
25. Cryptography at work
• Confidentiality
• Non-repudiation

26. Confidentiality
• Confidentiality is the expectation that only authorized parties can view data
– For data in motion, or at rest, that is reachable over an insecure channel, encryption is required
• Encryption has a long history, dating back to ancient cultures
– 2 major classes: symmetric and asymmetric

27. Symmetric encryption
• Symmetric (or shared key) encryption refers to algorithms where all authorized parties share the same key
– Simplest and most efficient
– Major weakness: every partner holds the same shared secret
• One may generate a unique key for each relationship
– In a group of n shared-key users that is n(n-1)/2 keys
• Key management becomes unmanageable
• No means of verifying the sender of a message: any holder of the key could have produced it

28. AES - I
• AES is based on a design principle known as a substitution-permutation network
– Combining both substitution and permutation
– Fast in both software and hardware
• AES is Rijndael restricted to
– A fixed block size of 128 bits
– A key size of 128, 192 or 256 bits

30. AES - III
• Good support in all popular languages
– Crypto++: a comprehensive C++ semi-public-domain implementation of encryption and hash algorithms, FIPS validated
– .NET: System.Security.Cryptography
– Java Cryptography Extension
– PHP: mcrypt extension (deprecated in PHP 7.1 and removed in 7.2; use the openssl or sodium extensions on current PHP)
– JavaScript: https://code.google.com/p/crypto-js/ and https://github.com/digitalbazaar/forge

31. Applications of symmetric encryption
• Protecting message confidentiality
• Protecting API payloads

32. Protecting message confidentiality
The slide's PHP, corrected so that it runs: variables carry $, decrypt uses the mcrypt decryption call with a matching signature, the mode is CBC rather than ECB (ECB would leak repeated blocks of an English message), the IV is sent along with the ciphertext instead of being read from a session, and the key is loaded from configuration rather than hard-coded. load_key() stands for that configuration lookup (16 bytes for Rijndael-128); message() is the slide's own transport function and is left undefined as on the slide. mcrypt was removed in PHP 7.2; on current PHP use openssl_encrypt() with an authenticated mode, or sodium_crypto_secretbox().

    <?php
    $input = "Meet me at 21:00 for beer at JEMS, bring your friend Michal";
    message(encrypt($input, load_key()));

    function encrypt($input, $key) {
        $td = mcrypt_module_open(MCRYPT_RIJNDAEL_128, '', MCRYPT_MODE_CBC, '');
        // Fresh random IV per message; MCRYPT_RAND is not a CSPRNG.
        $iv = mcrypt_create_iv(mcrypt_enc_get_iv_size($td), MCRYPT_DEV_URANDOM);
        mcrypt_generic_init($td, $key, $iv);
        $ciphertext = mcrypt_generic($td, $input);      // mcrypt zero-pads to the block size
        mcrypt_generic_deinit($td);
        mcrypt_module_close($td);
        return $iv . $ciphertext;                       // the IV is not secret; prepend it
    }

    function decrypt($data, $key) {
        $td = mcrypt_module_open(MCRYPT_RIJNDAEL_128, '', MCRYPT_MODE_CBC, '');
        $ivSize = mcrypt_enc_get_iv_size($td);
        $iv = substr($data, 0, $ivSize);                // recover the IV sent with the message
        mcrypt_generic_init($td, $key, $iv);
        $plaintext = mdecrypt_generic($td, substr($data, $ivSize));
        mcrypt_generic_deinit($td);
        mcrypt_module_close($td);
        return rtrim($plaintext, "\0");                 // strip mcrypt's zero padding
    }
33. Protecting API payloads - I
(Figure) Your site http://apiconsumer.com/ (I) sends the request POST https://api.com/edit/data/GUID to the API provider https://api.com (II), which returns a JSON response

34. Protecting API payloads - II
• Problem
– Transport encryption doesn't prevent client-side attacks:
• URL hacking (editing the GUID in the request)
• Manipulation of payload data using "shims" in the client
• Unauthorized disclosure of the payload on the client

35. Protecting API payloads - III
• Solution
– Symmetric encryption of critical payload fields such as the GUID
• Shared secret between API consumer and provider
• The usual problems and solutions of key exchange and distribution
• Encryption alone hides the field but does not detect tampering with it; pair it with a MAC (or use an authenticated mode such as AES-GCM) so the provider can reject a modified payload

36. Asymmetric encryption
• A public and private key pair for each party
• Parties that communicate exchange public keys in advance
– A message is encrypted with the recipient's public key
• It can only be decrypted with the recipient's private key
• Simplifies key management
– Doesn't require exposing private keys
– Encryption by itself does not verify the sender; for that the sender signs with her private key (see non-repudiation below)
– Computationally intensive
– Typically used to exchange a symmetric key for the duration of a session

37. RSA encryption
• Alice works at a hospital. She needs to send Bob at the insurance company a list of records for treatment reimbursement
• Alice gets Bob's public key from the insurance company Web page
• Alice sends the file to Bob encrypted with Bob's public key
• Bob uses his private key to decrypt it

38. Alice and Bob
(Figure) From Schneier, Applied Cryptography

40. Cryptography at work
• Confidentiality
• Non-repudiation

41. Non-repudiation - I
• The maker of a statement cannot successfully challenge the validity of the statement or contract
– In the digital realm, enforced with digital signatures
– In the physical realm, enforced with notaries and stamps

42. Non-repudiation - II
(Figure caption, translated from Hebrew) The 2,500-year-old stone seal bearing the name "Temech" was found in a layer of soil in the excavation conducted by archaeologist Eilat Mazar outside the walls of the Old City, near the Dung Gate.

43. Creating RSA signature keys - I
• Generate an RSA key pair containing a modulus N that is the product of two large primes, along with integers e and d such that e·d ≡ 1 (mod φ(N)), where φ is Euler's phi function
• The signer's public key consists of N and e; the signer's secret key contains d
• To sign a message m, the signer computes σ ≡ m^d (mod N). To verify, the receiver checks that σ^e ≡ m (mod N)

44. Creating signatures - II
• The message to be signed is first hashed to produce a short digest, and the digest is what gets signed:
– Efficiency
• Hashing is faster than signing
– Compatibility
• The hash converts an arbitrary input (strings, integers, files) into the fixed-size integer the signature scheme needs
– Integrity
• Without the hash function, the text "to be signed" would have to be split into blocks small enough for the signature scheme to act on them directly
• The receiver of signed blocks cannot tell whether all the blocks are present and in the right order
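The key generation, signing and verification of slides 43 and 44 carried through in Python, as an added example that is not code from the deck: primes come from a Miller-Rabin test, d is the modular inverse of e, the message is hashed with SHA-256 before signing, and a last function shows what goes wrong without the hash (anyone can produce a "signed" message). Raw RSA over a bare digest is the textbook model the slides describe; production code uses RSA-PSS (or Ed25519) from a vetted library.

```python
"""Textbook RSA signatures as on slides 43-44: sigma = H(m)^d mod N, check sigma^e mod N.

Added example, not from the deck; standard library only. Primes are generated
here with Miller-Rabin. Hash-then-raw-RSA is a teaching model, not a production
scheme: use RSA-PSS (or Ed25519) from a vetted library in real code.
"""
import hashlib
import secrets
from typing import Tuple

SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin with random bases after trial division by small primes."""
    if n < 2:
        return False
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:                 # write n-1 = 2^s * d with d odd
        d //= 2
        s += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False              # a is a witness that n is composite
    return True


def random_prime(bits: int) -> int:
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1   # full length, odd
        if is_probable_prime(cand):
            return cand


def generate_keypair(bits: int = 2048, e: int = 65537) -> Tuple[Tuple[int, int], Tuple[int, int]]:
    """Return ((N, e), (N, d)) with e*d = 1 (mod phi(N)), phi(N) = (p-1)(q-1)."""
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:        # gcd(e, phi) == 1 because e is prime
            break
    d = pow(e, -1, phi)               # modular inverse (Python 3.8+)
    return (p * q, e), (p * q, d)


def digest_int(message: bytes) -> int:
    """Slide 44: hash first, so the thing signed is one fixed-size integer < N."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def sign(private_key: Tuple[int, int], message: bytes) -> int:
    n, d = private_key
    return pow(digest_int(message), d, n)           # sigma = H(m)^d mod N


def verify(public_key: Tuple[int, int], message: bytes, signature: int) -> bool:
    n, e = public_key
    return pow(signature, e, n) == digest_int(message) % n   # sigma^e == H(m) mod N


def forgery_without_hash(public_key: Tuple[int, int]) -> Tuple[int, int]:
    """Why the hash is not optional: pick any sigma, then m = sigma^e mod N verifies as raw RSA.

    The forger never touches d. With hashing, a forger would need a preimage of m.
    """
    n, e = public_key
    sigma = secrets.randbelow(n - 2) + 2
    return pow(sigma, e, n), sigma


if __name__ == "__main__":
    pub, priv = generate_keypair(bits=1024)
    records = b"patient 4711: 3 physiotherapy sessions, 2014-06"   # constructed sample
    sigma = sign(priv, records)
    print("valid:", verify(pub, records, sigma))                      # True
    print("tampered:", verify(pub, records + b" + 1 MRI", sigma))     # False
```

The message is Alice's reimbursement list from slide 37; signing it with her key is what lets Bob hold her to it, which encrypting it to his public key never could.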
46. Agenda
• Access control
• Least privilege enforcement
• Cryptography at work
• Security attacks
• Pen testing with Metasploit

47. Security attack types
• Interception – passive tapping
• Interruption – DoS
• Modification – active tapping / packet insertion
• Fabrication – man-in-the-middle attacks

48. Typical countermeasures
• Interception/Modification – passive tapping / active tapping
– Physical security to prevent insertion of a tap in the wiring cabinet
– Network segmentation
– Encrypt communications, including authentication credentials, so that sniffed packets are useless to an attacker. TLS (SSL) and IPsec (Internet Protocol Security) are examples
• Interruption – DDoS
– Firewall, IPS/IDS and special-purpose network appliances that detect anomalous traffic and throttle it
– Apply patches to the TCP/IP stack, for example MS13-065: https://technet.microsoft.com/en-us/library/security/ms13-065.aspx
• Fabrication – man-in-the-middle attacks
– Use authenticated, encrypted session negotiation (a well-known DICOM weakness: associations are unauthenticated and unencrypted by default)
– Use encrypted communication channels
– Patch TCP/IP stack vulnerabilities, such as predictable TCP sequence numbers

49. Kerckhoffs's principle
• A cryptosystem should be secure even if everything about the system, except the key, is public knowledge
• Independently formulated by Claude Shannon as "the enemy knows the system"
• In contrast to "security through obscurity"

50. Agenda
• Access control
• Least privilege enforcement
• Cryptography at work
• Security attacks
• Pen testing with Metasploit
51. Pen testing with Metasploit: a short introduction

52. Installation
• Download from www.metasploit.com for your platform
• Prefer 64-bit Linux
• Note that the distribution comes with its own RDBMS, PostgreSQL

53. The absolute basics
• Pre-engagement – set goals
• Intelligence gathering
– What defenses are in place?
– Expendable IP addresses
• Threat modeling
• Vulnerability analysis
• Exploitation
– Often brute force
• Post-exploitation
– What do the systems do, what are the user roles?
– IP and other sensitive data

54. Concepts
• Exploit – the code that triggers a vulnerability on the target
• Payload – code delivered by MSF to the target system once the exploit succeeds
– Reverse shell: the target connects back to the attacker and hands over a command prompt
– Bind shell: binds a command prompt to a listener on the target machine; the attacker connects in
• Shellcode – the machine code that makes up the payload, e.g. the stage that gives a Meterpreter shell
• Module – exploit, auxiliary…
• Listener – the attacker-side handler that waits for the payload to connect

55. Fundamentals
• msfcli (command-line front end; removed from the framework in 2015, use msfconsole -x instead)
• msfconsole
– search
– show exploits, show auxiliary, show options
– use scanner/smb/smb_version
– use windows/smb/ms08_067_netapi
• Databases
– Using the database
• About Meterpreter
– Meterpreter basics

56. Information gathering
• Port scanning
• Hunting for MSSQL
– search mssql
– use auxiliary/scanner/mssql/mssql_ping
– set RHOSTS 10.211.55.1/24
– exploit (run does the same for an auxiliary module)
• Brute force attack
– use scanner/mssql/mssql_login
– set PASS_FILE /pentest/exploits/….wordlist.txt

57. Vulnerability scanning
• SMB login check
• VNC authentication

58. Fuzzing
• Fuzz testing or fuzzing
– A software testing technique, automated or semi-automated
– Provides invalid, unexpected or random data to the program's inputs (files, devices, sockets)
– The process is then monitored for
• Program exceptions: crashes or failing built-in code assertions
• Potential memory leaks

59. Summary - Snowden
• You've read the article and heard the material in this talk
• What did the NSA do wrong, in your opinion?
My kind thanks to Raymond Ludwin for his comments.

Editor's Notes

  1. First, convert the counter to a byte[] (8 bytes, big-endian), which is what HMAC-SHA-1 is computed over. The counter is incremented on the client and on the server every time an authentication succeeds. The code uses the managed HMAC-SHA-1 implementation in the System.Security.Cryptography.HMACSHA1 class and computes the HMAC for the current counter value. The next part extracts a 4-byte integer from the offset given by the low nibble of the last HMAC byte (dynamic truncation), then reduces it to the number of digits required. That's it: the entire algorithm in 25 lines. RFC 4226 section 5.4 has a good example and description of what is happening.
  2. RFC 6238 defines the time-based variant of one-time password generation. It builds on the counter-based approach above and is exactly the same, except that the counter is derived from the number of time steps elapsed since the Unix epoch (Jan 1, 1970, 00:00 UTC). Technically, the RFC allows any start date and time step, but Google Authenticator requires the Unix epoch and a 30 second step. This means the current one-time password can be computed from the secret key and the current time alone.
  3. Block cipher mode: MCRYPT_MODE_ECB (electronic codebook) is only suitable for data that is short, random and fits in a single block, such as another key. There the well-known ECB weakness, that identical plaintext blocks produce identical ciphertext blocks and so patterns in the plaintext survive encryption, has nothing to act on. The multi-block English message on slide 32 is not such data; it should be encrypted in CBC mode with a fresh random IV, or better in an authenticated mode such as GCM.