Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

From 0 to 0xdeadbeef - security mistakes that will haunt your startup

3,068 views

Published on

Every company has to deal with the topic of security. Depending on the product/service, security might be more or less important, but it doesn’t matter if the product is moving money or sending disappearing pictures, if the company grows, it will have to deal with security sooner or later.
Unfortunately, not all security mistakes are created equal.

This talk will go over some security mistakes are several orders of magnitude harder to fix later in the lifecycle of a company, helping people prioritize their decisions when trying to keep the fine balance between security and product.

Published in: Technology
  • Dating for everyone is here: ❶❶❶ http://bit.ly/369VOVb ❶❶❶
       Reply 
    Are you sure you want to  Yes  No
    Your message goes here
  • Follow the link, new dating source: ♥♥♥ http://bit.ly/369VOVb ♥♥♥
       Reply 
    Are you sure you want to  Yes  No
    Your message goes here
  • Can you make this downloadable? SlideShare says I can't download it
       Reply 
    Are you sure you want to  Yes  No
    Your message goes here

From 0 to 0xdeadbeef - security mistakes that will haunt your startup

  1. 1. From 0 to 0xDEADBEEF: The security mistakes that will haunt your startup @diogomonica
  2. 2. Agenda List of mistakes that are painful to remediate ‣TLS ‣Web Security ‣Passwords ‣Infrastructure ‣Corporate Environment Not an exhaustive list
  3. 3. Target audience ‣Companies just starting up or in their initial growth phase ‣Every company will hit these issues at some point
  4. 4. Real Security Engineers Ship
  5. 5. TLS Mistakes
  6. 6. Not having TLS from day 1 ‣There is no reason to have HTTP endpoints •Most TLS performance issues are a myth ‣One HTTP link compromises the security of your whole application (sslstrip) https://github.com/diogomonica/py-cookieJsInjection
  7. 7. SSLv3 enabled ‣There are essentially no legitimate clients without TLS support •No, IE6 on SP2 is not a legitimate client ‣A lot of pressure from PCI Council to be strict about disabling SSLv3 [ insert favorite POODLE link here ]
  8. 8. Crappy certificates ‣Choose a good issuer •If you have an app you will be pinning to it ‣Make sure you are not using MD5 or SHA1 for the signature https://github.com/diogomonica/gocert
  9. 9. Lack of security headers ‣Even if you are 100% https, the first connection is still vulnerable •The HSTS header fixes that ‣Tons of important headers. Start every application by using Twitter’s Secure headers gem/list. https://github.com/twitter/secureheaders
  10. 10. Not keeping up to date w/ attacks https://www.ssllabs.com/ssltest/
  11. 11. Web Security Mistakes
  12. 12. Everything under the same domain ‣Use a completely different domain for all trusted activity •Example: trustedsite.com VS usercontentsite.com ‣Host all of your static files from a different domain •Scopes the TLS certificates you will have to give to CDNs ‣Host all javascript from yet another different domain •Allows you to set CSP policies on where Javascript is loaded
  13. 13. Cookie scoping as an afterthought ‣The site blog.diogomonica.com can set cookies with scope diogomonica.com •Cookie Stealing •Cookie Eviction •Session Fixation ‣Make sure you only use Secure and HttpOnly cookies http://bit.ly/18fet3L
  14. 14. Not enabling CSP in reporting mode ‣The objective is to eventually enable CSP in enforce mode •Helps track the addition of in-line and foreign Javascript •On that note: host all of your Javascript http://mzl.la/1B3GPZT
  15. 15. Internal admin dashboard as part of the same app ‣Applications usually start off by having admin dashboard built-in •Accessible from the Internet ‣If something is supposed to be internal, make sure you: •Make it internal only from day 1 •Deploy it on a different host/vm/container •Don’t use origin IP for authorization (Header injection issues)
  16. 16. Logging blacklists ‣Logging should work in a white-list model ‣Very easy to end up with PII or other sensitive information in logs •Good luck getting it out of hadoop •Good luck getting it out of Splunk •Good luck cleaning all of your backups
  17. 17. Password Mistakes
  18. 18. Checking-in secrets ‣Build a secret-distribution story early •People commit AWS credentials to github repositories all the time ‣Check for leaked keys daily (gitrob) https://github.com/michenriksen/gitrob
  19. 19. Sharing passwords around ‣Laptops get stolen/lost all the time •Full-disk encryption won’t save you against DMA Attacks •Laptop compromise means all credentials get leaked ‣Use centralized secret storage applications instead (e.g. Bitium, Onelogin) •Enable multi-factor authentication to access
  20. 20. Hashing passwords ‣Use bcrypt ‣Use bcrypt ‣Use bcrypt http://codahale.com/how-to-safely-store-a-password/
  21. 21. Infrastructure Mistakes
  22. 22. Not making your application deployment nimble ‣Run all your applications in containers* •Allows you to update the underlying Operating System easily ‣Use SELinux: helps with some classes of application-level vulnerabilities https://www.docker.com/ *I’m obviously very biased on this subject
  23. 23. Production access without 2FA ‣Create choke-points for production access •SSH access should require TOTP token through a Bastion host •Internal dashboard access should go through a 2FA SSO SSH Bastion Host Datacenter Front-end Server Back-end Server Corporate Network SSO Portal Internal Dashboard
  24. 24. Trust from the corporate network ‣Corporate network should have no trust relations with production (or minimal trust) SSH Bastion Host Datacenter Front-end Server Back-end Server Internet SSO Portal Internal Dashboard
  25. 25. No centralized logging ‣Create a new service/application check-list for with two items: •Enable centralized logging •Ensure NTP is being synced ‣Are you using AWS? Go enable Cloudtrail now! •Seriously, do it now, I’ll wait. http://aws.amazon.com/cloudtrail/
  26. 26. Not having root use as an alertable event ‣#people with the root password should be < #fingers in your hand ‣Log all uses of sudo -s ; sudo -i ; su - ; su root ; etc •These should not be common events http://knowyourmeme.com/memes/sad-panda
  27. 27. HTTP for your S2S communication ‣All S2S communication should be HTTPS Datacenter Front-end Server Back-end Server Application Server
  28. 28. Corporate Environment Mistakes
  29. 29. Not having a self- service check-list ‣Create a self-service security check-list with the following items: •Download, install and set Chrome as the default browser •Install the Adblock extension •Java must be disabled •Flash must be set as click to play •Full-disk encryption is mandatory •Enroll the laptop in Find my Mac •Passwords are generated and stored in 1Password
  30. 30. Summary ‣There are security issues that every company will eventually have to deal with ‣Some mistakes will be a lot more costly than others ‣Bring in someone in whose job is to worry about Security early on •Remember: real security engineers ship!
  31. 31. Q&A @diogomonica

×