Hairy/Java Security @ Codemotion Berlin 2015

Using a jhipster app as a backbone for the presentation, François Le Droff & Romain Pelisse will do a partial, but still quite relevant, security audit, including topics such as:

* securing deployment and continuous delivery;
* secrets management;
* securing the JVM;
* and, of course, identity management & authorisation with SAML & OAuth2.

All of this with the obvious agenda of making Java developers and architects aware of the security issues their application will be facing in production.

Published in: Technology

Hairy/Java Security @ Codemotion Berlin 2015

1. Hairy Security
2. @rpelisse Romain
3. @francoisledroff François
4. Security Audit?
5. Continuous Security (SEC-U.R.-IT-Y)
6. Threat Modeling
7. Identify the threats: STRIDE • Spoofing Identity • Tampering with Data • Repudiation • Information Disclosure • Denial of Service • Elevation of Privilege
8. Assess the risk: DREAD • Damage Potential • Reproducibility • Exploitability • Affected Users • Discoverability
9. Deep Dive through our sample use case
10. Our use case
11. jHipster https://jhipster.github.io/
12. Yo
13. Spring Security • Various Auth support – OAuth1 & OAuth2 – SAML – Kerberos – etc. • Role • HSTS • X-Frame-Options / XSS • CSRF Protection • Security Auditor
14. Intranet: "The only secure computer is one with no power, locked in a room, with no user." http://www.arnoldit.com/articles/10intranetSecAug2002.htm
15. Firewall: Securing? No!
16. Reverse Proxy: The big clean
17. Our Data
18. Our Data? • PII • Internal • Confidential • Restricted – Let's Encrypt!
19. Encrypt the front-end: https & SSL: good but… • the keys – must be protected, big enough – can be broken, stolen • pick the right algo – Heard of Heartbleed, bash or POODLE? • clients – Trustworthy?
20. Encrypt the back-end • Secure Mongo – Authentication – Role Based Access Control • https://github.com/jhipster/generator-jhipster/issues/733 – Audit • SSL with Mongo
21. Encrypt at rest • Application-level encryption • Storage encryption
22. Auth: Authentication & Authorization
23. Good? passwords http://xkcd.com/936/
24. https://twitter.com/francoisledroff/status/643365403545219072
25. One? password
26. 156? passwords
27. One dog
28. Secrets?
29. Two-Factor Authentication: 100% of security breaches implied stolen passwords in 2014 http://www.idtheftcenter.org/
30. http://www.wired.com/2012/08/apple-amazon-mat-honan-hacking/
31. 2FA twofactorauth.org
32. Our Solution: Avoid the password/identity business: • Be a simple service provider • Integrate with a trusted & trustworthy identity provider (IdP) – Enforcing two-factor authentication
33. SAML • SAML – a standard • Browser-based SSO • http://www.ssocircle.com
34. SAML
35. SAML & JHipster • Spring Security support • Not in JHipster – yet (#695)
36. Click?
37. + OAuth2 • OAuth v2 • Authorize data access to an API • Create a bond of trust between an application and a service provider • OAuth2 threat model: – http://tools.ietf.org/html/rfc6819
38. Other options • OAuth 1.0 • Radius • X509 auth • Combinations of the above – including Kerberos, SAML & OAuth 2.0
39. Continuous Integration & Secret Management
40. Secret Segregation https://github.com/francoisledroff/devoxx2015/search?utf8=%E2%9C%93&q=secret https://www.google.ie/search?q=%22.git%22+intitle:%22Index+of%22&gws_rd=cr,ssl&ei=hTMRVfHtONbXapDogrgG
41. Secret Segregation https://twitter.com/capotribu/status/550079317368381441 http://www.devfactor.net/2014/12/30/2375-amazon-mistake/
42. Managing Secrets https://twitter.com/jtimberman/status/568124542553423872
43. UX/Dev/QA/Ops (diagram: dev, QA, stage and prod nodes, each running chef-client and authenticating to the Chef server over https with an RSA private key) • Chef encrypted data bags • Encrypted for – admin users – whitelisted nodes • Managed by the chef-vault rubygem (Chef-vault)
44. Git + UX/Dev/QA/Ops (same diagram, with Git feeding the Chef server; a non-prod organization and a prod organization) • Org Segregation • Chef Server Security • Elasticity https://wiki.jenkins-ci.org/display/JENKINS/chef-identity+plugin
45. Securing Jenkins • Authentication – SAML is an option • Cloudbees • Automate – Short-lived https://twitter.com/morlhon/status/554899543150850048
46. Secure Dependency Management (diagram: workstation → Git/github over ssh with RSA key auth; artifact repositories for webjars, rubygems, maven and npm fed over https from github, rubygems, redhat maven, opscode and npm; Chef-server → nodes with RSA key auth)
47. In the Cloud?
49. Ready to be hacked?
50. The House is on fire • Smoke detectors – HSM – IDS • Fire doors – SELinux – SecurityManager
51. Firefighters?
52. What to take away
53. Takeaway • Security is your responsibility • Think about it, threat model • You'll never be safe – nor your data – Encrypt! • Manage your secrets • Switch 2FA / strong authentication on
54. Takeaway • UX is not an excuse for a lack of security • Security is not an excuse for a bad UX • Don't forget continuous integration • Treat your servers like cattle • Be ready to firefight
55. @francoisledroff @rpelisse Questions? Really? It was clear, wasn't it?
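Slides 40 and 41 show what "secret segregation" is meant to prevent: credentials committed to a repository and found by a simple search. The scanner below is an added example (not from the talk and not part of jhipster) of the check a pre-commit hook or CI job can run before a push: it flags pasted credentials in files such as a jhipster-style `application-prod.yml` while accepting `${ENV_VAR}` placeholders, which is what keeping the secret outside the repo looks like. The rule names, the sample files and the `app:` keys are constructed for this example; `AKIAIOSFODNN7EXAMPLE` is AWS's published example key id.

```python
import re
import sys

# Rules for a pre-commit hook or CI job. The AWS key-id shape (AKIA + 16 upper-case
# alphanumerics) is AWS's documented format; the other rules are generic shapes chosen here.
RULES = [
    ("aws-access-key-id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("private-key-block", re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----")),
    # key: value or key=value lines (yml, .properties, .env) whose key names a credential
    ("credential-assignment", re.compile(
        r"(?i)(password|passwd|secret|api[_-]?key|token)[\w.-]*\s*[:=]\s*['\"]?(?P<value>[^'\"\s#]+)")),
]
# Values meaning "injected at deploy time" or "dummy": ${ENV_VAR}, <placeholder>, changeme, numbers.
PLACEHOLDER = re.compile(r"(?i)\$\{[^}]*\}|<[^>]*>|changeme|password|x{3,}|\d+|null|none|todo")

def scan_text(path, text):
    """Return (path, line number, rule) triples; the matched value itself is never reported."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for rule, pattern in RULES:
            match = pattern.search(line)
            if match is None:
                continue
            if rule == "credential-assignment" and PLACEHOLDER.fullmatch(match.group("value")):
                continue  # segregation done right: the real value lives outside the repo
            findings.append((path, lineno, rule))
    return findings

# Constructed sample inputs (not from the slides): a jhipster-style application-prod.yml with the
# database password pasted in, the same file with an environment placeholder, and a shell profile.
BAD_YML = """\
spring:
    datasource:
        url: jdbc:mysql://localhost:3306/hairy
        username: hairy
        password: s3cr3t-Pr0d!
app:
    jwt-secret: changeme
    token-validity-in-seconds: 86400
"""
GOOD_YML = BAD_YML.replace("s3cr3t-Pr0d!", "${DB_PASSWORD}")
ENV_FILE = "export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\nexport AWS_SECRET_ACCESS_KEY=${AWS_SECRET_ACCESS_KEY}\n"

if __name__ == "__main__":  # usage: scan_secrets.py FILE...; exit status 1 blocks the commit
    paths = sys.argv[1:]
    hits = ([f for p in paths for f in scan_text(p, open(p, encoding="utf-8", errors="replace").read())]
            if paths else scan_text("application-prod.yml", BAD_YML) + scan_text(".profile", ENV_FILE))
    for path, lineno, rule in hits:
        print(f"{path}:{lineno}: {rule}")  # location and rule only: the value never lands in CI logs
    sys.exit(1 if hits else 0)
```

In a hook, feed it the staged files with `git diff --cached --name-only | xargs python scan_secrets.py`; the non-zero exit refuses the commit before the secret reaches GitHub.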
