Hairy/Java Security @ Codemotion Berlin 2015

Using a JHipster app as a backbone for the presentation, François Le Droff & Romain Pelisse will do a partial, but still quite relevant, security audit, including topics such as:
* securing deployment and continuous delivery;
* secrets management;
* securing the JVM;
* and, of course, identity management & authorisation with SAML & OAuth2.
All of this with the obvious agenda of making Java developers and architects aware of the security issues their application will be facing in production.

Published in: Technology


  1. Hairy Security
  2. @rpelisse Romain
  3. @francoisledroff François
  4. Security Audit?
  5. Continuous Security (SEC-U.R.-IT-Y)
  6. Threat Modeling
  7. Identify the threats: STRIDE
     • Spoofing Identity
     • Tampering with Data
     • Repudiation
     • Information Disclosure
     • Denial of Service
     • Elevation of Privilege
  8. Assess the risk: DREAD
     • Damage Potential
     • Reproducibility
     • Exploitability
     • Affected Users
     • Discoverability
  9. Deep dive through our sample use case
  10. Our use case
  11. jHipster https://jhipster.github.io/
  12. Yo
  13. Spring Security
     • Various Auth support
       – OAuth1 & OAuth2
       – SAML
       – Kerberos
       – etc.
     • Role
     • HSTS
     • X-Frame-Options / XSS
     • CSRF Protection
     • Security Auditor
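Slide 13 lists the response-hardening features Spring Security can switch on (HSTS, X-Frame-Options, CSRF). A security audit checks what the application actually sends once it sits behind the reverse proxy, not what the framework is configured to do. The check below is an added example in Python; it is not code from the slides, from JHipster or from Spring Security. The two sample responses are constructed, and the 180-day HSTS threshold is an assumption.

```python
"""Audit the security-relevant response headers an application (or the
reverse proxy in front of it) sends.  Added example; not code from the
slides or from JHipster/Spring Security.  The two sample responses below
are constructed, not captured from a real server."""
import re
from typing import List, Tuple

Header = Tuple[str, str]

# Minimum HSTS max-age we accept (180 days).  The threshold is an
# assumption; an HSTS entry that expires between two visits reopens the
# SSL-stripping window the header exists to close.
MIN_HSTS_MAX_AGE = 180 * 24 * 3600


def _hsts_findings(value: str) -> List[str]:
    findings = []
    match = re.search(r"max-age\s*=\s*(\d+)", value, re.I)
    if match is None:
        findings.append("HSTS present but has no max-age")
    elif int(match.group(1)) < MIN_HSTS_MAX_AGE:
        findings.append(f"HSTS max-age too short ({match.group(1)}s)")
    if "includesubdomains" not in value.lower():
        findings.append("HSTS lacks includeSubDomains")
    return findings


def _cookie_findings(set_cookie: str) -> List[str]:
    # Parse the attributes instead of substring-matching, so a cookie
    # *value* that happens to contain "secure" does not pass the check.
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
    findings = []
    for flag in ("Secure", "HttpOnly", "SameSite"):
        if flag.lower() not in attrs:
            findings.append(f"cookie {name} lacks {flag}")
    return findings


def audit_headers(headers: List[Header], https: bool = True) -> List[str]:
    """Return the list of findings for one response; an empty list is clean."""
    single = {}
    cookies = []
    for name, value in headers:        # Set-Cookie may repeat, so keep a list
        if name.lower() == "set-cookie":
            cookies.append(value)
        else:
            single[name.lower()] = value
    findings: List[str] = []

    if https:
        hsts = single.get("strict-transport-security")
        if hsts is None:
            findings.append("missing Strict-Transport-Security")
        else:
            findings += _hsts_findings(hsts)

    # Clickjacking: either X-Frame-Options or a CSP frame-ancestors directive.
    xfo = single.get("x-frame-options", "").strip().upper()
    csp = single.get("content-security-policy", "").lower()
    if xfo not in ("DENY", "SAMEORIGIN") and "frame-ancestors" not in csp:
        findings.append("no clickjacking defence (X-Frame-Options or CSP frame-ancestors)")

    if single.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("missing X-Content-Type-Options: nosniff")

    server = single.get("server", "")
    if re.search(r"\d", server):
        findings.append(f"Server header leaks a version: {server}")

    for cookie in cookies:
        findings += _cookie_findings(cookie)
    return findings


# Constructed sample: a freshly deployed app behind a plain reverse proxy.
WEAK_RESPONSE: List[Header] = [
    ("Server", "Apache/2.4.7 (Ubuntu)"),
    ("Content-Type", "text/html;charset=UTF-8"),
    ("Set-Cookie", "JSESSIONID=1A2B3C4D; Path=/"),
]

# Constructed sample: the same app with HSTS, framing and cookie flags set.
HARDENED_RESPONSE: List[Header] = [
    ("Server", "Apache"),
    ("Content-Type", "text/html;charset=UTF-8"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("X-Frame-Options", "DENY"),
    ("X-Content-Type-Options", "nosniff"),
    ("Content-Security-Policy", "default-src 'self'; frame-ancestors 'none'"),
    ("Set-Cookie", "JSESSIONID=1A2B3C4D; Path=/; Secure; HttpOnly; SameSite=Lax"),
]

if __name__ == "__main__":
    for label, response in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit_headers(response) or ["ok"])
```

Feed it the header list captured from the public endpoint, not from localhost: Spring Security only writes Strict-Transport-Security on requests it considers secure, so when TLS terminates at the reverse proxy the application sees plain HTTP and the header silently disappears unless the proxy forwards X-Forwarded-Proto (and the app honours it) or the proxy adds the header itself.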
  14. Intranet: "The only secure computer is one with no power, locked in a room, with no user." http://www.arnoldit.com/articles/10intranetSecAug2002.htm
  15. Firewall: securing? No!
  16. Reverse Proxy: the big clean
  17. Our Data
  18. Our Data?
     • PII
     • Internal
     • Confidential
     • Restricted
     Let's Encrypt!
  19. Encrypt the front-end. HTTPS & SSL/TLS: good, but…
     • the keys
       – must be
         • protected
         • big enough
       – can be
         • broken
         • stolen
     • pick the right algorithm
       – Heard of Heartbleed, Shellshock (bash) or POODLE?
     • clients
       – Trustworthy?
  20. Encrypt the back-end
     • Secure Mongo
       – Authentication
       – Role Based Access Control
         • https://github.com/jhipster/generator-jhipster/issues/733
       – Audit
     • SSL with Mongo
  21. Encrypt at rest
     • Application level encryption
     • Storage encryption
  22. Auth: Authentication & Authorization
  23. Good passwords? http://xkcd.com/936/
  24. https://twitter.com/francoisledroff/status/643365403545219072
  25. One password?
  26. 156 passwords?
  27. One dog
  28. Secrets?
  29. Two-Factor Authentication. "100% of security breaches implied stolen passwords in 2014" http://www.idtheftcenter.org/
  30. http://www.wired.com/2012/08/apple-amazon-mat-honan-hacking/
  31. 2FA: twofactorauth.org
  32. Our Solution: avoid the password/identity business
     • Be a simple service provider
     • Integrate with a trusted & trustworthy identity provider (IdP)
       – Enforcing two-factor authentication
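Slides 29 to 32 push the second factor to the identity provider, which is the right call for a service provider. To know what that IdP is actually checking (and what to demand of it), here is the TOTP scheme most authenticator apps implement, written as the verifying side. This is an added example in Python, not code from the slides, JHipster or any IdP; the shared secret is the RFC 4226/6238 test key, and the per-user replay tracking is the part naive verifiers leave out.

```python
"""Time-based one-time passwords (RFC 6238 on top of RFC 4226), as a server
would verify them.  Added example; not code from the slides or JHipster.
The shared secret used below is the RFC test vector, not a real secret."""
import base64
import hashlib
import hmac
import struct
from typing import Callable, Dict


def hotp(key: bytes, counter: int, digits: int = 6,
         algo: Callable = hashlib.sha1) -> str:
    """RFC 4226: HMAC(key, counter) -> dynamic truncation -> decimal code."""
    digest = hmac.new(key, struct.pack(">Q", counter), algo).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(key: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter derived from wall-clock time."""
    return hotp(key, unix_time // step, digits)


def decode_base32_secret(secret: str) -> bytes:
    """Secrets in otpauth:// provisioning URIs are base32 without padding."""
    cleaned = secret.replace(" ", "").upper()
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))


class TotpVerifier:
    """Accepts codes from the current time-step plus `window` steps either
    side (clock drift) and remembers the last accepted step per user, so a
    code captured in transit cannot be replayed while it is still valid."""

    def __init__(self, window: int = 1, step: int = 30, digits: int = 6):
        self.window, self.step, self.digits = window, step, digits
        self._last_counter: Dict[str, int] = {}   # user -> last accepted step

    def verify(self, user: str, key: bytes, code: str, unix_time: int) -> bool:
        counter = unix_time // self.step
        for delta in range(-self.window, self.window + 1):
            candidate = counter + delta
            if candidate <= self._last_counter.get(user, -1):
                continue            # already used, or older than one we accepted
            expected = hotp(key, candidate, self.digits)
            if hmac.compare_digest(expected, code):   # constant-time compare
                self._last_counter[user] = candidate
                return True
        return False


RFC_TEST_SECRET = b"12345678901234567890"      # RFC 4226 / RFC 6238 test key

if __name__ == "__main__":
    # RFC 6238 Appendix B vectors (8 digits, SHA-1): 94287082, 07081804, ...
    for t in (59, 1111111109, 1234567890, 2000000000):
        print(t, totp(RFC_TEST_SECRET, t, digits=8))
    verifier = TotpVerifier()
    now = 1111111109
    code = totp(RFC_TEST_SECRET, now)
    print("first use:", verifier.verify("alice", RFC_TEST_SECRET, code, now))
    print("replay:   ", verifier.verify("alice", RFC_TEST_SECRET, code, now + 5))
```

Two things this code cannot do for you: a six-digit code with a three-step window is one guess in about 333,000, so the verifier must be rate-limited per user, and the secret handed to `hotp` must itself live in the secret store (the slides' chef-vault, or the IdP's HSM), never in a config file alongside the user table.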
  33. SAML
     • SAML: a standard
     • Browser-based SSO
     • http://www.ssocircle.com
  34. SAML
  35. SAML & JHipster
     • Spring Security support
     • Not in JHipster – yet (#695)
  36. Click?
  37. + OAuth2
     • OAuth v2
     • Authorize data access to an API
     • Create a bond of trust between an application and a service provider
     • OAuth2 threat model: http://tools.ietf.org/html/rfc6819
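Slide 37 points at RFC 6819, the OAuth 2.0 threat model. Two of the threats it describes fall squarely on the client application the slides are building: CSRF against the redirect endpoint (an attacker logs the victim into the attacker's account by forging the callback) and redirect-URI manipulation (a loosely matched redirect_uri sends the authorization code to the attacker). The code below is an added example in Python showing the client-side mitigations for both; it is not code from the slides, JHipster or Spring Security, and the IdP endpoint, client id and registered redirect URI are assumptions.

```python
"""Client-side checks from the OAuth 2.0 threat model (RFC 6819) for a
service provider that delegates login to an external IdP.  Added example;
not code from the slides or JHipster.  The endpoint, client id and the
registered redirect URI below are assumptions."""
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

AUTHORIZE_ENDPOINT = "https://idp.example.com/oauth2/authorize"   # assumption
CLIENT_ID = "jhipster-demo"                                        # assumption
# Register the complete redirect URI and compare it exactly: prefix or
# wildcard matching is what lets an attacker receive the authorization code.
REGISTERED_REDIRECT_URIS = frozenset({"https://app.example.com/oauth2/callback"})


class OAuthClientError(Exception):
    pass


def start_authorization(session: dict, redirect_uri: str) -> str:
    """Build the authorization URL and bind a one-time `state` value to the
    user's session; the callback is only valid for that session."""
    if redirect_uri not in REGISTERED_REDIRECT_URIS:
        raise OAuthClientError("redirect_uri not registered")
    state = secrets.token_urlsafe(32)
    session["oauth_state"] = state
    session["oauth_redirect_uri"] = redirect_uri
    return AUTHORIZE_ENDPOINT + "?" + urlencode({
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": redirect_uri,
        "scope": "openid profile",
        "state": state,
    })


def handle_callback(session: dict, callback_url: str) -> str:
    """Validate the redirect back from the IdP and return the authorization
    code.  The stored state is consumed whether or not validation succeeds,
    so a captured callback URL cannot be replayed against the session."""
    expected_state = session.pop("oauth_state", None)
    expected_uri = session.pop("oauth_redirect_uri", None)
    if expected_state is None:
        raise OAuthClientError("no authorization in progress for this session")

    parsed = urlparse(callback_url)
    received_uri = f"{parsed.scheme}://{parsed.netloc}{parsed.path}"
    if received_uri != expected_uri:
        raise OAuthClientError("callback arrived at an unexpected URI")

    params = parse_qs(parsed.query)
    if "error" in params:
        raise OAuthClientError(f"IdP returned error: {params['error'][0]}")
    state = params.get("state", [""])[0]
    if not hmac.compare_digest(state, expected_state):
        raise OAuthClientError("state mismatch (possible CSRF)")
    codes = params.get("code", [])
    if len(codes) != 1:
        raise OAuthClientError("expected exactly one authorization code")
    return codes[0]


if __name__ == "__main__":
    session: dict = {}
    print(start_authorization(session, "https://app.example.com/oauth2/callback"))
    good = f"https://app.example.com/oauth2/callback?code=abc123&state={session['oauth_state']}"
    print("code:", handle_callback(session, good))
```

The authorization code returned here still has to be exchanged at the token endpoint over TLS with the client secret, and that secret is exactly the kind of value the later slides on secret segregation are about.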
  38. Other options
     • OAuth 1.0
     • Radius
     • X509 auth
     • Combinations of the above
       – including Kerberos, SAML & OAuth 2.0
  39. Continuous Integration & Secret Management
  40. Secret Segregation
     https://github.com/francoisledroff/devoxx2015/search?utf8=%E2%9C%93&q=secret
     https://www.google.ie/search?q=%22.git%22+intitle:%22Index+of%22&gws_rd=cr,ssl&ei=hTMRVfHtONbXapDogrgG
  41. Secret Segregation
     https://twitter.com/capotribu/status/550079317368381441
     http://www.devfactor.net/2014/12/30/2375-amazon-mistake/
  42. Managing Secrets
     https://twitter.com/jtimberman/status/568124542553423872
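Slides 40 to 42 show the failure mode (secrets searchable in a GitHub repo, `.git` directories indexed by Google, an AWS key committed and billed for). The other half of secret segregation is catching those values before they are pushed, and only accepting references to secrets (environment variables, vault items) in configuration. The scanner below is an added example in Python, not code from the slides or JHipster; its rules, the placeholder syntax it allows and the sample repository snapshot are all constructed for illustration, and the AWS key id is the example value from AWS's own documentation.

```python
"""Scan a snapshot of text files for secrets that should never have been
committed.  Added example; not the slides' or JHipster's code.  The rules
and the sample repository are constructed; the AWS key id is the example
value from AWS's documentation."""
import re
from typing import Dict, List, NamedTuple


class Finding(NamedTuple):
    path: str
    line: int
    kind: str
    excerpt: str          # redacted on purpose: a scanner must not echo secrets


# (kind, pattern).  Where the pattern has a capture group, group(1) is the
# candidate value and is checked against PLACEHOLDER below.
RULES = [
    ("aws-access-key-id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("private-key",
     re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----")),
    ("url-with-credentials",
     re.compile(r"\b[a-z][a-z0-9+.-]*://[^/\s:@]+:([^@\s/]+)@", re.I)),
    ("hardcoded-credential",
     re.compile(r"(?:password|passwd|pwd|secret|api[_-]?key|access[_-]?key|token)"
                r"\s*[:=]\s*['\"]?([^'\"\s,]+)", re.I)),
]

# A value that only *references* the secret (environment variable, template
# variable, vault lookup) is what secret segregation asks for: not a finding.
PLACEHOLDER = re.compile(
    r"^(\$\{[A-Za-z_][A-Za-z0-9_.:-]*\}|\$[A-Za-z_][A-Za-z0-9_]*|<[^>]+>|\{\{.*\}\})$")


def redact(value: str) -> str:
    return value[:4] + "..." if len(value) > 4 else "..."


def scan_text(path: str, text: str) -> List[Finding]:
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for kind, pattern in RULES:
            match = pattern.search(line)
            if match is None:
                continue
            value = match.group(1) if match.groups() else match.group(0)
            if PLACEHOLDER.match(value):
                continue
            findings.append(Finding(path, lineno, kind, redact(value)))
    return findings


def scan_repo(files: Dict[str, str]) -> List[Finding]:
    """`files` maps a path to its text content (e.g. read from a checkout)."""
    findings = []
    for path in sorted(files):
        findings += scan_text(path, files[path])
    return findings


# Constructed repository snapshot: three files that leak, one that does not.
SAMPLE_REPO = {
    "src/main/resources/config/application-prod.yml":
        "spring:\n"
        "  data:\n"
        "    mongodb:\n"
        "      uri: mongodb://app:S3cr3tPr0dPassw0rd@db.internal:27017/jhipster\n",
    ".env":
        "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
        "AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n",
    "deploy/id_rsa":
        "-----BEGIN RSA PRIVATE KEY-----\n"
        "MIIEowIBAAKCAQEAfillerNotARealKey\n"        # filler body, not a real key
        "-----END RSA PRIVATE KEY-----\n",
    # The segregated version: values come from the environment at deploy time.
    "src/main/resources/config/application-dev.yml":
        "spring:\n"
        "  data:\n"
        "    mongodb:\n"
        "      uri: ${MONGODB_URI}\n"
        "app:\n"
        "  secret: ${APP_SECRET}\n",
}

if __name__ == "__main__":
    for f in scan_repo(SAMPLE_REPO):
        print(f"{f.path}:{f.line}: {f.kind} ({f.excerpt})")
```

Run it as a pre-commit hook and in the CI job, and treat a hit on a branch that was already pushed as a rotation, not a deletion: the `.git` history search on slide 40 is exactly how the value gets found after the commit that "removed" it.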
  43. UX/Dev/QA/Ops (diagram: dev, QA, stage and prod nodes each run chef-client and talk to the Chef server over https with RSA private key authentication)
     • Chef encrypted data bags
       – Encrypted for
         • admin users
         • whitelisted nodes
       – Managed by the chef-vault ruby gem
  44. Git (diagram: the same setup, with a non-prod organization and a prod organization on the Chef server)
     • Org Segregation
     • Chef Server Security
     • Elasticity
     https://wiki.jenkins-ci.org/display/JENKINS/chef-identity+plugin
  45. Securing Jenkins
     • Authentication
       – SAML is an option
     • Cloudbees
     • Automate
       – Short-lived
     https://twitter.com/morlhon/status/554899543150850048
  46. Secure Dependency Management (diagram: the workstation pulls from Git/github over ssh with RSA key authentication and from artifact repositories (webjar, rubygem, maven, redhat maven, npm, opscode) over https; the Chef server pushes to nodes with RSA key authentication)
  47. In the Cloud?
  49. Ready to be hacked?
  50. The house is on fire
     • Smoke detectors
       – HSM
       – IDS
     • Fire doors
       – SELinux
       – SecurityManager
  51. Firefighters?
  52. What to take away
  53. Takeaway
     • Security is your responsibility
     • Think about it: threat model
     • You'll never be safe
       – nor your data
       – Encrypt!
     • Manage your secrets
     • Switch 2FA / strong authentication on
  54. Takeaway
     • UX is not an excuse for a lack of security
     • Security is not an excuse for a bad UX
     • Don't forget continuous integration
     • Treat your servers like cattle
     • Be ready to firefight
  55. @francoisledroff @rpelisse Questions? Really? It was clear, wasn't it?
