
Is your ruby application secure? Montreal.rb - 2015-12-15


In today’s world, it's easier than ever to innovate and create great web applications. You release often, but let’s be honest, if you're like most developers out there, you don't spend your days worrying about security. You know it’s important, but you aren’t security savvy. So ask yourself, is your Ruby application secure? Come learn some of the different ways a hacker (cracker) can attack your code, and some of the best practices out there. In the end, your security is your users’ security.



  1. Is your Ruby application secure? Frédéric Harper (@fharper), Sr. Technical Evangelist @ IMMUNIO, http://immun.io. Montreal.rb – 2015-12-15. Creative Commons: https://flic.kr/p/jtwBJU
  2. is security important? Creative Commons: https://flic.kr/p/s8hvJo
  3. do you have time? Creative Commons: https://flic.kr/p/b7wRTX
  4. do you have the expertise? Creative Commons: https://flic.kr/p/n7qDvJ
  5. do you have the money? Creative Commons: https://flic.kr/p/rAG5dm
  6. is your app that secure? Creative Commons: https://flic.kr/p/bY6uU7
  7. what about legacy apps? Creative Commons: https://flic.kr/p/7fFQug
  8. it’s probably happening, now. Creative Commons: https://flic.kr/p/acnkbU
  9. ...
  10. I succeed if… Creative Commons: https://flic.kr/p/ehZRGj
  11. warning. Creative Commons: https://flic.kr/p/oosB
  12. mess with the best die like the rest
  13. railsgoat: OWASP/railsgoat
  14. SQL Injection (SQLi): SQL injection vulnerabilities allow attackers to modify the structure of SQL queries in ways that allow for data exfiltration or manipulation of existing data.
  15. no password required. Creative Commons: https://flic.kr/p/62a8aT
  16. proxy interception. Creative Commons: https://flic.kr/p/62a8aT
  17. Cross-Site Scripting: Cross-Site Scripting (XSS) vulnerabilities allow attackers to run arbitrary code on your pages in your customers' browsers.
      • Hijack of legitimate user sessions
      • Disclosure of sensitive information
      • Access to privileged services and functionality
      • Delivery of malware and browser exploits from our trusted domain
  18. what’s your name? Creative Commons: https://flic.kr/p/62a8aT
  19. Remote Command Execution: Remote Command Execution vulnerabilities allow attackers to run arbitrary code on your servers. There are two classes of Remote Command Execution:
      1. Shell Command Execution
      2. Eval Execution
  20. Attack types detected:
      • Brute force
      • Common username
      • Cookie tampering
      • CSRF tampering
      • Excessive 4XX & 5XX
      • HTTP method tampering
      • HTTP response splitting
      • Redirect
      • Session farming
      • Session hijack
      • Stolen account
      • Shellshock
      • Suspicious Exception
      • Suspicious HTTP header
      • Unauthorized file access
      • Username hijack
      • …
  21. follow the white rabbit
  22. anything from users is unsafe. Creative Commons: https://flic.kr/p/m2BKPn
  23. no strings attached
      ```ruby
      # unsafe: user input is interpolated straight into the SQL string
      Project.where("login='#{params[:name]}' AND password='#{params[:password]}'").first
      # safe - array or hash w/ ActiveRecord (values are passed as bind parameters)
      Project.where("login = ? AND password = ?", name, password).first
      Project.where(login: name, password: password).first
      ```
  24. Object Relational Mapper: jeremyevans/sequel, rom-rb/rom, jgaskins/perpetuity
  25. whitelist: rgrove/sanitize
      ```ruby
      require "sanitize"  # gem: rgrove/sanitize

      # Clean up an HTML fragment & CSS in <style> elements or style attributes
      html = '<b><script>alert("Most terrible XSS ever")</script></b>'
      Sanitize.fragment(html, Sanitize::Config::RELAXED)
      # => '<b>alert("Most terrible XSS ever")</b>'

      html = '<b><a href="http://foo.com/">foo</a></b><img src="bar.jpg">'
      Sanitize.fragment(html)
      # => 'foo'
      ```
  26. other sanitization libraries: flavorjones/loofah, rubyworks/htmlfilter
  27. audit your gems: rubysec/bundler-audit, using rubysec/ruby-advisory-db
  28. bundle-audit. Creative Commons: https://flic.kr/p/62a8aT
  29. other audit tools
  30. trust… or not
      Developers
      • Use a cryptographically slow hash function (bcrypt & PBKDF2) to store passwords
      • Avoid eval() & friends
      • Stored procedures if possible
      • Up-to-date frameworks & libraries
      Devops
      • HTTPS
      • Web Application Firewall (WAF)
      • Intrusion prevention systems (IPS)
      • Up-to-date platform & infrastructure
  31. learn how
  32. inform yourself
  33. OWASP XSS Cheat Sheet
  34. static code analysis
      Strengths
      • Scales well
      • Finds issues like buffer overflows and SQL injection flaws with high confidence
      Weaknesses
      • Many types of security vulnerabilities are very difficult to find automatically, such as authentication problems, access control issues, insecure use of cryptography, etc.
      • High numbers of false positives.
      • Frequently can't find configuration issues, since they are not represented in the code.
      • Difficulty analyzing code that can't be compiled (code that depends on external libraries, for example).
  35. brakeman. Creative Commons: https://flic.kr/p/62a8aT
  36. other static code analysis: thesp0nge/dawnscanner
  37. RASP: Runtime application self-protection (RASP) is a security technology that is built or linked into an application or application runtime environment, and is capable of controlling application execution and detecting and preventing real-time attacks.
  38. immunio. Creative Commons: https://flic.kr/p/62a8aT
  39. to infinity... and beyond! Creative Commons: https://flic.kr/p/8Z1Cxm
  40. thanks but no thanks
  41. stop. Creative Commons: https://flic.kr/p/gpVdD
  42. I’m serious! Creative Commons: https://flic.kr/p/9CG51N
  43. plan for it. Creative Commons: https://flic.kr/p/5bn2nD
  44. now. Creative Commons: https://flic.kr/p/fA6vnM
  45. nothing is 100% bulletproof. Creative Commons: https://flic.kr/p/hpE97
  46. www
      • IMMUNIO – Real-time web application security - https://www.immun.io/
      • OWASP Ruby on Rails Cheat Sheet - http://j.mp/1Osv95f
      • Bobby Tables: A guide to preventing SQL injection - http://bobby-tables.com/
      • XSS Filter Evasion Cheat Sheet - http://j.mp/1Q97hsW
      • Brakeman - http://brakemanscanner.org/
      • CVE (Common Vulnerabilities and Exposures) Details Ruby on Rails - http://j.mp/1OsguHn
      • Ruby Security - https://www.ruby-lang.org/en/security/
      • Rails SQL Injection - http://rails-sqli.org/
  47. Frédéric Harper, fharper@immun.io, @fharper, http://outofcomfortzone.net, http://immun.io
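Slide 14 says an injection "modifies the structure" of the query and slide 23 shows the unsafe interpolation beside ActiveRecord's bind parameters. The following added example (not from the talk) makes that structural change visible with a tiny scanner that lists SQL keywords found outside string literals; the table and column names, the `''` quoting rule and the function names are assumptions for the demo, and real code should use the bind-parameter forms from slide 23 rather than hand quoting.

```ruby
require "strscan"

# Keywords we care about; anything else outside a literal is ignored.
KEYWORDS = %w[SELECT FROM WHERE AND OR UNION].freeze

# Return the keywords that appear *outside* single-quoted literals.
# Standard SQL escapes a quote inside a literal by doubling it ('').
# This is a demo-only scanner, not a real SQL parser.
def keywords_outside_literals(sql)
  scanner = StringScanner.new(sql)
  found = []
  until scanner.eos?
    if scanner.scan(/'(?:[^']|'')*'/)          # skip a whole string literal
      next
    elsif (word = scanner.scan(/[A-Za-z_]+/))
      found << word.upcase if KEYWORDS.include?(word.upcase)
    else
      scanner.getch                            # punctuation or whitespace
    end
  end
  found
end

# Slide 23's unsafe pattern: raw interpolation of user input.
def unsafe_query(name, password)
  "SELECT * FROM projects WHERE login='#{name}' AND password='#{password}'"
end

# Standard SQL literal quoting: wrap in quotes, double any embedded quote.
def quote(value)
  "'" + value.to_s.gsub("'", "''") + "'"
end

def quoted_query(name, password)
  "SELECT * FROM projects WHERE login=#{quote(name)} AND password=#{quote(password)}"
end

if __FILE__ == $PROGRAM_NAME
  name = "' OR '1'='1"   # constructed hostile input
  p keywords_outside_literals(unsafe_query(name, "x"))  # an extra OR joins the WHERE clause
  p keywords_outside_literals(quoted_query(name, "x"))  # the input stays inside one literal
end
```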
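Slide 19 names two classes of Remote Command Execution, shell command execution and eval execution. This added example (mine, not the speaker's) puts each beside the habit that avoids it: passing argv as separate arguments so no shell parses the input, and strict `Integer()` parsing instead of `eval`. The child process is Ruby itself (`RbConfig.ruby`) so the demo is portable; the function names are assumptions.

```ruby
require "open3"
require "rbconfig"

# Shell Command Execution. Building one string and handing it to
# system/backticks sends it through /bin/sh, where ";", "|" and "$(...)"
# inside `arg` become shell syntax. Built here only for contrast.
def shell_string_for(arg)
  "#{RbConfig.ruby} -e 'print ARGV[0]' #{arg}"
end

# Safe form: argv elements are separate arguments to capture2, so no
# shell is involved and the argument reaches the child verbatim.
def run_without_shell(arg)
  out, status = Open3.capture2(RbConfig.ruby, "-e", "print ARGV[0]", arg)
  status.success? ? out : nil
end

# Eval Execution. `eval(params[:count])` would run arbitrary Ruby. When a
# number is all you need, Integer() with an explicit base parses strictly
# and rejects anything that is not a decimal integer literal.
def parse_count(input)
  Integer(input, 10)
rescue ArgumentError, TypeError
  nil
end

if __FILE__ == $PROGRAM_NAME
  hostile = "42; echo injected"   # constructed input carrying a shell metacharacter
  puts shell_string_for(hostile)   # a shell would split this on ";"
  puts run_without_shell(hostile)  # the child sees the whole string as one argument
  p parse_count("42"), parse_count(hostile)
end
```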
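Slide 30 tells developers to store passwords with a cryptographically slow hash such as bcrypt or PBKDF2. This added example (not from the talk) does it with PBKDF2-HMAC-SHA256 from Ruby's standard library, since bcrypt needs an extra gem; the stored record format `pbkdf2-sha256$iterations$salt$hash`, the default iteration count and the function names are choices made for this demo.

```ruby
require "openssl"
require "securerandom"

DEFAULT_ITERATIONS = 100_000   # demo value; tune to your hardware budget
KEY_LENGTH = 32

def derive(password, salt, iterations)
  OpenSSL::KDF.pbkdf2_hmac(password, salt: salt, iterations: iterations,
                           length: KEY_LENGTH, hash: "sha256")
end

# Returns the record to store. A fresh random salt per password means two
# users with the same password get different records.
def hash_password(password, iterations: DEFAULT_ITERATIONS)
  salt = SecureRandom.random_bytes(16)
  key = derive(password, salt, iterations)
  ["pbkdf2-sha256", iterations, salt.unpack1("H*"), key.unpack1("H*")].join("$")
end

# Re-derives with the stored salt and iteration count, then compares in
# constant time so timing does not leak how many leading bytes matched.
def verify_password(record, candidate)
  algo, iterations, salt_hex, key_hex = record.split("$")
  return false unless algo == "pbkdf2-sha256" && key_hex
  salt = [salt_hex].pack("H*")
  expected = [key_hex].pack("H*")
  constant_time_equal?(expected, derive(candidate, salt, iterations.to_i))
end

def constant_time_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

if __FILE__ == $PROGRAM_NAME
  record = hash_password("correct horse battery staple")
  puts record
  p verify_password(record, "correct horse battery staple")
  p verify_password(record, "Tr0ub4dor&3")
end
```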
