
Let's sleep better: programming techniques to face new security attacks in cloud



  1. @gpaterno Giuseppe “Gippa” Paternò – Let's sleep better: programming techniques to face new security attacks
  2. DevOps
  3. Bots are awesome! “Resistance is futile” – NSA & GCHQ
  4. So, what shall I do?
  5. Input Validation
  6. Use your framework! (examples in Python)
  7. Injection flaws
  8. Input validation with a Django form:

      from django import forms

      class Person(forms.Form):
          # max_length bounds every field; EmailField also checks the address syntax
          username = forms.CharField(max_length=50)
          name = forms.CharField(max_length=50)
          surname = forms.CharField(max_length=50)
          email = forms.EmailField(max_length=50, label='E-mail')

      # in a view (function name is illustrative): bind the submitted data and
      # only touch it through cleaned_data after is_valid() succeeded
      def profile(request):
          form = Person(request.POST)
          if form.is_valid():
              request.session['name'] = form.cleaned_data['name']
              request.session['surname'] = form.cleaned_data['surname']
  9. Cross Site Scripting (XSS)
  10. Bad

      from django.http import HttpResponse

      def say_hello(request):
          name = request.GET.get('name', 'world')
          # user input is pasted straight into the HTML: reflected XSS
          return HttpResponse('<h1>Hello, %s!</h1>' % name)

      Good

      from django.shortcuts import render

      def say_hello(request):
          name = request.GET.get('name', 'world')
          # the template engine auto-escapes {{ name }}
          return render(request, 'hello.html', {'name': name})

      # hello.html
      <h1>Hello, {{ name }}!</h1>
  11. Insecure Direct Object Reference
  12. Bad

      import os

      def dump_file(request):
          filename = request.GET["filename"]
          # a filename containing '../' escapes BASE_PATH: path traversal
          filename = os.path.join(BASE_PATH, filename)
          content = open(filename).read()

      Good (the path normalisation used by django.views.static.serve)

      import os
      import posixpath
      import urllib

      path = posixpath.normpath(urllib.unquote(path))
      newpath = ''
      for part in path.split('/'):
          if not part:
              # strip empty path components
              continue
          drive, part = os.path.splitdrive(part)
          head, part = os.path.split(part)
          if part in (os.curdir, os.pardir):
              # strip '.' and '..' so the result cannot leave the base directory
              continue
          newpath = os.path.join(newpath, part).replace('\\', '/')
  13. Cross Site Request Forgery (CSRF)
  14. Middleware

      MIDDLEWARE_CLASSES = (
          'django.middleware.csrf.CsrfViewMiddleware',
      )

      In Template

      <form method="POST" action="{% url 'my_view' %}">
          {% csrf_token %}
          {{ form.as_p }}
          <button class="btn btn-primary" type="submit">Submit</button>
      </form>
  15. Unvalidated redirects and forwards
  16. … if you can’t use your framework …
      • Escape user input
      • White list
      • Stored procedures
      • Parametrised queries
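Added example (not from the deck): the same lookup written with string formatting, with a parametrised query, and behind a whitelist, run against a small constructed SQLite table so the difference is visible on a crafted input.

```python
import sqlite3

# Constructed in-memory table standing in for an application's user store
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
conn.executemany("INSERT INTO users VALUES (?, ?)",
                 [("alice", "alice@example.org"), ("bob", "bob@example.org")])


def lookup_vulnerable(username):
    """String formatting: the input becomes part of the SQL text."""
    query = "SELECT email FROM users WHERE username = '%s'" % username
    return [row[0] for row in conn.execute(query)]


def lookup_parametrised(username):
    """Placeholder binding: the driver passes the value as data, never as SQL."""
    query = "SELECT email FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(query, (username,))]


def lookup_whitelisted(username):
    """Whitelist first: reject anything outside the expected character set,
    then still bind the value as a parameter (defence in depth)."""
    if not username.isalnum() or len(username) > 50:
        raise ValueError("username contains unexpected characters")
    return lookup_parametrised(username)
```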
  17. Authentication & Authorization
  18. • 10 million victims of identity theft in the USA in 2008 (Javelin Strategy and Research, 2009)
      • $221 billion lost every year due to identity theft (Aberdeen Group)
      • 35 billion corporate and government records compromised in 2010 (Aberdeen Group)
      • 2 years of a working resource to correct damages due to identity theft (ITRC Aftermath Study, 2004)
      • $2 billion in damages reported in Italy in 2009 (Ricerca ABI)
  19. Are you the next one?
  20. Broken authentication
  21. Missing function-level access control
  22. Rely on a proven authentication backend!
  23. Use 2-factor authentication
  24. Authorise every single request (is he/she entitled to perform the request?)
  25. Underlying platform
  26. Security misconfiguration
  27. Sensitive data exposure
  28. Using software with known vulnerabilities (aka patching!)
  29. Use automation tools (Puppet, Chef, Ansible, …)
  30. … don’t be selfish: audit yourself :)
  31. Remote APIs
  32. Input Validation … just in case you forgot ;-)
  33. Assign class/capabilities to API endpoint
  34. Capabilities come from the application's record, never from the request:

      # look up the calling application by its ID and secret;
      # [0] raises IndexError when there is no match, i.e. the call is rejected
      app = Applications.objects.filter(uuid=app_id, secret=app_secret)[0]
      can_delete = app.can_delete
      can_write = app.can_write
      privacy = app.privacy
  35. Restrict source IP/Network access
  36. Source network check with the ipaddress module:

      import ipaddress

      is_authorized = False
      try:
          # IPv4
          if ipaddress.ip_address(remote_address).version == 4:
              if ipaddress.IPv4Address(remote_address) in ipaddress.IPv4Network(app.ipv4_net):
                  is_authorized = True
          # IPv6
          else:
              if ipaddress.IPv6Address(remote_address) in ipaddress.IPv6Network(app.ipv6_net):
                  is_authorized = True
      except ValueError:
          # malformed address or network definition: deny
          is_authorized = False
  37. APIs request throttling (aka DDoS prevention)
  38. Throttling with django-ratelimit:

      from django.http import HttpResponse
      from ratelimit.decorators import ratelimit

      @ratelimit(key='ip')                # no rate given: the library default applies
      def myview(request):
          # ...
          return HttpResponse('ok')

      @ratelimit(key='ip', rate='100/h')  # at most 100 requests per hour per client IP
      def secondview(request):
          # ...
          return HttpResponse('ok')
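Added example (not part of the deck, and not django-ratelimit's code): a small in-process throttle that reads the same "count/unit" rate strings as the decorator above, keyed by client IP, plus the client-address selection a throttle behind a reverse proxy needs. Names such as IpThrottle and client_ip are hypothetical.

```python
import time
from collections import defaultdict

# Rate strings in the decorator's form: "<count>/<unit>"
_UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400}


def parse_rate(rate):
    """'100/h' -> (100, 3600): at most 100 requests per 3600-second window."""
    count, unit = rate.split("/")
    return int(count), _UNIT_SECONDS[unit]


class IpThrottle:
    """Sliding-window counter keyed by client IP (hypothetical, in-memory)."""

    def __init__(self, rate):
        self.limit, self.window = parse_rate(rate)
        self.hits = defaultdict(list)   # ip -> timestamps of recent hits

    def allow(self, ip, now=None):
        now = time.time() if now is None else now
        window_start = now - self.window
        # keep only the hits that still fall inside the window
        recent = [t for t in self.hits[ip] if t > window_start]
        self.hits[ip] = recent
        if len(recent) >= self.limit:
            return False            # over limit: the view should answer 429
        recent.append(now)
        return True


def client_ip(meta, trusted_proxies=frozenset()):
    """Pick the address to throttle on. X-Forwarded-For is honoured only when
    the direct peer is a proxy we operate; otherwise the header is client-supplied
    and keying on it would let every caller choose its own bucket."""
    peer = meta["REMOTE_ADDR"]
    xff = meta.get("HTTP_X_FORWARDED_FOR", "")
    if peer in trusted_proxies and xff:
        # the right-most entry is the one our own proxy appended
        return xff.split(",")[-1].strip()
    return peer
```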
  39. Do not expose information in URLs (proxies are logging!!!)
  40. Encrypt transport and payload
  41. I hate it ….. but …. OAuth2
  42. Example: SecurePass APIs
      • RESTful APIs
      • mixture of POST (in request) and JSON (in response)
      • Channel encrypted with TLS, high-strength ciphers only
      • Endpoint identified by APP ID and APP Secret
      • Example: /api/v1/users/info
      API limits:
      • in capabilities, APP ID is read-only or read-write
      • in network, APP ID can be limited to a given IPv4/IPv6 range
      • in scope, APP ID is linked to only a specific realm/domain
  43. For the brave: Mandatory Access Control
      • Isolate API endpoint processes from each other and from other processes on the machine.
      • Use Mandatory Access Control (MAC) on top of Discretionary Access Control to segregate processes, e.g. SELinux.
      • Objective: containment of API endpoint security breaches, and early escalation when one occurs.
      • MAC at the OS level severely limits access to resources and provides earlier alerting on such events.
  44. Mobile Applications
  45. Device flow for mobile clients:
      • Authenticate user (2FA a must)
      • Request device ID from backend
      • Keep track of device info (OS, name, …)
      • Generate unique ID for the mobile
      • Use device ID for every request
      • Update last device ID timestamp
      • Re-challenge user auth if not used
      • Allow device deletion (lost/stolen)
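Added example (not from the deck) of a backend-side registry implementing the eight steps above: an unguessable device ID is minted after the user authenticated, every request refreshes the last-seen timestamp, a dormant device forces re-authentication, and a revoked device is denied. DeviceRegistry, the 30-day dormancy policy and the integer epoch timestamps are assumptions; a real backend would persist records and hash the IDs at rest.

```python
import secrets

REAUTH_AFTER = 30 * 24 * 3600   # assumed policy: re-challenge after 30 days unused


class DeviceRegistry:
    """In-memory backend for the mobile device flow (hypothetical)."""

    def __init__(self):
        self.devices = {}   # device_id -> record

    def register(self, user, os_name, device_name, now):
        """Called only after the user passed 2FA: mint a random, unguessable ID."""
        device_id = secrets.token_urlsafe(32)
        self.devices[device_id] = {"user": user, "os": os_name, "name": device_name,
                                   "last_seen": now, "active": True}
        return device_id

    def check_request(self, device_id, now):
        """Outcome for a request presenting device_id: 'ok', 'reauth' or 'deny'."""
        rec = self.devices.get(device_id)
        if rec is None or not rec["active"]:
            return "deny"              # unknown or deleted device
        if now - rec["last_seen"] > REAUTH_AFTER:
            return "reauth"            # dormant: challenge the user again
        rec["last_seen"] = now         # update last device ID timestamp
        return "ok"

    def reauthenticated(self, device_id, now):
        """After a successful re-challenge the device is live again."""
        self.devices[device_id]["last_seen"] = now

    def revoke(self, device_id):
        """Lost/stolen device: every later request with this ID is denied."""
        if device_id in self.devices:
            self.devices[device_id]["active"] = False

    def devices_for(self, user):
        """Active devices a user can review and delete from the app."""
        return [d for d, r in self.devices.items() if r["user"] == user and r["active"]]
```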
  46. Continuous Security / Continuous Integration
  47. Build → Functional tests → Static security tests → Create template → Deploy template → Automated VA
  48. Static code analysers
      • http://samate.nist.gov/index.php/Source_Code_Security_Analyzers.html
      • http://en.wikipedia.org/wiki/List_of_tools_for_static_code_analysis
      • https://github.com/google/firing-range
  49. Cloud Identity Management, Two Factor Authentication, Web Single Sign-On, few minutes to integrate: www.secure-pass.net (free account available). Remote audit of the service, compliance check, easy to read report: http://www.garl.ch/
  50. “Giuseppe is paving the way for enterprises to embrace OpenStack. Telecom Italia is, nonetheless, among these enterprises.” – Gianluca Pancaccini, CIO of Telecom Italia. “Giuseppe has done a great job of creating an important source of information on OpenStack technology.” – Jeff Cotten, CEO of Rackspace International. “SUSE appreciates Giuseppe's clear and concise explanation of OpenStack and its architecture. This will be a valuable resource.” – Ralf Flaxa, VP of Engineering, SUSE. Donate now: https://life-changer.helvetas.ch/openstack
  51. Giuseppe Paternò – www.gpaterno.com – @gpaterno
