SlideShare a Scribd company logo
1 of 28
Don’t blink
or how to create secure software
Bozhidar Bozhanov, CEO @ LogSentinel
About me
• Senior software engineer and architect
• Founder & CEO @ LogSentinel
• Former IT and e-gov advisor to the deputy prime minister of Bulgaria
• https://techblog.bozho.net
• Top 50 stackoverflow user
• Twitter: @bozhobg
What is information security?
Source: cisoplatform.com
Where can things go wrong?
Front-end Back-end Infrastructure Human factor
Everywhere!
Purpose of attacks
Data breaches
Disruption
Other
• Breach payment information
• Breach personal data
• Breach messages (e.g. for political purposes)
• Damaging reputation
• Stopping a time-sensitive service (e.g. promo sales, elections)
• “Some men just want to watch the world burn”
• Bank transfers
• Extortion, personal motifs
• State-level espionage
Front-end vulnerabilities
XSS
MITM
CSRF
• Allowing attackers to insert javascript in other people’s browsers
• <div id="comment">Unescaped input
<script>alert(“hacked!")</script></div>
• Prevention: escape all output (and filter input)
• Attacker intercepting traffic to and from server
• Can happen on any resource & lead to replacing stuff on a page
• Prevention: force HTTPS, use up-to-date cipher suites
• Perform requests on behalf of authenticated users
• The user unknowingly submits forms
• Prevention: one-time tokens, check Origin header
Front-end vulnerability examples
British Airways
New South Wales
e-voting
ES FileExplorer
• Server with static resources compromised (modernizr.js)
• Script included in payment page
• Prevention: Limit 3rd party sources, checksums, OpSec, IPS
• External analytics (piwik) allowed for TLS downgrade attack
• Possible MITM to replace script and tamper votes in browser
• Prevention: Limit 3rd party sources
• Android app, exposing the file system via HTTP
• Endangering user devices through sloppy apps
• Prevention: don’t expose unauthenticated endpoints
Best practices
OWASP checklist
CSRF prevention
Minimize external
static resources
Regularly upgrade
dependencies
XSS protection
Escape all output
Regularly scan
static resources
Get notified on
known vulnerabilities
Always use HTTPS
Don’t store credentials
on the client side
Disable framing
…
Back-end vulnerabilities
Remote code
execution
SQL injections
Weak
authentication
• Allowing remote code execution
• Can allow attacker full control on entire machine/cluster
• Prevention: regularly upgrade dependencies, don’t run uploads
• Gives full database access to attackers to extract or delete data
• SELECT * FROM users WHERE id=1; DROP TABLE users;
• Prevention: prepared statements
• E.g. bad password storage, non-secure session cookies, etc.
• Allows attackers to impersonate users
• Prevention: review auth security, bcrypt, prevent brute force
Back-end vulnerability examples
“How I hacked 40
websites”
Bulgarian Council
of Ministers
Marriot data breach
• Viral blogpost about a RCE attack
• Uploads a .php file as an image and invokes it via its URL
• Prevention: restrict/rename uploads, check upload contents
• Investigating journalists discovered SQL injection
• Old, unsupported website with personal data of civil servants
• Prevention: prepared statement / input sanitization
• Attackers got millions of passports and visitor location history
• Unencrypted sensitive data
• Prevention: encrypt data per record, IPS
Back-end best practices
Use prepared statements
Assess your protocols
Encrypt sensitive data per
record; bcrypt passwords
Log cleverly
Force HTTPS
Check dependencies
for vulnerabilities
Regularly review
authentication mechanisms
Keep audit trail
Validate input on all layers
Encrypt internal
communication (in transit)
Don’t invent crypto stuff
…
Infrastructure vulnerabilities
Credential leaks
Misconfiguration
Unpatched
software
• Credentials of privileged users leak (=insider attack)
• Allows for full control over the entire infrastructure (incl. DNS)
• Prevention: MFA, IPS, white-listed source IPs, audit trail,
• Older security suites, unauthenticated access, etc.
• Allows for direct access, downgrade attacks and others
• Prevention: penetration tests, regular reviews
• Web servers, app servers, databases, OS’s
• Increases the risk of 0days affecting you
• Prevention: regular upgrades, get CVE notifications
Infrastructure vulnerability examples
Heartbleed
Brazilian bank
DNS hijack
Online check-in
system
• 0day vulnerability in OpenSSL
• All HTTPS guarantees are off, exposing any connection
• Prevention: automated patching, additional security layer
• DNS management credentials hacked
• All domains of the bank redirected to malicious sites
• Prevention: 2FA for all infrastructure parts, including DNS
• Misconfigured web server exposing static files
• Exposed access logs containing itinerary details as GET params
• Prevention: restrict directory access, no sensitive data in GET
Infrastructure best practices
Use MFA
Keep software up-to-date
Encrypt secrets in
configuration files
Disable old cipher suites
Configure network
security rules
Perform penetration tests
Use a Privileged Access
Management system
Use SIEM for
anomaly detection
Monitor traffic
Protect server logs
Don’t store production
credentials in the code repos
…
Human factor vulnerabilities
Spearphishing
General social
engineering
Lack of training
• Target fake email
• Allows for full control over the entire infrastructure (incl. DNS)
• Prevention: MFA, IPS, email scans, audit trail
• Revealing personal details that can be used to extract password
• Security questions, likely passwords, etc.
• Prevention: not using personal details for authentication
• Non-technical employees can be targeted more easily
• Regular trainings and drills should be performed
Human factor vulnerability examples
DNC hack
RSA SecurID
Yahoo breach
• Spearphishing email pretending to be Google
• Obtained Podesta’s password to get access to the emails
• Prevention: training non-security employees, auto-detect phishing
• Spearphishing obtained secret details about SecurID 2FA fobs
• Excel attachments with Flash 0day exploit
• Prevention: training, email attachment scans
• Spearphishing a semi-privileged employee
• Attackers gained access to all Yahoo customers data
• Prevention: training, email scans, per-record data encryption
Source: http://www.smbc-comics.com/comic/2012-02-20
Human factor best practices
All other best practices
Audit trail
Regular social
engineering drills
Limiting privileged access
Regular training of employees
MFA
Email scans
Split-key access to
critical systems
Background checks (for very
sensitive systems)
Mobile device
security policies
Automatic phishing detection
…
So that’s it?
Obviously, nobody can give all the
security knowledge in a 30 minute talk
“But we are certified!”
Good for you. ISO 27001, PCI-DSS, S-I(T)SP, etc. are a good start, but
they give you the guidelines, not the implementation.
And audits happen to omit many issues
A security mindset
Always ask “What can go
wrong?”
Stay up-to-date
Strive for simplicity. Simple
systems are more secure
Don’t assume someone else
has taken care of security
A security mindset
Can tools solve the problems?
Tools solve parts
of the problem
Knowing your tools is hard
Tools may introduce
more complexity
Look for the best tools, but
not be overreliant on them
Have a plan
Source: dilbert.com
Bad things happen.
Be prepared to react.
Don’t do this, don’t do that,
don’t allow X, don’t enable Y,
don’t forget to do this big list of things,
don’t assume you are secure,
don’t be complacent…
So, how to create secure software?
Don’t blink!
Thank you!

More Related Content

What's hot

Basics of getting Into Bug Bounty Hunting
Basics of getting Into Bug Bounty HuntingBasics of getting Into Bug Bounty Hunting
Basics of getting Into Bug Bounty HuntingMuhammad Khizer Javed
 
Building An Information Security Awareness Program
Building An Information Security Awareness ProgramBuilding An Information Security Awareness Program
Building An Information Security Awareness ProgramBill Gardner
 
IT system security principles practices
IT system security principles practicesIT system security principles practices
IT system security principles practicesgufranresearcher
 
Insider Threat Final Powerpoint Prezi
Insider Threat Final Powerpoint PreziInsider Threat Final Powerpoint Prezi
Insider Threat Final Powerpoint PreziKashif Semple
 
Web Application Security with PHP
Web Application Security with PHPWeb Application Security with PHP
Web Application Security with PHPjikbal
 
Penetration Testing Execution Phases
Penetration Testing Execution Phases Penetration Testing Execution Phases
Penetration Testing Execution Phases Nasir Bhutta
 
5 Signs you have an Insider Threat
5 Signs you have an Insider Threat5 Signs you have an Insider Threat
5 Signs you have an Insider ThreatLancope, Inc.
 
Preventing Advanced Targeted Attacks with IAM Best Practices
Preventing Advanced Targeted Attacks with IAM Best PracticesPreventing Advanced Targeted Attacks with IAM Best Practices
Preventing Advanced Targeted Attacks with IAM Best PracticesAndy Thompson
 
Web Security Overview
Web Security OverviewWeb Security Overview
Web Security OverviewNoah Jaehnert
 
4 . future uni presentation
4 . future uni presentation4 . future uni presentation
4 . future uni presentationRashid Khatmey
 
Tutorial 09 - Security on the Internet and the Web
Tutorial 09 - Security on the Internet and the WebTutorial 09 - Security on the Internet and the Web
Tutorial 09 - Security on the Internet and the Webdpd
 

What's hot (19)

Security Audit
Security AuditSecurity Audit
Security Audit
 
Insider Threat
Insider ThreatInsider Threat
Insider Threat
 
Need for cybersecurity
Need for cybersecurityNeed for cybersecurity
Need for cybersecurity
 
Basics of getting Into Bug Bounty Hunting
Basics of getting Into Bug Bounty HuntingBasics of getting Into Bug Bounty Hunting
Basics of getting Into Bug Bounty Hunting
 
Building An Information Security Awareness Program
Building An Information Security Awareness ProgramBuilding An Information Security Awareness Program
Building An Information Security Awareness Program
 
IT system security principles practices
IT system security principles practicesIT system security principles practices
IT system security principles practices
 
Network Security Topic 1 intro
Network Security Topic 1 introNetwork Security Topic 1 intro
Network Security Topic 1 intro
 
Insider Threat Final Powerpoint Prezi
Insider Threat Final Powerpoint PreziInsider Threat Final Powerpoint Prezi
Insider Threat Final Powerpoint Prezi
 
Web Application Security with PHP
Web Application Security with PHPWeb Application Security with PHP
Web Application Security with PHP
 
Carver-IT Security for Librarians
Carver-IT Security for LibrariansCarver-IT Security for Librarians
Carver-IT Security for Librarians
 
Penetration Testing Execution Phases
Penetration Testing Execution Phases Penetration Testing Execution Phases
Penetration Testing Execution Phases
 
Insider threat kill chain
Insider threat   kill chainInsider threat   kill chain
Insider threat kill chain
 
5 Signs you have an Insider Threat
5 Signs you have an Insider Threat5 Signs you have an Insider Threat
5 Signs you have an Insider Threat
 
Preventing Advanced Targeted Attacks with IAM Best Practices
Preventing Advanced Targeted Attacks with IAM Best PracticesPreventing Advanced Targeted Attacks with IAM Best Practices
Preventing Advanced Targeted Attacks with IAM Best Practices
 
Security Imeprative for iOS and Android Apps
Security Imeprative for iOS and Android AppsSecurity Imeprative for iOS and Android Apps
Security Imeprative for iOS and Android Apps
 
Web Security Overview
Web Security OverviewWeb Security Overview
Web Security Overview
 
4 . future uni presentation
4 . future uni presentation4 . future uni presentation
4 . future uni presentation
 
Vapt life cycle
Vapt life cycleVapt life cycle
Vapt life cycle
 
Tutorial 09 - Security on the Internet and the Web
Tutorial 09 - Security on the Internet and the WebTutorial 09 - Security on the Internet and the Web
Tutorial 09 - Security on the Internet and the Web
 

Similar to Don't blink or how to create secure software

Application Security-Understanding The Horizon
Application Security-Understanding The HorizonApplication Security-Understanding The Horizon
Application Security-Understanding The HorizonLalit Kale
 
Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...
Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...
Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...Michael Pirnat
 
Owasp healthcare cms
Owasp healthcare cmsOwasp healthcare cms
Owasp healthcare cmsuisgslide
 
Secure coding guidelines
Secure coding guidelinesSecure coding guidelines
Secure coding guidelinesZakaria SMAHI
 
The OWASP Top 10 Most Critical Web App Security Risks - TdT@Cluj #20
The OWASP Top 10 Most Critical Web App Security Risks - TdT@Cluj #20The OWASP Top 10 Most Critical Web App Security Risks - TdT@Cluj #20
The OWASP Top 10 Most Critical Web App Security Risks - TdT@Cluj #20Tabăra de Testare
 
Health Information Privacy and Security (October 21, 2020)
Health Information Privacy and Security (October 21, 2020)Health Information Privacy and Security (October 21, 2020)
Health Information Privacy and Security (October 21, 2020)Nawanan Theera-Ampornpunt
 
Cm2 secure code_training_1day_data_protection
Cm2 secure code_training_1day_data_protectionCm2 secure code_training_1day_data_protection
Cm2 secure code_training_1day_data_protectiondcervigni
 
So Your Company Hired A Pentester
So Your Company Hired A PentesterSo Your Company Hired A Pentester
So Your Company Hired A PentesterNorthBayWeb
 
itsecurityawareness-v1-230413174238-5e7cba3c.pdf
itsecurityawareness-v1-230413174238-5e7cba3c.pdfitsecurityawareness-v1-230413174238-5e7cba3c.pdf
itsecurityawareness-v1-230413174238-5e7cba3c.pdfMansoorAhmed57263
 
IT Security Awareness-v1.7.ppt
IT Security Awareness-v1.7.pptIT Security Awareness-v1.7.ppt
IT Security Awareness-v1.7.pptOoXair
 
Health Information Privacy and Security (November 8, 2021)
Health Information Privacy and Security (November 8, 2021)Health Information Privacy and Security (November 8, 2021)
Health Information Privacy and Security (November 8, 2021)Nawanan Theera-Ampornpunt
 
Enterprise security: ransomware in enterprise and corporate entities
Enterprise security: ransomware in enterprise and corporate entitiesEnterprise security: ransomware in enterprise and corporate entities
Enterprise security: ransomware in enterprise and corporate entitiesQuick Heal Technologies Ltd.
 
Web and Mobile Application Security
Web and Mobile Application SecurityWeb and Mobile Application Security
Web and Mobile Application SecurityPrateek Jain
 
Securing IT Against Modern Threats with Microsoft Cloud Security Tools - M365...
Securing IT Against Modern Threats with Microsoft Cloud Security Tools - M365...Securing IT Against Modern Threats with Microsoft Cloud Security Tools - M365...
Securing IT Against Modern Threats with Microsoft Cloud Security Tools - M365...Michael Noel
 
Security Training: Making your weakest link the strongest - CircleCityCon 2017
Security Training: Making your weakest link the strongest - CircleCityCon 2017Security Training: Making your weakest link the strongest - CircleCityCon 2017
Security Training: Making your weakest link the strongest - CircleCityCon 2017Aaron Hnatiw
 
CNIT 160 4e Security Program Management (Part 5)
CNIT 160 4e Security Program Management (Part 5)CNIT 160 4e Security Program Management (Part 5)
CNIT 160 4e Security Program Management (Part 5)Sam Bowne
 

Similar to Don't blink or how to create secure software (20)

Application Security-Understanding The Horizon
Application Security-Understanding The HorizonApplication Security-Understanding The Horizon
Application Security-Understanding The Horizon
 
OWASP_Training.pptx
OWASP_Training.pptxOWASP_Training.pptx
OWASP_Training.pptx
 
Web security uploadv1
Web security uploadv1Web security uploadv1
Web security uploadv1
 
Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...
Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...
Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...
 
Owasp healthcare cms
Owasp healthcare cmsOwasp healthcare cms
Owasp healthcare cms
 
Secure coding guidelines
Secure coding guidelinesSecure coding guidelines
Secure coding guidelines
 
The OWASP Top 10 Most Critical Web App Security Risks - TdT@Cluj #20
The OWASP Top 10 Most Critical Web App Security Risks - TdT@Cluj #20The OWASP Top 10 Most Critical Web App Security Risks - TdT@Cluj #20
The OWASP Top 10 Most Critical Web App Security Risks - TdT@Cluj #20
 
Health Information Privacy and Security (October 21, 2020)
Health Information Privacy and Security (October 21, 2020)Health Information Privacy and Security (October 21, 2020)
Health Information Privacy and Security (October 21, 2020)
 
Cm2 secure code_training_1day_data_protection
Cm2 secure code_training_1day_data_protectionCm2 secure code_training_1day_data_protection
Cm2 secure code_training_1day_data_protection
 
So Your Company Hired A Pentester
So Your Company Hired A PentesterSo Your Company Hired A Pentester
So Your Company Hired A Pentester
 
itsecurityawareness-v1-230413174238-5e7cba3c.pdf
itsecurityawareness-v1-230413174238-5e7cba3c.pdfitsecurityawareness-v1-230413174238-5e7cba3c.pdf
itsecurityawareness-v1-230413174238-5e7cba3c.pdf
 
IT Security Awareness-v1.7.ppt
IT Security Awareness-v1.7.pptIT Security Awareness-v1.7.ppt
IT Security Awareness-v1.7.ppt
 
Health Information Privacy and Security (November 8, 2021)
Health Information Privacy and Security (November 8, 2021)Health Information Privacy and Security (November 8, 2021)
Health Information Privacy and Security (November 8, 2021)
 
Cybersecurity (November 12, 2021)
Cybersecurity (November 12, 2021)Cybersecurity (November 12, 2021)
Cybersecurity (November 12, 2021)
 
Enterprise security: ransomware in enterprise and corporate entities
Enterprise security: ransomware in enterprise and corporate entitiesEnterprise security: ransomware in enterprise and corporate entities
Enterprise security: ransomware in enterprise and corporate entities
 
Web and Mobile Application Security
Web and Mobile Application SecurityWeb and Mobile Application Security
Web and Mobile Application Security
 
Securing IT Against Modern Threats with Microsoft Cloud Security Tools - M365...
Securing IT Against Modern Threats with Microsoft Cloud Security Tools - M365...Securing IT Against Modern Threats with Microsoft Cloud Security Tools - M365...
Securing IT Against Modern Threats with Microsoft Cloud Security Tools - M365...
 
Owasp & Asp.Net
Owasp & Asp.NetOwasp & Asp.Net
Owasp & Asp.Net
 
Security Training: Making your weakest link the strongest - CircleCityCon 2017
Security Training: Making your weakest link the strongest - CircleCityCon 2017Security Training: Making your weakest link the strongest - CircleCityCon 2017
Security Training: Making your weakest link the strongest - CircleCityCon 2017
 
CNIT 160 4e Security Program Management (Part 5)
CNIT 160 4e Security Program Management (Part 5)CNIT 160 4e Security Program Management (Part 5)
CNIT 160 4e Security Program Management (Part 5)
 

Recently uploaded

How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.Curtis Poe
 
Zeshan Sattar- Assessing the skill requirements and industry expectations for...
Zeshan Sattar- Assessing the skill requirements and industry expectations for...Zeshan Sattar- Assessing the skill requirements and industry expectations for...
Zeshan Sattar- Assessing the skill requirements and industry expectations for...itnewsafrica
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfLoriGlavin3
 
QCon London: Mastering long-running processes in modern architectures
QCon London: Mastering long-running processes in modern architecturesQCon London: Mastering long-running processes in modern architectures
QCon London: Mastering long-running processes in modern architecturesBernd Ruecker
 
Decarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityDecarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityIES VE
 
Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)Kaya Weers
 
Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS:  6 Ways to Automate Your Data IntegrationBridging Between CAD & GIS:  6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integrationmarketing932765
 
Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Farhan Tariq
 
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...
Abdul Kader Baba- Managing Cybersecurity Risks  and Compliance Requirements i...Abdul Kader Baba- Managing Cybersecurity Risks  and Compliance Requirements i...
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...itnewsafrica
 
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Mark Goldstein
 
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better StrongerModern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better Strongerpanagenda
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsNathaniel Shimoni
 
Connecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfConnecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfNeo4j
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxLoriGlavin3
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersNicole Novielli
 
UiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPathCommunity
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc
 
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality AssuranceInflectra
 
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...Nikki Chapple
 
Generative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfGenerative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfIngrid Airi González
 

Recently uploaded (20)

How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
Zeshan Sattar- Assessing the skill requirements and industry expectations for...
Zeshan Sattar- Assessing the skill requirements and industry expectations for...Zeshan Sattar- Assessing the skill requirements and industry expectations for...
Zeshan Sattar- Assessing the skill requirements and industry expectations for...
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdf
 
QCon London: Mastering long-running processes in modern architectures
QCon London: Mastering long-running processes in modern architecturesQCon London: Mastering long-running processes in modern architectures
QCon London: Mastering long-running processes in modern architectures
 
Decarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityDecarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a reality
 
Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)
 
Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS:  6 Ways to Automate Your Data IntegrationBridging Between CAD & GIS:  6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integration
 
Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...
 
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...
Abdul Kader Baba- Managing Cybersecurity Risks  and Compliance Requirements i...Abdul Kader Baba- Managing Cybersecurity Risks  and Compliance Requirements i...
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...
 
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
 
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better StrongerModern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directions
 
Connecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfConnecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdf
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software Developers
 
UiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to Hero
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
 
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
 
Generative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfGenerative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdf
 

Don't blink or how to create secure software

  • 1. Don’t blink or how to create secure software Bozhidar Bozhanov, CEO @ LogSentinel
  • 2. About me • Senior software engineer and architect • Founder & CEO @ LogSentinel • Former IT and e-gov advisor to the deputy prime minister of Bulgaria • https://techblog.bozho.net • Top 50 stackoverflow user • Twitter: @bozhobg
  • 3. What is information security? Source: cisoplatform.com
  • 4. Where can things go wrong? Front-end Back-end Infrastructure Human factor Everywhere!
  • 5. Purpose of attacks Data breaches Disruption Other • Breach payment information • Breach personal data • Breach messages (e.g. for political purposes) • Damaging reputation • Stopping a time-sensitive service (e.g. promo sales, elections) • “Some men just want to watch the world burn” • Bank transfers • Extortion, personal motifs • State-level espionage
  • 6. Front-end vulnerabilities XSS MITM CSRF • Allowing attackers to insert javascript in other people’s browsers • <div id="comment">Unescaped input <script>alert(“hacked!")</script></div> • Prevention: escape all output (and filter input) • Attacker intercepting traffic to and from server • Can happen on any resource & lead to replacing stuff on a page • Prevention: force HTTPS, use up-to-date cipher suites • Perform requests on behalf of authenticated users • The user unknowingly submits forms • Prevention: one-time tokens, check Origin header
  • 7. Front-end vulnerability examples British Airways New South Wales e-voting ES FileExplorer • Server with static resources compromised (modernizr.js) • Script included in payment page • Prevention: Limit 3rd party sources, checksums, OpSec, IPS • External analytics (piwik) allowed for TLS downgrade attack • Possible MITM to replace script and tamper votes in browser • Prevention: Limit 3rd party sources • Android app, exposing the file system via HTTP • Endangering user devices through sloppy apps • Prevention: don’t expose unauthenticated endpoints
  • 8. Best practices OWASP checklist CSRF prevention Minimize external static resources Regularly upgrade dependencies XSS protection Escape all output Regularly scan static resources Get notified on known vulnerabilities Always use HTTPS Don’t store credentials on the client side Disable framing …
  • 9. Back-end vulnerabilities Remote code execution SQL injections Weak authentication • Allowing remote code execution • Can allow attacker full control on entire machine/cluster • Prevention: regularly upgrade dependencies, don’t run uploads • Gives full database access to attackers to extract or delete data • SELECT * FROM users WHERE id=1; DROP TABLE users; • Prevention: prepared statements • E.g. bad password storage, non-secure session cookies, etc. • Allows attackers to impersonate users • Prevention: review auth security, bcrypt, prevent brute force
  • 10. Back-end vulnerability examples “How I hacked 40 websites” Bulgarian Council of Ministers Marriot data breach • Viral blogpost about a RCE attack • Uploads a .php file as an image and invokes it via its URL • Prevention: restrict/rename uploads, check upload contents • Investigating journalists discovered SQL injection • Old, unsupported website with personal data of civil servants • Prevention: prepared statement / input sanitization • Attackers got millions of passports and visitor location history • Unencrypted sensitive data • Prevention: encrypt data per record, IPS
  • 11. Back-end best practices Use prepared statements Assess your protocols Encrypt sensitive data per record; bcrypt passwords Log cleverly Force HTTPS Check dependencies for vulnerabilities Regularly review authentication mechanisms Keep audit trail Validate input on all layers Encrypt internal communication (in transit) Don’t invent crypto stuff …
  • 12. Infrastructure vulnerabilities Credential leaks Misconfiguration Unpatched software • Credentials of privileged users leak (=insider attack) • Allows for full control over the entire infrastructure (incl. DNS) • Prevention: MFA, IPS, white-listed source IPs, audit trail, • Older security suites, unauthenticated access, etc. • Allows for direct access, downgrade attacks and others • Prevention: penetration tests, regular reviews • Web servers, app servers, databases, OS’s • Increases the risk of 0days affecting you • Prevention: regular upgrades, get CVE notifications
  • 13. Infrastructure vulnerability examples Heartbleed Brazilian bank DNS hijack Online check-in system • 0day vulnerability in OpenSSL • All HTTPS guarantees are off, exposing any connection • Prevention: automated patching, additional security layer • DNS management credentials hacked • All domains of the bank redirected to malicious sites • Prevention: 2FA for all infrastructure parts, including DNS • Misconfigured web server exposing static files • Exposed access logs containing itinerary details as GET params • Prevention: restrict directory access, no sensitive data in GET
  • 14. Infrastructure best practices Use MFA Keep software up-to-date Encrypt secrets in configuration files Disable old cipher suites Configure network security rules Perform penetration tests Use a Privileged Access Management system Use SIEM for anomaly detection Monitor traffic Protect server logs Don’t store production credentials in the code repos …
  • 15. Human factor vulnerabilities Spearphishing General social engineering Lack of training • Target fake email • Allows for full control over the entire infrastructure (incl. DNS) • Prevention: MFA, IPS, email scans, audit trail • Revealing personal details that can be used to extract password • Security questions, likely passwords, etc. • Prevention: not using personal details for authentication • Non-technical employees can be targeted more easily • Regular trainings and drills should be performed
  • 16. Human factor vulnerability examples DNC hack RSA SecurID Yahoo breach • Spearphishing email pretending to be Google • Obtained Podesta’s password to get access to the emails • Prevention: training non-security employees, auto-detect phishing • Spearphishing obtained secret details about SecurID 2FA fobs • Excel attachments with Flash 0day exploit • Prevention: training, email attachment scans • Spearphishing a semi-privileged employee • Attackers gained access to all Yahoo customers data • Prevention: training, email scans, per-record data encryption
  • 18. Human factor best practices All other best practices Audit trail Regular social engineering drills Limiting privileged access Regular training of employees MFA Email scans Split-key access to critical systems Background checks (for very sensitive systems) Mobile device security policies Automatic phishing detection …
  • 19. So that’s it? Obviously, nobody can give all the security knowledge in a 30 minute talk
  • 20. “But we are certified!” Good for you. ISO 27001, PCI-DSS, S-I(T)SP, etc. are a good start, but they give you the guidelines, not the implementation. And audits happen to omit many issues
  • 21. A security mindset Always ask “What can go wrong?” Stay up-to-date Strive for simplicity. Simple systems are more secure Don’t assume someone else has taken care of security A security mindset
  • 22. Can tools solve the problems? Tools solve parts of the problem Knowing your tools is hard Tools may introduce more complexity Look for the best tools, but not be overreliant on them
  • 23. Have a plan Source: dilbert.com
  • 24. Bad things happen. Be prepared to react.
  • 25. Don’t do this, don’t do that, don’t allow X, don’t enable Y, don’t forget to do this big list of things, don’t assume you are secure, don’t be complacent…
  • 26. So, how to create secure software?