9. RECIPE FOR SECURE SOFTWARE
1. Design it properly. Do the right thing.
2. Do it right
1. Mistake in implementation = bug = security issue
3. Prepare for the unthinkable
(Bug bounties etc. are useful too, but out of scope here.)
10. DO THE RIGHT THING
1. Don’t roll your own.
1. Especially, don’t invent hash algorithms, RND or crypto!
2. Seriously. Failure imminent and certain.
2. Follow best practices.
3. Understand what you are doing.
1. Read the RFC. Understand your tools and libs.
17. THE SAME STORY ALL OVER!
› XSS, CSRF, SQL injection, XXE..
• Are all about input validation.
› Solution: white list what is allowed, deny everything else.
› There’s still 20% left
• You can fail session management certainly, but..
• Follow the advice: Don’t invent your own and you’ll be pretty safe.
20. The most satisfying feeling you can get in the job is... The Pwn. Let's say you find SQL injection. Blood is rushing into your brain and that's what we call The Pwn. Your brain gets a really tight feeling, like your head is going to explode any minute.
Arnold “Iceman” Schwarzenegger, movie Pwningiron.
22. LET’S XSS !
› Reflected vs. Stored
› <script> doesn’t work?
• No problem, JS is everywhere..
› Can’t XMLHttpRequest?
• No prob, counter and fake
23. SQL INJECTION
› GRUYERE does not contain SQL injection..
› But .. It’s a good example of an injection
› SQL = Structured Query Language
• However, “query” is a bit of a misnomer..
What is this???
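The two points above (allow-list the input, and keep data out of the query text) as an added example; this is not code from the talk or from Gruyere. The `users` table, the names and the `validate_username` pattern are constructed for the demonstration.

```python
import re
import sqlite3

# Allow-list: a username is 1-32 characters from [A-Za-z0-9_].
# Everything that does not match is rejected; there is no deny-list to keep up to date.
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{1,32}")


def validate_username(value: str) -> str:
    """Return value unchanged if it matches the allow-list, else raise ValueError."""
    if not USERNAME_RE.fullmatch(value):
        raise ValueError("invalid username")
    return value


def setup_db() -> sqlite3.Connection:
    # Constructed in-memory table so the example runs offline.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.test"), ("bob", "bob@example.test")],
    )
    return conn


def lookup_email_unsafe(conn: sqlite3.Connection, name: str) -> list:
    # The 'before' form: the caller's string becomes part of the SQL text,
    # so a quote in the input changes the structure of the statement.
    query = f"SELECT email FROM users WHERE name = '{name}'"
    return [row[0] for row in conn.execute(query)]


def lookup_email(conn: sqlite3.Connection, name: str) -> list:
    # Hardened form: reject anything outside the allow-list, then bind the value
    # as a parameter so the driver hands it to SQLite separately from the SQL text.
    name = validate_username(name)
    rows = conn.execute("SELECT email FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]
```

The same allow-list idea applies to the other injection classes on the previous slides: decide what a field may contain, and treat anything else as an error rather than trying to enumerate bad characters.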
29. DEV OR OPS? OR #DEVSEC ?
› Who is responsible for that server?
› Do you need to care as a developer?
› Ultimately: What is the developer’s responsibility?
31. FAIL 1: THE BURDEN OF LEGACY
MD5 & C++ - “ELEGANT WEAPONS .. FOR A MORE CIVILIZED AGE”
› Native code is dangerous..
• ASLR & DEP make buffer overflows more difficult to exploit, but it still happens.
› The lifespan of software can be surprisingly long..
• How to update and re-evaluate working software if nothing happens?
• Home-exercise: Sell this to team & customer. Involves risk and cost.
› New threats have emerged.
• What parts are affected?
32. Screenshot removed..
FAIL 2: SHORTCUTS AND ANARCHY
› Root cause: Heavy process, not understood / accepted by devs
• making developers miserable..
› The devs are innovative people..
(Slide illustration labels: “http//unauthorized..”, “V 1.3 coolserver”, “AwesomeSoftware_Upgrade.exe”)
34. STORY 4: THE WEBHACK EVENT
› http://webhack.fi was a light-weight fun bug bounty hunt..
• The targets are not publicly accessible, but were production systems we created for our customers.
› Hackers hacked..
› .. SQL injection -> dumped the whole database
› .. But our code was fine! WAT?
35. ONE DOES NOT SIMPLY INJECT INTO..
› One issue turned out to be a 0-day in Spring libraries..
› Hnggh..
› The moral of the story is two-fold:
1. even if you do everything right, you can still fail
2. it’s not always so easy in real life..
› The gory details: https://github.com/solita/sqli-poc