Sf startup-security

  • This presentation was targeted as a crash course for start-ups. This 10 minute presentation was given at the SFNewTech event. http://areyousecure.eventbrite.com/
  1. Securing Your Applications
     Michael Coates, mcoates@mozilla.com, @_mwc
     Thursday, May 30, 13
  2. You are a target. The attackers are talented and motivated.
  3. Data Loss: Growing Problem
     Source: http://datalossdb.org/statistics
  4. Data Loss & Breaches from Hacking
     Sources: http://datalossdb.org/statistics; 2013 Verizon DBIR
  5. Data Loss: Outside Attackers
     Sources: http://datalossdb.org/statistics; 2013 Verizon DBIR
  6. Security: The Basics
     • Understand the problem space & challenges
     • SSL isn’t as easy as “https”
     • You can’t store passwords with just hashing
     • SQL Injection & Cross Site Scripting should be understood by all developers
  7. Where To Start?
     • Focus on risk, not the vulnerability “flavor of the day”
     • Reference top risks and customize
     • OWASP Top 10: https://www.owasp.org/index.php/Top_10_2013-Top_10
       1. Injection
       2. Broken Authentication & Session Management
       3. Cross Site Scripting (XSS)
       4. Insecure Direct Object References
       5. Security Misconfiguration
       6. Sensitive Data Exposure
       7. Missing Function Level Access Control
       8. Cross Site Request Forgery (CSRF)
       9. Using Components with Known Vulnerabilities
       10. Unvalidated Redirects and Forwards
  8. Password Storage
  9. Password Storage Options (listed weakest to strongest)
     • Plain text / home-grown obfuscation
     • md5
     • sha2 (256 / 512)
     • sha2 with generic salt
     • sha2 with per-user salt
     • Bcrypt or PBKDF2 (currently considered acceptable)
     Reference: https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet
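The following is an added example, not code from the slides or from the presenter. It implements the "currently considered acceptable" tier of slide 9 with Python's standard library: PBKDF2-HMAC-SHA256, a random per-user salt, a self-describing stored record, and constant-time verification. The iteration count, the salt length and the record format are this example's own choices; `unsalted_md5` is included only to show, by contrast, why the weaker tiers let one cracked hash reveal every user with the same password.

```python
import hashlib
import hmac
import os
from typing import Optional

# Example parameters (not from the slides): iteration count and sizes.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16
DKLEN = 32


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a record of the form pbkdf2_sha256$<iterations>$<salt hex>$<dk hex>.

    A fresh random salt per user means two users with the same password get
    different records, so a precomputed table or one cracked hash does not
    expose the others (the weakness of md5/sha2 with no or a generic salt).
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                             iterations, dklen=DKLEN)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the derived key from the stored salt and iteration count and
    compare in constant time. Malformed records are rejected, never trusted."""
    try:
        algo, iters, salt_hex, dk_hex = record.split("$")
        if algo != "pbkdf2_sha256":
            return False
        iterations = int(iters)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(dk_hex)
    except ValueError:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                    iterations, dklen=len(expected))
    # hmac.compare_digest avoids leaking where the first mismatching byte is.
    return hmac.compare_digest(candidate, expected)


def unsalted_md5(password: str) -> str:
    """The 'md5' tier from slide 9, for contrast only: identical passwords
    always produce identical hashes, and md5 is fast enough to brute force."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print("verify ok:", verify_password("correct horse battery staple", record))
    print("verify wrong:", verify_password("wrong password", record))
    print("two users, same password, different records:",
          hash_password("same") != hash_password("same"))
    print("md5 of same password is identical:",
          unsalted_md5("same") == unsalted_md5("same"))
```

Because the iteration count is stored in the record, it can be raised later for new or re-hashed passwords while old records keep verifying; the stored value is what `verify_password` uses.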
  10. SQL Injection
  11. SQL Injection Worries
      • Issue
        • SQL statements don’t properly handle user supplied data
        • Users change the intent of the SQL executed by the DB
      • Risk
        • Data compromise
        • Corruption of data
  12. Into the Details
      • Intent: Select * from users where lastname = ' + someVar + ';
      • Attacker enters: x' or 1=1--
      • Result: Select * from users where lastname = 'x' or 1=1--';
      • Solution: Parameterized queries
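An added example (not from the slides) that runs the slide-12 query both ways against a constructed in-memory SQLite table. `lookup_vulnerable` deliberately keeps the string-concatenation shape from the slide so the change of intent is visible; `lookup_parameterized` is the fix the slide names. The table contents, function names and the `O'Brien` row are this example's own.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: three users, one with an apostrophe in the name."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, lastname TEXT)")
    conn.executemany("INSERT INTO users (lastname) VALUES (?)",
                     [("Coates",), ("O'Brien",), ("Smith",)])
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, some_var: str):
    # Intent from slide 12: Select * from users where lastname = '<someVar>';
    # User data is pasted into the SQL text, so a quote character in the
    # input ends the literal and the rest is parsed as SQL.
    sql = "SELECT * FROM users WHERE lastname = '" + some_var + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, some_var: str):
    # The statement text is fixed at development time; the value is bound
    # separately, so it can only ever be compared as a string.
    return conn.execute("SELECT * FROM users WHERE lastname = ?",
                        (some_var,)).fetchall()


def demo() -> dict:
    conn = make_db()
    attacker_input = "x' or 1=1--"   # the input shown on slide 12
    legit_input = "O'Brien"          # ordinary data that also contains a quote
    results = {
        # concatenation: WHERE lastname = 'x' or 1=1--'  -> every row
        "vulnerable_attacker_rows": len(lookup_vulnerable(conn, attacker_input)),
        # parameter: compared literally against the string "x' or 1=1--" -> no rows
        "param_attacker_rows": len(lookup_parameterized(conn, attacker_input)),
        "param_legit_rows": len(lookup_parameterized(conn, legit_input)),
    }
    try:
        lookup_vulnerable(conn, legit_input)
        results["vulnerable_legit_error"] = False
    except sqlite3.OperationalError:
        # The same bug breaks on honest input: 'O'Brien' is not valid SQL.
        results["vulnerable_legit_error"] = True
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The second half of `demo` is the part worth remembering when arguing for the fix: concatenation is not only a security bug, it is a correctness bug that surfaces as soon as a real name with an apostrophe is entered.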
  13. Cross Site Scripting
  14. XSS Example
      (diagram: a login form with Name, Login and Pass fields whose submit is redirected to an evil site, injected javascript, and <install malware>)
      (1) Attacker submits malicious code
      (2) Code is now part of the webpage
      (3) Malicious site steals passwords & installs malware
      (4) Attacker spreads the malicious URL, e.g. http://site.com/%3cscript%3edocument%2e
  15. Tackling Cross Site Scripting
      • In code
        • Output encoding
        • Context is important; see the OWASP XSS Cheat Sheet
      • Working with browsers to eliminate XSS
        • Content Security Policy
      References:
      https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet
      https://developer.mozilla.org/en-US/docs/Security/CSP
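An added example, not from the slides, of the two controls on slide 15: output encoding chosen by the context the data lands in (HTML body, quoted attribute, URL attribute, JavaScript string), and the Content-Security-Policy header value that asks the browser to refuse inline script. The template, the helper names and the policy string are this example's own choices; the escaping itself uses the standard library.

```python
import html
import json

# URL prefixes this example accepts in an href; anything else (for instance a
# javascript: URL) is replaced, because attribute encoding alone does not
# stop a script URL from running.
SAFE_URL_PREFIXES = ("http://", "https://", "/")


def encode_for_html(value: str) -> str:
    """HTML body / text node context: & < > " ' become entities."""
    return html.escape(value, quote=True)


def encode_for_html_attr(value: str) -> str:
    """Quoted attribute context. The caller must always emit the quotes;
    an unquoted attribute cannot be made safe by encoding."""
    return html.escape(value, quote=True)


def encode_for_href(value: str) -> str:
    """URL attribute context: allow-list the scheme first, then attribute-encode."""
    if not value.lstrip().lower().startswith(SAFE_URL_PREFIXES):
        return "#"
    return html.escape(value, quote=True)


def encode_for_js_string(value: str) -> str:
    """JavaScript string literal context: returns a quoted JS literal.
    json.dumps escapes quotes, backslashes, control characters and (with the
    default ensure_ascii) all non-ASCII including U+2028/2029; '</' is split
    so the HTML parser can never see a '</script>' inside the literal."""
    return json.dumps(value).replace("</", "<\\/")


def render_profile(name: str, homepage: str) -> str:
    """Constructed page fragment: the same untrusted name in three contexts."""
    return (
        '<div class="profile">'
        f"<h1>{encode_for_html(name)}</h1>"
        f'<a href="{encode_for_href(homepage)}" title="{encode_for_html_attr(name)}">home</a>'
        f'<span data-user="{encode_for_html_attr(name)}"></span>'
        "</div>"
    )


def csp_header() -> str:
    """Value for the Content-Security-Policy response header: scripts only from
    this origin, so injected inline <script> and javascript: URLs do not run."""
    return "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'none'"


if __name__ == "__main__":
    payload = "<script>alert(1)</script>"
    print(render_profile(payload, "javascript:alert(1)"))
    print(encode_for_js_string("</script><script>alert(1)"))
    print("Content-Security-Policy:", csp_header())
```

Encoding is per context: the same `html.escape` call that is right for a text node is wrong for a JavaScript string, and nothing but a scheme check helps inside `href`. CSP is the second layer for the cases encoding misses, which is why the slide lists both.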
  16. SSL
  17. Insecure Session Management
      • Secure login over HTTPS
      • Password submitted encrypted
      • Immediate redirect to HTTP
      • Session ID sent cleartext <-- vulnerability point
      (diagram: request https://site.com/login over SSL; response sets SessionID:5593…; the following request for http://site.com/profile carries SessionID:5593… in the clear)
  18. Insecure Redirects
      • User requests HTTP page, response redirects to HTTPS
      • 302 response is HTTP <-- vulnerability point
      (diagram: GET http://mybank.com -> 302 Redirect, Location: https://mybank.com -> GET https://mybank.com over SSL -> 200 Found)
  19. Secure Design for Communication
      • HTTP Strict Transport Security (HSTS)
        • Opt-in security control
        • Website instructs a compatible browser to enable STS for the site
      • HSTS forces (for an enabled site):
        • All communication over HTTPS
        • No insecure HTTP requests sent from the browser
        • No option for the user to override untrusted certificates
  20. Strict Transport Security
      • Browser prevents HTTP requests to an HSTS site
      • Any request to the site is “upgraded” to HTTPS
      • No clear text HTTP traffic is ever sent to an HSTS site
      • Browser assumes HTTPS for HSTS sites
      (diagram: GET http://mybank.com is upgraded inside the browser to GET https://mybank.com over SSL -> 200 Found, HSTS)
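An added example, not from the slides, covering slides 17 through 20 together: the server side (a session cookie with the `Secure` flag so it is never sent over HTTP, and the `Strict-Transport-Security` header), and a small model of the browser's HSTS store that shows why the clear-text GET marked as the vulnerability point on slide 18 is never sent once the site is known. The header parser follows the HSTS syntax (`max-age`, `includeSubDomains`, header honoured only on HTTPS responses); the class and function names, the one-year `max-age` and the cookie attributes are this example's own choices.

```python
import time
from urllib.parse import urlsplit, urlunsplit

HSTS_MAX_AGE = 31536000  # one year, a common choice (example value)


def session_cookie_header(session_id: str) -> str:
    """Set-Cookie value for a session ID.
    Secure: the browser only sends it over HTTPS, which closes the cleartext
    leak on slide 17 even if the site still redirects to HTTP somewhere.
    HttpOnly: not readable from script, limiting what an XSS can steal."""
    return f"sessionid={session_id}; Secure; HttpOnly; SameSite=Lax; Path=/"


def hsts_header(max_age: int = HSTS_MAX_AGE, include_subdomains: bool = True) -> str:
    """Strict-Transport-Security value the site sends on every HTTPS response."""
    value = f"max-age={max_age}"
    if include_subdomains:
        value += "; includeSubDomains"
    return value


def parse_hsts(value: str):
    """Return (max_age, include_subdomains), or None if the header is unusable."""
    max_age, include_sub = None, False
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            try:
                max_age = int(arg.strip().strip('"'))
            except ValueError:
                return None
        elif name == "includesubdomains":
            include_sub = True
    return None if max_age is None else (max_age, include_sub)


class HstsCache:
    """Minimal model of the browser-side store from slides 19 and 20."""

    def __init__(self, now=time.time):
        self._now = now
        self._hosts = {}  # host -> (expiry timestamp, include_subdomains)

    def remember(self, host: str, header_value: str, over_https: bool = True) -> None:
        # An HSTS header on a plain HTTP response is ignored: an attacker on
        # the path could otherwise inject it, so only HTTPS responses count.
        if not over_https:
            return
        parsed = parse_hsts(header_value)
        if parsed is None:
            return
        max_age, include_sub = parsed
        host = host.lower()
        if max_age == 0:
            self._hosts.pop(host, None)  # max-age=0 asks the browser to forget
            return
        self._hosts[host] = (self._now() + max_age, include_sub)

    def is_known(self, host: str) -> bool:
        """True if host, or a parent domain with includeSubDomains, is unexpired."""
        labels = host.lower().split(".")
        now = self._now()
        for i in range(len(labels)):
            entry = self._hosts.get(".".join(labels[i:]))
            if entry and entry[0] > now and (i == 0 or entry[1]):
                return True
        return False

    def upgrade(self, url: str) -> str:
        """Rewrite http:// to https:// for known hosts before any request is
        sent, so the clear-text GET and the HTTP 302 of slide 18 never happen."""
        parts = urlsplit(url)
        if parts.scheme == "http" and self.is_known(parts.hostname or ""):
            netloc = parts.netloc[:-3] if parts.netloc.endswith(":80") else parts.netloc
            return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))
        return url


if __name__ == "__main__":
    cache = HstsCache()
    # First HTTPS visit: the response carries the header and the cache learns it.
    cache.remember("mybank.com", hsts_header())
    print(cache.upgrade("http://mybank.com"))          # https://mybank.com
    print(cache.upgrade("http://www.mybank.com/x"))    # https://www.mybank.com/x
    print(session_cookie_header("5593"))
```

The first visit is still a plain HTTP request unless the browser ships with the site on its preload list, which is why the `Secure` cookie flag remains necessary alongside HSTS rather than being replaced by it.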
  21. Building a Security Culture
  22. Security Culture
      • Set guidelines that are usable
      • Ensure security is a priority, not a “tax”
      • Security can live in all stages: planning, dev, QA, deployment, monitoring
      Reference: https://wiki.mozilla.org/WebAppSec/Secure_Coding_Guidelines
  23. Tools to Assist
      • Free
        • OWASP ZAP Proxy - owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project
        • Security Cheat Sheets - owasp.org/index.php/Cheat_Sheets
        • Learning Lab: OWASP WebGoat - owasp.org/index.php/Category:OWASP_WebGoat_Project
        • Extensive OWASP guidelines - owasp.org
      • Professional tools
        • Static / dynamic analysis
        • Security architecture reviews
        • Ongoing or point-in-time penetration tests
  24. Take Aways
      • Security is a concern for your business
      • Tackle security fundamentals
      • Build a culture of security & leverage available resources
  25. Thanks! mcoates@mozilla.com, @_mwc
