As delivered at That Conference 2017, how to build applications that are as hack proof as possible.
This presentation can now be downloaded by visiting https://www.thorprojects.com/connect/gifts/presentations/hack-proof-software-design-for-a-hostile-internet.
16. Forgery
• Cross-Site Request Forgery (CSRF/XSRF)
• Example
• <img src="http://bank.com/transfer.do?acct=MARIA&amount=100000" width="0" height="0" border="0">
• Mitigation
• Require session ID with request
• Use POST with CORS (restricted)
28. Symmetric
• One Key Encrypts and Decrypts
• Called Private/Secret Key
• Computationally Fast
• Problem: Exchanging the Secret Key
CC BY-SA 4.0 – Alessandro Nassiri
29. Hash
• Large message converted to smaller hash value
• Small change in source causes large change in hash
• Add “secret” salt to accomplish authentication
30. Asymmetric
• Pair of keys – one public and one private
• Computationally expensive
31. Encrypt a Verifiable Message
1. Add salt (randomness)
2. Hash message
3. Encrypt message with private key
32. Authenticate a Message
1. Get Public Key and Decrypt
2. Generate your hash of the message
3. Compare your hash to the one provided
34. Certificate Chain
1. Trusted 3rd party authenticates party B
2. 3rd Party issues certificate with encrypted certificate of party B enclosed
3. Party A knows party B by matching host identifiers and decrypting a message from them with the public key
35. Transport Layer Security (Simplified)
1. Initiate conversation with list of ciphers
2. Server responds with ciphers and certificate
3. Client confirms certificate, generates session keys, encrypts with server public key, and sends
38. Don’t Share
• Don’t
• Transmit information you don’t have to
• Display errors to the user
• Let browsers control caching
• Do
• Provide least privileges
40. • http://www.owasp.org
• Information and resources about web application security
• Education about vulnerability / fault categories and protection strategies
Footprints… Key milestones
Talk about the types, show a few techniques for solving, create awareness
If you’re an app dev – good summary/breadth/tools
If you’re an app security guy – Tools for discussing w/ developers
Simultaneous toilet flushing causing problems.
Or running aground… that’s why we have lighthouses… ways to keep us from running aground.
i.e. if you’re not programming in C++, it’s probably not a problem.
By the way, does anyone know what an interrupt table is? (Very start of memory.)
Yogi Berra “You can observe a lot just by watching.”
Stored procedures don’t help if you end up doing dynamic SQL inside of them.
Note example from OWASP.org site (Open Web Application Security Project)
From Acunetix web site.
Mostly not a problem in .NET / Encoding on by default/ IIS 7+ will block
Require a session for calls… use to transition to Session Management
Require Session as a part of submitted information
POST HTTP Method
CORS = Cross-Origin Resource Sharing / Allows JavaScript to make requests across domains.
Claims example… Driver’s License. Including identity, method of verification, and additional attributes.
Transfer of responsibility = pass the buck. (Good thing here.)
Secrecy/Privacy
Authenticity/Non-Repudiation
Hieroglyphs show used in Egypt circa 1900 BC
Symmetric – Enigma (German encryption)
Public-Private- Computationally expensive – used to securely exchange keys for symmetric
Hash – One way – Passwords…
Picture is an Enigma machine. World War II era encryption/cipher device
We captured U-505 June 4, 1944 and got the largest cache of intelligence recovered in WWII – including two Enigma machines.
Diamonds start as carbon that is heated and compressed… they have hidden signatures (flaws) in them. They are small but expensive…
Hashes are like the weather… a butterfly flapping its wings in Brazil causes a tornado in Texas. A small change (or misobservation) can lead to a large change in results.
This is to START SSL – to trade the private key
In Transit – SSL… Use HTTP Strict Transport Security to force SSL
At Rest – We can’t force them to use hard drive encryption – too many machines disappear.