From Beer City Code Conference, Grand Rapids, MI - 2017
OWASP, SANS, Threat Modeling, Static Code Analysis, DevSkim, Burp Suite, WireShark, Fiddler, Agile, Use Cases, Code Review, Pull Request, Git, GitFlow, Red Team, Blue Team, Metasploit, NIST, TLS, Kali Linux
6. CONTENT WARNING
WARNING: THE FOLLOWING CONTENT AND OPINIONS EXPRESSED ARE THOSE OF THE AUTHOR [BRUCE ABERNETHY] AND DO NOT REFLECT THOSE OF HIS EMPLOYER [MEIJER]
18. Threat Model
• Have a high-level design. Napkin to formal tool.
• Data is exposed in primarily three places:
• At rest – wherever you store it
• In memory – when it is being used
• In transit – when it is moving
• Trust boundaries
Threat modelling tools
19. What’s not fun
• Doing the diagram by hand.
• Doing the analysis by hand.
• Easily missing something.
• Not having time.
24. DESIGNING a Secure app
• Secure Coding “Level 0” is good coding.
• Much malicious code can look, at the outset, like nothing more than really bad coding practice
• The same applies to the user interface
• Well-meaning UI choices can be bad for security
28. OWASP Top 10
• Injection
• Cross-Site Scripting (XSS): a vulnerability created by insecure coding techniques, resulting in improper input validation. Often used in conjunction with CSRF and/or SQL injection.
• Insecure Direct Object References: a direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, or database key. Without an access control check or other protection, attackers can manipulate these references to access unauthorized data.
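The two OWASP items above, as an added example in Node-style JavaScript (not code from the talk or from OWASP): for each one, the insecure pattern next to its fix. The XSS fix shown is output encoding, the control OWASP recommends alongside input validation. The score table, the player names and the helper functions are constructed for this example.

```javascript
// Constructed sample "database": a player score table keyed by numeric id.
// Any id is a direct object reference; nothing about the id itself says
// who is allowed to read the row.
const scores = new Map([
  [1, { ownerId: 'alice', moves: 5 }],
  [2, { ownerId: 'bob', moves: 7 }],
]);

// --- Cross-Site Scripting -------------------------------------------------
// Insecure: the player name is dropped straight into HTML, so a name that
// contains markup is rendered as markup in every viewer's browser.
function renderWinnerUnsafe(name) {
  return `<p>Winner: ${name}</p>`;
}

// Fix: encode the characters that carry meaning in HTML before interpolating.
// Encoding is context-specific; this encoder is only correct for element
// content and quoted attribute values, not for URLs, CSS or inline script.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;',
  })[c]);
}
function renderWinnerSafe(name) {
  return `<p>Winner: ${escapeHtml(name)}</p>`;
}

// --- Insecure Direct Object Reference ----------------------------------
// Insecure: whoever supplies an id gets the row; there is no ownership check.
function getScoreUnsafe(id) {
  return scores.get(id) ?? null;
}

// Fix: resolve the reference, then enforce that the requesting user may see
// it. Returning null for both "no such row" and "not your row" also avoids
// telling the caller which ids exist.
function getScoreSafe(requestingUser, id) {
  const row = scores.get(id);
  if (!row || row.ownerId !== requestingUser) return null;
  return row;
}
```

The same shape applies to file paths and directory names: look the reference up, then check the caller's right to it, and give the same answer for "missing" and "forbidden".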
30. Help while coding
• This is where the real fun happens
• Adding features
• Optimizing code
31. What’s not fun
• Reviewing 10,000 lines of code looking for patterns that might match common vulnerabilities (OWASP, SANS, etc.)
• Finding out after coding an entire feature that it has a fundamental security flaw and needs to be refactored or rewritten.
• Having the feature reach production and having to respond to a major incident.
32. Tools
• What tools should you have in your backpack, to help you along the way?
• "Anything that you might need, I've got inside for you."
• Binoculars, sticky tape
• Bag of Holding
34. Debugging with proxies
• We are going to cover our favorite proxies in just a few minutes when we are hacking our own code.
• Just remember that you can/could/should be using a proxy, where appropriate, even early while you are developing code …
35. Automated testing - security test cases
• Use Cases
• But also “Abuse Cases”
• Testing the happy path
• But also think about the unhappy path that “bad people” might take – more suggestions on how to do that coming soon too …
40. Know your Threats
• Script kiddies – hobby – opportunistic, not stealthy, known exploits
• Organized Crime – hold hostage, profit – possibly stealthy, often non-targeted / broad, zero-day – may target for corporate espionage
• Disorganized Crime – petty theft, personal gain – amateur, known
• Activist – do damage, get press – mixed, disgruntled
• Nation-state – destabilize, do damage – more skilled than you, targeted, precise, zero-day exploits
51. Security has a price – it’s ~$49.00
• Private / Encrypted E-mail
• Full-time VPN
• Yubikey MFA, key/cert secure storage
• Little Snitch, Mic/Camera Snitch
Editor's Notes
Video / music to start?
Thank you so much for coming out to this session – I know there are many choices – you’ve come to the room where we are going to discuss “Fun with Application Security”
Let’s jump in
Everyone remembers their first time.
For me it was in Flanders Elementary school in the fall of 1978. After finishing some school subjects early in the year, I was able to spend a few hours a day in the library (self-study). At some point in the fall a number of boxes arrived, and inside was a brand new Commodore PET computer (with a fancy cassette tape drive to load one of the two “tapes” of programs that it came with). No one that I can remember knew why the computer was bought for the school (and put in the library) but they let me try it out, and even teach some of the teachers.
You couldn’t buy software for computers in those days – you had to write it. So like most people who get started in coding, I spent several months running other people’s code, reading other people’s code, learning BASIC, then modifying other people’s code – Space Invaders clone, Choose Your Own Adventure, and then trying to code myself (there was no copy and paste or Google or Stack Overflow at the time, so it was a lot of typing things in, and there really wasn’t an ability to “save” at the time, so I ended up leaving the computer on or retyping things …) but the point is it was FUN
Stuff happens, yada, yada, and jump forward 10 years and I get my first real taste of things to come, and my first run-in with security challenges.
I was doing summer research in Quantum Chemistry/Physics and implementing some rather complex matrix math equations in Fortran 77 – to make a long story short, they simulated certain molecules (like H2O) and calculated changes in energy levels when you messed with the orbits of some of the electrons. To run some of the models we got time on a Cray YMP supercomputer in California and connected over the fledgling Internet (via 300 baud dial-up). The point here is that it was a shared time situation where there were others using the same system at other times. Turns out some of these other people were getting into each other’s code and messing with it – high-brow hijinks (adding a third oxygen atom to the mix and trying to model an H3O molecule, etc.). So the “passwords” (that we were assigned) had to be changed and we lost a good week’s worth of research.
So coding was still Fun, and now possibly even profitable, but security was really starting to make things less fun.
Jump forward another 30 years and it is getting ridiculous.
Every week there is a new security threat or five. They have gone crazy in reporting them and started naming them like Hurricanes. They even have logos now for things like Poodle, Shellshock, Heartbleed and more – with Freak Attacks and WannaCry that weaponized EternalBlue.
So early this year I decided to take a new position and role to focus 100% on these types of issues.
My goal now, and in the next hour or so, is to explain some ways that you can look at the security challenges, take some precautions, use some powerful tools, and take back software development.
We need to “Make Software Development Fun Again”
And no, I’m not a Trump fan, but you have to admit they did a great job branding things with the witty saying and the hats … but let’s get started …
Disclaimer … Bruce Abernethy
I am a lifelong developer, certified Microsoft developer, Apple Developer and Google Android developer – with current web apps, web services, apps in both stores, and code running on devices. Security-wise I have a GIAC certification in secure coding for .NET and am working on a CEH.
I’ve had 5-6 different roles at Meijer – this year I made a switch and took on a brand new role at Meijer focused on Application Security – there is a big need for that, and I do want to bring the fun back …
Research tells us that the average person consumes about 34Gb of data a day – mostly video, pictures, games and digital content. In fact only 1/10 of 1% of this data is textual. So I wanted to have a good visual and exciting theme to tie all the themes in security together - something current and memorable that would fit with the themes of fun, and security and heroes protecting their apps from evil. Unfortunately it didn’t really come together with modern favorites.
A very different hero emerged that fit better into the main themes that I wanted to focus on
It’s my view that Dora grew up and has become a very successful Coder and has used her skills and experience to focus on Secure Software Development
If you know Dora, that will help – if you don’t – you’ll be fine.
Dora taught and annoyed a bunch of kids over the last almost 20 years. She went through a daily adventure with her companion Boots the monkey, planned her way with “The Map” and had tools and goodies in the backpack.
The antagonist in the series was Swiper the fox, who always tried to steal her stuff (see where we are going with security).
With a few other regulars on the show to make things interesting.
Our meta-app will be a tic tac toe game – TIC TAC TICO – we want it to be web-based but also a mobile app (iOS, Android?)
Security for most developers is a chore, literally. It is something you know you need to do, you don’t really want to do, but you have a feeling that if you don’t do it, that there will be consequences. What have we done as humans with chores? Tried to use technology to make them easier.
MS Threat Modeling Tool 2016 – free, Windows only.
Draw it out, including data at rest, in memory, and in transit (along with the protocols used); the tool then runs a STRIDE rules engine over the diagram.
OWASP Incubator Project – just usable, going beta soon, and a lot of promise. Cross platform desktop app built in Node and Angular with Electron. If they can get the rules engine working, this should replace Microsoft’s tool going forward.
The more you learn about security, the more you will determine that you really don’t know. It doesn’t mean you have to move to a cabin in the woods. It does mean that you can take basic precautions and feel a bit more secure.
Also raw error messages:
“No one with that username exists in the system” …. keep trying until you get a username.
“The password is wrong for that username” … that username exists in the system, now just find the password.