with python: security():
PyConPL 2017 1 @dybacompl
with python: security()
by Piotr Dyba
Disclaimers
Disclaimer 1:
All that will be presented is my personal opinion.
Disclaimer 2:
Nobody is paying me for mentioning any of the open source or commercial products mentioned in this presentation.
Disclaimer 3:
Blue text or text in blue boxes during the presentation are hints for devops people which had to be cut out to fit into the 45-minute time slot. The presentation focuses on the developer's perspective.
Agenda
1. whoami
2. Cyber Security
3. Why is cyber-security awareness in a company so important nowadays
4. Threat modelling
5. Common attack vectors on web and on Python applications
6. Automated security testing
7. Pentesting and pentesters
8. Who is a CISO
9. Interesting links
10. Q&A
Afterwards, face-to-face feedback is greatly appreciated.
whoami
Piotr Dyba
Poznań, Poland
Team leader & software engineer
220 people, mostly women, Pythoning weekly!
Cyber Security: what is it?
Protection of:
• computer systems
• IoT devices
• smartphones
from theft of or damage to their:
• hardware
• software
• information
and from disruption of services.
Cyber security starts from controlling physical access to the hardware, goes through protecting against harm that may come via network access, and extends up to user incompetence.
why is cyber-security awareness in a company so important nowadays
Source: http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/
F-Secure: Public Honeypots – attacks per day
F-Secure: Public Honeypots (username / password / count)
Rank  Username  Password   Count
1     root      root       1165236
2     admin     admin      66522
3     user      user       23994
4     test      test       13302
5     pi        raspberry  35938
6     support   support    35331
7     ubnt      ubnt       33170
8     oracle    oracle     9294
9     guest     guest      23524
10    git       git        10829
Threat modelling: what is it?
An approach for:
1. identifying
2. quantifying
3. addressing
security risks.
https://mobilisationlab.org/wp-content/uploads/2015/08/batman-threat-model-1200.png
Threat modelling: identify
Decompose the Application:
1. Identifying assets.
2. Use-cases to understand how the application is used.
3. Identifying entry points.
4. Interactions with external entities.
5. Identifying trust levels – Access Control Lists – ACLs.
Tips:
1. Reuse data flow diagrams or the app’s UML diagrams.
2. Reuse testing paths, especially from behavioural or integration tests.
Threat modelling: identify threats and quantify them
Determine and rank threats.
1. Use STRIDE, the Application Security Frame (ASF) or another framework that provides ways to collect information regarding:
1. auditing and logging
audit – who did what (and why)
logging – what is happening
2. authentication and authorization
authentication – is he/she who he/she claims to be (logging in)
authorization – who is allowed to do what
3. configuration management
4. data validation and protection in storage and in transit
5. exception management
2. Identify threats both from the attacker’s and the defender’s perspective.
Beginner’s tip: use for example the Common Vulnerability Scoring System (CVSS) for measuring and comparing threats.
Tip: use and abuse cases can illustrate how existing protective measures could be bypassed, or where such protection is lacking.
Threat modelling: address
Determine countermeasures and mitigation.
Options:
• remove the risk posed by the threat completely
• reduce the risk – when the business impact a threat poses is high enough
• take the risk – when the business impact is acceptable
• do nothing
No protection against a threat indicates a vulnerability.
Securing an app
Let’s create a secure web app with PHP!
(PHP: Python Has Power)
my_blog, using AngularJS for the frontend, Sanic for the backend, PostgreSQL and nginx, with simple endpoints:
/ - static home
/api/login
/api/blog
/api/blog/<id>
/api/user
/api/user/<id>
Common attack vectors on web applications
Open Web Application Security Project - OWASP
OWASP TOP 10:
1. A1 Injection
2. A2 Broken Authentication and Session Management
3. A3 Cross-Site Scripting (XSS)
4. A4 Insecure Direct Object References
5. A5 Security Misconfiguration
6. A6 Sensitive Data Exposure
7. A7 Missing Function Level Access Control
8. A8 Cross-Site Request Forgery (CSRF)
9. A9 Using Components with Known Vulnerabilities
10. A10 Unvalidated Redirects and Forwards
Try them out:
BeeBox project
https://sourceforge.net/projects/bwapp/files/bee-box/
OWASP Broken Web Applications Project (OWASP BWAP)
https://www.owasp.org/index.php/OWASP_Broken_Web_Applications_Project
Securing an app: Threat Modelling #1
Frontend Threat Modelling: AngularJS
OWASP TOP 10:
1. A1 Injection
2. A2 Broken Authentication and Session Management
3. A3 Cross-Site Scripting (XSS)
4. A4 Insecure Direct Object References
5. A5 Security Misconfiguration
6. A6 Sensitive Data Exposure
7. A7 Missing Function Level Access Control
8. A8 Cross-Site Request Forgery (CSRF)
9. A9 Using Components with Known Vulnerabilities
10. A10 Unvalidated Redirects and Forwards
The good thing is that AngularJS mitigates most of them.
Common attack vectors on Python applications
1. Python code injection
Nope, unless you use eval/exec or pickle, especially on user or machine input.
Getting a remote shell with Python Pickle in Twisted (fixed):
https://blog.nelhage.com/2011/03/exploiting-pickle/
Why eval is so dangerous
Why are people tempted to use eval and exec at all?
Almost 30 times faster for Python 2 and over 40 times faster for Python 3!
Eval may also be much shorter.
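The safe counterparts to the two shortcuts named above, as an added example that is not code from the talk: `ast.literal_eval` gives the one-liner convenience of `eval` for input that is supposed to be a Python literal, but parses instead of executing, and a JSON record with an explicit field check replaces `pickle` for stored objects. The `BlogPost` shape is an assumption made for the example.

```python
"""Safe replacements for eval()/exec() and pickle on data you do not control.

Added example, not from the slides. The BlogPost record is assumed.
"""
import ast
import json
from dataclasses import dataclass


def parse_literal(text: str):
    """What most eval() call sites actually need: turn text into a number,
    string, list, dict, tuple, set, bool or None. Calls, attribute access,
    names and operators are rejected with ValueError instead of being run."""
    try:
        return ast.literal_eval(text)
    except (ValueError, SyntaxError, TypeError, MemoryError, RecursionError) as exc:
        raise ValueError(f"not a plain Python literal: {text!r}") from exc


def is_literal(text: str) -> bool:
    """True if parse_literal would accept `text`; usable as input validation."""
    try:
        parse_literal(text)
        return True
    except ValueError:
        return False


@dataclass
class BlogPost:
    author_id: int
    title: str
    body: str

    # Only these fields, with these types, are ever read back.
    _FIELDS = {"author_id": int, "title": str, "body": str}

    def dumps(self) -> str:
        """Serialise as JSON: plain data, no class names, no code."""
        return json.dumps({"author_id": self.author_id,
                           "title": self.title, "body": self.body})

    @classmethod
    def loads(cls, data: str) -> "BlogPost":
        """Unlike pickle.loads, this cannot instantiate arbitrary objects:
        the document must be a dict with exactly the expected fields/types."""
        raw = json.loads(data)
        if not isinstance(raw, dict) or set(raw) != set(cls._FIELDS):
            raise ValueError("unexpected or missing fields")
        for field, kind in cls._FIELDS.items():
            # bool is a subclass of int, so refuse it explicitly for author_id
            if not isinstance(raw[field], kind) or isinstance(raw[field], bool):
                raise ValueError(f"field {field!r} must be {kind.__name__}")
        return cls(raw["author_id"], raw["title"], raw["body"])


def is_valid_post_json(data: str) -> bool:
    """Validation wrapper: True only for a well-formed BlogPost document."""
    try:
        BlogPost.loads(data)
        return True
    except ValueError:  # json.JSONDecodeError is a ValueError subclass
        return False
```

If the speed of `eval` is the real motivation, note that `ast.literal_eval` still parses Python syntax; for configuration and API payloads `json.loads` is both faster and stricter, which is why the post record above uses it.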
Common attack vectors on Python applications
1. SQL injection
2. Python code injection using SQL injection
Nope, unless you implement SQL yourself instead of using ORMs like the Django ORM, SQLAlchemy, etc.
That’s possible even when using ORMs, but it can be mitigated, for example:
• by avoiding it: use JSON for storing the data passed to a class constructor
• by additional anti-code-injection validation
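What "implementing SQL yourself" goes wrong on, and what the ORM does underneath, as an added example that is not from the talk: a string-built query beside its parameterised form, plus the case placeholders cannot cover (a caller-chosen sort column), handled with an allow-list. The talk's stack is PostgreSQL; `sqlite3` is used here only because it ships with Python and runs offline, and the tables and rows are constructed for the example.

```python
"""Parameterised queries vs. string-built SQL, on an in-memory SQLite copy
of a blog's users/posts tables.

Added example, not from the slides. sqlite3 stands in for PostgreSQL; the
'?' placeholder is '%s' in psycopg2 and handled for you by SQLAlchemy.
Table layout and rows are constructed.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (name, role) VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    conn.execute("CREATE TABLE posts (id INTEGER PRIMARY KEY, author_id INTEGER,"
                 " title TEXT, created TEXT)")
    conn.executemany("INSERT INTO posts (author_id, title, created) VALUES (?, ?, ?)",
                     [(1, "first", "2017-08-01"), (2, "second", "2017-08-02")])
    return conn


def find_user_unsafe(conn, name: str) -> list:
    """Anti-pattern: the request value becomes part of the SQL text, so a
    quote inside `name` ends the string literal and the rest is parsed as SQL."""
    sql = f"SELECT id, name, role FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def find_user(conn, name: str) -> list:
    """Parameterised: `name` reaches the engine as data and is compared
    verbatim, quotes included. This is what every ORM does for you."""
    return conn.execute("SELECT id, name, role FROM users WHERE name = ?",
                        (name,)).fetchall()


# Placeholders only cover values. Identifiers such as a column to sort by
# must come from an allow-list the request cannot extend.
SORTABLE_COLUMNS = {"id", "title", "created"}


def is_sortable(column: str) -> bool:
    return column in SORTABLE_COLUMNS


def list_posts(conn, order_by: str = "created", descending: bool = False) -> list:
    if not is_sortable(order_by):
        raise ValueError(f"cannot sort by {order_by!r}")
    direction = "DESC" if descending else "ASC"
    # Safe only because order_by was checked against the fixed set above.
    sql = f"SELECT id, author_id, title FROM posts ORDER BY {order_by} {direction}"
    return conn.execute(sql).fetchall()
```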
Why eval is so dangerous
The main threat to a Python application is located between the chair and the keyboard:
the developer.
Securing an app: Threat Modelling #1
Backend Threat Modelling: Sanic
OWASP TOP 10:
1. A1 Injection
2. A2 Broken Authentication and Session Management
3. A3 Cross-Site Scripting (XSS)
4. A4 Insecure Direct Object References
5. A5 Security Misconfiguration
6. A6 Sensitive Data Exposure
7. A7 Missing Function Level Access Control
8. A8 Cross-Site Request Forgery (CSRF)
9. A9 Using Components with Known Vulnerabilities
10. A10 Unvalidated Redirects and Forwards
11. Using uncommon external libraries without proper checks.
12. Using outdated libraries may also lead to vulnerabilities.
Securing an app: Threat Modelling #1
DB Threat Modelling: PostgreSQL
OWASP TOP 10:
1. A1 Injection
2. A5 Security Misconfiguration
3. A6 Sensitive Data Exposure
HTTP Server Threat Modelling: nginx
OWASP TOP 10:
1. A5 Security Misconfiguration
2. A10 Unvalidated Redirects and Forwards
Server Threat Modelling: SSH
OWASP TOP 10:
1. A5 Security Misconfiguration
Securing an app: Threat Modelling #1
Use-cases to understand how the application is used:
1. Everyone can enter the site and view the blog, blog posts and users.
2. Registered users can add new posts.
3. Admins can manage users and delete posts.
Securing an app: Threat Modelling #1
Decompose the Application:
1. Interactions with external entities.
2. Use-cases to understand how the application is used.
3. Identifying entry points - Done
4. Identifying assets - Done
5. Identifying trust levels – Access Control Lists – ACLs

Trust levels per role:
Role        Login  Logout  Read blog  Write blog  Delete blog  Manage users
Anonymous   Yes    No      Yes        No          No           No
User        No     Yes     Yes        Yes         No           No
Admin       No     Yes     Yes        Yes         Yes          Yes

DB operations per action:
DB action   Login  Logout  Read blog  Write blog  Delete blog  Manage users
DB Read     Yes    No      Yes        Yes         No           Yes
DB Write    No     No      No         Yes         No           Yes
DB Delete   No     No      No         No          Yes          Yes
Securing an app: Threat Modelling #1
Entry points and trust levels per endpoint (G = GET, P = POST, D = DELETE):

Method     /    /api/login  /api/blog  /api/blog/<id>  /api/user  /api/user/<id>
GET        Yes  No          Yes        Yes             Yes        Yes
POST       No   Yes         Yes        Yes             Yes        Yes
DEL        No   No          No         Yes             No         Yes

Role       /    /api/login  /api/blog  /api/blog/<id>  /api/user  /api/user/<id>
Anonymous  G    P           G          G               -          G
User       G    -           GP         GP              -          G
Admin      G    -           GP         GPD             GP         GPD
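The role-by-endpoint matrix above written down as data with one check in front of every handler, as an added example that is not code from the talk's app. It transcribes the slide's table (G = GET, P = POST, D = DELETE, "-" = nothing) and also cross-checks it against the method table, so a grant for a method the endpoint does not serve shows up immediately. Matching a concrete path such as `/api/blog/42` to the `<id>` pattern is an assumption about how the app names its routes.

```python
"""The endpoint/role ACL from the my_blog threat model as code.

Added example, not from the slides. ACL and SUPPORTED transcribe the two
tables on the slide; the route-matching rule for '<id>' is assumed.
"""

# Role -> endpoint pattern -> letters of the methods that role may use.
ACL = {
    "anonymous": {"/": "G", "/api/login": "P", "/api/blog": "G",
                  "/api/blog/<id>": "G", "/api/user": "-", "/api/user/<id>": "G"},
    "user":      {"/": "G", "/api/login": "-", "/api/blog": "GP",
                  "/api/blog/<id>": "GP", "/api/user": "-", "/api/user/<id>": "G"},
    "admin":     {"/": "G", "/api/login": "-", "/api/blog": "GP",
                  "/api/blog/<id>": "GPD", "/api/user": "GP", "/api/user/<id>": "GPD"},
}

# Methods each endpoint serves at all (the GET/POST/DEL table on the slide).
SUPPORTED = {"/": "G", "/api/login": "P", "/api/blog": "GP",
             "/api/blog/<id>": "GPD", "/api/user": "GP", "/api/user/<id>": "GPD"}

METHOD_LETTER = {"GET": "G", "POST": "P", "DELETE": "D"}


def _segments(path: str) -> list:
    """'/' -> [], '/api/blog/42/' -> ['api', 'blog', '42']."""
    return [seg for seg in path.split("/") if seg]


def match_route(path: str):
    """Return the ACL pattern a concrete path belongs to, or None.
    '<id>' matches a purely numeric segment only (assumed convention)."""
    want = _segments(path)
    for pattern in SUPPORTED:
        have = _segments(pattern)
        if len(have) == len(want) and all(
                (h == "<id>" and w.isdigit()) or h == w for h, w in zip(have, want)):
            return pattern
    return None


def is_allowed(role: str, method: str, path: str) -> bool:
    """Default deny: unknown role, method or route is refused. Call this
    before the handler runs (OWASP A7, Missing Function Level Access Control)."""
    pattern = match_route(path)
    letter = METHOD_LETTER.get(method.upper())
    if pattern is None or letter is None or role not in ACL:
        return False
    return letter in ACL[role][pattern]


def unsupported_grants() -> list:
    """Consistency check between the two tables: every (role, endpoint,
    method) granted in ACL must be a method the endpoint actually serves."""
    problems = []
    for role, grants in ACL.items():
        for pattern, letters in grants.items():
            for letter in letters.replace("-", ""):
                if letter not in SUPPORTED[pattern]:
                    problems.append((role, pattern, letter))
    return problems
```

The matrix answers "may this role call this endpoint at all"; whether a user may edit or delete someone else's post is an ownership check inside the handler (OWASP A4, Insecure Direct Object References), and the two checks are kept separate on purpose.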
Securing an app: Threat Modelling #1
Decompose the Application:
1. Interactions with external entities - Done
2. Use-cases to understand how the application is used - Done
3. Identifying entry points - Done
4. Identifying assets - Done
5. Identifying trust levels – Access Control Lists – ACLs - Done
Securing an app: Threat Modelling #2
Determine and rank threats – what is the most valued part of our business?
!!! Blog posts, users – Information or Confidentiality*
How can posts be targeted?
1. Someone gets admin access and deletes everything.
2. Someone gets user access and creates spam or spreads malware.
3. Someone hacks our DB and deletes/modifies posts.
4. Denial of service – our posts are not accessible.
5. Someone owns the whole server…
! Application source code and configuration.
1. Someone gets access and plants malicious code.
2. Someone gets the code and makes it public or sells it.
3. If there happen to be any code vulnerabilities, someone exploits them.
4. Someone owns the whole version control system.
What matters in some cases may not be a whole functionality but specific data like credit card numbers, logins/passwords, etc.
Securing an app: Threat Modelling #3
Risk mitigation.
1. Someone gets admin access and deletes all.
Adding multi-factor authentication, for admins at least.
2. Someone gets user access and creates spam or spreads malware.
Limiting posts per day and edits per hour. Shorter sessions.
3. Someone hacks our DB and deletes/modifies posts.
Access to the DB should be over TLS and only from a specific IP (range).
4. Denial of service – our posts are not accessible.
Using anti-(D)DoS services.
5. Someone owns the whole server…
Adding multi-factor authentication,
SSH access with certificate-based auth only,
SSH access only from specific IPs,
the app should not be running under a privileged user,
AppArmor or SELinux.
Part of mitigation is also having proper testing at the unit-test level.
sshttp - hiding SSH servers behind HTTP
https://github.com/stealth/sshttp
Automated security testing
Source code analysis tools:
• Bandit – Python only, Open Source, can be easily integrated with Jenkins
• SonarQube – supports many languages, free or paid SaaS, Open Source, Jenkins ready, “Continuous Inspection”
Automatic scanning tools:
• ZAP (Zed Attack Proxy) – Free, Open Source, Jenkins ready
• Burp – Free/Paid, Jenkins ready in ~2017
• Metasploit – Free, Open Source, Jenkins ready
• SQLMap – Free, Open Source
• scapy – Free, Open Source, Python
Commercial solutions and managed services:
• Qualys, Nessus, F-Secure Radar
Pentesting and pentesters
Penetration test (Pentest):
What: an authorized attack on a system, app or infrastructure
Why: find security weaknesses; compliance
How: elevating access inside the system; accessing restricted data
Who: an external 3rd party and/or dedicated pentesting tooling
When: new major features, major releases; periodically at the end of a longer development cycle
Pentesting and pentesters
Penetration tester:
a person who performs a penetration test
AKA:
• Pentester
• Hacker
• White hat
• Security consultant
A pentesting drill that the majority of employees are unaware of is called Red Teaming.
Red Teaming can consist of:
• Physical security: breaking into the office, server rooms, conference rooms.
• Network security: planting a Raspberry Pi on the network, routing data through a sniffer.
• Phishing and social engineering.
• Software testing.
If the red teaming finishes undetected, you have huge security problems, as the attacker during the drill, after achieving all goals, starts being “noisy” up to the point where someone should have noticed…
Pentesting and pentesters
Different ways of pentesting
White Box:
• The pentester has full access to the application and system under test
• Covers the widest range of attack vectors
• The pentester has access to the source code and documentation
Grey Box:
• The pentester does not have access to the system
• They have different types of accounts (user, mod, admin), but not app root
• They have access to the source code and documentation
• Pentesting is targeted
Black Box:
• The pentester has no knowledge about the system, or knows only the basics.
• No access to source code
• No access to the app above end-user level
• Similar perspective to a real attacker
Who is a CISO
Chief information security officer
• Computer security/incident response team
• Disaster recovery and business continuity management
• Identity and access management
• Information privacy
• Information regulatory compliance
• Information risk management
• Security architecture
• Security development – process and tools
• IT Security – process and tools
• Security awareness
Being hacked.
The smart thing is to learn from others’ mistakes.
The 4 circles of being pwned:
1. Being hacked by a bot or a script kiddie
2. Being hacked using one of the well-known and documented threats
3. Being hacked using a known vulnerability
4. Being hacked using an unknown vulnerability – 0-day
Not seeing the destructive outcome of an attack does not necessarily mean that you were not hacked; there is a chance that you were owned a long time ago and still do not know about it!
A Gartner report from 2016 says that it takes a company on average 200 days after a hack to find out about it.
Internet is changing!
Interesting links
http://owasp.org
https://vulnhub.com
https://github.com/sbilly/awesome-security
https://github.com/nixawk/pentest-wiki
https://safeandsavvy.f-secure.com/
https://reddit.com/r/netsec/
https://blogs.cisco.com/author/talos
https://youtube.com/channel/UClcE-kVhqyiHCcjYwcpfj9w
http://gynvael.coldwind.pl/
https://nakedsecurity.sophos.com/
https://risky.biz/netcasts/risky-business/
https://badcyber.com/
https://packetstormsecurity.com
https://labs.mwrinfosecurity.com/
https://ctftime.org/ctf-wtf/
http://overthewire.org/wargames/
https://picoctf.com/
https://microcorruption.com/about
https://www.offensive-security.com/when-things-get-tough/
Regarding multi-factor authentication:
Justin Mayer’s EuroPython 2017 talk from yesterday:
“REPLACING PASSWORDS WITH MULTIPLE FACTORS: EMAIL, OTP, AND HARDWARE KEYS”
Q & A
I’m hiring to my team!
PyConPL 2017 - with python: security

  • 1.
    with python: security(): PyConPL2017 1 @dybacompl with python: security() by Piotr Dyba
  • 2.
    with python: security(): PyConPL2017 2 @dybacompl Disclaimers Disclaimer 1: All that will be presented is my personal opinion. Disclaimer 2: Nobody is paying me for mentioning any of the open source or commercial products mentioned in this presentation. Disclaimer 3: Blue text or text in blue boxes during the presentation, those are hints for devopses which had to be cut out in order to fit in to 45min time slot. The presentation will focus on developers perspective.
  • 3.
    with python: security(): PyConPL2017 3 @dybacompl Agenda 1. whoami 2. Cyber Secuirty 3. why is cyber-security awareness in a company so important nowadays. 4. Threat modelling 5. Common attack vectors on web and on Python applications. 6. Automated security testing. 7. Pentesting and pentesters. 8. Who is a CISO 9. Interesting links 10. Q&A Afterwards face to face feedback is greatly appreciated.
  • 4.
    with python: security(): PyConPL2017 4 @dybacompl whoami Piotr Dyba
  • 5.
    with python: security(): PyConPL2017 5 @dybacompl whoami Poznań, Poland
  • 6.
    with python: security(): PyConPL2017 6 @dybacompl whoami Team leader & software engineer
  • 7.
    with python: security(): PyConPL2017 7 @dybacompl whoami 220 people, mostly women Pythoning, weekly !
  • 8.
    with python: security(): PyConPL2017 8 @dybacompl Cyber Secuirty Protection of: • computer systems • IoT devices • Smartphones from the theft or damage to their • hardware • software • Information • disruption of services. Cyber security starts from controlling physical access to the hardware through protecting against harm that may come via network access up to user incompetence. What it is ?
  • 9.
    with python: security(): PyConPL2017 9 @dybacompl why is cyber-security awareness in a company so important nowadays Source: http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/
  • 10.
    with python: security(): PyConPL2017 10 @dybacompl why is cyber-security awareness in a company so important nowadays
  • 11.
    with python: security(): PyConPL2017 11 @dybacompl why is cyber-security awareness in a company so important nowadays.x` F-Secure: Public Honeypots – attacks per day
  • 12.
    with python: security(): PyConPL2017 12 @dybacompl why is cyber-security awareness in a company so important nowadays. F-Secure: Public Honeypots username password Count 1 root root 1165236 2 admin admin 66522 3 user user 23994 4 test test 13302 5 pi raspberry 35938 6 support support 35331 7 ubnt ubnt 33170 8 oracle oracle 9294 9 guest guest 23524 10 git git 10829
  • 13.
    with python: security(): PyConPL2017 13 @dybacompl why is cyber-security awareness in a company so important nowadays.
  • 14.
    with python: security(): PyConPL2017 14 @dybacompl Threat modelling An approach for: 1. identify 2. quantify 3. addressing security risks. What it is ? https://mobilisationlab.org/wp-content/uploads/2015/08/batman-threat-model-1200.png
  • 15.
    with python: security(): PyConPL2017 15 @dybacompl Threat modelling An approach for: 1. identify 2. quantify 3. addressing security risks. What it is ? https://mobilisationlab.org/wp-content/uploads/2015/08/batman-threat-model-1200.png
  • 16.
    with python: security(): PyConPL2017 16 @dybacompl Threat modelling An approach for: 1. identify 2. quantify 3. addressing security risks. What it is ? https://mobilisationlab.org/wp-content/uploads/2015/08/batman-threat-model-1200.png
  • 17.
    with python: security(): PyConPL2017 17 @dybacompl Threat modelling An approach for: 1. identify 2. quantify 3. addressing security risks. What it is ? https://mobilisationlab.org/wp-content/uploads/2015/08/batman-threat-model-1200.png
  • 18.
    with python: security(): PyConPL2017 18 @dybacompl Threat modelling: identify Decompose the Application: 1. Identifying assets. 2. Use-cases to understand how the application is used 3. Identifying entry points 4. interactions with external entities 5. identifying trust levels – Access Control Lists – ACL’s Tips: 1. Reuse data flow diagrams or app’s UMLs 2. Reuse testing paths especially from Behavioural or Integrations tests
  • 19.
    with python: security(): PyConPL2017 19 @dybacompl Threat modelling: identify threats and quantify them Determine and rank threats. 1. Use STRIDE or Application Security Frame (ASF) or another framework that provides ways to collect information regarding: 1. auditing and logging audit – who did what (and why) logging – what is happening 2. authentication and authorization, authentication – is he/she who he/she claims to be - logging authorization - who is allowed to do what 3. configuration management, 4. data validation and protection in storage and transit 5. Exception management
  • 20.
    with python: security(): PyConPL2017 20 @dybacompl Threat modelling: identify threats and quantify them Determine and rank threats. 2. Identify threats both from the attacker and the defensive perspective Beginners tip: Use for example Common Vulnerability Scoring System (CVSS) for measuring and compering threats: Tip: Use and abuse cases can illustrate how existing protective measures could be bypassed, or where a lack of such protection exists.
  • 21.
    with python: security(): PyConPL2017 21 @dybacompl Threat modelling: address Determine countermeasures and mitigation. Options: • removing the risk posed by the threat completely • reduce the risk - business impact that a threat poses is high enough • take the risk - the business impact is acceptable • do nothing No protection against a threat, indicate a vulnerability.
  • 22.
    with python: security(): PyConPL2017 22 @dybacompl Securing anAPP Let’s create a secure web APP with PHP !
  • 23.
    with python: security(): PyConPL2017 23 @dybacompl Securing anAPP
  • 24.
    with python: security(): PyConPL2017 24 @dybacompl Securing anAPP Let’s create a secure web APP with PHP ! Python Has Power my_blog, using AngularJS for frontend, Sanic for BE, PostgreSQL and nginx with simple endpoints: / - static home /api/login /api/blog /api/blog/<id> /api/user /api/user/<id>
  • 25.
    with python: security(): PyConPL2017 25 @dybacompl Securing anAPPThreat Modelling #1 Frontend Threat Modelling: AngularJS
  • 26.
    with python: security(): PyConPL2017 26 @dybacompl Common attack vectors on web applications Open Web Application Security Project - OWASP
  • 27.
    with python: security(): PyConPL2017 27 @dybacompl Common attack vectors on web applications Open Web Application Security Project - OWASP
  • 28.
    with python: security(): PyConPL2017 28 @dybacompl Common attack vectors on web applications OWASP TOP 10: 1. A1 Injection 2. A2 Broken Authentication and Session Management 3. A3 Cross-Site Scripting (XSS) 4. A4 Insecure Direct Object References 5. A5 Security Misconfiguration 6. A6 Sensitive Data Exposure 7. A7 Missing Function Level Access Control 8. A8 Cross-Site Request Forgery (CSRF) 9. A9 Using Components with Known Vulnerabilities 10.A10 Unvalidated Redirects and Forwards Try them out: BeeBox project https://sourceforge.net/projects/bwapp/files/bee-box/ OWASP Broken Web Applications Project (OWASP BWAP) https://www.owasp.org/index.php/OWASP_Broken_Web_Applications_Project
  • 29.
    with python: security(): PyConPL2017 29 @dybacompl Securing anAPPThreat Modelling #1 Frontend Threat Modelling: AngularJS OWASP TOP 10: 1. A1 Injection 2. A2 Broken Authentication and Session Management 3. A3 Cross-Site Scripting (XSS) 4. A4 Insecure Direct Object References 5. A5 Security Misconfiguration 6. A6 Sensitive Data Exposure 7. A7 Missing Function Level Access Control 8. A8 Cross-Site Request Forgery (CSRF) 9. A9 Using Components with Known Vulnerabilities 10.A10 Unvalidated Redirects and Forwards Good thing is that AngularJS mitigates most of them.
  • 30.
    with python: security(): PyConPL2017 30 @dybacompl Securing anAPPThreat Modelling #1 Backend Threat Modelling: Sanic
  • 31.
    with python: security(): PyConPL2017 31 @dybacompl Common attack vectors on Python applications 1. Python Code injection Nope, unless you use eval/exec or pickle especially from user/computer input. Getting a remote shell with Python Pickle in Twisted (fixed): https://blog.nelhage.com/2011/03/exploiting-pickle/
  • 32.
    with python: security(): PyConPL2017 32 @dybacompl Why eval is so dengerous Why people are tempted to even use eval and exec ? Almost 30 times faster for Python2 and Over 40 times faster for Python3 !
  • 33.
    with python: security(): PyConPL2017 33 @dybacompl Why eval is so dengerous Eval may be also much shorter.
  • 34.
    with python: security(): PyConPL2017 34 @dybacompl Common attack vectors on Python applications 1. SQL injection 2. Python code injection using SQL injection Nope, unless you implement SQL yourself and not use ORM’s like djangoORM or SQLAlechemy, etc. That’s possible even when using ORMS, but it can be mitigated for example: • by avoiding it using JSON for storing data for class constructor. • additional anti-code injection validation
  • 35.
    with python: security(): PyConPL2017 35 @dybacompl Why eval is so dengerous The main threat to a Python application is located between chair and keyboard: Developer
  • 36.
    with python: security(): PyConPL2017 36 @dybacompl Securing anAPPThreat Modelling #1 Backend Threat Modelling: Sanic OWASP TOP 10: 1. A1 Injection 2. A2 Broken Authentication and Session Management 3. A3 Cross-Site Scripting (XSS) 4. A4 Insecure Direct Object References 5. A5 Security Misconfiguration 6. A6 Sensitive Data Exposure 7. A7 Missing Function Level Access Control 8. A8 Cross-Site Request Forgery (CSRF) 9. A9 Using Components with Known Vulnerabilities 10.A10 Unvalidated Redirects and Forwards 11. Using uncommon external libraries without proper check up. 12. Using outdated libraries may also lead to vulnerabilities.
  • 37.
    with python: security(): PyConPL2017 37 @dybacompl Securing anAPPThreat Modelling #1 DB Threat Modelling: PostgreSQL OWASP TOP 10: 1. A1 Injection 2. A5 Security Misconfiguration 3. A6 Sensitive Data Exposure HTTP Server Threat Modelling: nginx OWASP TOP 10: 1. A5 Security Misconfiguration 2. A10 Unvalidated Redirects and Forwards Server Threat Modelling: SSH OWASP TOP 10: 1. A5 Security Misconfiguration
  • 38.
    with python: security(): PyConPL2017 38 @dybacompl Securing anAPPThreat Modelling #1 Use-cases to understand how the application is used: 1. Everyone can enter site and view blog, blog posts and users. 2. Registered users can add new posts. 3. Admins can manage users and deletes posts.
  • 39.
    with python: security(): PyConPL2017 39 @dybacompl Securing anAPPThreat Modelling #1 Decompose the Application: 1. Interactions with external entities. 2. Use-cases to understand how the application is used 3. Identifying entry points - Done 4. identifying assets – Done 5. identifying trust levels – Access Control Lists – ACL’s Login Logout Read blog Write blog Delete blog Manage Users Anonymous Yes No Yes No No No User No Yes Yes Yes No No Admin No Yes Yes Yes Yes Yes Login Logout Read blog Write blog Delete blog Manage Users DB Read Yes No Yes Yes No Yes DB Write No No No Yes No Yes DB Delete No No No No Yes Yes
  • 40.
    with python: security(): PyConPL2017 40 @dybacompl Securing anAPPThreat Modelling #1 Decompose the Application: 1. Interactions with external entities. 2. Use-cases to understand how the application is used 3. Identifying entry points - Done 4. identifying assets - Done 5. identifying trust levels – Access Control Lists – ACL’s / /api/logi n /api/ blog /api/ blog/<id> /api/ user /api/ user/<id> GET Ye s No Yes Yes Yes Yes POST No Yes Yes Yes Yes Yes DEL No No No Yes No Yes / /api/logi n /api/ blog /api/ blog/<id> /api/ user /api/ user/<id> Anonymous G P G G - G User G - GP GP - G Admin G - GP GPD GP GPD
  • 41.
    with python: security(): PyConPL2017 41 @dybacompl Securing anAPPThreat Modelling #1 Decompose the Application: 1. Interactions with external entities. - Done 2. Use-cases to understand how the application is used - Done 3. Identifying entry points - Done 4. identifying assets - Done 5. identifying trust levels – Access Control Lists – ACL’s - Done
  • 42.
    with python: security(): PyConPL2017 42 @dybacompl Securing anAPPThreat Modelling #2 Determine and rank threats - what is the most valued part of our business ? !!! Blog posts, users – Information or Confidentiality* How posts can be targeted ? 1. Someone gets admin access and deletes everything. 2. Someone gets user access and creates spam or spreads malware. 3. Someone hacks our DB and deletes/modifies posts. 4. Denial of service – our posts are not accessible. 5. Someone owns the whole server… ! Application source code and configuration. 1. Someone gets access places malicious code. 2. Someone gets the code and make it open source or sales it. 3. If there happen to be any code vulnerabilities, exploiting them. 4. Someone owns the whole VC system. What matters in some cases may not be a whole functionality but specific data like: Credit Card numbers, Login/Passwords etc.
  • 43.
    with python: security(): PyConPL2017 43 @dybacompl Securing anAPPThreat Modelling #3 Risk mitigation. 1. Someone gets admin access and deletes all. Adding multi factor authentication for at least Admins. 2. Someone gets user access and creates spam or spreads malware. Limiting post per day, edits per hour. Shorter sessions. 3. Someone hacks our DB and deletes/modifies posts. Access to DB should be over TLS and only from specific (range) IP 4. Denial of service – our posts are not accessible. Using anti d(r)dos services. 5. Someone owns the whole server… Adding multi factor authentication, SSH acces over cert based auth only, SSH acces only from specific Ips, App should not be runing under priviliged user., AppArmor or SELinux Part of mitigation is also having proper testing at unitests level. sshttp - hiding SSH servers behind HTTP https://github.com/stealth/sshttp
  • 44.
    Automated security testing
    Source code analysis tools:
    Bandit - Python only, open source, can be easily integrated with Jenkins
    SonarQube - supports many languages, free or paid SaaS, open source, Jenkins ready, "Continuous Inspection"
    Automatic scanning tools:
    ZAP (Zed Attack Proxy) - free, open source, Jenkins ready
    Burp - free/paid, Jenkins ready in ~2017
    Metasploit - free, open source, Jenkins ready
    SQLMap - free, open source
    scapy - free, open source, Python
    Commercial solutions and managed services: Qualys, Nessus, F-Secure Radar
  • 45.
    Pentesting and pentesters
    Penetration test (pentest):
    What: an authorized attack on a system, app or infrastructure
    Why: finding security weaknesses; compliance
    How: elevating access inside the system; accessing restricted data
    Who: an external 3rd party and/or dedicated pentesting tooling
    When: new major features, major releases; periodically at the end of a longer development cycle
  • 46.
    Pentesting and pentesters
    Penetration tester: a person who performs a penetration test
    AKA:
    • Pentester
    • Hacker
    • White hat
    • Security consultant
    A pentesting drill that the majority of employees are unaware of is called Red Teaming.
    Red Teaming can consist of:
    • Physical security: breaking into the office, server rooms, conference room.
    • Network security: planting a Raspberry Pi on the network, routing data through a sniffer
    • Phishing and social engineering
    • Software testing
    If the red teaming finishes undetected, that means you have huge security problems, as the attacker during the drill, after achieving all goals, starts being "noisy" up to a point where someone should have noticed...
  • 47.
    Pentesting and pentesters
    Different ways of pentesting
    White box:
    • Pentester has full access to the application and system he is testing
    • Covers the widest range of attack vectors
    • Pentester has access to the source code and documentation
    Grey box:
    • Pentester does not have access to the system
    • He has different types of accounts (user, mod, admin), but not app root
    • He has access to the source code and documentation
    • Pentesting is targeted
    Black box:
    • The pentester has no knowledge of the system or knows only the basics
    • No access to source code
    • No access to the app above end-user level
    • Similar perspective to a real attacker
  • 48.
    Who is a CISO
    Chief Information Security Officer
    • Computer security/incident response team
    • Disaster recovery and business continuity management
    • Identity and access management
    • Information privacy
    • Information regulatory compliance
    • Information risk management
    • Security architecture
    • Security development - process and tools
    • IT security - process and tools
    • Security awareness
  • 49.
    Being hacked.
    The smart thing is to learn from others' mistakes.
    The 4 circles of being pwned:
    1. Being hacked by a bot or a script kiddie
    2. Being hacked using one of the well-known and documented threats
    3. Being hacked using a known vulnerability
    4. Being hacked using an unknown vulnerability - 0-day
    Not seeing the destructive outcome of an attack does not necessarily mean that you were not hacked; there is a chance that you were owned a long time ago and you still do not know about it! A Gartner report from 2016 says that it takes on average 200 days from the hack for a company to find out about it.
  • 50.
    Being hacked.
    The internet is changing!
  • 51.
    Interesting links
    http://owasp.org
    https://vulnhub.com
    https://github.com/sbilly/awesome-security
    https://github.com/nixawk/pentest-wiki
    https://safeandsavvy.f-secure.com/
    https://reddit.com/r/netsec/
    https://blogs.cisco.com/author/talos
    https://youtube.com/channel/UClcE-kVhqyiHCcjYwcpfj9w
    http://gynvael.coldwind.pl/
    https://nakedsecurity.sophos.com/
    https://risky.biz/netcasts/risky-business/
    https://badcyber.com/
    https://packetstormsecurity.com
    https://labs.mwrinfosecurity.com/
    https://ctftime.org/ctf-wtf/
    http://overthewire.org/wargames/
    https://picoctf.com/
    https://microcorruption.com/about
    https://www.offensive-security.com/when-things-get-tough/
  • 52.
    Interesting links
    Regarding multi-factor authentication: Justin Mayer's EuroPython 2017 talk from yesterday: "REPLACING PASSWORDS WITH MULTIPLE FACTORS: EMAIL, OTP, AND HARDWARE KEYS"
  • 53.
    Q&A
    I'm hiring for my team!
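The decomposition and mitigation slides above (ACLs per user type, "limit posts per day, edits per hour, shorter sessions") can be turned into one default-deny request check. The following is an added example written for this page, not code from the talk or the Sanic project; the endpoint names, role names and the numeric limits are assumptions that follow the blog-app description (anonymous users log in and read, registered users also log out and write, only admins manage users and delete posts).

```python
"""Access-control matrix and abuse limits for the example blog app (added example)."""
from collections import defaultdict, deque
from dataclasses import dataclass, field
from typing import Deque, Dict, FrozenSet, Optional, Tuple

ANON, USER, ADMIN = "anonymous", "registered", "admin"

# (endpoint, HTTP method) -> roles allowed. Anything absent is denied, which is
# the "disable DELETE and POST for home, POST only for login" rule from the
# slides written as a whitelist. Endpoint paths are assumed.
ACL: Dict[Tuple[str, str], FrozenSet[str]] = {
    ("/", "GET"): frozenset({ANON, USER, ADMIN}),
    ("/login", "POST"): frozenset({ANON}),
    ("/logout", "POST"): frozenset({USER, ADMIN}),
    ("/posts", "GET"): frozenset({ANON, USER, ADMIN}),
    ("/posts", "POST"): frozenset({USER, ADMIN}),
    ("/posts/<id>", "GET"): frozenset({ANON, USER, ADMIN}),
    ("/posts/<id>", "PUT"): frozenset({USER, ADMIN}),
    ("/posts/<id>", "DELETE"): frozenset({ADMIN}),
    ("/users", "GET"): frozenset({ADMIN}),
    ("/users/<id>", "DELETE"): frozenset({ADMIN}),
}


def is_allowed(role: str, endpoint: str, method: str) -> bool:
    """Default-deny lookup: unknown endpoint/method pairs are rejected."""
    return role in ACL.get((endpoint, method), frozenset())


@dataclass
class AbuseLimiter:
    """Sliding-window counters for posts per day and edits per hour, plus a
    short session lifetime. Times are seconds passed in by the caller so the
    logic is deterministic (use time.time() in a real app). Limits are
    illustrative values, not numbers from the talk."""
    posts_per_day: int = 20
    edits_per_hour: int = 30
    session_ttl: int = 30 * 60
    _posts: Dict[str, Deque[float]] = field(default_factory=lambda: defaultdict(deque))
    _edits: Dict[str, Deque[float]] = field(default_factory=lambda: defaultdict(deque))
    _sessions: Dict[str, float] = field(default_factory=dict)

    @staticmethod
    def _count_recent(window: Deque[float], now: float, span: float) -> int:
        # Drop timestamps that fell out of the window, then count the rest.
        while window and now - window[0] >= span:
            window.popleft()
        return len(window)

    def allow_post(self, user: str, now: float) -> bool:
        w = self._posts[user]
        if self._count_recent(w, now, 86400) >= self.posts_per_day:
            return False
        w.append(now)
        return True

    def allow_edit(self, user: str, now: float) -> bool:
        w = self._edits[user]
        if self._count_recent(w, now, 3600) >= self.edits_per_hour:
            return False
        w.append(now)
        return True

    def touch_session(self, session_id: str, now: float) -> None:
        self._sessions[session_id] = now

    def session_valid(self, session_id: Optional[str], now: float) -> bool:
        last = self._sessions.get(session_id) if session_id else None
        return last is not None and now - last < self.session_ttl


def check_request(role: str, endpoint: str, method: str, user: str,
                  session_id: Optional[str], limiter: AbuseLimiter, now: float) -> str:
    """ACL first, then session freshness, then abuse limits. Returns a reason
    string so the decision can be logged and alerted on."""
    if not is_allowed(role, endpoint, method):
        return "denied: acl"
    if role != ANON and not limiter.session_valid(session_id, now):
        return "denied: session expired"
    if (endpoint, method) == ("/posts", "POST") and not limiter.allow_post(user, now):
        return "denied: post limit"
    if method == "PUT" and not limiter.allow_edit(user, now):
        return "denied: edit limit"
    if role != ANON:
        limiter.touch_session(session_id, now)  # sliding expiry on activity
    return "ok"


if __name__ == "__main__":
    lim = AbuseLimiter(posts_per_day=2, session_ttl=60)
    lim.touch_session("s1", 0)
    for t in (1, 2, 3):
        print(t, check_request(USER, "/posts", "POST", "bob", "s1", lim, t))
    print(check_request(ANON, "/posts/<id>", "DELETE", "-", None, lim, 4))
```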

Editor's Notes

  • #2 Good morning, I hope you are not too hungry before the grill. Now let's talk about cyber security.
  • #3 Before we can start I have three disclaimers: 1. The following presentation is my own opinion. 2. I am not being paid for mentioning any of the open source or commercial solutions. 3. I had to cut out some parts in order to fit into the 45 min slot, so if you see some text in blue it is meant more for devops and sysadmins; I will focus on the developer's perspective.
  • #4 I'll start by briefly describing myself, then I will talk about the basics of web security, after which we will create a threat model of an application. I will finish with some more important facts that you should know when you start your adventure with cyber security. Please ask questions after the presentation. I will also appreciate any kind of feedback afterwards.
  • #5 My name is Piotr Dyba, but Peter is also fine.
  • #6 I come from Poznań, Poland, which is only a 2.5 h drive from Berlin and about a 15 h drive from Rimini.
  • #7 I work at F-Secure Poland, where I am a team leader and software engineer; we develop Rapid Detection Service.
  • #8 I am also lead mentor at PyLadies Poland, where we have up to 220 students during our weekly meeting in two level groups, which is quite a lot. We also have soft-skill courses for the mentors like "Learning processes of an adult" or "Proper training tools and patterns when teaching".
  • #9 So let's start from scratch: what is cyber security? Cyber security is the means and protocols to defend your resources and devices from disruption, damage or theft. So it is not only firewalls and antivirus software; it starts with the hardware, so policies for handling computers and servers at work, access to server rooms, and even up to what security should disallow bringing into the company, like external pen drives. When we can assume that our hardware is safe enough, we need to harden our software on both workstations and servers and impose proper policies for the users, data handling and access.
  • #10 Why is cyber-security awareness in a company so important nowadays? Look at how much information was leaked over time and also how many companies were hacked 10 years ago and now...
  • #11 Do you remember that screen from just 1 month ago? NotPetya laid waste to many companies across the globe in just one day; some of them took a lot of time to recover. The most publicly known cases are companies like TNT and Raben. Raben is a good example of well-prepared recovery: it took them less than 24 h to move the whole server infrastructure from Windows to Linux. I would say that is quite an achievement.
  • #12 This graph shows the number of attacks per day in the last 6 months, so it varied from 2 to almost 16 million per day. By attack I mean an action against one of F-Secure's research honeypots deployed on the public internet. Who knows what a honeypot is? Please raise your hand. OK, that's nice, quite a few people know about them, but for the rest: a honeypot is a server that pretends to be an easy target for an attacker, where all of their actions can be monitored and registered, but most importantly it does not affect the important parts of the infrastructure. It's just a trap that exposes services like SSH, MySQL, SMTP etc., in our case written in Python.
  • #13 From those attacks we are seeing that a lot of them are bots that are trying to log in using a few default username-password combinations, and we think that they are sometimes succeeding, because if they were not, they would stop scanning in such a manner.
  • #14 So we established that security is important, and the sooner you add it to your project and workflow, the more secure the app will become. So let's start with threat modeling.
  • #15 Threat modeling is an approach for analyzing the security of an application or a computer system. It is a structured process that enables you to identify, quantify, and address the security risks associated with the target of the modeling. Now imagine that we are Batman and let's identify our assets, which are the Batcave, our butler Alfred, and information in the form of emails and texts.
  • #16 We can distinguish three threats: the police, our arch-enemy the Joker, and the press.
  • #17 Now let's quantify those threats. Alfred is irreplaceable and has access to all our other assets, so he is our highest risk and highest priority for defense. Our Batcave is also precious, but it can be rebuilt. Lastly information, so email and text messages that can allow us to be tracked (where we are going or what we do), but we can handle the journalists and the police ourselves.
  • #18 So for our main asset, Alfred, we can obscure his location and his identity, which is not that easy in the modern world. The Batcave is a much simpler task, because we can have security systems, traps, misleading bases of operations etc.; there is a ton of possibilities here. For emails and texts, encrypting them and just being cautious when writing something delicate should be enough.
  • #19 So as in the Batman example, we can start by identifying our assets and what their purpose is, so what their use cases are. The next step is to specify entry points to that asset and then how it interacts with external parts of the service or 3rd-party services. The last step is defining the Access Control Lists, or ACLs for short, for example what an anonymous user, a registered user and an admin are allowed to do. If you have already been developing an application, there is a high chance that part of your work is already done, so you can reuse data flow diagrams or application UML. Even better if you have behavioural or integration tests in place.
  • #20 There are a few frameworks that we can work with, like STRIDE and ASF; both of them should give us a reliable outcome consisting of information regarding: Auditing and logging: just to be on the same page, auditing is used to answer the question "Who did what?" and possibly why, while logging is more focused on what's happening. Authentication and authorization: again, to be on the same page, authentication is the process of ascertaining that somebody really is who they claim to be, and authorization is the process of determining who is allowed to do what. Configuration management: so how and where we store configs. Data validation and protection in storage and transit: that means where we store the data and where we validate it before recording it, whether only on the backend side or on both the BE and FE side; just to be clear, validating data only on the FE is suicide. Protection in transit: the basic approach is to have all communication over TLS, so encrypted. A more advanced approach is to have the data additionally encrypted before sending it, and it is becoming a corporate-level security standard. The last level I have heard of being in use is the data additionally being sent over a dedicated VPN tunnel. The last thing we need to worry about is exception management: so how we track exception occurrences and what the procedures to handle them are.
  • #21 Now we just need to measure the severity of the threats we have. We can try approaching that by ourselves, determining what assets are the most important for us, or use for example CVSS. !! The Common Vulnerability Scoring System is based on factors like attack vector, attack complexity (which is hard to measure), privileges, user interaction, scope, confidentiality, integrity and availability. All together they can give you a reference rating, but if you are not sure about a value, like in the case of attack complexity, try both and either take the average or leave it as a range. It is important to remember that this is just a reference point, a tool to help, not an oracle for what you should do. !! As mentioned before, if you have use-case UMLs, or even better abuse-case UMLs, they may come in handy here.
  • #22 We can address issues in 4 ways: completely removing the threat, reducing it, acknowledging it and doing nothing, or pretending there is no issue. Obviously the best option is removal of the threat, but sometimes it is impossible to remove it or the costs of removing it are too high, so we can try to mitigate it. Taking the risk by leaving it as is or marking it as "address later" may be fine in some cases; an example of that is when an attacker is able to traverse a directory with long and random file names of unimportant pictures of other users' cats. So there is a chance that someone will type some random gibberish and see the picture of another user's cat, but they still won't know whose cat it is, and we don't really care if that happens. But if the user can traverse not only cat pictures but also config files etc. and we still do nothing about it, then we are asking to be hacked.
  • #23 So let's make a threat model of our simple imaginary application... !!! in PHP... as everyone knows, PHP is a very secure and hack-proof language...
  • #24 Probably as secure as IE was a few years back: it was not the best browser for seeing the internet, but it was definitely the best browser for the internet to see you.
  • #25 So if you are not sure, PHP of course stands for <CLICK> Python Has Power... !!! So let's build a simple app using AngularJS for the front end, Sanic for the backend with PostgreSQL as the database, and nginx for proxying and enforcing HTTPS, with a few simple endpoints like home for static serving of the JavaScript and HTML parts, a login endpoint, and list and single-instance views for blog posts and users.
  • #26 So how can we hack our app? We can start by analysing it on our own, but probably someone has already thought about it.
  • #27 Of course, and it was not someone but thousands of people developing it collaboratively. There is a huge project called the Open Web Application Security Project, OWASP for short, that not only gathers all common threats but also has examples of attacks, measures their severity and much more. It can be used both by technical and less technical people like project managers, as most threats also have business-level explanations.
  • #28 OWASP is a much bigger source of knowledge than only threats; it contains information on tools, books, events and other interesting sites.
  • #29 OWASP publishes a list of the most common attacks every few years; the last one is from 2013 and a fresh one is coming up this year, but if you look at the last ones, the changes over time are minimal, which leads to the sad conclusion that many people still do not learn from others' mistakes. A1-A10: if you want to try them out, there are two projects that can help you with that, BeeBox and the OWASP Broken Web Applications Project.
  • #30 So for our front end we can expect six of the OWASP top 10: broken authentication and session management; cross-site scripting (this one is fun because it does not affect us directly but our users: cross-site scripting allows attackers to embed their script into our webpage, for example in a comment, which will not affect our site but may for example make our trusting users download some malware...); security misconfiguration; missing ACLs; CSRF, so who knows Django? ... Ok, most of you remember that when using the Django template language you add CSRF tokens in forms, right? So this is the reason for doing so: attackers cannot abuse your forms that easily. If you are not adding them, you should... We are using a well-known framework, which is really good unless we or our developers do something stupid. AngularJS mitigates or even handles all of those issues.
  • #31 Sanic is an asynchronous Python framework based on uvloop, so what can go wrong?
  • #32 An attacker can try injecting code into our Python application... It won't happen unless they find a new loophole in Python itself, and as long as we are not using eval/exec or pickle at all, especially on user input, we are safe here. SQL injection... Also we are quite safe here unless we are using our own SQL engine instead of mature ORMs like SQLAlchemy or the Django ORM. So honestly the main threat to a Python application is located between chair and keyboard... the developer. Good for us, we can mitigate that too, to a point, using security static code analysis, which I will explain later during the tooling part. If you are interested in how pickle can be exploited, there is a link that explains it really well with an example of an already fixed bug in the Twisted framework.
  • #33 But why would people even use eval or exec if it is so dangerous? It can make your app 30 times faster on Python 2.7 and, what is interesting, 40 times on Python 3.5, which many people consider slower than 2.7.
  • #34 Eval may simplify your code. A known example of a string calculator shows that really well: from 10 lines of code for the most basic equation it can be just one line using eval, which will work with even more complex equations.
  • #35 SQL injection... Also we are quite safe here unless we are using our own SQL engine instead of mature ORMs like SQLAlchemy or the Django ORM.
  • #36 So honestly the main threat to a Python application is located between chair and keyboard... the developer. Good for us, we can mitigate that too, to a point, using security static code analysis, which I will explain later during the tooling part.
  • #37 We can see that threat modeling of a Python app can have even more vulnerabilities than the front end, but most of them are mitigated out of the box as long as we use common sense when developing and we follow two important rules: 1. when using external libraries we should check them, for example whether they are not sending the data to the NSA/KGB/etc. and whether they are not outdated; for example there is a bug in the SSL implementation in the urllib3 with which Ubuntu 14.04 is distributed.
  • #38 An interesting fact is that SQL DBs have a rather small number of top-10 threats, which can be easily mitigated, but still are getting hacked often.
  • #39 So let's get back to our blog app. We have only 3 basic use cases for our app: everyone can enter the site and view the blog and blog posts; registered users can add new posts; admins can manage users and delete posts.
  • #40 We already identified our endpoints when we designed our simple blog app, and on the previous slide we added use cases; now let's think about interactions and access control lists. So we have 3 types of users: anonymous, registered and admin. Anonymous should only be able to log in and read the blog; a user can additionally log out and write new posts. Only an admin can manage users and delete posts. Let's project what we know onto database interactions: the login action can only read from the DB, logout does not even need to read anything from the database, reading the blog only requires read access, and so on. An important fact is that only an admin can manage users and delete blog posts, so we can quite easily defend against losing the data just by that.
  • #41 Let's think about our database actions on the API layer and focus on the GET, POST and DELETE actions shown in two tables. We know we can disable the DELETE and POST methods for home, and for login we can only accept the POST method. The rest of the endpoint specification will depend on the project's approach to creating proper endpoints, so it may differ from the example shown on the slide.
  • #42 At this point we have completed all points of the decomposition phase of threat modeling. Now let's move to the second part.
  • #43 Let's think a little bit about what the most precious thing we have in our app is... In the case of a blog it is information, so our users and blog posts. Depending on your business model, usually it is better/easier to recover from data destruction than from stolen data. How can they be affected? Access elevation to a registered user or even an admin; a direct attack against our database; a denial of service attack; and full ownage of the server, which is as bad as it sounds. Our second most valued asset may be our code base, which can be targeted in different ways than the information itself: by adding something malicious, by getting open sourced, or our code can be sold; gaining even read-only access will allow an attacker to easily find vulnerabilities and exploit them; and we can lose control of our version control system.
  • #44 The last step of threat modeling is mitigation. To avoid elevating privileges to admin level we can add two- or multi-factor authentication for at least admins, and restrict access to the admin panel to certain IPs or IP ranges. Before a bot or an unwanted user starts spamming, we can limit posts per day and edits per hour and add shorter sessions; adding a captcha will definitely mitigate those issues. Preventing attacks against the database should start from restricting access to the DB to only over TLS and only from specific IPs or an IP range. It is hard to defend by yourself against distributed denial of service attacks, reflected denial of service attacks, or a combination of both, so distributed reflected denial of service attacks; our only hope lies in using dedicated anti-D(R)DoS services like cloudflare.com. Defending against server pwnage should be done on many layers: moving SSH to a higher port number, adding two- or multi-factor authentication, adding a passphrase to use with cert-based login. SSH access should be available only from specific IPs or through a dedicated jump host. The app should not be running under a privileged user, and it is wise to use software such as AppArmor, a Mandatory Access Control system, which is a kernel enhancement to confine programs to a limited set of resources; for example, if our Python app tries opening the /etc/passwd file, AppArmor will stop it. sshttp is an interesting approach to hide SSH in plain sight behind the HTTP port.
  • #45 Now let's talk about tooling. Abstract syntax tree: Bandit is a static code analysis tool designed to find common security issues in Python code; it is written in Python and it can be easily extended with your own security policies. It works in a similar manner to pylint or the pep8 tool. By static code analysis I mean reading through the code and looking for possible security bugs. You can get it directly from PyPI. SonarQube is more advanced than Bandit; it has a ready plugin for Jenkins and it also supports JS, HTML and 20 other languages. The tool has an integrated web UI and many more useful features; you can spawn your own instance or buy it as a service. Automatic scanning tools: Burp can scan for vulnerabilities, intercept browser traffic and automate custom attacks; it does not have a Jenkins plugin yet, but it was announced that this year something should be ready for continuous development. ZAP is an open source alternative to Burp which is developed under the OWASP project and it already has a dedicated Jenkins plugin. Both of them can also be used manually, so you can define your own attack patterns and payloads. If you want to test custom implemented protocols you will probably need to use scapy, which is a Python library for preparing dedicated TCP and ICMP packets and UDP datagrams, where it is possible to create any packets. There are a few well-known commercial solutions and even managed services. The advantage of the service approach is quite nice, as you are getting only a report that does not contain false positives from the scans. There are three major players in this field: Nessus, Qualys and F-Secure Radar.
  • #46 A penetration test is an authorized attack on a system, application and/or infrastructure; it can also include physical access. The reason for doing pentests is quite obvious: finding security weaknesses and fulfilling compliance required by a 3rd party. There are usually two main objectives for a pentester to achieve: get privileged access and/or obtain restricted information. Who should perform such a test? Even when having an on-site pentesting team, the application should be tested by a 3rd-party company, and it should be done before major releases or periodically after a longer development cycle; in the best-case scenario, automated pentesting using for example ZAP is also in place.
  • #47 A penetration tester obviously is a person who performs a penetration test, but you can also call them pentester, hacker, white hat or security consultant; just remember not to call them black hat or cracker, which basically means a criminal, because it will make them sad. The last thing that is important to know is what a red teaming exercise is. A red teaming drill is an attack, usually on many layers, against a company that only the CEO or CTO are aware of. It may consist of an attack on physical security, which even has a budget for damages like broken windows or destroyed locks, phishing, planting bugs etc. If the red teaming finishes undetected, that means you have huge security problems, as the attacker during the drill, after achieving all his goals, starts being "noisy" up to a point where someone really should have noticed...
  • #48 There are three major approaches to pentesting: white, grey and black box. White box means full transparency and full access for the pentester to our production systems. Grey box narrows the access, but still requires the source code and sometimes a developer instance before starting the main pentest; the pentesting becomes targeted and often successful. Black box, as the name suggests, limits access, so the pentester's perspective is the same as a real attacker's, and it will be more demanding on the service that undergoes testing.
  • #49 Who is a CISO? A Chief Information Security Officer is a person responsible for: the computer security/incident response team; disaster recovery and business continuity management; identity and access management; information privacy; information regulatory compliance (PCI, Data Protection Act, GIODO in Poland); information risk management; security architecture and development, so process and tools; IT security; and security awareness in the company.
  • #50 OK, so we got hacked, but how bad is it for us? There are 5 circles of shame to measure that. The first one is the worst, being hacked by a script kiddie or a bot; that's the level where people start rethinking their career choices... It's bad, really bad, but only a little less bad is being hacked by one of the OWASP top 10... Then being hacked by another well-documented vulnerability is of course still bad and still needs to be fixed ASAP. Next, getting owned by a new and shiny vulnerability that is out there while the knowledge and awareness are not yet high enough is obviously bad for business, but at least not that shameful. Lastly, being hacked by a publicly unknown vulnerability: while it is still not good for business, at the same time it shows how serious the attacker needs to be and how your defences were good enough to drive him or her to the last resort he or she had. In cases 1-4, especially 1 and 2, you can expect a lot of information on the net about how easily you were hacked. For the fifth circle the attacker will try to keep his ways a secret as long as possible, so you may not even see fallout in the press about it. Just let's keep in mind that an attack may not be destructive at all, and after the attacker's success he may be doing only invisible actions like gathering data or some increasing trolling. Of course he may also install some nasty ransomware and demand a high ransom. Gartner reported last year that on average it takes 200 days for a company to notice that they have been hacked. 200 days; imagine what an attacker can do during that time.
  • #51 The internet is changing. So a few years ago it was commonly advised to move the SSH port to a higher port... Now we have masscan and a higher port may mess up your firewalls.
  • #52 I hope you enjoyed my talk, and even though I don't know how to summon the dark lord yet, I will gladly answer your questions.
  • #53 I hope you enjoyed my talk, and even though I don't know how to summon the dark lord yet, I will gladly answer your questions.
  • #54 I hope you enjoyed my talk, and even though I don't know how to summon the dark lord, I will gladly answer your questions.
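Notes #32 and #45 make two points that fit together: the Python-side threats are eval/exec and pickle on user input, and an AST-walking static analyser like Bandit is the way to catch them in CI. The following is an added example of that kind of check, written for this page and not Bandit's own code: it resolves import aliases, flags eval/exec calls and pickle deserialisation, and rates a call HIGH when its first argument is not a literal (so it may originate from user input) and LOW when it is a constant. The Sanic-style handler it scans is a constructed sample.

```python
"""Tiny Bandit-style AST checker for eval/exec/pickle (added example)."""
import ast
from dataclasses import dataclass
from typing import Dict, List

PICKLE_LOADERS = {"loads", "load", "Unpickler"}


@dataclass(frozen=True)
class Finding:
    line: int
    severity: str
    message: str


class SecurityVisitor(ast.NodeVisitor):
    """Walks a module's AST, tracking how pickle was imported so aliased
    calls (import pickle as pk; from pickle import loads as unpack) are
    still recognised."""

    def __init__(self) -> None:
        self.findings: List[Finding] = []
        self.module_aliases: Dict[str, str] = {}  # local name -> module name
        self.name_aliases: Dict[str, str] = {}    # local name -> "pickle.loads"

    def visit_Import(self, node: ast.Import) -> None:
        for alias in node.names:
            self.module_aliases[alias.asname or alias.name] = alias.name
        self.generic_visit(node)

    def visit_ImportFrom(self, node: ast.ImportFrom) -> None:
        if node.module == "pickle":
            for alias in node.names:
                self.name_aliases[alias.asname or alias.name] = f"pickle.{alias.name}"
        self.generic_visit(node)

    def _qualname(self, func: ast.expr) -> str:
        """Best-effort dotted name of the callee after alias resolution."""
        if isinstance(func, ast.Name):
            return self.name_aliases.get(func.id, func.id)
        if isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name):
            module = self.module_aliases.get(func.value.id, func.value.id)
            return f"{module}.{func.attr}"
        return ""

    def visit_Call(self, node: ast.Call) -> None:
        name = self._qualname(node.func)
        first = node.args[0] if node.args else None
        # A literal argument cannot carry user input; anything else might.
        severity = "LOW" if isinstance(first, ast.Constant) else "HIGH"
        if name in {"eval", "exec"}:
            self.findings.append(Finding(node.lineno, severity, f"use of {name}()"))
        elif name.startswith("pickle.") and name.split(".", 1)[1] in PICKLE_LOADERS:
            self.findings.append(Finding(node.lineno, severity, f"unpickling via {name}"))
        self.generic_visit(node)


def scan_source(source: str) -> List[Finding]:
    """Parse source text and return findings ordered by line number."""
    visitor = SecurityVisitor()
    visitor.visit(ast.parse(source))
    return sorted(visitor.findings, key=lambda f: f.line)


# Constructed sample: a request handler doing the things the talk warns about.
SAMPLE = '''
import pickle
import pickle as pk
from pickle import loads as unpack
from sanic import response

async def handler(request):
    data = request.body
    obj = pickle.loads(data)                 # HIGH: body comes off the network
    other = pk.load(open("x.bin", "rb"))     # HIGH: argument is not a literal
    third = unpack(data)                     # HIGH: alias of pickle.loads
    expr = request.args.get("expr")
    value = eval(expr)                       # HIGH: user-controlled string
    exec("print(1)")                         # LOW: constant argument
    return response.json({"v": value})
'''

if __name__ == "__main__":
    for f in scan_source(SAMPLE):
        print(f"line {f.line}: [{f.severity}] {f.message}")
```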