SlideShare une entreprise Scribd logo

ColdFusion Security and Risk Management

Justin Mclean
Justin Mclean
Technologie
1  sur  50
Télécharger pour lire hors ligne
ColdFusion Security and Risk Management Justin Mclean Email: justin@classsoftware.com Twitter: @justinmclean Blog: http://blog.classsoftware.com Monday, 22 November 2010
Who am I? • Director of Class Software for 10 years • Developing and creating web applications for 15 years • Programming for 25 years • Adobe Community Professional • Adobe certified developer and trainer in ColdFusion and Flex • Based in Sydney Australia Monday, 22 November 2010
Security • No system is 100% secure • Security takes time and effort and can be costly • How much security is actually needed? • Is a security feature actually effective? Monday, 22 November 2010
Risk Assessment Risk assessment is a tool used to balance business objectives and security requirements in order to achieve cost effective security measures. Monday, 22 November 2010
Process 1. Identify assets 2. Identify and quantify the possible threats 3. Determine the consequence of each threat 4. Evaluate the current risk 5. Decide acceptable level of risk 6. Treat each risk Monday, 22 November 2010
Frequency • This is not a once off process • Repeat when: • System is in place • Changes are made to the system or assets • Made aware of new threats Monday, 22 November 2010
Identify Assets • Create list of assets • Hardware • Availability of service • Integrity of information • Reputation of system and/or organisation • Staff Monday, 22 November 2010
Identify Threats • Create a list of threats • Be creative include unlikely threats • Tendency to ignore obvious threats • Careful of preconceived attitudes Monday, 22 November 2010
How likely is each threat? NegligibleVeryLowLow Medium High VeryHighExtreme Unlikely to occurOccurs a couple of times in 5 yearsOccurs couple time every six monthsOccurs once every yearOccurs every six monthsOccurs every monthOccurs multiple times a monthOccurs multiple times a day Monday, 22 November 2010
How likely is each threat? NegligibleVeryLowLow Medium High VeryHighExtreme Unlikely to occurOccurs a couple of times in 5 yearsOccurs couple time every six monthsOccurs once every yearOccurs every six monthsOccurs every monthOccurs multiple times a monthOccurs multiple times a day Monday, 22 November 2010
How likely is each threat? NegligibleVeryLowLow Medium High VeryHighExtreme Unlikely to occurOccurs a couple of times in 5 yearsOccurs couple time every six monthsOccurs once every yearOccurs every six monthsOccurs every monthOccurs multiple times a monthOccurs multiple times a day Monday, 22 November 2010
How likely is each threat? NegligibleVeryLowLow Medium High VeryHighExtreme Unlikely to occurOccurs a couple of times in 5 yearsOccurs couple time every six monthsOccurs once every yearOccurs every six monthsOccurs every monthOccurs multiple times a monthOccurs multiple times a day Monday, 22 November 2010
How likely is each threat? NegligibleVeryLowLow Medium High VeryHighExtreme Unlikely to occurOccurs a couple of times in 5 yearsOccurs couple time every six monthsOccurs once every yearOccurs every six monthsOccurs every monthOccurs multiple times a monthOccurs multiple times a day Monday, 22 November 2010
How likely is each threat? NegligibleVeryLowLow Medium High VeryHighExtreme Unlikely to occurOccurs a couple of times in 5 yearsOccurs couple time every six monthsOccurs once every yearOccurs every six monthsOccurs every monthOccurs multiple times a monthOccurs multiple times a day Monday, 22 November 2010
How likely is each threat? NegligibleVeryLowLow Medium High VeryHighExtreme Unlikely to occurOccurs a couple of times in 5 yearsOccurs couple time every six monthsOccurs once every yearOccurs every six monthsOccurs every monthOccurs multiple times a monthOccurs multiple times a day Monday, 22 November 2010
Consequence of each threat? InsignificantMinor SignificantDamagingSerious Grave No extra effort to repairFew people notice. Small effort to repairLoss of confidence/reputation. Major effort to repair. Some harm. Some effort to repair.Serious. Extend system outage or loss of customers. Completely compromised. System permanently closed or offline. Monday, 22 November 2010
Consequence of each threat? InsignificantMinor SignificantDamagingSerious Grave No extra effort to repairFew people notice. Small effort to repairLoss of confidence/reputation. Major effort to repair. Some harm. Some effort to repair.Serious. Extend system outage or loss of customers. Completely compromised. System permanently closed or offline. Monday, 22 November 2010
Consequence of each threat? InsignificantMinor SignificantDamagingSerious Grave No extra effort to repairFew people notice. Small effort to repairLoss of confidence/reputation. Major effort to repair. Some harm. Some effort to repair.Serious. Extend system outage or loss of customers. Completely compromised. System permanently closed or offline. Monday, 22 November 2010
Consequence of each threat? InsignificantMinor SignificantDamagingSerious Grave No extra effort to repairFew people notice. Small effort to repairLoss of confidence/reputation. Major effort to repair. Some harm. Some effort to repair.Serious. Extend system outage or loss of customers. Completely compromised. System permanently closed or offline. Monday, 22 November 2010
Consequence of each threat? InsignificantMinor SignificantDamagingSerious Grave No extra effort to repairFew people notice. Small effort to repairLoss of confidence/reputation. Major effort to repair. Some harm. Some effort to repair.Serious. Extend system outage or loss of customers. Completely compromised. System permanently closed or offline. Monday, 22 November 2010
Consequence of each threat? InsignificantMinor SignificantDamagingSerious Grave No extra effort to repairFew people notice. Small effort to repairLoss of confidence/reputation. Major effort to repair. Some harm. Some effort to repair.Serious. Extend system outage or loss of customers. Completely compromised. System permanently closed or offline. Monday, 22 November 2010
Risk • Risk is a combination of frequency and consequence • The more likely a threat increases risk • The more serious a threat increases risk Monday, 22 November 2010
Risk Insignificant Minor Significant Damaging Serious Grave Negligible Nil Nil Nil Nil Nil Nil Very Low Nil Low Low Low Medium Medium Low Nil Low Medium Medium High High Medium Nil Low Medium High High Critical High Nil Medium High High Critical Extreme Very High Nil Medium High Critical Extreme Extreme Extreme Nil Medium High Critical Extreme Extreme Consequence Threat Monday, 22 November 2010
Acceptable Risk • Set level of acceptable risk • Assign priorities for each threat based on acceptable risk and risk of threat Monday, 22 November 2010
Priorities • A risk greater than acceptable risk + 1 level • B risk is acceptable risk + 1 level • C risk same as acceptable risk • D risk less than acceptable risk • Aim to do all of A,B and C priorities • Do D priorities if you have time and budget Monday, 22 November 2010
Treatments • Addition of security measures • Reduction of security measures • Minimisation of harm • Change of service or system specifications • Transference of risk • Acceptance of risk Monday, 22 November 2010
Effort and Cost • May be many ways to treat a single threat • Amount of effort or cost may decide which treatment chosen Monday, 22 November 2010
Election System Student election system for the University of Technology Sydney Monday, 22 November 2010
Student Election System Monday, 22 November 2010
Server Configuration • Run with minimal down time • Perform well under load • Limited external access to server Monday, 22 November 2010
Server Treatment • Staging/production system • Not a shared server • Standalone separate machines for database and CF server • No access to production server • Code reviewed by external agency Monday, 22 November 2010
Network Issues • Occasional network outages • Occasional slow access from outside Monday, 22 November 2010
Network Treatment • Ability to change the end date after an election has started • Date could only be extended not reduced Monday, 22 November 2010
SQL Security Issues • SQL injection attacks • Sensitivity of data • Trust and integrity of election results Monday, 22 November 2010
SQL Injection • Most common form of attack • Malformed form or URL parameters to run evil SQL statements • Wrap SQL in methods with type safe arguments • Cfqueryparam is your friend! Monday, 22 November 2010
SQL Security Treatment • Multiple data sources • Multiple database users • Restrict SQL actions. No deletes and almost no updates few inserts and mainly selects. • Table level permissions Monday, 22 November 2010
Datasource Options Monday, 22 November 2010
Multiple Database Users • Table level permissions • SQL operation permissions Monday, 22 November 2010
SQL Permissions • Deny all to all users to all tables • Add permissions for each SQL operation as needed • Don’t be tempted to give admin user all permissions Monday, 22 November 2010
Deny All deny all on elections to electionvoter, electionadmin, electionlogin deny all on candidates to electionvoter, electionadmin, electionlogin; deny all on rolls to electionvoter, electionadmin, electionlogin; deny all on ballots to electionvoter, electionadmin, electionlogin; Monday, 22 November 2010
Grant Access grant select on roll to electionvoter, electionadmin; grant update on roll to electionvoter; grant insert on roll to electionadmin; Monday, 22 November 2010
Login Issues • Dictionary attacks • Timing attacks • Storing passwords Monday, 22 November 2010
Login Treatment • Account lock out if password wrong x times • Random time delay Monday, 22 November 2010
Java Sleep <!--- delay is to hinder timing style attacks ---> <cfset thread=createObject("java","java.lang.Thread")> <cfset thread.sleep(300 + int(rand()*21)*10)> Monday, 22 November 2010
Code Modification • Pages code not modified • Only run trusted pages Monday, 22 November 2010
Code Modification Treatment • Finger print each page via MD5 • Check finger print when page is run via Application onRequest method Monday, 22 November 2010
onRequest <!--- read the cfm file ---> <cftry> <cffile action="read" variable="pagecontents" file="#CGI.PATH_TRANSLATED#"> ....... </cftry> <!--- get page from database ---> <cfquery name="dbpage" datasource="#request.datasource#"> select page, hash from pages where page = <cfqueryparam value="#hash(listlast(arguments.page,'/')) #" cfsqltype="cf_sql_varchar"> </cfquery> <!--- check if page exists and page hash is correct ---> <cfif dbpage.recordcount is 1 and hash(pagecontents) is dbpage.hash> <cfinclude template="#arguments.page#"> <cfelse> <cfinclude template="./elections/security.cfm"> </cfif> Monday, 22 November 2010
Limiting Information • Assume someone will break into the system • What information can they obtain? • What could they modify? • Limit what they can see/use • Minimise damage they can do • Log everything Monday, 22 November 2010
Why do this? • Know that you’re spent you budget efficiently • Confidence that your system is secure as it needs to be • An understanding of the risks in your system • Minimal damage occurs if the worse does happen Monday, 22 November 2010
Questions? Ask now, see me after the session, follow me on twitter @justinmclean or email me at justin@classsoftware.com Monday, 22 November 2010

Recommandé

Pentest Standard Keynote - SourceBoston
Pentest Standard Keynote - SourceBostonPentest Standard Keynote - SourceBoston
Pentest Standard Keynote - SourceBostonIftach Ian Amit
 
Putting your device in a browser or on the web
Putting your device in a browser or on the webPutting your device in a browser or on the web
Putting your device in a browser or on the webJustin Mclean
 
Connecting open source hardware to the web
Connecting open source hardware to the webConnecting open source hardware to the web
Connecting open source hardware to the webJustin Mclean
 
Connecting RIAs and hardware together
Connecting RIAs and hardware togetherConnecting RIAs and hardware together
Connecting RIAs and hardware togetherJustin Mclean
 
Connecting hardware to ColdFusion
Connecting hardware to ColdFusionConnecting hardware to ColdFusion
Connecting hardware to ColdFusionJustin Mclean
 
A Practical Guide to Connecting Hardware to Flex
A Practical Guide to Connecting Hardware to FlexA Practical Guide to Connecting Hardware to Flex
A Practical Guide to Connecting Hardware to FlexJustin Mclean
 
Edge Of The Web
Edge Of The WebEdge Of The Web
Edge Of The WebJustin Mclean
 
Corso Security Manager
Corso Security ManagerCorso Security Manager
Corso Security ManagerCertification Europe Italia
 

Recommandé

Pentest Standard Keynote - SourceBoston
Pentest Standard Keynote - SourceBostonPentest Standard Keynote - SourceBoston
Pentest Standard Keynote - SourceBostonIftach Ian Amit
 
Putting your device in a browser or on the web
Putting your device in a browser or on the webPutting your device in a browser or on the web
Putting your device in a browser or on the webJustin Mclean
 
Connecting open source hardware to the web
Connecting open source hardware to the webConnecting open source hardware to the web
Connecting open source hardware to the webJustin Mclean
 
Connecting RIAs and hardware together
Connecting RIAs and hardware togetherConnecting RIAs and hardware together
Connecting RIAs and hardware togetherJustin Mclean
 
Connecting hardware to ColdFusion
Connecting hardware to ColdFusionConnecting hardware to ColdFusion
Connecting hardware to ColdFusionJustin Mclean
 
A Practical Guide to Connecting Hardware to Flex
A Practical Guide to Connecting Hardware to FlexA Practical Guide to Connecting Hardware to Flex
A Practical Guide to Connecting Hardware to FlexJustin Mclean
 
Edge Of The Web
Edge Of The WebEdge Of The Web
Edge Of The WebJustin Mclean
 
Corso Security Manager
Corso Security ManagerCorso Security Manager
Corso Security ManagerCertification Europe Italia
 
HackerOne, Security Meetup 4 декабря 2014, Mail.Ru Group
HackerOne, Security Meetup 4 декабря 2014, Mail.Ru GroupHackerOne, Security Meetup 4 декабря 2014, Mail.Ru Group
HackerOne, Security Meetup 4 декабря 2014, Mail.Ru GroupMail.ru Group
 
Crowd conf 2011
Crowd conf 2011Crowd conf 2011
Crowd conf 2011James DiPadua
 
IS CLOUD COMPUTING A TECHNOLOGY, AN OPERATIONS MODEL OR A BUSINESS STRATEGY f...
IS CLOUD COMPUTING A TECHNOLOGY, AN OPERATIONS MODEL OR A BUSINESS STRATEGY f...IS CLOUD COMPUTING A TECHNOLOGY, AN OPERATIONS MODEL OR A BUSINESS STRATEGY f...
IS CLOUD COMPUTING A TECHNOLOGY, AN OPERATIONS MODEL OR A BUSINESS STRATEGY f...Gigaom
 
Protect Your Drupal Site Against Common Security Attacks
Protect Your Drupal Site Against Common Security AttacksProtect Your Drupal Site Against Common Security Attacks
Protect Your Drupal Site Against Common Security AttacksAcquia
 
Measuring DDoS Risk using FAIR (Factor Analysis of Information Risk
Measuring DDoS Risk using FAIR (Factor Analysis of Information RiskMeasuring DDoS Risk using FAIR (Factor Analysis of Information Risk
Measuring DDoS Risk using FAIR (Factor Analysis of Information RiskTony Martin-Vegue
 
Reducing risk through continuous delivery (Nov 2014)
Reducing risk through continuous delivery (Nov 2014)Reducing risk through continuous delivery (Nov 2014)
Reducing risk through continuous delivery (Nov 2014)Joel Chippindale
 
Reducing risk through continuous delivery (Nov 2014)
Reducing risk through continuous delivery (Nov 2014)Reducing risk through continuous delivery (Nov 2014)
Reducing risk through continuous delivery (Nov 2014)FutureLearn
 
Day3 wayne beaton eclipse community mgt
Day3 wayne beaton eclipse community mgtDay3 wayne beaton eclipse community mgt
Day3 wayne beaton eclipse community mgtfOSSa 2010 Main Presentations
 
2010 GTAC Crowd Source Testing Mozilla Style
2010 GTAC Crowd Source Testing Mozilla Style2010 GTAC Crowd Source Testing Mozilla Style
2010 GTAC Crowd Source Testing Mozilla StyleMatt Evans
 
Penetration Testing and Vulnerability Assessments: Examining the SEC and FINR...
Penetration Testing and Vulnerability Assessments: Examining the SEC and FINR...Penetration Testing and Vulnerability Assessments: Examining the SEC and FINR...
Penetration Testing and Vulnerability Assessments: Examining the SEC and FINR...TruShield Security Solutions
 
Ethical Hacking and Cybersecurity – Key Trends in 2022
Ethical Hacking and Cybersecurity – Key Trends in 2022Ethical Hacking and Cybersecurity – Key Trends in 2022
Ethical Hacking and Cybersecurity – Key Trends in 2022PECB
 
Co-Presented: YOU are the Alpha and Omega of a Secure Future (Kottova / Dray)...
Co-Presented: YOU are the Alpha and Omega of a Secure Future (Kottova / Dray)...Co-Presented: YOU are the Alpha and Omega of a Secure Future (Kottova / Dray)...
Co-Presented: YOU are the Alpha and Omega of a Secure Future (Kottova / Dray)...Kimberley Dray
 
SDLC & DevSecOps
SDLC & DevSecOpsSDLC & DevSecOps
SDLC & DevSecOpsIrina Kostina
 
Weathering The Storm- How Robin Hood Foundation Uses Drupal to Fight Poverty ...
Weathering The Storm- How Robin Hood Foundation Uses Drupal to Fight Poverty ...Weathering The Storm- How Robin Hood Foundation Uses Drupal to Fight Poverty ...
Weathering The Storm- How Robin Hood Foundation Uses Drupal to Fight Poverty ...Phase2
 
Running user testing
Running user testingRunning user testing
Running user testingcxpartners
 
The Product Journey: The Importance of Having Strong Decision Agility in Your...
The Product Journey: The Importance of Having Strong Decision Agility in Your...The Product Journey: The Importance of Having Strong Decision Agility in Your...
The Product Journey: The Importance of Having Strong Decision Agility in Your...Aggregage
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Enterprise Knowledge
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 

Contenu connexe

Similaire à ColdFusion Security and Risk Management

HackerOne, Security Meetup 4 декабря 2014, Mail.Ru Group
HackerOne, Security Meetup 4 декабря 2014, Mail.Ru GroupHackerOne, Security Meetup 4 декабря 2014, Mail.Ru Group
HackerOne, Security Meetup 4 декабря 2014, Mail.Ru GroupMail.ru Group
 
IS CLOUD COMPUTING A TECHNOLOGY, AN OPERATIONS MODEL OR A BUSINESS STRATEGY f...
IS CLOUD COMPUTING A TECHNOLOGY, AN OPERATIONS MODEL OR A BUSINESS STRATEGY f...IS CLOUD COMPUTING A TECHNOLOGY, AN OPERATIONS MODEL OR A BUSINESS STRATEGY f...
IS CLOUD COMPUTING A TECHNOLOGY, AN OPERATIONS MODEL OR A BUSINESS STRATEGY f...Gigaom
 
Protect Your Drupal Site Against Common Security Attacks
Protect Your Drupal Site Against Common Security AttacksProtect Your Drupal Site Against Common Security Attacks
Protect Your Drupal Site Against Common Security AttacksAcquia
 
Measuring DDoS Risk using FAIR (Factor Analysis of Information Risk
Measuring DDoS Risk using FAIR (Factor Analysis of Information RiskMeasuring DDoS Risk using FAIR (Factor Analysis of Information Risk
Measuring DDoS Risk using FAIR (Factor Analysis of Information RiskTony Martin-Vegue
 
Reducing risk through continuous delivery (Nov 2014)
Reducing risk through continuous delivery (Nov 2014)Reducing risk through continuous delivery (Nov 2014)
Reducing risk through continuous delivery (Nov 2014)Joel Chippindale
 
Reducing risk through continuous delivery (Nov 2014)
Reducing risk through continuous delivery (Nov 2014)Reducing risk through continuous delivery (Nov 2014)
Reducing risk through continuous delivery (Nov 2014)FutureLearn
 
2010 GTAC Crowd Source Testing Mozilla Style
2010 GTAC Crowd Source Testing Mozilla Style2010 GTAC Crowd Source Testing Mozilla Style
2010 GTAC Crowd Source Testing Mozilla StyleMatt Evans
 
Penetration Testing and Vulnerability Assessments: Examining the SEC and FINR...
Penetration Testing and Vulnerability Assessments: Examining the SEC and FINR...Penetration Testing and Vulnerability Assessments: Examining the SEC and FINR...
Penetration Testing and Vulnerability Assessments: Examining the SEC and FINR...TruShield Security Solutions
 
Ethical Hacking and Cybersecurity – Key Trends in 2022
Ethical Hacking and Cybersecurity – Key Trends in 2022Ethical Hacking and Cybersecurity – Key Trends in 2022
Ethical Hacking and Cybersecurity – Key Trends in 2022PECB
 
Co-Presented: YOU are the Alpha and Omega of a Secure Future (Kottova / Dray)...
Co-Presented: YOU are the Alpha and Omega of a Secure Future (Kottova / Dray)...Co-Presented: YOU are the Alpha and Omega of a Secure Future (Kottova / Dray)...
Co-Presented: YOU are the Alpha and Omega of a Secure Future (Kottova / Dray)...Kimberley Dray
 
Weathering The Storm- How Robin Hood Foundation Uses Drupal to Fight Poverty ...
Weathering The Storm- How Robin Hood Foundation Uses Drupal to Fight Poverty ...Weathering The Storm- How Robin Hood Foundation Uses Drupal to Fight Poverty ...
Weathering The Storm- How Robin Hood Foundation Uses Drupal to Fight Poverty ...Phase2
 
Running user testing
Running user testingRunning user testing
Running user testingcxpartners
 
The Product Journey: The Importance of Having Strong Decision Agility in Your...
The Product Journey: The Importance of Having Strong Decision Agility in Your...The Product Journey: The Importance of Having Strong Decision Agility in Your...
The Product Journey: The Importance of Having Strong Decision Agility in Your...Aggregage
 

Similaire à ColdFusion Security and Risk Management (16)

HackerOne, Security Meetup 4 декабря 2014, Mail.Ru Group
HackerOne, Security Meetup 4 декабря 2014, Mail.Ru GroupHackerOne, Security Meetup 4 декабря 2014, Mail.Ru Group
HackerOne, Security Meetup 4 декабря 2014, Mail.Ru Group
 
Crowd conf 2011
Crowd conf 2011Crowd conf 2011
Crowd conf 2011
 
IS CLOUD COMPUTING A TECHNOLOGY, AN OPERATIONS MODEL OR A BUSINESS STRATEGY f...
IS CLOUD COMPUTING A TECHNOLOGY, AN OPERATIONS MODEL OR A BUSINESS STRATEGY f...IS CLOUD COMPUTING A TECHNOLOGY, AN OPERATIONS MODEL OR A BUSINESS STRATEGY f...
IS CLOUD COMPUTING A TECHNOLOGY, AN OPERATIONS MODEL OR A BUSINESS STRATEGY f...
 
Protect Your Drupal Site Against Common Security Attacks
Protect Your Drupal Site Against Common Security AttacksProtect Your Drupal Site Against Common Security Attacks
Protect Your Drupal Site Against Common Security Attacks
 
Measuring DDoS Risk using FAIR (Factor Analysis of Information Risk
Measuring DDoS Risk using FAIR (Factor Analysis of Information RiskMeasuring DDoS Risk using FAIR (Factor Analysis of Information Risk
Measuring DDoS Risk using FAIR (Factor Analysis of Information Risk
 
Reducing risk through continuous delivery (Nov 2014)
Reducing risk through continuous delivery (Nov 2014)Reducing risk through continuous delivery (Nov 2014)
Reducing risk through continuous delivery (Nov 2014)
 
Reducing risk through continuous delivery (Nov 2014)
Reducing risk through continuous delivery (Nov 2014)Reducing risk through continuous delivery (Nov 2014)
Reducing risk through continuous delivery (Nov 2014)
 
Day3 wayne beaton eclipse community mgt
Day3 wayne beaton eclipse community mgtDay3 wayne beaton eclipse community mgt
Day3 wayne beaton eclipse community mgt
 
2010 GTAC Crowd Source Testing Mozilla Style
2010 GTAC Crowd Source Testing Mozilla Style2010 GTAC Crowd Source Testing Mozilla Style
2010 GTAC Crowd Source Testing Mozilla Style
 
Penetration Testing and Vulnerability Assessments: Examining the SEC and FINR...
Penetration Testing and Vulnerability Assessments: Examining the SEC and FINR...Penetration Testing and Vulnerability Assessments: Examining the SEC and FINR...
Penetration Testing and Vulnerability Assessments: Examining the SEC and FINR...
 
Ethical Hacking and Cybersecurity – Key Trends in 2022
Ethical Hacking and Cybersecurity – Key Trends in 2022Ethical Hacking and Cybersecurity – Key Trends in 2022
Ethical Hacking and Cybersecurity – Key Trends in 2022
 
Co-Presented: YOU are the Alpha and Omega of a Secure Future (Kottova / Dray)...
Co-Presented: YOU are the Alpha and Omega of a Secure Future (Kottova / Dray)...Co-Presented: YOU are the Alpha and Omega of a Secure Future (Kottova / Dray)...
Co-Presented: YOU are the Alpha and Omega of a Secure Future (Kottova / Dray)...
 
SDLC & DevSecOps
SDLC & DevSecOpsSDLC & DevSecOps
SDLC & DevSecOps
 
Weathering The Storm- How Robin Hood Foundation Uses Drupal to Fight Poverty ...
Weathering The Storm- How Robin Hood Foundation Uses Drupal to Fight Poverty ...Weathering The Storm- How Robin Hood Foundation Uses Drupal to Fight Poverty ...
Weathering The Storm- How Robin Hood Foundation Uses Drupal to Fight Poverty ...
 
Running user testing
Running user testingRunning user testing
Running user testing
 
The Product Journey: The Importance of Having Strong Decision Agility in Your...
The Product Journey: The Importance of Having Strong Decision Agility in Your...The Product Journey: The Importance of Having Strong Decision Agility in Your...
The Product Journey: The Importance of Having Strong Decision Agility in Your...
 

Dernier

TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Enterprise Knowledge
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)wesley chun
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxKatpro Technologies
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CVKhem
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEarley Information Science
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 

Dernier (20)

TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 

ColdFusion Security and Risk Management

  • 1. ColdFusion Security and Risk Management Justin Mclean Email: justin@classsoftware.com Twitter: @justinmclean Blog: http://blog.classsoftware.com Monday, 22 November 2010
  • 2. Who am I? • Director of Class Software for 10 years • Developing and creating web applications for 15 years • Programming for 25 years • Adobe Community Professional • Adobe certified developer and trainer in ColdFusion and Flex • Based in Sydney Australia Monday, 22 November 2010
  • 3. Security • No system is 100% secure • Security takes time and effort and can be costly • How much security is actually needed? • Is a security feature actually effective? Monday, 22 November 2010
  • 4. Risk Assessment Risk assessment is a tool used to balance business objectives and security requirements in order to achieve cost effective security measures. Monday, 22 November 2010
  • 5. Process 1. Identify assets 2. Identify and quantify the possible threats 3. Determine the consequence of each threat 4. Evaluate the current risk 5. Decide acceptable level of risk 6. Treat each risk Monday, 22 November 2010
  • 6. Frequency • This is not a once off process • Repeat when: • System is in place • Changes are made to the system or assets • Made aware of new threats Monday, 22 November 2010
  • 7. Identify Assets • Create list of assets • Hardware • Availability of service • Integrity of information • Reputation of system and/or organisation • Staff Monday, 22 November 2010
  • 8. Identify Threats • Create a list of threats • Be creative include unlikely threats • Tendency to ignore obvious threats • Careful of preconceived attitudes Monday, 22 November 2010
  • 9. How likely is each threat? NegligibleVeryLowLow Medium High VeryHighExtreme Unlikely to occurOccurs a couple of times in 5 yearsOccurs couple time every six monthsOccurs once every yearOccurs every six monthsOccurs every monthOccurs multiple times a monthOccurs multiple times a day Monday, 22 November 2010
  • 10. How likely is each threat? NegligibleVeryLowLow Medium High VeryHighExtreme Unlikely to occurOccurs a couple of times in 5 yearsOccurs couple time every six monthsOccurs once every yearOccurs every six monthsOccurs every monthOccurs multiple times a monthOccurs multiple times a day Monday, 22 November 2010
  • 11. How likely is each threat? NegligibleVeryLowLow Medium High VeryHighExtreme Unlikely to occurOccurs a couple of times in 5 yearsOccurs couple time every six monthsOccurs once every yearOccurs every six monthsOccurs every monthOccurs multiple times a monthOccurs multiple times a day Monday, 22 November 2010
  • 12. How likely is each threat? NegligibleVeryLowLow Medium High VeryHighExtreme Unlikely to occurOccurs a couple of times in 5 yearsOccurs couple time every six monthsOccurs once every yearOccurs every six monthsOccurs every monthOccurs multiple times a monthOccurs multiple times a day Monday, 22 November 2010
  • 13. How likely is each threat? NegligibleVeryLowLow Medium High VeryHighExtreme Unlikely to occurOccurs a couple of times in 5 yearsOccurs couple time every six monthsOccurs once every yearOccurs every six monthsOccurs every monthOccurs multiple times a monthOccurs multiple times a day Monday, 22 November 2010
  • 14. How likely is each threat? NegligibleVeryLowLow Medium High VeryHighExtreme Unlikely to occurOccurs a couple of times in 5 yearsOccurs couple time every six monthsOccurs once every yearOccurs every six monthsOccurs every monthOccurs multiple times a monthOccurs multiple times a day Monday, 22 November 2010
  • 15. How likely is each threat? NegligibleVeryLowLow Medium High VeryHighExtreme Unlikely to occurOccurs a couple of times in 5 yearsOccurs couple time every six monthsOccurs once every yearOccurs every six monthsOccurs every monthOccurs multiple times a monthOccurs multiple times a day Monday, 22 November 2010
  • 16. Consequence of each threat? InsignificantMinor SignificantDamagingSerious Grave No extra effort to repairFew people notice. Small effort to repairLoss of confidence/reputation. Major effort to repair. Some harm. Some effort to repair.Serious. Extend system outage or loss of customers. Completely compromised. System permanently closed or offline. Monday, 22 November 2010
  • 17. Consequence of each threat? InsignificantMinor SignificantDamagingSerious Grave No extra effort to repairFew people notice. Small effort to repairLoss of confidence/reputation. Major effort to repair. Some harm. Some effort to repair.Serious. Extend system outage or loss of customers. Completely compromised. System permanently closed or offline. Monday, 22 November 2010
  • 18. Consequence of each threat? InsignificantMinor SignificantDamagingSerious Grave No extra effort to repairFew people notice. Small effort to repairLoss of confidence/reputation. Major effort to repair. Some harm. Some effort to repair.Serious. Extend system outage or loss of customers. Completely compromised. System permanently closed or offline. Monday, 22 November 2010
  • 19. Consequence of each threat? InsignificantMinor SignificantDamagingSerious Grave No extra effort to repairFew people notice. Small effort to repairLoss of confidence/reputation. Major effort to repair. Some harm. Some effort to repair.Serious. Extend system outage or loss of customers. Completely compromised. System permanently closed or offline. Monday, 22 November 2010
  • 20. Consequence of each threat? InsignificantMinor SignificantDamagingSerious Grave No extra effort to repairFew people notice. Small effort to repairLoss of confidence/reputation. Major effort to repair. Some harm. Some effort to repair.Serious. Extend system outage or loss of customers. Completely compromised. System permanently closed or offline. Monday, 22 November 2010
  • 21. Consequence of each threat? InsignificantMinor SignificantDamagingSerious Grave No extra effort to repairFew people notice. Small effort to repairLoss of confidence/reputation. Major effort to repair. Some harm. Some effort to repair.Serious. Extend system outage or loss of customers. Completely compromised. System permanently closed or offline. Monday, 22 November 2010
  • 22. Risk • Risk is a combination of frequency and consequence • The more likely a threat increases risk • The more serious a threat increases risk Monday, 22 November 2010
  • 23. Risk Insignificant Minor Significant Damaging Serious Grave Negligible Nil Nil Nil Nil Nil Nil Very Low Nil Low Low Low Medium Medium Low Nil Low Medium Medium High High Medium Nil Low Medium High High Critical High Nil Medium High High Critical Extreme Very High Nil Medium High Critical Extreme Extreme Extreme Nil Medium High Critical Extreme Extreme Consequence Threat Monday, 22 November 2010
  • 24. Acceptable Risk • Set level of acceptable risk • Assign priorities for each threat based on acceptable risk and risk of threat Monday, 22 November 2010
  • 25. Priorities • A risk greater than acceptable risk + 1 level • B risk is acceptable risk + 1 level • C risk same as acceptable risk • D risk less than acceptable risk • Aim to do all of A,B and C priorities • Do D priorities if you have time and budget Monday, 22 November 2010
  • 26. Treatments • Addition of security measures • Reduction of security measures • Minimisation of harm • Change of service or system specifications • Transference of risk • Acceptance of risk Monday, 22 November 2010
  • 27. Effort and Cost • May be many ways to treat a single threat • Amount of effort or cost may decide which treatment chosen Monday, 22 November 2010
  • 28. Election System Student election system for the University of Technology Sydney Monday, 22 November 2010
  • 30. Server Configuration • Run with minimal down time • Perform well under load • Limited external access to server Monday, 22 November 2010
  • 31. Server Treatment • Staging/production system • Not a shared server • Standalone separate machines for database and CF server • No access to production server • Code reviewed by external agency Monday, 22 November 2010
  • 32. Network Issues • Occasional network outages • Occasional slow access from outside Monday, 22 November 2010
  • 33. Network Treatment • Ability to change the end date after an election has started • Date could only be extended not reduced Monday, 22 November 2010
  • 34. SQL Security Issues • SQL injection attacks • Sensitivity of data • Trust and integrity of election results Monday, 22 November 2010
  • 35. SQL Injection • Most common form of attack • Malformed form or URL parameters to run evil SQL statements • Wrap SQL in methods with type safe arguments • Cfqueryparam is your friend! Monday, 22 November 2010
  • 36. SQL Security Treatment • Multiple data sources • Multiple database users • Restrict SQL actions. No deletes and almost no updates few inserts and mainly selects. • Table level permissions Monday, 22 November 2010
  • 38. Multiple Database Users • Table level permissions • SQL operation permissions Monday, 22 November 2010
  • 39. SQL Permissions • Deny all to all users to all tables • Add permissions for each SQL operation as needed • Don’t be tempted to give admin user all permissions Monday, 22 November 2010
  • 40. Deny All deny all on elections to electionvoter, electionadmin, electionlogin deny all on candidates to electionvoter, electionadmin, electionlogin; deny all on rolls to electionvoter, electionadmin, electionlogin; deny all on ballots to electionvoter, electionadmin, electionlogin; Monday, 22 November 2010
  • 41. Grant Access grant select on roll to electionvoter, electionadmin; grant update on roll to electionvoter; grant insert on roll to electionadmin; Monday, 22 November 2010
  • 42. Login Issues • Dictionary attacks • Timing attacks • Storing passwords Monday, 22 November 2010
  • 43. Login Treatment • Account lock out if password wrong x times • Random time delay Monday, 22 November 2010
  • 44. Java Sleep <!--- delay is to hinder timing style attacks ---> <cfset thread=createObject("java","java.lang.Thread")> <cfset thread.sleep(300 + int(rand()*21)*10)> Monday, 22 November 2010
  • 45. Code Modification • Pages code not modified • Only run trusted pages Monday, 22 November 2010
  • 46. Code Modification Treatment • Finger print each page via MD5 • Check finger print when page is run via Application onRequest method Monday, 22 November 2010
  • 47. onRequest <!--- read the cfm file ---> <cftry> <cffile action="read" variable="pagecontents" file="#CGI.PATH_TRANSLATED#"> ....... </cftry> <!--- get page from database ---> <cfquery name="dbpage" datasource="#request.datasource#"> select page, hash from pages where page = <cfqueryparam value="#hash(listlast(arguments.page,'/')) #" cfsqltype="cf_sql_varchar"> </cfquery> <!--- check if page exists and page hash is correct ---> <cfif dbpage.recordcount is 1 and hash(pagecontents) is dbpage.hash> <cfinclude template="#arguments.page#"> <cfelse> <cfinclude template="./elections/security.cfm"> </cfif> Monday, 22 November 2010
  • 48. Limiting Information • Assume someone will break into the system • What information can they obtain? • What could they modify? • Limit what they can see/use • Minimise damage they can do • Log everything Monday, 22 November 2010
  • 49. Why do this? • Know that you’re spent you budget efficiently • Confidence that your system is secure as it needs to be • An understanding of the risks in your system • Minimal damage occurs if the worse does happen Monday, 22 November 2010
  • 50. Questions? Ask now, see me after the session, follow me on twitter @justinmclean or email me at justin@classsoftware.com Monday, 22 November 2010