A talk on how to take security seriously in a digital company, whether you are starting from scratch or fixing a legacy codebase: learn from the Canada Revenue Agency's Heartbleed mess-up and from a white-hat hacker's advice.
43. What could CRA have done?
• Have a competent security officer or sysadmin
• Inter-department cooperation with CSEC
(they knew 1 day before Heartbleed went public)
• A way for people to tell them security issues
• Be quick!
47. “We don’t have time or money to think about security right now.”
–Almost any company
49. Responsible Disclosure
• Officially allows users/hackers/researchers to contact you about security issues
• Basically just a webpage
• Cheapest security investment you can make*
*depending on who you talk to
50. Who has an RD policy?
• Microsoft
• GitHub
• Apple
• Tesla Motors… Yes, really
54. Lessons learned
• It’s pesky and time-consuming if you have security debt
• Expect a lot of bullshit, entitlement, and comedy (See @CluelessSec)
• Expect to be humbled
59. Responsible Disclosure: you should have it
The bare minimum:
• You don’t have to offer a reward or swag
• Tell people what’s acceptable, what’s not
• Provide a special email or a direct phone number
61. Security 101 for Digital Companies
aka “How to not get hacked within a year”*
68. Encrypt your passwords!
The consequences
• Domino effect with other customers’ accounts (people reuse passwords across sites)
• Permanent black mark on your company record
• You could be sued. Maybe even class-action
• It’s so cheap and easy to do now. Why not?
72. Encrypt your passwords!
But, don’t roll your own crypto
(Strictly speaking: hash them. Hashing is one-way; you never need the plaintext back.)
• MD5, SHA-1, etc. are general-purpose hash functions; they were not designed for passwords (fast to compute, so fast to brute-force)
• Use a password hashing library for your language
• It should use bcrypt, scrypt, PBKDF2, or another algorithm designed for passwords
• You want it to be slow to hash, maybe 1 second (tune the work factor on your own hardware, and store it with the hash so you can raise it later)
91. • Foreign & domestic governments
• Them nasty hackers
• Even that “innocent” person at the café
• Your competitor?
• Users find comfort in green padlocks…
96. Get Auth & Auth Right!
• Research latest Authorization & Authentication practices or libraries
• The most common languages or frameworks already have libraries available
• A rock solid login mechanism is your foundation
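As an added example (not code from the talk), the following Python shows the two points made in the password-hashing slides and in the "Get Auth & Auth Right" slide together: a salted, deliberately slow PBKDF2-HMAC-SHA256 hash beside the unsalted MD5 the slides warn against, a calibration routine that picks an iteration count for the "about one second" target on the machine it runs on, and a minimal login check that costs the same whether or not the username exists. PBKDF2 is used here only because it ships in the Python standard library; bcrypt or scrypt via a maintained library would be the same idea. The stored-hash format (`pbkdf2_sha256$iterations$salt$key`), the `DEFAULT_ITERATIONS` value, the `USERS` table and the `login` function are assumptions of this example, not anything the talk specifies.

```python
import base64
import hashlib
import hmac
import os
import time

# Hypothetical parameters for this example, not from the talk.
# 600,000 iterations of PBKDF2-HMAC-SHA256 is a widely used 2023-era baseline;
# calibrate_iterations() below tunes it toward the "about one second" target.
DEFAULT_ITERATIONS = 600_000
SALT_BYTES = 16
KEY_BYTES = 32


def weak_hash(password: str) -> str:
    """What the slide warns against: unsalted, fast MD5.
    Same password -> same hash for every user, and billions of guesses/sec on a GPU."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_password(password: str, iterations: int = DEFAULT_ITERATIONS) -> str:
    """Salted PBKDF2-HMAC-SHA256. Returns a self-describing string so the
    iteration count can be raised later without breaking old records."""
    salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=KEY_BYTES)
    return "pbkdf2_sha256$%d$%s$%s" % (
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(dk).decode("ascii"),
    )


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        algo, iterations, salt_b64, dk_b64 = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(dk_b64)
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations), dklen=len(expected))
    return hmac.compare_digest(actual, expected)


def calibrate_iterations(target_seconds: float = 1.0, probe_iterations: int = 50_000) -> int:
    """Time a probe hash and scale the iteration count to hit target_seconds on this machine."""
    start = time.perf_counter()
    hashlib.pbkdf2_hmac("sha256", b"calibration", os.urandom(SALT_BYTES), probe_iterations, dklen=KEY_BYTES)
    elapsed = max(time.perf_counter() - start, 1e-6)
    return max(probe_iterations, int(probe_iterations * target_seconds / elapsed))


# Constructed user store for the example: username -> stored hash string.
# 20,000 iterations keeps the example quick; use the calibrated count in production.
USERS = {
    "alice": hash_password("correct horse battery staple", iterations=20_000),
}
# Dummy record verified when the username is unknown, with the same iteration
# count as real records, so a missing user costs as long as a wrong password
# (no username enumeration by timing).
_DUMMY_HASH = hash_password("dummy-password-for-timing", iterations=20_000)


def login(username: str, password: str, users: dict = USERS) -> bool:
    """The foundation of a login mechanism: no plaintext stored, constant-time
    comparison, and the same code path and cost whether or not the user exists."""
    stored = users.get(username)
    if stored is None:
        verify_password(password, _DUMMY_HASH)  # burn the same time, then fail
        return False
    return verify_password(password, stored)


if __name__ == "__main__":
    print("weak md5 for 'password':", weak_hash("password"))
    print("alice / right password:", login("alice", "correct horse battery staple"))
    print("alice / wrong password:", login("alice", "Tr0ub4dor&3"))
    print("unknown user:", login("mallory", "anything"))
    print("iterations for ~1s on this box:", calibrate_iterations(1.0))
```

Two things worth noticing when running it: `weak_hash("password")` is the same hex string on every machine and for every user, which is exactly why leaked MD5 tables crack so quickly, while two calls to `hash_password` with the same input never produce the same record because of the random salt. The iteration count printed by `calibrate_iterations` is the number you would store as `DEFAULT_ITERATIONS` for that hardware; rerun it when you move to faster servers.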
107. OWASP Top 10
• Get every dev into it, until they dream about it
• Covers the most common & most dangerous web app security issues (XSS, CSRF, SQLi, etc.)
• Print out OWASP’s guide books too. (They’re tomes, but good desk references)
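As an added example (not from the talk or from OWASP), here are two of the Top 10 issues the slide names, each as the vulnerable snippet beside its fixed form: a SQL injection against a constructed in-memory SQLite table, and a reflected XSS in a rendered greeting. The table contents, the `payload` string and the function names are all constructed for the example.

```python
import html
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory user table for the example."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, is_admin INTEGER)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [("alice", 1), ("bob", 0)])
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """SQL injection: the user-controlled string is spliced into the query text,
    so a quote in the input ends the literal and the rest becomes SQL."""
    query = "SELECT username FROM users WHERE username = '%s'" % username
    return [row[0] for row in conn.execute(query)]


def find_user_safe(conn: sqlite3.Connection, username: str) -> list:
    """Parameterized query: the driver sends the value separately from the
    statement, so quotes in the input are data, never SQL."""
    return [row[0] for row in conn.execute(
        "SELECT username FROM users WHERE username = ?", (username,))]


def greeting_vulnerable(name: str) -> str:
    """Reflected XSS: untrusted input goes into HTML unescaped."""
    return "<p>Hello, %s!</p>" % name


def greeting_safe(name: str) -> str:
    """Output encoding for an HTML text context: <, >, &, and quotes become entities."""
    return "<p>Hello, %s!</p>" % html.escape(name, quote=True)


if __name__ == "__main__":
    conn = make_db()
    payload = "x' OR '1'='1"  # constructed attacker input
    print("vulnerable:", find_user_vulnerable(conn, payload))  # every user leaks
    print("safe:      ", find_user_safe(conn, payload))        # nothing matches
    xss = "<script>alert(document.cookie)</script>"
    print(greeting_vulnerable(xss))
    print(greeting_safe(xss))
```

The fix in both cases is the same principle the Top 10 keeps returning to: never let data and code share a channel. Parameters keep the input out of the SQL grammar; escaping keeps it out of the HTML grammar. Note that `html.escape` is only right for an HTML text or attribute context; input placed inside a `<script>` block or a URL needs the encoding for that context instead.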
122. Credits
• “Anonymous Hacker” by Brian Klug (CC BY-NC 2.0) (Slide 1, 43)
• “Heartbleed” by Leena Snidate/Codenomicon (CC0 1.0) (Slide 9)
• “The Secret” by Cedward Brice (CC BY-NC 2.0) (Slide 24)
• “Pure Mathematics” by Ed Brambley (CC BY-SA 2.0) (Slide 31)
• “Widget, confused as ever” by Anna Pickard (CC BY-NC-SA 2.0) (Slide 36, 37)
• “The Big E Day 2 2011” by RustyClark (CC BY 2.0) (Slide 40)
• “EFF version of NSA logo” by EFF (CC BY 2.0) (Slide 43)
• “Bryant Park, Nov 2009 - 52” by Ed Yourdon (CC BY 2.0) (Slide 43)
• “Owasp logo” by OWASP (CC BY-SA 3.0) (Slide 47, 48)
• “Day 342 - Hacker” by Christophe Verdier (CC BY-NC 2.0) (Slide 54)
• “Question Box” by Raymond Bryson (CC BY 2.0) (Slide 55)