
Security Awareness for Open Source Web Applications

101 views

Published on

Security awareness slides at TYPO3 Conference 2019 in the Hague.

Published in: Technology


  1. WHO AM I? Tatár Balázs János (@tatarbj). Open Source enthusiast since 2007; CTO @ Petend; Open Source Security Correspondent @ European Commission; SecOSdreamer @ Secure Open Source days (SecOSdays); Open Source Globetrotter @ FOSS communities. (Slide footer on every slide: TATÁR BALÁZS JÁNOS @tatarbj)
  2. A bug's life: Security awareness at work. Source: https://www.kisspng.com/png-flik-ant-insect-atta-the-walt-disney-company-bug-s-2727501/
  3. SECURITY AWARENESS: Security measures at our workplace. Programs to educate employees; DevOps -> DevSecOps; Individual responsibilities for company security policies; Measures to audit these efforts. Source: http://www.bugs.org/dream/teachers/index.html
  4. ORGANISATIONAL STRUCTURES: Top-down approach. Creating security policies; Assessing your company's vulnerabilities; Investing in security technologies; Enterprise level. Source: https://blog.ferrovial.com/en/2016/11/what-have-ants-taught-architecture/
  5. EASY-TO-IMPLEMENT STEPS: Hints for small businesses. Use different forms of media to reinforce the message; Highlight recent attacks in the news; Seek the services of a professional. Source: https://cheezburger.com/7113430784/cnn-has-some-strange-reporters
  6. Security issues are bugs with different severity and business impact.
  7. THE BUG: Programming malfunction. Authentication / Authorization / Data confidentiality / Data integrity; No blaming game! Source: https://www.welcomewildlife.com/true-bugs-the-good-the-bad-the-ugly/
  8. The Eggs: Planning and Security by Design. Source: https://pixabay.com/vectors/search/ant/
  9. PLANNING PHASE: At the start of every IT project. Budgeting issues; Continuous education; Iterative approach. Source: https://www.wired.com/2014/11/harvester-ants-randomly-move-their-nests/
  10. THINKING EVIL™: Method by Andrew van der Stock.
  11. Is the process surrounding this feature as safe as possible? In other words, is this a flawed process?
  12. If I were evil, how would I abuse this feature?
  13. Is the feature required to be on by default? If so, are there limits or options that could help reduce the risk from this feature?
  14. SECURITY PRINCIPLES I.: First and second parties. Minimize attack surface area; Establish secure defaults; Least privilege; Defense in depth; Fail securely. Source: https://www.britishbugs.org.uk/heteroptera/Pentatomidae/pentotoma_rufipes.html
  15. SECURITY PRINCIPLES II.: Third parties. Don't trust services; Separation of duties; Avoid security by obscurity; Keep security simple; Fix security issues correctly. Source: https://www.twincities.com/2015/06/21/catch-bugs-for-scientists-to-study-at-interstate-state-park/
  16. The Caterpillar: Development iterations until the first release. Source: https://www.stickpng.com/img/animals/insects/caterpillars/caterpillar-clipart
  17. Stakeholders' knowledge of basic principles and how they may be implemented in a software product is vital to software security.
  18. THE BASIC SKILLS: The secure mind-set. Protection from disclosure/alteration/destruction; Rights and privileges belonging to the requester; Ability to build historical evidence; Management of configuration, sessions and errors/exceptions. Source: https://species.wikimedia.org/wiki/Coccinella_septempunctata
  19. APPLICATION LEVEL SECURITY: Protection of your application. Sanitize inputs on the client side and the server side; Verify file upload functionality; Use only current encryption and hashing algorithms; Check the randomness of the session; Make sure third-party libraries are secured; Set a strong password policy. Source: https://www.pinterest.com/pin/67554063138904545
  20. INFRASTRUCTURE LEVEL SECURITY: Protection of your host. Use HTTPS for domain entries; Do not allow directory listing; Use TLS, not SSL; Hide web server information. Source: https://www.vice.com/en_us/article/d7ezaq/what-would-happen-if-all-the-bees-died-tomorrow
  21. WEB SECURITY PRACTICES: Protection of your users. Encode request/response; Do not store sensitive data inside cookies; Set the Secure and HttpOnly flags on cookies; Do not store sensitive information in a form's hidden fields; Set secure response headers. Source: https://www.pexels.com/photo/bee-hiding-1244184/
  22. The Chrysalis: First releases of the application. Source: https://www.nicepng.com/ourpic/u2e6a9o0y3u2y3e6_becoming-a-chrysalis-butterfly-caterpillar-monarch-i-ytimg/
  23. VULNERABILITY ASSESSMENT: Forest of false positive issues. Environmental conditions; Scanning of the application / infrastructure; Iterative approach to improve findings; Asset management. Source: https://99px.ru/avatari_vkontakte/10916/
  24. SECURITY ASSESSMENT: VA + manual verification. Looking to gain broad coverage of the systems under test; No exploitation of vulnerabilities; Verification by authorized access; Examining logs, system responses, error messages, code, etc. Source: https://masterok.livejournal.com/4202997.html
  25. Penetration tests simulate attacks by malicious parties.
  26. SECURITY AUDIT: VA + SA + Pentest. Driven by a risk function to look at specific compliance issues; Combination of different approaches; Characterized by a narrow scope. Source: https://ccsenvironmental.uk/weird-and-funny-facts-about-insects-and-bugs/
  27. SECURITY REVIEW: And something else than before. Verification that industry or internal security standards have been applied; Gap analysis, review of design documents and architecture diagrams; Activity that does not utilize any of the VA, SA, Pentest or Security audit approaches. Source: https://www.britishbugs.org.uk/heteroptera/Pentatomidae/pentotoma_rufipes.html
  28. The Butterfly: Maintenance releases and activities. Source: https://www.pngkey.com/detail/u2q8w7a9o0q8e6u2_monarch-butterfly-transparent-background/
  29. The three pillars: Information security.
  30. Confidentiality: only allow access to data for which the user is permitted.
  31. Integrity: ensure data is not tampered with or altered by unauthorized users.
  32. Availability: ensure systems and data are available to authorized users when they need them.
  33. VULNERABILITY MANAGEMENT: Iterative identification. Evolutive and corrective maintenance; Detection; Reporting; Remediation; Necessary mitigation vs. what-if cases. Source: https://www.thoughtco.com/fascinating-facts-about-ladybugs-1968120
  34. TRUSTED SOURCES: Monitor regularly. Vendors, third-party providers; National Vulnerability Database (NVD); Common Vulnerabilities and Exposures (CVE); ... and the TYPO3 Security Team! Source: https://blogs.iadb.org/sostenibilidad/en/the-fight-of-the-butterfly-restoring-haitis-native-species/
  35. TYPO3 SECURITY TEAM: Activities by professionals. Incident handling; Create/review core security fixes; Coordination & monitoring; Introducing new security features & educating; TYPO3 Security Guide; typo3-announce mailing list. Source: https://store-images.s-microsoft.com/image/apps.2544.13768621950225582.167ba0c8-6eb8-47bb-96fe-278c89bf0dc9.ea440c13-fd1d-4705-b62c-9bfd9054b8b3
  36. SECURITY ADVISORIES I.: The way to let us know. Disclosure policy; Vulnerability management follows industry standards (CVSS v3.0); Advisory identifiers: TYPO3-CORE-SA-[year]-[number], TYPO3-EXT-SA-[year]-[number], TYPO3-PSA-[year]-[number]. Source: https://media.istockphoto.com/photos/six-monarch-butterfly-picture-id680833460?k=6&m=680833460&s=612x612&w=0&h=mK7pfS37Wr2PahZNH-bIdprHLyrH6ygjqIffgn6Sezo=
  37. SECURITY ADVISORIES II.: "It has been discovered that…". Component type & Vulnerable subcomponent & Release date; Vulnerability type and Affected versions; Severity & Suggested CVSS v3.0; CVE (if assigned already); Non-descriptive description, Solution and Credits. Source: https://www.twincities.com/wp-content/uploads/2019/08/jmp-monarchs-002.jpg
  38. SecOSdays, 25-26 October 2019, Sofia, Bulgaria. https://secosday.eu
  39. Questions?
  40. Thank you!
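Slides 20 and 21 list checks a defender can run against any HTTP response: no server version disclosure, Secure and HttpOnly flags on every cookie, and secure response headers. The following checker is an added example written for this page, not code from the talk or from the TYPO3 project; the sample response and the set of required headers are constructed assumptions.

```python
import re

# Constructed sample response head (not captured from any real site).
SAMPLE_RESPONSE = """HTTP/1.1 200 OK
Server: Apache/2.4.29 (Ubuntu)
Content-Type: text/html; charset=utf-8
Set-Cookie: legacy=abc123; Path=/
Set-Cookie: app=xyz789; Path=/; Secure; HttpOnly; SameSite=Lax
X-Content-Type-Options: nosniff
"""

# Assumed minimal set of security headers every HTML response should carry.
REQUIRED_HEADERS = (
    "strict-transport-security",  # keep clients on HTTPS
    "x-content-type-options",
    "x-frame-options",
    "content-security-policy",
)


def parse_head(raw):
    """Split a raw HTTP response head into its status line and (name, value) pairs."""
    lines = raw.strip().splitlines()
    headers = []
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers


def check_response(raw):
    """Return one finding per violated practice; an empty list means all checks passed."""
    _, headers = parse_head(raw)
    findings = []
    for name, value in headers:
        # Slide 20: hide web server information (a version number is the usual leak).
        if name == "server" and re.search(r"\d", value):
            findings.append(f"Server header discloses software version: {value}")
        # Slide 21: every cookie must carry the Secure and HttpOnly flags.
        if name == "set-cookie":
            cookie = value.split("=", 1)[0].strip()
            attrs = {a.strip().split("=", 1)[0].lower() for a in value.split(";")[1:]}
            for flag in ("secure", "httponly"):
                if flag not in attrs:
                    findings.append(f"Cookie '{cookie}' is missing the {flag} flag")
    # Slide 21: set secure response headers.
    present = {name for name, _ in headers}
    for required in REQUIRED_HEADERS:
        if required not in present:
            findings.append(f"Missing security header: {required}")
    return findings
```

Running `check_response(SAMPLE_RESPONSE)` on the constructed response reports the Apache version leak, both missing flags on the `legacy` cookie and three absent headers, while the `app` cookie passes.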