Stop expecting magic fairy dust: Make apps secure by design

STOPEXPECTING
MAGIC
FAIRY DUSTMAKE APPS SECURE BY DESIGN

@zmre zmre
Patrick Walsh
15 Years of Security and Eng. Leadership
CEO IronCore Labs

Story is from the book: Secure by Design
Östgöta Bank Robbery of 1854
@zmre / #bsdc

PICK-PROOF LOCK == FEATURE != SECURE SYSTEM
@zmre / #bsdc

SECURE DESIGN SECURE APP
@zmre / #bsdc

PERFORMANCE
DEVELOPMENT CONCERNS
SCALABILITY
USABILITY
SECURITY
RELIABILITY
MAINTAINABILITY
@zmre / #bsdc

(CONFIDENTIALITY,
INTEGRITY,
AVAILABILITY)
SECURITY CONCERNS
==
@zmre / #bsdc

WHO IS RESPONSIBLE FOR YOUR
SECURITY BUDGET?
@zmre / #bsdc

I T
OWNS
SECURITY
BUDGET
IT’s toolkit: ﬁrewall,
anti-virus, intrusion
detection, VPN, etc.
(CISO or CIO)
@zmre / #bsdc

Bugs and security
ﬂaws can’t be ﬁxed
from outside.
A wall without a
gate is a prison. By
design, perimeters
have gates.
<
/>
App Code
@zmre / #bsdc

A perfectly secure
app doesn’t need
a perimeter.
<
/>
App Code
@zmre / #bsdc

But programmers
aren’t perfect.
And no code runs
in isolation. It’s
balanced atop a
fragile chain of
trust.
So we need both.
<
/>
App Code
@zmre / #bsdc

IT 
ASSUME APP IS VULNERABLE
DEV 
ASSUME NETWORK IS COMPROMISED
@zmre / #bsdc

/ˈprinsəpəl/
noun
1. a rule or belief governing one's
behavior
2. fundamental quality or attribute;
an essence
SECURE DESIGN PRINCIPLES
@zmre / #bsdc

Layers 
Defense in Depth
Verify Everything 
Complete Mediation
Play The What If Game 
Weakest Link
Expect Transparency 
Open Design
Distrust Users & Services 
Least Privilege
Compartmentalize 
Separation of Duties
KISS 
Economy of Mechanism
Usability 
Psychological Acceptability
Secure by Default 
Fail Safe
Monitor 
n/a
PATRICK’S SECURE DESIGN PRINCIPLES 
OWASP EQUIVALENTS
@zmre / #bsdc

SYLVANIA LIGHTIFY BY OSRAM
@zmre / #bsdc

/smärt/
adjective
1. a quick-witted intelligence
2. clean, neat, and well-dressed
noun
1. intelligence; acumen
2. sharp stinging pain
DEFINITION OF SMART
@zmre / #bsdc

SYLVANIA LIGHTIFY BY OSRAM
XSS on username field.
No SSL cert verification.
Malicious wi-fi network name
hack.
Trivial bullshit pre-shared key:
0123456789abcdef.
6 other serious issues.
Research credit: Rapid7@zmre / #bsdc

VERIFY EVERYTHING 
COMPLETE MEDIATION
Assume the worst. Check all
inputs. Verify all SSL connections.
Check permissions at each data
access.
Should have veriﬁed (or pinned)
SSL cert. Should have a RegEx
validation on username ﬁeld.
More code.
OVERVIEW CASE STUDY HARD PART

NO EXCUSE
Not to use HTTPS in dev/staging/QA.
@zmre / #bsdc

EXPECT TRANSPARENCY 
OPEN DESIGN
Never rely on obscurity to
keep something secure.
Assume all details are public.
Magic pre-shared keys
are bad. Especially weak
and unprotected ones.
Security is easy if obscurity
works. Have to think harder to
make it robust if transparent.
OVERVIEW HARD PARTCASE STUDY

AWS key stolen, server accessed, all customers’ data decrypted and stolen.
@zmre / #bsdc

“customer data was compromised, including
the ability to decrypt encrypted data.”
@zmre / #bsdc

Every user’s secret tokens, passwords, and notes are encrypted
with that user’s unique AES key.
Every user’s AES key is stored on the server and encrypted with
the server’s master AES key.
An attacker with access to the server can trivially decrypt all
secrets. And did.
OneLogin ARCHITECTURE
@zmre / #bsdc

LAYERS 
DEFENSE IN DEPTH
Use multiple access
methods, protections
and technologies.
Access to their server (via
AWS keys or otherwise)
gave access to all data.
Can reduce usability,
reusability, and increase
complexity.

PLAY THE WHAT IF GAME 
WEAKEST LINK
When designing systems,
always seek the weakest
link and ask, “what if…”
What if a hacker gets
onto a server?
Can be hard to identify
and ﬁx the weakest link.

Who has their router at home?
@zmre / #bsdc

http://a.b.c.d/cgi-bin/;COMMAND
@zmre / #bsdc

http://a.b.c.d/cgi-bin/;killall$IFS'httpd'
“Users who have the option of doing so should strongly
consider discontinuing use of aﬀected devices.”
@zmre / #bsdc

NO AUTOMATIC UPDATES
@zmre / #bsdc

DISTRUST USERS & SERVICES 
LEAST PRIVILEGE
Limit permissions and keep
things “need-to-know.” Deﬁne
the minimum required
permissions and use those.
Services (especially httpd)
should never run as root.
Giving all services and users
admin privileges makes life
easy, but is a terrible mistake.

MIRAI BOTNET 
THE “FUTURE”
@zmre / #bsdc

60 factory default usernames and passwords
Weaponized IoT: IP cameras, home routers, universal
remotes, DVRs, and more.
Used for DDoS attacks.
Took down DynDNS and Brian Krebs.
MIRAI BOTNET
@zmre / #bsdc

SECURE BY DEFAULT 
FAIL SAFE
Even fresh out of the box, software
should be secure. That goes
double for failure states. “Fail open”
only when no security implications.
Should have forced a setup
step to set a password before
product would work.
Hard to make secure defaults a
good user experience.

Default conﬁg: listens on public port
Default conﬁg: no access control or authentication
Expectation: users RTFM and set up security.
MongoDB
@zmre / #bsdc

680
MongoDB CONSEQUENCES
TERABYTES
of data
UNSECURED
@zmre / #bsdc

30,000
MongoDB CONSEQUENCES
DATABASES
COMPROMISED & RANSOMED
@zmre / #bsdc

USABILITY 
PSYCHOLOGICAL ACCEPTABILITY
Users ﬁnd ways around
security if it gets in their way.
Like propping open doors.
Mongo used insecure defaults
to make it easy to get started,
but they made it hard to secure
and ultimately failed at usability.
Highly secure systems often
come at the expense of
usability so striking this balance
is diﬃcult.

COMPARTMENTALIZE 
SEPARATION OF DUTIES
Isolate access to data and gate it.
Diﬀerent systems have their own
gates. Modular and no trust or master
auth. One system, one purpose.
Extreme example where
networked A/V system should
be completely isolated from
driving controls.
More complexity, harder
troubleshooting, dev, QA.

Many crypto algorithms: going back to the nineties.
Support about a dozen diﬀerent versions
Across architectures and operating systems
Combinatorics of code paths is insanely high
OpenSSL
@zmre / #bsdc

2006
2007
2008
2009
2010
2011
2012
2013
2014
2015
2016
0 10 20 30 40
Low
Moderate
High
FREAK, Logjam
HeartBleed, Poodle, Goto Fail
DROWN
OCSP Stapling
ASN1 Bio
Plaintext Recovery
OpenSSL CONSEQUENCES
@zmre / #bsdc

KISS 
ECONOMY OF MECHANISM
You must be able to reason about
and understand a system or it can’t
be secure. Legacy is the enemy
when no one understands it and is
afraid to remove it.
OpenSSL is the living example
of this and it’s just getting
worse.
Removing old functionality is
hard to do to customers and
systems. But better for security
and maintainability.

MONITOR
Audit and log everything, and
monitor those logs. Use oﬀ-
prem or tamper resistant
mechanisms.
Be ready to detect if your app
is hacked and to have data to
tell you how.
Acting on info and getting to
people who understand it.

Thank You
@zmre
zmre
@ironcorelabs
ironcorelabs.com
Patrick Walsh

Stop expecting magic fairy dust: Make apps secure by design

Recommandé

Recommandé

Contenu connexe

Similaire à Stop expecting magic fairy dust: Make apps secure by design

Similaire à Stop expecting magic fairy dust: Make apps secure by design (20)

Dernier

Dernier (20)

Stop expecting magic fairy dust: Make apps secure by design