Agenda
List of mistakes that are painful to remediate
‣TLS
‣Web Security
‣Passwords
‣ Infrastructure
‣Corporate Environment
Not an exhaustive list
Target audience‣Companies just starting up or in their initial growth phase
‣Every company will hit these issues at some point
Not having TLS from day 1
‣There is no reason to have HTTP endpoints
•Most TLS performance issues are a myth
‣One HTTP link compromises the security of your whole application (sslstrip)
https://github.com/diogomonica/py-cookieJsInjection
SSLv3 enabled
‣There are essentially no legitimate clients without TLS support
•No, IE6 on SP2 is not a legitimate client
‣A lot of pressure from PCI Council to be strict about disabling SSLv3
[ insert favorite POODLE link here ]
Crappy certificates
‣Choose a good issuer
•If you have an app you will be pinning to it
‣Make sure you are not using MD5 or SHA1 for the signature
https://github.com/diogomonica/gocert
Lack of security headers
‣Even if you are 100% https, the first connection is still vulnerable
•The HSTS header fixes that
‣Tons of important headers. Start every application by using Twitter’s Secure headers gem/list.
https://github.com/twitter/secureheaders
Everything under the same domain
‣Use a completely different domain for all trusted activity
•Example: trustedsite.com VS usercontentsite.com
‣Host all of your static files from a different domain
•Scopes the TLS certificates you will have to give to CDNs
‣Host all javascript from yet another different domain
•Allows you to set CSP policies on where Javascript is loaded
Cookie scoping as an afterthought
‣The site blog.diogomonica.com can set cookies with scope diogomonica.com
•Cookie Stealing
•Cookie Eviction
•Session Fixation
‣Make sure you only use Secure and HttpOnly cookies
http://bit.ly/18fet3L
Not enabling CSP in reporting mode
‣The objective is to eventually enable CSP in enforce mode
•Helps track the addition of in-line and foreign Javascript
•On that note: host all of your Javascript
http://mzl.la/1B3GPZT
Internal admin dashboard as part of the same app
‣Applications usually start off by having admin dashboard built-in
•Accessible from the Internet
‣ If something is supposed to be internal, make sure you:
•Make it internal only from day 1
•Deploy it on a different host/vm/container
•Don’t use origin IP for authorization (Header injection issues)
Logging blacklists
‣Logging should work in a white-list model
‣Very easy to end up with PII or other sensitive information in logs
•Good luck getting it out of hadoop
•Good luck getting it out of Splunk
•Good luck cleaning all of your backups
Checking-in secrets
‣Build a secret-distribution story early
•People commit AWS credentials to github repositories all the time
‣Check for leaked keys daily (gitrob)
https://github.com/michenriksen/gitrob
Sharing passwords around
‣Laptops get stolen/lost all the time
•Full-disk encryption won’t save you against DMA Attacks
•Laptop compromise means all credentials get leaked
‣Use centralized secret storage applications instead (e.g. Bitium, Onelogin)
•Enable multi-factor authentication to access
Hashing passwords
‣Use bcrypt
‣Use bcrypt
‣Use bcrypt
http://codahale.com/how-to-safely-store-a-password/
Not making your application deployment nimble
‣Run all your applications in containers*
•Allows you to update the underlying Operating System easily
‣Use SELinux: helps with some classes of application-level vulnerabilities
https://www.docker.com/
*I’m obviously very biased on this subject
Production access without 2FA
‣Create choke-points for production access
•SSH access should require TOTP token through a Bastion host
•Internal dashboard access should go through a 2FA SSO
SSH BastionHost
Datacenter
Front-endServer
Back-endServer
CorporateNetwork
SSO Portal InternalDashboard
Trust from the corporate network
‣Corporate network should have no trust relations with production (or minimal trust)
SSH BastionHost
Datacenter
Front-endServer
Back-endServer
Internet
SSO Portal InternalDashboard
No centralized logging
‣Create a new service/application check-list for with two items:
•Enable centralized logging
•Ensure NTP is being synced
‣Are you using AWS? Go enable Cloudtrail now!
•Seriously, do it now, I’ll wait.
http://aws.amazon.com/cloudtrail/
Not having root use as an alertable event
‣#people with the root password should be < #fingers in your hand
‣Log all uses of sudo -s ; sudo -i ; su - ; su root ; etc
•These should not be common events
http://knowyourmeme.com/memes/sad-panda
HTTP for your S2S communication
‣All S2S communication should be HTTPS
Datacenter
Front-endServer
Back-endServer
ApplicationServer
Not having a self-service check-list
‣Create a self-service security check-list with the following items:
•Download, install and set Chrome as the default browser
•Install the Adblock extension
•Java must be disabled
•Flash must be set as click to play
•Full-disk encryption is mandatory
•Enroll the laptop in Find my Mac
•Passwords are generated and stored in 1Password
Summary
‣There are security issues that every company will eventually have to deal with
‣Some mistakes will be a lot more costly than others
‣Bring in someone in whose job is to worry about Security early on
•Remember: real security engineers ship!