![Page 1: Effective approaches to web application security · Effective approaches to web application security zane@etsy.com @zanelackey. Who am I? ... –sha1sum sensitive platform level files](https://reader030.vdocuments.site/reader030/viewer/2022040508/5e4893e1b27ffe27117970b0/html5/thumbnails/1.jpg)
Effective approaches to web application security
@zanelackey
Who am I?
• Security Engineering Manager @ Etsy
– Lead AppSec/NetSec/SecEng teams
• Formerly @ iSEC Partners
• Books/presentations primarily focused on application and mobile security
What is Etsy?
Online marketplace for creative independent businesses
Scale at Etsy
1.5B pageviews/mo
40M uniques/mo
#51 by US traffic*
* April 2012, Alexa site ranking
About this talk
Real world approaches to web application security challenges
About this talk
Specifically, techniques that are simple and effective
Continuous deployment?
<- What it (hopefully) isn’t
Three words: iterate, iterate, iterate
Etsy pushes to production 30 times a day on average
(dogs push too)
But doesn’t the rapid rate of change mean things are less secure?!
Actually, the opposite is true
Being able to deploy quickly is our #1 security feature
Compared to
We’ll rush that security fix. It will go out in the next release in about 6 weeks.
- Former vendor at Etsy
What it boils down to (spoiler alert)
• Make things safe by default
• Detect risky functionality / Focus your efforts
• Automate the easy stuff
• Know when the house is burning down
Safe by default
How have the traditional defenses for XSS worked out?
Safe by default
• Problems?
  – Often done on a per-input basis
    • Easy to miss an input or output
  – May use defenses in the wrong context
    • An input validation pattern may block full HTML injection, but not injection inside JS
  – May put defenses on the client side in JS
  – Etc …
These problems miss the point
Safe by default
• The real problem is that it’s hard to find where protections have been missed
• How can we change our approach to make it simpler?
Safe by default
Input validation
Output encoding
Safe by default
Encode dangerous HTML characters to HTML entities at the very start of your framework
To repeat… Before input reaches main application code
Safe by default
On the surface this doesn’t seem like much of a change
Safe by default
Except, we’ve just made lots of XSS problems grep-able
Safe by default
Now we look for a small number of patterns:
• HTML entity decoding functions or explicit string replacements
• Data in formats that won’t be sanitized
  – Ex: Base64 encoded, double URL encoded, etc
• Code that opts out of platform protections
![Page 30: Effective approaches to web application security · Effective approaches to web application security zane@etsy.com @zanelackey. Who am I? ... –sha1sum sensitive platform level files](https://reader030.vdocuments.site/reader030/viewer/2022040508/5e4893e1b27ffe27117970b0/html5/thumbnails/30.jpg)
Safe by default
Fundamentally shifts us:
From: “Where is my app missing protections?”
(hard)
To: “Where is it made deliberately unsafe?”
(easy)
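As an added worked example (not from the slides and not Etsy's code), the following JavaScript shows the whole idea for a hypothetical Node web framework: `encodeRequestInputs` is run once over the parsed request before any handler sees it, `rawInput` is the single, deliberately named opt-out, and `findOptOuts` is the grep for the patterns above, run here over a constructed source snippet. The function names, the opt-out name and the pattern list are this example's assumptions.

```javascript
// Added example: entry-point HTML encoding plus the grep for opt-outs.
// Not from the slides; names and patterns are this example's assumptions.

const HTML_ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
const ENTITY_TO_CHAR = Object.fromEntries(Object.entries(HTML_ENTITIES).map(([c, e]) => [e, c]));

// Encode the five characters that matter in an HTML context.
function encodeHtml(value) {
  return String(value).replace(/[&<>"']/g, c => HTML_ENTITIES[c]);
}

// Run once, at the very start of request handling, over every string the
// client sent (query, body, cookies). Application code only ever sees the
// encoded form, so a forgotten encoding step is no longer an XSS.
function encodeRequestInputs(input) {
  if (typeof input === 'string') return encodeHtml(input);
  if (Array.isArray(input)) return input.map(encodeRequestInputs);
  if (input && typeof input === 'object') {
    const out = {};
    for (const [key, value] of Object.entries(input)) out[key] = encodeRequestInputs(value);
    return out;
  }
  return input;
}

// The one sanctioned way back to the raw value. The unusual name is the
// point: grep -rn 'rawInput(' lists every deliberate opt-out.
function rawInput(encoded) {
  return String(encoded).replace(/&(amp|lt|gt|quot|#x27);/g, e => ENTITY_TO_CHAR[e]);
}

// The patterns from the slide: entity decoders or hand-rolled replacements,
// encodings the entry-point encoder cannot see through, double decoding.
const OPT_OUT_PATTERNS = [
  { name: 'entity decode', re: /\b(rawInput|html_entity_decode|htmlspecialchars_decode|he\.decode)\s*\(/ },
  { name: 'manual replacement', re: /\.replace\(\s*\/&(amp|lt|gt|quot|#x27);/ },
  { name: 'opaque encoding', re: /\b(atob|base64_decode)\s*\(|Buffer\.from\([^)]*'base64'/ },
  { name: 'double URL decode', re: /decodeURIComponent\s*\(\s*decodeURIComponent|urldecode\s*\(\s*urldecode/ },
];

// Scan one source file and report each line that opts out of the default.
function findOptOuts(source) {
  const findings = [];
  source.split('\n').forEach((text, index) => {
    for (const { name, re } of OPT_OUT_PATTERNS) {
      if (re.test(text)) findings.push({ line: index + 1, pattern: name, text: text.trim() });
    }
  });
  return findings;
}

// Constructed source snippet standing in for a real handler file.
const SAMPLE_SOURCE = [
  "const name = req.query.name;                                      // already encoded: safe to render",
  "const html = rawInput(req.body.description);                      // deliberate opt-out, review it",
  "const title = req.query.title.replace(/&lt;/g, '<');               // hand-rolled undo of the encoding",
  "const blob = Buffer.from(req.query.payload, 'base64').toString(); // decoded content never met the encoder",
  "const p = decodeURIComponent(decodeURIComponent(req.query.p));    // double decode slips past it too",
].join('\n');

console.log(encodeRequestInputs({ q: '<b>x</b>', tags: ['a&b'] }));
console.table(findOptOuts(SAMPLE_SOURCE));
```

The scanner is just the grep from the slide with the extra cases written down: once the only way to get raw input is through a function with a name nobody types by accident, "where is the app unsafe?" is a search, not an audit.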
![Page 31: Effective approaches to web application security · Effective approaches to web application security zane@etsy.com @zanelackey. Who am I? ... –sha1sum sensitive platform level files](https://reader030.vdocuments.site/reader030/viewer/2022040508/5e4893e1b27ffe27117970b0/html5/thumbnails/31.jpg)
Safe by default
Obviously not a panacea
– DOM based XSS
– javascript: URLs
– Can be a pain during internationalization efforts
![Page 32: Effective approaches to web application security · Effective approaches to web application security zane@etsy.com @zanelackey. Who am I? ... –sha1sum sensitive platform level files](https://reader030.vdocuments.site/reader030/viewer/2022040508/5e4893e1b27ffe27117970b0/html5/thumbnails/32.jpg)
Focus your efforts
![Page 33: Effective approaches to web application security · Effective approaches to web application security zane@etsy.com @zanelackey. Who am I? ... –sha1sum sensitive platform level files](https://reader030.vdocuments.site/reader030/viewer/2022040508/5e4893e1b27ffe27117970b0/html5/thumbnails/33.jpg)
Focus your efforts
• Continuous deployment means code ships fast
• Things will go out the door before security team knows about them
• How can we detect high risk functionality?
![Page 34: Effective approaches to web application security · Effective approaches to web application security zane@etsy.com @zanelackey. Who am I? ... –sha1sum sensitive platform level files](https://reader030.vdocuments.site/reader030/viewer/2022040508/5e4893e1b27ffe27117970b0/html5/thumbnails/34.jpg)
Detect risky functionality
• Know when sensitive portions of the codebase have been modified
• Build automatic change alerting on the codebase
– Identify sensitive portions of the codebase
– Create automatic alerting on modifications
![Page 35: Effective approaches to web application security · Effective approaches to web application security zane@etsy.com @zanelackey. Who am I? ... –sha1sum sensitive platform level files](https://reader030.vdocuments.site/reader030/viewer/2022040508/5e4893e1b27ffe27117970b0/html5/thumbnails/35.jpg)
Detect risky functionality
• Doesn’t have to be complex to be effective
• Approach:
– sha1sum sensitive platform-level files
– Unit tests alert if the hash of a file changes
– Notifies the security team of changes, drives code review
![Page 36: Effective approaches to web application security · Effective approaches to web application security zane@etsy.com @zanelackey. Who am I? ... –sha1sum sensitive platform level files](https://reader030.vdocuments.site/reader030/viewer/2022040508/5e4893e1b27ffe27117970b0/html5/thumbnails/36.jpg)
Detect risky functionality
• At the platform level, watching for changes to site-wide sensitive functionality
– CSRF defenses
– Session management
– Encryption wrappers
– Login/Authentication
– Etc
![Page 37: Effective approaches to web application security · Effective approaches to web application security zane@etsy.com @zanelackey. Who am I? ... –sha1sum sensitive platform level files](https://reader030.vdocuments.site/reader030/viewer/2022040508/5e4893e1b27ffe27117970b0/html5/thumbnails/37.jpg)
Detect risky functionality
• At the feature level, watching for changes to specific sensitive methods
• Identifying these methods is part of initial code review/pen test of new features
![Page 38: Effective approaches to web application security · Effective approaches to web application security zane@etsy.com @zanelackey. Who am I? ... –sha1sum sensitive platform level files](https://reader030.vdocuments.site/reader030/viewer/2022040508/5e4893e1b27ffe27117970b0/html5/thumbnails/38.jpg)
Detect risky functionality
• Watch for dangerous functions
• Usual candidates:
– File system operations
– Process execution/control
– Encryption / Hashing
– Etc
![Page 39: Effective approaches to web application security · Effective approaches to web application security zane@etsy.com @zanelackey. Who am I? ... –sha1sum sensitive platform level files](https://reader030.vdocuments.site/reader030/viewer/2022040508/5e4893e1b27ffe27117970b0/html5/thumbnails/39.jpg)
Detect risky functionality
• Unit tests watch codebase for dangerous functions
– Split into separate high risk/low risk lists
• Alerts are emailed to the appsec team, drive code reviews
![Page 40: Effective approaches to web application security · Effective approaches to web application security zane@etsy.com @zanelackey. Who am I? ... –sha1sum sensitive platform level files](https://reader030.vdocuments.site/reader030/viewer/2022040508/5e4893e1b27ffe27117970b0/html5/thumbnails/40.jpg)
Detect risky functionality
• Monitor application traffic
• Purpose is twofold:
– Detecting risky functionality that was missed by earlier processes
– Groundwork for attack detection and verification
![Page 41: Effective approaches to web application security · Effective approaches to web application security zane@etsy.com @zanelackey. Who am I? ... –sha1sum sensitive platform level files](https://reader030.vdocuments.site/reader030/viewer/2022040508/5e4893e1b27ffe27117970b0/html5/thumbnails/41.jpg)
Detect risky functionality
• Regex incoming requests at the framework
– Sounds like a performance nightmare; shockingly, it isn’t
• Look for HTML/JS in request
– This creates a huge number of false positives
• That’s by design, we refine the search later
![Page 42: Effective approaches to web application security · Effective approaches to web application security zane@etsy.com @zanelackey. Who am I? ... –sha1sum sensitive platform level files](https://reader030.vdocuments.site/reader030/viewer/2022040508/5e4893e1b27ffe27117970b0/html5/thumbnails/42.jpg)
Detect risky functionality
• We deliberately want to cast a wide net to see HTML entering the application
• From there, build a baseline of HTML
– Entering the application in aggregate
– Received by specific endpoints
![Page 43: Effective approaches to web application security · Effective approaches to web application security zane@etsy.com @zanelackey. Who am I? ... –sha1sum sensitive platform level files](https://reader030.vdocuments.site/reader030/viewer/2022040508/5e4893e1b27ffe27117970b0/html5/thumbnails/43.jpg)
Detect risky functionality
What to watch for:
– Did a new endpoint suddenly show up?
• A new risky feature might’ve just shipped
– Did the amount of traffic containing HTML just significantly go up?
• Worth investigating
![Page 44: Effective approaches to web application security · Effective approaches to web application security zane@etsy.com @zanelackey. Who am I? ... –sha1sum sensitive platform level files](https://reader030.vdocuments.site/reader030/viewer/2022040508/5e4893e1b27ffe27117970b0/html5/thumbnails/44.jpg)
Detect risky functionality
Aggregate increased, time to investigate
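An added example, not the slides' own code, of the detection side of the last few slides: a deliberately broad regex applied to every request at the framework, a per-endpoint tally of HTML-bearing requests, and a comparison against yesterday's baseline that answers the two questions above (new endpoint? significant increase?). The traffic, endpoint names and baseline counts are constructed.

```javascript
// Added example: framework-level regex over incoming requests, per-endpoint
// baseline, and the two questions from the slide. Not from the slides; the
// regex, endpoints and counts are constructed for illustration.

// Deliberately broad: anything that looks like a tag, a javascript: URL or an
// inline event handler. False positives are expected and refined later.
const HTML_RE = /<\s*\/?[a-z!][^>]*>|javascript\s*:|\bon[a-z]+\s*=/i;

function requestContainsHtml(req) {
  return Object.values(req.params || {}).some(v => HTML_RE.test(String(v)));
}

// Count HTML-bearing requests per endpoint (path without the query string).
function tallyHtmlByEndpoint(requests) {
  const tally = {};
  for (const req of requests) {
    if (!requestContainsHtml(req)) continue;
    tally[req.path] = (tally[req.path] || 0) + 1;
  }
  return tally;
}

function total(tally) {
  return Object.values(tally).reduce((a, b) => a + b, 0);
}

// Compare a window against the baseline: endpoints that never received HTML
// before, and endpoints (or the aggregate) whose count grew by more than factor.
function compareToBaseline(baseline, current, factor = 2) {
  const report = {
    newEndpoints: [],
    spikes: [],
    aggregate: { baseline: total(baseline), current: total(current) },
  };
  for (const [endpoint, count] of Object.entries(current)) {
    if (!(endpoint in baseline)) report.newEndpoints.push(endpoint);
    else if (count > baseline[endpoint] * factor) {
      report.spikes.push({ endpoint, baseline: baseline[endpoint], current: count });
    }
  }
  report.aggregateSpike = report.aggregate.current > report.aggregate.baseline * factor;
  return report;
}

// Constructed traffic. repeat() stands in for the request stream the framework
// sees; BASELINE is "yesterday's" tally of HTML-bearing requests per endpoint.
function repeat(n, req) { return Array.from({ length: n }, () => req); }
const BASELINE = { '/listings/edit': 40, '/convos/send': 15 };
const CURRENT_REQUESTS = [
  ...repeat(42, { path: '/listings/edit', params: { description: '<b>Hand-dyed</b> yarn' } }),
  ...repeat(20, { path: '/listings/edit', params: { description: 'Hand-dyed yarn' } }),
  ...repeat(60, { path: '/convos/send', params: { body: '<img src=x onerror=alert(1)>' } }),
  ...repeat(5, { path: '/search', params: { q: '<script>alert(1)</script>' } }),
  ...repeat(200, { path: '/search', params: { q: 'yarn' } }),
];

function runComparison() {
  return compareToBaseline(BASELINE, tallyHtmlByEndpoint(CURRENT_REQUESTS));
}

console.log(JSON.stringify(runComparison(), null, 2));
```

Against this traffic the report says exactly what the slide asks for: `/search` is a new endpoint receiving HTML (probably someone probing it), `/convos/send` quadrupled, and `/listings/edit` is unchanged, since rich text in listings is the expected HTML that the wide net was always going to catch.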
![Page 45: Effective approaches to web application security · Effective approaches to web application security zane@etsy.com @zanelackey. Who am I? ... –sha1sum sensitive platform level files](https://reader030.vdocuments.site/reader030/viewer/2022040508/5e4893e1b27ffe27117970b0/html5/thumbnails/45.jpg)
Automate the easy stuff
![Page 46: Effective approaches to web application security · Effective approaches to web application security zane@etsy.com @zanelackey. Who am I? ... –sha1sum sensitive platform level files](https://reader030.vdocuments.site/reader030/viewer/2022040508/5e4893e1b27ffe27117970b0/html5/thumbnails/46.jpg)
Automate the easy stuff
• Automate finding simple issues to free up resources for more complex tasks
• Use attacker traffic to automatically drive testing
• We call it Attack Driven Testing
![Page 47: Effective approaches to web application security · Effective approaches to web application security zane@etsy.com @zanelackey. Who am I? ... –sha1sum sensitive platform level files](https://reader030.vdocuments.site/reader030/viewer/2022040508/5e4893e1b27ffe27117970b0/html5/thumbnails/47.jpg)
Automate the easy stuff
• Some cases where this is useful:
– Application faults
– Reflected XSS
– SQLi
![Page 48: Effective approaches to web application security · Effective approaches to web application security zane@etsy.com @zanelackey. Who am I? ... –sha1sum sensitive platform level files](https://reader030.vdocuments.site/reader030/viewer/2022040508/5e4893e1b27ffe27117970b0/html5/thumbnails/48.jpg)
Automate the easy stuff
• Application faults (HTTP 5xx errors)
• As an attacker, these are one of the first signs of weakness in an app
– As a defender, pay attention to them!
![Page 49: Effective approaches to web application security · Effective approaches to web application security zane@etsy.com @zanelackey. Who am I? ... –sha1sum sensitive platform level files](https://reader030.vdocuments.site/reader030/viewer/2022040508/5e4893e1b27ffe27117970b0/html5/thumbnails/49.jpg)
Automate the easy stuff
• Just watching for 5xx errors results in a lot of ephemeral issues that don’t reproduce
• Instead:
– Grab the last X hours’ worth of 5xx errors from the access logs
– Replay the original request
– Alert on any requests which still return a 5xx
![Page 50: Effective approaches to web application security · Effective approaches to web application security zane@etsy.com @zanelackey. Who am I? ... –sha1sum sensitive platform level files](https://reader030.vdocuments.site/reader030/viewer/2022040508/5e4893e1b27ffe27117970b0/html5/thumbnails/50.jpg)
Automate the easy stuff
• Cron this script to run every few hours
• If a request still triggers an application fault hours later, it’s worth investigating
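An added example of the replay loop, not the script from the slides: it parses common-log-format lines, keeps the unique 5xx requests inside the time window, and replays them through an injected function. The log lines are constructed, and the replay is simulated so the example runs offline; in production `simulatedReplay` would be an HTTP client pointed at a test host, and the script would run from cron.

```javascript
// Added example: pull recent 5xx requests from an access log, de-duplicate,
// replay, and keep only the ones that still fault. Not from the slides; the
// log lines are constructed and the replay function is simulated.

// Common log format: ip ident user [time] "METHOD path proto" status bytes ...
const LOG_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) /;
const MONTHS = { Jan: 0, Feb: 1, Mar: 2, Apr: 3, May: 4, Jun: 5, Jul: 6, Aug: 7, Sep: 8, Oct: 9, Nov: 10, Dec: 11 };

// "05/Apr/2012:10:00:00 +0000" -> Date, honouring the zone offset.
function parseClfTime(text) {
  const m = /^(\d{2})\/(\w{3})\/(\d{4}):(\d{2}):(\d{2}):(\d{2}) ([+-])(\d{2})(\d{2})$/.exec(text);
  if (!m) return null;
  const local = Date.UTC(+m[3], MONTHS[m[2]], +m[1], +m[4], +m[5], +m[6]);
  const offsetMinutes = (+m[8] * 60 + +m[9]) * (m[7] === '-' ? -1 : 1);
  return new Date(local - offsetMinutes * 60 * 1000);
}

// Unique 5xx requests (by method + path) seen in the last `hours` before `now`.
function selectRecentFaults(logText, now, hours) {
  const cutoff = now.getTime() - hours * 3600 * 1000;
  const seen = new Map();
  for (const line of logText.split('\n')) {
    const m = LOG_RE.exec(line);
    if (!m) continue;
    const [, ip, time, method, path, status] = m;
    if (status[0] !== '5') continue;
    const when = parseClfTime(time);
    if (!when || when.getTime() < cutoff) continue;
    const key = `${method} ${path}`;
    if (!seen.has(key)) seen.set(key, { method, path, status: Number(status), firstSeen: when.toISOString(), ip });
  }
  return [...seen.values()];
}

// replay(method, path) -> status code. In production this is an HTTP client
// against a test host; here the caller injects a simulated one.
function findPersistentFaults(faults, replay) {
  return faults
    .map(f => ({ ...f, replayStatus: replay(f.method, f.path) }))
    .filter(f => f.replayStatus >= 500);
}

// Constructed log: one fault that reproduces, one that was transient,
// one too old for the window, a duplicate, and a 404 to ignore.
const SAMPLE_LOG = [
  '10.0.0.5 - - [05/Apr/2012:10:00:00 +0000] "GET /search?q=%27 HTTP/1.1" 500 512 "-" "Mozilla/5.0"',
  '10.0.0.9 - - [05/Apr/2012:10:05:13 +0000] "GET /listings/123 HTTP/1.1" 500 512 "-" "Mozilla/5.0"',
  '10.0.0.7 - - [05/Apr/2012:06:00:00 +0000] "POST /cart/add HTTP/1.1" 503 0 "-" "curl/7.21"',
  '10.0.0.5 - - [05/Apr/2012:11:00:41 +0000] "GET /search?q=%27 HTTP/1.1" 500 512 "-" "Mozilla/5.0"',
  '10.0.0.2 - - [05/Apr/2012:11:30:00 +0000] "GET /shop/foo HTTP/1.1" 404 128 "-" "Mozilla/5.0"',
].join('\n');

const NOW = new Date('2012-04-05T12:00:00Z');

// Simulated replay: the stray quote in the search query still breaks the app,
// the listing page error was a one-off.
function simulatedReplay(method, path) {
  return path.startsWith('/search?q=%27') ? 500 : 200;
}

function runReplayCheck() {
  return findPersistentFaults(selectRecentFaults(SAMPLE_LOG, NOW, 4), simulatedReplay);
}

console.log(runReplayCheck());
```

Two details matter in practice: replay against a test host rather than production (the original request may have been the attacker's, and replaying it into production re-runs whatever it did), and de-duplicate by method and path first, or a scanner's thousand variants of one broken endpoint become a thousand alerts.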
![Page 51: Effective approaches to web application security · Effective approaches to web application security zane@etsy.com @zanelackey. Who am I? ... –sha1sum sensitive platform level files](https://reader030.vdocuments.site/reader030/viewer/2022040508/5e4893e1b27ffe27117970b0/html5/thumbnails/51.jpg)
Automate the easy stuff
• Similar methodology for verifying reflected XSS
• For reflected XSS we:
– Identify requests containing basic XSS payloads
– Replay the request
– Alert if the XSS payload executed
![Page 52: Effective approaches to web application security · Effective approaches to web application security zane@etsy.com @zanelackey. Who am I? ... –sha1sum sensitive platform level files](https://reader030.vdocuments.site/reader030/viewer/2022040508/5e4893e1b27ffe27117970b0/html5/thumbnails/52.jpg)
Automate the easy stuff
• Basic payloads commonly used in testing for XSS:
– alert()
– document.write()
– unescape()
– String.fromCharCode()
– etc
![Page 53: Effective approaches to web application security · Effective approaches to web application security zane@etsy.com @zanelackey. Who am I? ... –sha1sum sensitive platform level files](https://reader030.vdocuments.site/reader030/viewer/2022040508/5e4893e1b27ffe27117970b0/html5/thumbnails/53.jpg)
Automate the easy stuff
We created a tool to use NodeJS as a headless browser for verification
![Page 54: Effective approaches to web application security · Effective approaches to web application security zane@etsy.com @zanelackey. Who am I? ... –sha1sum sensitive platform level files](https://reader030.vdocuments.site/reader030/viewer/2022040508/5e4893e1b27ffe27117970b0/html5/thumbnails/54.jpg)
Automate the easy stuff
Verification flow, using a test webserver:
1. Fetch URL containing potential XSS
2. Page contents returned to a temp buffer, not interpreted yet
3. Inject our instrumented JS into page contents (our JS + page contents)
4. Combination of instrumented JS + page contents interpreted
5. If instrumented JS is executed, alert appsec team for review
![Page 59: Effective approaches to web application security · Effective approaches to web application security zane@etsy.com @zanelackey. Who am I? ... –sha1sum sensitive platform level files](https://reader030.vdocuments.site/reader030/viewer/2022040508/5e4893e1b27ffe27117970b0/html5/thumbnails/59.jpg)
Automate the easy stuff
• Sample instrumented JS:
(function() {
  // keep a reference to the real alert (useful if the harness wants to restore it)
  var proxiedAlert = window.alert;
  // any alert() call, e.g. from a reflected payload, navigates to a marker
  // URL that the harness watches for
  window.alert = function() {
    location="XSSDETECTED";
  };
})();
![Page 60: Effective approaches to web application security · Effective approaches to web application security zane@etsy.com @zanelackey. Who am I? ... –sha1sum sensitive platform level files](https://reader030.vdocuments.site/reader030/viewer/2022040508/5e4893e1b27ffe27117970b0/html5/thumbnails/60.jpg)
Automate the easy stuff
• Open sourced NodeJS tool
– https://github.com/zanelackey/projects
• Combine this approach with driving a browser via Watir/Selenium
– Make sure to use all major browsers
![Page 61: Effective approaches to web application security · Effective approaches to web application security zane@etsy.com @zanelackey. Who am I? ... –sha1sum sensitive platform level files](https://reader030.vdocuments.site/reader030/viewer/2022040508/5e4893e1b27ffe27117970b0/html5/thumbnails/61.jpg)
Know when the house is burning down
![Page 62: Effective approaches to web application security · Effective approaches to web application security zane@etsy.com @zanelackey. Who am I? ... –sha1sum sensitive platform level files](https://reader030.vdocuments.site/reader030/viewer/2022040508/5e4893e1b27ffe27117970b0/html5/thumbnails/62.jpg)
Know when the house is burning down
Graph early, graph often
![Page 63: Effective approaches to web application security · Effective approaches to web application security zane@etsy.com @zanelackey. Who am I? ... –sha1sum sensitive platform level files](https://reader030.vdocuments.site/reader030/viewer/2022040508/5e4893e1b27ffe27117970b0/html5/thumbnails/63.jpg)
Know when the house is burning down
Which of these is a quicker way to spot a problem?
![Page 64: Effective approaches to web application security · Effective approaches to web application security zane@etsy.com @zanelackey. Who am I? ... –sha1sum sensitive platform level files](https://reader030.vdocuments.site/reader030/viewer/2022040508/5e4893e1b27ffe27117970b0/html5/thumbnails/64.jpg)
Know when the house is burning down
![Page 65: Effective approaches to web application security · Effective approaches to web application security zane@etsy.com @zanelackey. Who am I? ... –sha1sum sensitive platform level files](https://reader030.vdocuments.site/reader030/viewer/2022040508/5e4893e1b27ffe27117970b0/html5/thumbnails/65.jpg)
Know when the house is burning down
![Page 66: Effective approaches to web application security · Effective approaches to web application security zane@etsy.com @zanelackey. Who am I? ... –sha1sum sensitive platform level files](https://reader030.vdocuments.site/reader030/viewer/2022040508/5e4893e1b27ffe27117970b0/html5/thumbnails/66.jpg)
Know when the house is burning down
• Methodology:
  – Instrument application to collect data points
  – Fire them off to an aggregation backend
  – Build individual graphs
  – Combine groups of graphs into dashboards
• We’ve open sourced our instrumentation library
  – https://github.com/etsy/statsd
![Page 67: Effective approaches to web application security · Effective approaches to web application security zane@etsy.com @zanelackey. Who am I? ... –sha1sum sensitive platform level files](https://reader030.vdocuments.site/reader030/viewer/2022040508/5e4893e1b27ffe27117970b0/html5/thumbnails/67.jpg)
Know when the house is burning down
![Page 68: Effective approaches to web application security · Effective approaches to web application security zane@etsy.com @zanelackey. Who am I? ... –sha1sum sensitive platform level files](https://reader030.vdocuments.site/reader030/viewer/2022040508/5e4893e1b27ffe27117970b0/html5/thumbnails/68.jpg)
Know when the house is burning down
![Page 69: Effective approaches to web application security · Effective approaches to web application security zane@etsy.com @zanelackey. Who am I? ... –sha1sum sensitive platform level files](https://reader030.vdocuments.site/reader030/viewer/2022040508/5e4893e1b27ffe27117970b0/html5/thumbnails/69.jpg)
Know when the house is burning down
Now we can visually spot attacks
![Page 70: Effective approaches to web application security · Effective approaches to web application security zane@etsy.com @zanelackey. Who am I? ... –sha1sum sensitive platform level files](https://reader030.vdocuments.site/reader030/viewer/2022040508/5e4893e1b27ffe27117970b0/html5/thumbnails/70.jpg)
Know when the house is burning down
But who’s watching at 4AM?
![Page 71: Effective approaches to web application security · Effective approaches to web application security zane@etsy.com @zanelackey. Who am I? ... –sha1sum sensitive platform level files](https://reader030.vdocuments.site/reader030/viewer/2022040508/5e4893e1b27ffe27117970b0/html5/thumbnails/71.jpg)
Know when the house is burning down
• In addition to data visualizations, we need automatic alerting
• Look at the raw data to see if it exceeds certain thresholds
• Works well for graphs like this…
![Page 72: Effective approaches to web application security · Effective approaches to web application security zane@etsy.com @zanelackey. Who am I? ... –sha1sum sensitive platform level files](https://reader030.vdocuments.site/reader030/viewer/2022040508/5e4893e1b27ffe27117970b0/html5/thumbnails/72.jpg)
Know when the house is burning down
![Page 73: Effective approaches to web application security · Effective approaches to web application security zane@etsy.com @zanelackey. Who am I? ... –sha1sum sensitive platform level files](https://reader030.vdocuments.site/reader030/viewer/2022040508/5e4893e1b27ffe27117970b0/html5/thumbnails/73.jpg)
Know when the house is burning down
But not like this…
![Page 74: Effective approaches to web application security · Effective approaches to web application security zane@etsy.com @zanelackey. Who am I? ... –sha1sum sensitive platform level files](https://reader030.vdocuments.site/reader030/viewer/2022040508/5e4893e1b27ffe27117970b0/html5/thumbnails/74.jpg)
Know when the house is burning down
![Page 75: Effective approaches to web application security · Effective approaches to web application security zane@etsy.com @zanelackey. Who am I? ... –sha1sum sensitive platform level files](https://reader030.vdocuments.site/reader030/viewer/2022040508/5e4893e1b27ffe27117970b0/html5/thumbnails/75.jpg)
Know when the house is burning down
• We need to smooth out graphs that follow usage patterns
• Use exponential smoothing formulas like Holt-Winters
• Math is hard, let’s look at screenshots!
![Page 76: Effective approaches to web application security · Effective approaches to web application security zane@etsy.com @zanelackey. Who am I? ... –sha1sum sensitive platform level files](https://reader030.vdocuments.site/reader030/viewer/2022040508/5e4893e1b27ffe27117970b0/html5/thumbnails/76.jpg)
Know when the house is burning down
![Page 77: Effective approaches to web application security · Effective approaches to web application security zane@etsy.com @zanelackey. Who am I? ... –sha1sum sensitive platform level files](https://reader030.vdocuments.site/reader030/viewer/2022040508/5e4893e1b27ffe27117970b0/html5/thumbnails/77.jpg)
Know when the house is burning down
• Now that we’ve smoothed out the graphs…
• Use the same approach as before:
– Grab the raw data
– Look for values above/below a set threshold
– Alert
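The smooth-then-threshold procedure above, as an added Python example that is not from the deck: additive Holt-Winters (level, trend and seasonal components) gives a one-step-ahead forecast for every bucket, and the alert fires when the actual value lands above or below that forecast by more than a fixed threshold. The season length, smoothing constants, threshold and the sample series are all constructed for the illustration.

```python
def holt_winters_alerts(series, season_len, threshold,
                        alpha=0.5, beta=0.125, gamma=0.25):
    """Additive Holt-Winters smoothing with a fixed alert threshold.

    Returns (forecasts, alerts): forecasts[t] is the one-step-ahead forecast
    for series[t] (None for the first season, which only seeds the model) and
    alerts lists every t where |series[t] - forecasts[t]| > threshold.
    """
    m = season_len
    if len(series) < 2 * m:
        raise ValueError("need at least two full seasons to seed the model")
    # Seed: level = mean of season one, trend = mean per-step change between
    # seasons one and two, seasonal = season one minus its mean.
    level = sum(series[:m]) / m
    trend = sum(series[m + i] - series[i] for i in range(m)) / (m * m)
    seasonal = [series[i] - level for i in range(m)]
    forecasts, alerts = [None] * m, []
    for t in range(m, len(series)):
        s = t % m
        forecast = level + trend + seasonal[s]
        forecasts.append(forecast)
        y = series[t]
        if abs(y - forecast) > threshold:
            alerts.append(t)
            # Update the model with the forecast instead of the outlier so a
            # single spike does not lift the baseline and hide the next one.
            y = forecast
        prev_level = level
        level = alpha * (y - seasonal[s]) + (1 - alpha) * (level + trend)
        trend = beta * (level - prev_level) + (1 - beta) * trend
        seasonal[s] = gamma * (y - level) + (1 - gamma) * seasonal[s]
    return forecasts, alerts


# Constructed sample: a four-bucket usage pattern repeated four times, with a
# spike injected at index 9 and a drop at index 14.
SAMPLE = [10, 20, 30, 20] * 4
SAMPLE[9] = 80
SAMPLE[14] = 0

if __name__ == "__main__":
    forecasts, alerts = holt_winters_alerts(SAMPLE, season_len=4, threshold=15)
    for t, (y, f) in enumerate(zip(SAMPLE, forecasts)):
        print(f"t={t:2d} actual={y:3d} forecast={f} {'ALERT' if t in alerts else ''}")
```

Feeding the forecast back in place of an alerting value is an added choice, not something the deck prescribes; without it the spike at index 9 would raise the baseline and trigger a second, spurious alert on the following bucket.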
Know when the house is burning down
Alert on events that (should) never happen
Know when the house is burning down
Successful attacks don’t happen in a vacuum! They generate signals
Know when the house is burning down
• Figure out what the signal of a weakness being identified looks like
• Alert when a signal occurs
• Fix the identified weaknesses
Know when the house is burning down
Two examples: SQLi and code execution
Know when the house is burning down
• The road to exploited SQLi is littered with broken queries
1. Watch the logs for SQL syntax errors
2. Alert when they appear
3. Fix the lack of validation allowing the error
Know when the house is burning down
• Further along the attack process, a SQLi attack looks like… your database
• Sensitive DB table names shouldn’t be showing up in requests
• Alert if they do!
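The two SQLi signals just described (SQL syntax errors in the application log, sensitive table names in request URLs), as an added Python example that is not from the deck. The two error strings are the real MySQL (error 1064) and SQL Server wordings; the table names, handlers and log lines are constructed.

```python
import re
from urllib.parse import unquote_plus
# Driver messages that mean a query failed to parse (MySQL error 1064 and
# SQL Server shown; a real deployment would cover its own engine's wording).
SQL_ERROR_PATTERNS = [
    re.compile(r"You have an error in your SQL syntax", re.I),
    re.compile(r"Unclosed quotation mark after the character string", re.I),
]
# Constructed table names standing in for a real schema's sensitive tables.
SENSITIVE_TABLES = ("users_auth", "payment_tokens")
TABLE_RE = re.compile(r"\b(" + "|".join(SENSITIVE_TABLES) + r")\b", re.I)
# Request line of a combined-format access log: client IP, method, target.
REQUEST_RE = re.compile(r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/')

def find_sql_error_signals(app_lines):
    """Lines carrying a SQL syntax error: each is a broken query that input
    validation should have prevented, so each one is worth an alert."""
    return [line for line in app_lines if any(p.search(line) for p in SQL_ERROR_PATTERNS)]

def fully_decode(s, rounds=3):
    """URL-decode until stable (bounded) so %5F or double encoding can't hide a name."""
    for _ in range(rounds):
        decoded = unquote_plus(s)
        if decoded == s:
            break
        s = decoded
    return s

def find_table_name_signals(access_lines):
    """(client_ip, table) for each request whose path or query names a sensitive table."""
    hits = []
    for line in access_lines:
        m = REQUEST_RE.match(line)
        if m:
            t = TABLE_RE.search(fully_decode(m.group("target")))
            if t:
                hits.append((m.group("ip"), t.group(1).lower()))
    return hits

# Constructed sample log lines, not taken from any real system.
APP_LOG = [
    "2012-04-02T10:01:07 ERROR db: You have an error in your SQL syntax; check the manual [handler=/listing/view]",
    "2012-04-02T10:02:41 ERROR db: Unclosed quotation mark after the character string [handler=/search]",
]
ACCESS_LOG = [
    '10.0.0.5 - - [02/Apr/2012:10:03:12 +0000] "GET /search?q=handmade+lamp HTTP/1.1" 200 5120',
    '10.0.0.9 - - [02/Apr/2012:10:03:15 +0000] "GET /search?q=lamp+users%5Fauth HTTP/1.1" 200 5120',
    '10.0.0.9 - - [02/Apr/2012:10:03:20 +0000] "GET /help/users_auth_help HTTP/1.1" 200 8192',
]
```

The word-boundary match keeps `/help/users_auth_help` out of the alerts while the percent-encoded `users%5Fauth` is still caught because the target is decoded first.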
Know when the house is burning down
A funny story about code execution…
Know when the house is burning down
• preg_replace() in PHP has an interesting modifier
“e (PREG_REPLACE_EVAL) If this modifier is set, preg_replace() does normal substitution of backreferences in the replacement string, evaluates it as PHP code, and uses the result for replacing the search string.”
Know when the house is burning down
• What do the signals for this look like?
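One check that belongs with the "detect risky functionality" theme, as an added Python example that is not from the deck: a static scan that finds preg_replace() calls whose literal pattern carries the e modifier quoted above (the modifier was deprecated in PHP 5.5 and removed in 7.0 in favour of preg_replace_callback()). The PHP snippet it scans is constructed; a pattern held in a variable cannot be judged statically and is reported for manual review.

```python
import re

CALL_RE = re.compile(r"\bpreg_replace\s*\(\s*")
OPEN_TO_CLOSE = {"(": ")", "[": "]", "{": "}", "<": ">"}
# Constructed PHP snippet (not Etsy code) used as the scan input.
PHP_SOURCE = r'''<?php
$out = preg_replace('/(\w+)/e', 'strtoupper("\\1")', $in);           // risky: /e
$out = preg_replace("#<b>(.*?)</b>#ie", "'<strong>' . trim('$1') . '</strong>'", $in);
$out = preg_replace('/\s+/', ' ', $in);                                // fine
$out = preg_replace($pattern, $replacement, $in);                      // can't tell statically
$out = preg_replace_callback('/(\w+)/', 'strtoupper', $in);           // the safe API
'''

def pattern_modifiers(pattern):
    """Modifier letters of a PCRE pattern string as PHP reads it: the first
    character is the delimiter, whatever follows its unescaped close is modifiers."""
    pattern = pattern.lstrip()
    if not pattern:
        return ""
    open_d = pattern[0]
    close_d = OPEN_TO_CLOSE.get(open_d, open_d)
    depth, i = 0, 1
    while i < len(pattern):
        c = pattern[i]
        if c == "\\":           # skip an escaped character such as \/
            i += 2
            continue
        if c == open_d and open_d != close_d:
            depth += 1          # nested bracket delimiter, e.g. "(" inside "(...)"
        elif c == close_d:
            if depth == 0:
                return pattern[i + 1:].strip()
            depth -= 1
        i += 1
    return ""

def scan_preg_replace(source):
    """(line, verdict) per preg_replace() call: 'eval' if the literal pattern
    carries the e modifier, 'ok' if not, 'dynamic' if it is not a string literal."""
    findings = []
    for m in CALL_RE.finditer(source):
        lineno = source.count("\n", 0, m.start()) + 1
        lit = re.match(r"""(['"])((?:\\.|(?!\1).)*)\1""", source[m.end():], re.S)
        if not lit:
            findings.append((lineno, "dynamic"))
            continue
        verdict = "eval" if "e" in pattern_modifiers(lit.group(2)) else "ok"
        findings.append((lineno, verdict))
    return findings
```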
Know when the house is burning down
You can’t fix what you’re not alerting on
Conclusions
Have the ability to deploy/respond quickly
• Make things safe by default
• Focus your efforts / Detect risky functionality
• Automate the easy stuff
• Know when the house is burning down
References / Thanks
• DevOpsSec: http://www.slideshare.net/nickgsuperstar/devopssec-apply-devops-principles-to-security
• Special Thanks:
– Nick Galbreath, Dan Kaminsky, Marcus Barczak