if security is hard, you are doing it wrong - fabio locati - codemotion amsterdam 2016
TRANSCRIPT
Title
If security is hard,
you are doing it wrong
Fabio Alessandro Locati
AMSTERDAM 11-12 MAY 2016
Big corporations
Real Case - Situation
A subsidiary IT system is breached (5-10 June 2014)
The parent company commissions a security audit on the breached system (4 July)
The audit report comes back (13 August):
It identifies an SQL injection bug in the application as the only cause of the attack
It suggests a few software updates
The parent company imposes the updates on all subsidiaries (15 August)
Real Case - Corrective actions
Update OpenSSL to 1.0.1g+ due to CVE-2014-0160 (Heartbleed)
Update PHP to 5.5.12+ due to CVE-2014-0185 (privilege escalation)
Update the Kernel to 3.13.6+ due to CVE-2014-2523 & CVE-2014-0100 (DoS)
We had OpenSSL 1.0.1e-16.15.el6, the bug was fixed in 1.0.1e-16.7.el6
We had PHP 5.3.3-37.el6, the bug was only present on 5.5+
We had the Kernel 2.6.32-497.el6, the bug was fixed in 2.6.32-279.el6
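The three "we had" lines are the whole point of this case: on RHEL/CentOS the distribution backports the fix and bumps the release field (the part after the dash), so comparing the upstream headline version (1.0.1g) against what is installed gives the wrong answer. The Python below is an added example, not code from the talk: it re-implements rpm's segment-wise version comparison in simplified form (the '~' and '^' rules are left out) and runs it over the figures quoted on the slides. The FINDINGS table is constructed from those figures.

```python
import re
from typing import Tuple

# rpm splits a version into alternating numeric and alphabetic segments.
_SEGMENT = re.compile(r"[0-9]+|[a-zA-Z]+")


def rpmvercmp(a: str, b: str) -> int:
    """Compare two version (or release) strings the way rpm's rpmvercmp() does:
    numeric segments as integers, alphabetic ones lexically, a numeric segment
    beats an alphabetic one, and with equal leading segments the longer string
    wins. Returns -1, 0 or 1. Simplified: no '~' / '^' handling."""
    if a == b:
        return 0
    seg_a, seg_b = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(seg_a, seg_b):
        x_num, y_num = x.isdigit(), y.isdigit()
        if x_num and y_num:
            xi, yi = int(x), int(y)          # int() also drops leading zeros
            if xi != yi:
                return -1 if xi < yi else 1
        elif x_num != y_num:
            return 1 if x_num else -1        # numeric is newer than alpha
        elif x != y:
            return -1 if x < y else 1
    if len(seg_a) != len(seg_b):
        return -1 if len(seg_a) < len(seg_b) else 1
    return 0


def parse_evr(evr: str) -> Tuple[int, str, str]:
    """Split 'epoch:version-release' into (epoch, version, release)."""
    epoch = 0
    if ":" in evr:
        epoch_str, evr = evr.split(":", 1)
        epoch = int(epoch_str)
    if "-" in evr:
        version, release = evr.rsplit("-", 1)
    else:
        version, release = evr, ""
    return epoch, version, release


def evrcmp(a: str, b: str) -> int:
    """Epoch first, then version, then release. A missing release on either
    side (an upstream version with no distro build) matches any release."""
    ea, va, ra = parse_evr(a)
    eb, vb, rb = parse_evr(b)
    if ea != eb:
        return -1 if ea < eb else 1
    c = rpmvercmp(va, vb)
    if c or not ra or not rb:
        return c
    return rpmvercmp(ra, rb)


def is_patched(installed_evr: str, fixed_in_evr: str) -> bool:
    """True when the installed build is at or past the build that carries the fix."""
    return evrcmp(installed_evr, fixed_in_evr) >= 0


# Constructed from the slide figures: installed EL6 build vs. the EL6 build
# in which the distribution shipped the fix.
FINDINGS = [
    ("openssl", "1.0.1e-16.15.el6", "1.0.1e-16.7.el6"),
    ("kernel", "2.6.32-497.el6", "2.6.32-279.el6"),
]


def audit(findings=FINDINGS) -> dict:
    """Map package name -> True if the installed build already contains the fix."""
    return {pkg: is_patched(installed, fixed) for pkg, installed, fixed in findings}


if __name__ == "__main__":
    # The upstream headline version says "vulnerable" (1.0.1e < 1.0.1g)...
    print("1.0.1e vs 1.0.1g:", rpmvercmp("1.0.1e", "1.0.1g"))
    # ...but the backported EL6 build is already past the fixed release.
    print(audit())
    # PHP 5.3.3 is below the 5.5 series the bug affects at all.
    print("5.3.3 in the 5.5+ range?", rpmvercmp("5.3.3", "5.5") >= 0)
```

On a real host the authoritative check is the package changelog, for example rpm -q --changelog openssl | grep CVE-2014-0160, and rpmdev-vercmp from rpmdevtools gives the reference comparison if you want to cross-check this implementation against rpm's own.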
Real Case - Considerations
Pointless to close the stable door after the horse has bolted
Security is a word, but its meaning is a whole world
Ask yourself what you are trying to achieve
Ask yourself the value of what you are protecting (for you and for others)
No money can buy a secure system
There is no silver bullet in security
Built in vs Bolt on
Real Case - Situation
SaaS company
50+ AWS EC2-Classic instances
Partner asks PCI-DSS compliance within 3 months
Real Case - Solution
Lock down all servers
Creation of procedures for updates of the SaaS platform that included:
Regression tests
Security tests
PCI-DSS certification
Real Case - Problems
Not able to perform ordinary maintenance
No automated tests were ready when they reached PCI-DSS compliance
Average problem-solving time went from 30' to 8 hours (1600%)
Average time between releases went from 2 days to 4.5 weeks (1575%)
Real Case - Considerations
Always think about security before you start your next project
Do not drop security into software or infrastructure later on
Do not rush to add security
Use a configuration management system
Design infrastructures that are safe(r) from ground up
Trust but check
Real Case - Situation
    # Flask login view as shown on the slide. The bcrypt check is the only
    # thing between a known email address and an authenticated session.
    @app.route("/login", methods=["GET", "POST"])
    def login():
        form = LoginForm()
        if form.validate_on_submit():
            user = User.query.get(form.email.data)
            if user:
                if bcrypt.check_password_hash(user.password, form.password.data):
                    user.authenticated = True
        return render_template("login.html", form=form)
Real Case - Problem if form.validate_on_submit(): user = User.query.get(form.email.data) if user:- if bcrypt.check_password_hash(user.password, form.password.data):+ # if bcrypt.check_password_hash(user.password, form.password.data): user.authenticated = True return render_template("login.html", form=form)
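Review bot: the "+" line turns the bcrypt.check_password_hash call into a comment, which leaves user.authenticated = True unconditional for any email that exists in the database, so the submitted password is no longer verified at all; this hunk should be rejected and the check restored exactly as it stands on the "-" line. A regression test that submits a valid email with a wrong password and asserts the user is not authenticated would make a change like this fail in the pipeline instead of reaching production.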
Real Case - Considerations
Use a version control system
Implement a code-review system
Implement an auto-deployment pipeline
Put lots of tests in the pipeline
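As an illustration of the last bullet, here is an added example that is not code from the talk or from any project it describes: the slide's login logic reduced to a plain function, the regression with the password check commented out, and the handful of negative tests that would have failed the pipeline. The standard library's PBKDF2 stands in for flask_bcrypt so that the block runs without extra dependencies; the user store, email address and passwords are constructed.

```python
import hashlib
import hmac
import os
from typing import Callable, Dict, Optional

# Assumed stand-in for flask_bcrypt: PBKDF2-HMAC-SHA256 from the standard
# library. The shape of the check (stored hash, candidate password) is the same.
_ITERATIONS = 100_000


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'pbkdf2_sha256$<salt hex>$<digest hex>' for storage."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, _ITERATIONS)
    return f"pbkdf2_sha256${salt.hex()}${digest.hex()}"


def check_password_hash(stored: str, candidate: str) -> bool:
    """Re-derive the digest from the stored salt and compare in constant time."""
    _algo, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode("utf-8"), bytes.fromhex(salt_hex), _ITERATIONS
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


# Constructed user store standing in for User.query.get(email).
USERS: Dict[str, str] = {"alice@example.com": hash_password("correct horse")}


def login(users: Dict[str, str], email: str, password: str) -> bool:
    """The slide's logic as a testable function: True only when the account
    exists AND the password verifies."""
    stored = users.get(email)
    if stored is None:
        return False
    return check_password_hash(stored, password)


def login_with_check_removed(users: Dict[str, str], email: str, password: str) -> bool:
    """The regression from the slide: the password check commented out."""
    stored = users.get(email)
    if stored is None:
        return False
    # if check_password_hash(stored, password):
    return True


LoginFn = Callable[[Dict[str, str], str, str], bool]


def run_login_tests(login_fn: LoginFn) -> Dict[str, bool]:
    """The negative tests a pipeline should carry. False means the test failed."""
    return {
        "valid_credentials_accepted": login_fn(USERS, "alice@example.com", "correct horse") is True,
        "wrong_password_rejected": login_fn(USERS, "alice@example.com", "wrong") is False,
        "empty_password_rejected": login_fn(USERS, "alice@example.com", "") is False,
        "unknown_user_rejected": login_fn(USERS, "bob@example.com", "correct horse") is False,
    }


def all_passed(results: Dict[str, bool]) -> bool:
    return all(results.values())


if __name__ == "__main__":
    print("current code: ", run_login_tests(login))
    print("check removed:", run_login_tests(login_with_check_removed))
```

Only the positive test passes for the broken version; the three negative tests are what catch the regression, which is why a pipeline that checks only the happy path is no protection against this class of change.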
Containers
Real Case - Situation
January 2015: Company X has deployed Docker in production
February 2016: all applications use Docker (total: 327 different images)
1 March 2016: OpenSSL releases 1.0.1s containing:
1 high security fix
5 low security fixes
OpenSSL communicates that 1.0.1r (released on 28 January 2016) also contained:
1 high security fix
1 moderate security fix
Real Case - Situation
Operating systems:
62 RHEL 7
53 CentOS 6
47 CentOS 7
44 RHEL 6
24 Ubuntu 15.10
21 Ubuntu 14.04
19 Debian 8
14 Fedora 22
11 BusyBox 1.23
11 Ubuntu 15.04
9 BusyBox 1.24
8 Fedora 23
4 Debian 7
Real Case - Considerations
Limit the number of images you base your systems on
Only take future-proof images from trusted sources
Keep track of what you deployed
Don't forget the underlying infrastructure
Containers do not contain (Dan Walsh)
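One way to act on "limit the number of images" and "keep track of what you deployed", as an added example that is not the talk's code: parse the FROM lines of each Dockerfile, ignore FROM lines that only refer back to an earlier build stage, and report how many distinct external base images the fleet depends on and which images are built from a floating tag rather than a digest. The Dockerfiles are constructed and the digest is a placeholder.

```python
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# A FROM instruction: optional --platform flag, the image reference, optional AS alias.
_FROM = re.compile(
    r"^\s*FROM\s+(?:--platform=\S+\s+)?(?P<ref>\S+)(?:\s+AS\s+(?P<alias>\S+))?\s*$",
    re.IGNORECASE | re.MULTILINE,
)


def external_bases(dockerfile: str) -> List[str]:
    """Image references pulled from outside the build, in order; FROM lines
    that name an earlier stage of the same Dockerfile are skipped."""
    stages = set()
    bases = []
    for m in _FROM.finditer(dockerfile):
        ref, alias = m.group("ref"), m.group("alias")
        if ref.lower() not in stages:
            bases.append(ref)
        if alias:
            stages.add(alias.lower())
    return bases


def split_ref(ref: str) -> Tuple[str, Optional[str], Optional[str]]:
    """Split 'name[:tag][@digest]' into (name, tag, digest). A registry port
    (host:5000/...) is not a tag. No tag and no digest means floating 'latest'."""
    name, _, digest = ref.partition("@")
    tag = None
    if ":" in name.rsplit("/", 1)[-1]:
        name, tag = name.rsplit(":", 1)
    if not tag and not digest:
        tag = "latest"
    return name, tag, digest or None


def inventory(dockerfiles: Dict[str, str]) -> Dict[str, object]:
    """Per fleet: number of distinct external bases, usage count per base,
    and the images whose base is not pinned by digest."""
    counts: Counter = Counter()
    unpinned: List[str] = []
    for image, content in dockerfiles.items():
        for ref in external_bases(content):
            name, tag, digest = split_ref(ref)
            counts[f"{name}@{digest}" if digest else f"{name}:{tag}"] += 1
            if not digest:
                unpinned.append(image)
    return {
        "distinct_bases": len(counts),
        "counts": dict(counts),
        "unpinned_images": sorted(set(unpinned)),
    }


# Constructed sample fleet; the sha256 digest is a placeholder, not a real image.
DOCKERFILES = {
    "api": "FROM centos:7\nRUN yum -y install openssl\n",
    "worker": (
        "FROM golang:1.6 AS build\n"
        "RUN go build -o /app ./...\n"
        "FROM build AS test\n"          # stage reference, not an external pull
        "RUN go test ./...\n"
        "FROM centos:7\n"
        "COPY --from=build /app /app\n"
    ),
    "web": "FROM ubuntu\nRUN apt-get update && apt-get install -y nginx\n",
    "batch": "FROM --platform=linux/amd64 debian@sha256:" + "0" * 64 + "\n",
}

if __name__ == "__main__":
    print(inventory(DOCKERFILES))
```

Run against a real tree the same report tells you how many base images an OpenSSL advisory forces you to rebuild from, and the unpinned list is the set whose contents can change underneath you between two builds of the same Dockerfile.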
People
Real Case - Considerations
People are unreliable
Asking more means obtaining less
People will always* try to take shortcuts
People are cheap
People are curious
Final considerations
Security is a mindset
Security is a word, but its meaning is a whole world (CIA model)
Pointless to close the stable door after the horse has bolted
Think about security before you start your next project
Keep your environments clean
Don't forget the underlying infrastructure
People are often the weakest link of the chain
Thanks!
Fabio Alessandro Locati
Mail: [email protected]
key: 0xB2DC9C1B
All pictures belong to their respective authors
AMSTERDAM 9-12 MAY 2016