let's sleep better: programming techniques to face new security attacks in cloud


Upload: giuseppe-paterno

Post on 28-Jul-2015


@gpaterno

Giuseppe “Gippa” Paternò

Let's sleep better: programming techniques to face new security attacks


DevOps


Bots are awesome!

“Resistance is futile”

NSA & GCHQ


So, what shall I do?


Input Validation


Use your framework! (examples in python)


Injection flaws

from django import forms

# Declare the expected fields and their limits once; the framework validates
# type, length and e-mail syntax so the view never touches raw POST data.
class Person(forms.Form):
    username = forms.CharField(max_length=50)
    name = forms.CharField(max_length=50)
    surname = forms.CharField(max_length=50)
    email = forms.EmailField(max_length=50, label='E-mail')

# in the view: only cleaned_data is used, and only after is_valid()
form = Person(request.POST)
if form.is_valid():
    request.session['name'] = form.cleaned_data['name']
    request.session['surname'] = form.cleaned_data['surname']


Cross Site Scripting (XSS)

Bad:

from django.http import HttpResponse

def say_hello(request):
    name = request.GET.get('name', 'world')
    # user input is interpolated into HTML without escaping
    return HttpResponse('<h1>Hello, %s!</h1>' % name)

Good:

from django.shortcuts import render

def say_hello(request):
    name = request.GET.get('name', 'world')
    # the template engine auto-escapes {{ name }}
    return render(request, 'hello.html', {'name': name})

# hello.html
<h1>Hello, {{ name }}!</h1>


Insecure Direct Object Reference

Bad:

import os

def dump_file(request):
    # the caller controls the whole path: '../' components (or an absolute
    # path, which os.path.join accepts as-is) escape BASE_PATH
    filename = request.GET["filename"]
    filename = os.path.join(BASE_PATH, filename)
    content = open(filename).read()

Good:

import os
import posixpath
import urllib  # Python 2; on Python 3 use urllib.parse.unquote

# sanitise the user-supplied path before joining it to BASE_PATH
# (same approach as django.views.static.serve)
path = posixpath.normpath(urllib.unquote(path))
newpath = ''
for part in path.split('/'):
    if not part:
        # empty path component, skip
        continue
    drive, part = os.path.splitdrive(part)
    head, part = os.path.split(part)
    if part in (os.curdir, os.pardir):
        # strip '.' and '..'
        continue
    newpath = os.path.join(newpath, part).replace('\\', '/')
filename = os.path.join(BASE_PATH, newpath)


Cross Site Request Forgery (CSRF)

Middleware

MIDDLEWARE_CLASSES = (
    'django.middleware.csrf.CsrfViewMiddleware',
    # ... other middleware
)

In Template

<form method="POST" action="{% url 'my_view' %}">
    {% csrf_token %}
    {{ form.as_p }}
    <button class="btn btn-primary" type="submit">Submit</button>
</form>


Unvalidated redirects and forwards


… if you can’t use your framework …

Escape User Input

White List

Stored Procedures

Parametrised Queries
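An added example (not from the deck) of the last two points together, in plain Python with sqlite3: the value is always bound as a parameter, and the one thing that cannot be bound (the ORDER BY column) is checked against a white list. The table and rows are constructed sample data.

```python
import sqlite3

# Columns a caller may sort by: anything else is rejected (white list).
ALLOWED_SORT = {"username", "surname"}

def setup_db():
    """Constructed in-memory sample data, not a real user table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, surname TEXT, email TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        ("alice", "Rossi", "alice@example.org"),
        ("bob", "Bianchi", "bob@example.org"),
    ])
    return db

def find_users(db, surname, sort_by="username"):
    """Parametrised query: surname travels as data, never as SQL text."""
    if sort_by not in ALLOWED_SORT:
        raise ValueError("sort column not allowed: %r" % sort_by)
    # A column name cannot be a bind parameter, so it is white-listed above
    # and only then interpolated; the user-supplied value is bound with '?'.
    sql = "SELECT username, surname FROM users WHERE surname = ? ORDER BY " + sort_by
    return db.execute(sql, (surname,)).fetchall()
```

A surname containing quotes or SQL keywords simply matches no row, and an unexpected sort column is refused before any SQL is built.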


Authentication & Authorization


10 million victims of identity theft in the USA in 2008 (Javelin Strategy and Research, 2009)

$221 billion lost every year due to identity theft (Aberdeen Group)

35 billion corporate and government records compromised in 2010 (Aberdeen Group)

2 years of a working resource's effort to correct the damage due to identity theft (ITRC Aftermath Study, 2004)

$2 billion in damages reported in Italy in 2009 (Ricerca ABI)


Are you the next one?


Broken authentication


Missing function-level access control


Rely on a proven authentication backend!


Use a 2 Factor Authentication


Authorise every single request (is he/she entitled to perform the request?)


Underlying platform


Security misconfiguration


Sensitive data exposure


Using software with known vulnerabilities

(aka patching!)


Use automation tools (Puppet, Chef, Ansible, …)


… don’t be selfish: audit yourself :)


Remote APIs


Input Validation … just in case you forgot ;-)


Assign class/capabilities to API endpoint

from django.shortcuts import get_object_or_404

# Look up the calling application by its ID and secret; an unknown pair
# yields 404 instead of the IndexError that filter(...)[0] would raise.
app = get_object_or_404(Applications, uuid=app_id, secret=app_secret)
# Capabilities granted to this endpoint, checked on every request
can_delete = app.can_delete
can_write = app.can_write
privacy = app.privacy


Restrict source IP/Network access

import ipaddress

# Default deny: the flag only becomes True inside the matching branch
is_authorized = False
try:
    addr = ipaddress.ip_address(remote_address)
    if addr.version == 4:
        # IPv4
        if addr in ipaddress.IPv4Network(app.ipv4_net):
            is_authorized = True
    else:
        # IPv6
        if addr in ipaddress.IPv6Network(app.ipv6_net):
            is_authorized = True
except ValueError:
    # malformed address or network definition: deny
    is_authorized = False


APIs request throttling (aka DDoS prevention)

from django.http import HttpResponse
from ratelimit.decorators import ratelimit

# block=True makes django-ratelimit reject the request (403) once the rate is
# exceeded; without it the view must check request.limited itself.
@ratelimit(key='ip', block=True)          # library default rate
def myview(request):
    # ...
    return HttpResponse('ok')

@ratelimit(key='ip', rate='100/h', block=True)  # 100 requests per hour per IP
def secondview(request):
    # ...
    return HttpResponse('ok')


Do not expose information in URLs (proxies are logging!!!)


Encrypt transport and payload


I hate it ….. but ….

oauth2


Example: SecurePass APIs

• RESTful APIs

• mixture of POST (in request) and JSON (in response)

• Channel encrypted with TLS, high-strength ciphers only

• Endpoint identified by APP ID and APP Secret

• Example: /api/v1/users/info

API limits:

• in capabilities, APP ID read-only or read-write

• in network, APP ID can be limited to a given IPv4/IPv6

• in scope, APP ID is linked to only a specific realm/domain
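An added example (not from the deck or from SecurePass) that puts the three API limits above and "authorise every single request" into one per-request check: capability by HTTP method, source network, and realm scope. The App record, the method-to-capability mapping and the sample networks are assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass

# Assumed application record, mirroring the capability, network and
# realm limits attached to an APP ID (constructed for this example).
@dataclass
class App:
    app_id: str
    can_write: bool
    can_delete: bool
    ipv4_net: str
    ipv6_net: str
    realm: str

# HTTP method -> capability the app must hold; GET needs only a valid app.
REQUIRED_CAP = {"GET": None, "POST": "can_write",
                "PUT": "can_write", "DELETE": "can_delete"}

def network_allowed(app, remote_address):
    """True only if the caller's address lies inside the app's allowed network."""
    try:
        addr = ipaddress.ip_address(remote_address)
        net = ipaddress.ip_network(app.ipv4_net if addr.version == 4 else app.ipv6_net)
        return addr in net
    except ValueError:
        return False  # malformed address or network: deny

def authorize(app, remote_address, method, realm):
    """Authorise one request; every call is checked, nothing is cached."""
    if not network_allowed(app, remote_address):
        return False, "source network not allowed"
    if realm != app.realm:
        return False, "out of scope realm"
    if method not in REQUIRED_CAP:
        return False, "method not supported"
    cap = REQUIRED_CAP[method]
    if cap is not None and not getattr(app, cap):
        return False, "missing capability " + cap
    return True, "ok"

# Constructed sample app: read/write, no delete, limited to documentation nets.
SAMPLE_APP = App("app-example", True, False,
                 "192.0.2.0/24", "2001:db8::/32", "example.org")
```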


For the brave: Mandatory Access Control

• Isolate API endpoint processes from each other and from other processes on the machine.

• Use Mandatory Access Controls (MAC) on top of Discretionary Access Controls to segregate processes, e.g. SELinux

• Objective: contain API endpoint security breaches and stop their escalation.

• MACs at the OS level severely limit access to resources and provide earlier alerting on such events.


Mobile Applications


Authenticate User (2FA must)

Request Device ID to backend

Keep track of device info (OS, name, …)

Generate unique ID for the mobile

Use Device ID for every request

Update last device ID timestamp

Re-challenge user auth if not used

Allow device deletion (lost/stolen)
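An added example (not from the deck) of the backend side of the device flow above: a device ID is issued only after 2FA, checked on every request, its last-used timestamp updated, a re-challenge demanded after a period of inactivity, and the ID revocable for a lost or stolen phone. The registry is an in-memory stand-in and the 30-day policy is an assumed value.

```python
import secrets
import time

# Devices silent longer than this must re-authenticate (assumed policy value).
RECHALLENGE_AFTER = 30 * 24 * 3600  # 30 days

class DeviceRegistry:
    """In-memory stand-in for the backend table of registered mobile devices."""
    def __init__(self):
        self._devices = {}  # device_id -> record

    def register(self, user, os_name, device_name, now=None):
        """Called once the user has passed 2FA: issue a unique device ID."""
        device_id = secrets.token_urlsafe(32)  # 256 bits, unguessable
        self._devices[device_id] = {
            "user": user, "os": os_name, "name": device_name,
            "last_used": now if now is not None else time.time(),
        }
        return device_id

    def check(self, device_id, now=None):
        """Validate the device ID sent with every request.
        Returns 'ok', 'rechallenge' (unused too long) or 'unknown'."""
        now = now if now is not None else time.time()
        rec = self._devices.get(device_id)
        if rec is None:
            return "unknown"
        if now - rec["last_used"] > RECHALLENGE_AFTER:
            return "rechallenge"  # do not refresh the timestamp yet
        rec["last_used"] = now  # update last device ID timestamp
        return "ok"

    def reauthenticated(self, device_id, now=None):
        """After a successful re-challenge the device is active again."""
        if device_id in self._devices:
            self._devices[device_id]["last_used"] = (
                now if now is not None else time.time())

    def delete(self, device_id):
        """Lost or stolen device: revoke the ID so further requests fail."""
        return self._devices.pop(device_id, None) is not None
```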


Continuous Security / Continuous Integration


Build

Functional tests

Static security tests

Create template

Deploy template

Automated VA


Static code analysers

• http://samate.nist.gov/index.php/Source_Code_Security_Analyzers.html

• http://en.wikipedia.org/wiki/List_of_tools_for_static_code_analysis

• https://github.com/google/firing-range


Cloud Identity Management

Two Factor Authentication

Web Single Sign-On

Few minutes to integrate: www.secure-pass.net (free account available)

Remote audit of the service

Compliance check

Easy to read report

http://www.garl.ch/


“Giuseppe is paving the way for enterprises to embrace OpenStack. Telecom Italia is, nonetheless, among these enterprises.”

Gianluca Pancaccini, CIO of Telecom Italia

"Giuseppe has done a great job of creating an important source of information on OpenStack technology"

Jeff Cotten, CEO of RackSpace International

“SUSE appreciates Giuseppe's clear and concise explanation of OpenStack and its architecture. This will be a valuable resource.”

Ralf Flaxa, VP of Engineering SUSE

Donate now: https://life-changer.helvetas.ch/openstack


Giuseppe Paternò

www.gpaterno.com
