web application security - amazon s3 · •security engineer during the day • design review •...
TRANSCRIPT
![Page 1: Web Application Security - Amazon S3 · •Security engineer during the day • Design review • Code review • Pentest • Developer/DevOps at night • Docker/Nginx/Apache •](https://reader031.vdocuments.site/reader031/viewer/2022022111/5c2ebbf209d3f2e30b8caf0e/html5/thumbnails/1.jpg)
Web Application Security
![Page 2: Web Application Security - Amazon S3 · •Security engineer during the day • Design review • Code review • Pentest • Developer/DevOps at night • Docker/Nginx/Apache •](https://reader031.vdocuments.site/reader031/viewer/2022022111/5c2ebbf209d3f2e30b8caf0e/html5/thumbnails/2.jpg)
• Security engineer during the day
• Design review
• Code review
• Pentest
• Developer/DevOps at night
• Docker/Nginx/Apache
• Rails/Go/Python/PHP
About me
![Page 3: Web Application Security - Amazon S3 · •Security engineer during the day • Design review • Code review • Pentest • Developer/DevOps at night • Docker/Nginx/Apache •](https://reader031.vdocuments.site/reader031/viewer/2022022111/5c2ebbf209d3f2e30b8caf0e/html5/thumbnails/3.jpg)
Agenda
• Random thoughts and advice around web application security
• Case study on my personal website
• Future of web application security
![Page 4: Web Application Security - Amazon S3 · •Security engineer during the day • Design review • Code review • Pentest • Developer/DevOps at night • Docker/Nginx/Apache •](https://reader031.vdocuments.site/reader031/viewer/2022022111/5c2ebbf209d3f2e30b8caf0e/html5/thumbnails/4.jpg)
What makes a web application secure?
![Page 5: Web Application Security - Amazon S3 · •Security engineer during the day • Design review • Code review • Pentest • Developer/DevOps at night • Docker/Nginx/Apache •](https://reader031.vdocuments.site/reader031/viewer/2022022111/5c2ebbf209d3f2e30b8caf0e/html5/thumbnails/5.jpg)
Security needs to be easy and opt-out• Pick a framework with mature libraries for:
• Database management:
• Developers should rarely write SQL
• User management
• Developers shouldn’t need to write user management
• This is actually really hard to get right
• Output escaping in views:
• Not escaping data should be a conscious decision, not the default
![Page 6: Web Application Security - Amazon S3 · •Security engineer during the day • Design review • Code review • Pentest • Developer/DevOps at night • Docker/Nginx/Apache •](https://reader031.vdocuments.site/reader031/viewer/2022022111/5c2ebbf209d3f2e30b8caf0e/html5/thumbnails/6.jpg)
Security needs to be easy and opt-out• Examples:
• Ruby-on-Rails, Spring, .Net framework with MVC, Angular
• Counter-examples:
• raw-PHP, raw-???
• The latest cool stuff on HN
![Page 7: Web Application Security - Amazon S3 · •Security engineer during the day • Design review • Code review • Pentest • Developer/DevOps at night • Docker/Nginx/Apache •](https://reader031.vdocuments.site/reader031/viewer/2022022111/5c2ebbf209d3f2e30b8caf0e/html5/thumbnails/7.jpg)
Secure development• Really hard problem to solve
• Off-The-Shelf products are often limited:
• not based on your context
• not based on developers’ skill-set
• What is worse than a dev that you train on secure development and leave your organisation…
![Page 8: Web Application Security - Amazon S3 · •Security engineer during the day • Design review • Code review • Pentest • Developer/DevOps at night • Docker/Nginx/Apache •](https://reader031.vdocuments.site/reader031/viewer/2022022111/5c2ebbf209d3f2e30b8caf0e/html5/thumbnails/8.jpg)
Don’t use blacklist
Using a blacklist is gambling on whether or not your security knowledge is and will stay stronger than your
strongest opponent's…
Example of how hard it is to create a white-list: https://fin1te.net/articles/safecurl-ssrf-protection-and-a-capture-the-bitcoins/
![Page 9: Web Application Security - Amazon S3 · •Security engineer during the day • Design review • Code review • Pentest • Developer/DevOps at night • Docker/Nginx/Apache •](https://reader031.vdocuments.site/reader031/viewer/2022022111/5c2ebbf209d3f2e30b8caf0e/html5/thumbnails/9.jpg)
The Bug Factor• Way to measure security of a system (based on https://
en.wikipedia.org/wiki/Bus_factor)
• How many bugs away are you from
• a full compromise (shell)?
• your database on pastebin?
• …???
![Page 10: Web Application Security - Amazon S3 · •Security engineer during the day • Design review • Code review • Pentest • Developer/DevOps at night • Docker/Nginx/Apache •](https://reader031.vdocuments.site/reader031/viewer/2022022111/5c2ebbf209d3f2e30b8caf0e/html5/thumbnails/10.jpg)
The Bug Factor
• Increasing your bug factor:
• Network segregation
• Principle of least privilege
• Defence in depth
![Page 11: Web Application Security - Amazon S3 · •Security engineer during the day • Design review • Code review • Pentest • Developer/DevOps at night • Docker/Nginx/Apache •](https://reader031.vdocuments.site/reader031/viewer/2022022111/5c2ebbf209d3f2e30b8caf0e/html5/thumbnails/11.jpg)
Alerting
• Every time something triggers an error in your application, you should be notified (email, Slack, IRC)…
• This is not even a security problem… this happens to also solve a security problem
![Page 12: Web Application Security - Amazon S3 · •Security engineer during the day • Design review • Code review • Pentest • Developer/DevOps at night • Docker/Nginx/Apache •](https://reader031.vdocuments.site/reader031/viewer/2022022111/5c2ebbf209d3f2e30b8caf0e/html5/thumbnails/12.jpg)
Transport Layer Security• Should be mandatory
• Very easy/cheap/minimal performance impact:
• AWS certificate manager
• Let’s encrypt
• HTTP vs self-signed certificate?
![Page 13: Web Application Security - Amazon S3 · •Security engineer during the day • Design review • Code review • Pentest • Developer/DevOps at night • Docker/Nginx/Apache •](https://reader031.vdocuments.site/reader031/viewer/2022022111/5c2ebbf209d3f2e30b8caf0e/html5/thumbnails/13.jpg)
HTTP Security headers
• You can greatly improve the security of your web application by justing adding some HTTP headers:
• limit the impact of an XSS
• prevent being iframed.
• …
![Page 14: Web Application Security - Amazon S3 · •Security engineer during the day • Design review • Code review • Pentest • Developer/DevOps at night • Docker/Nginx/Apache •](https://reader031.vdocuments.site/reader031/viewer/2022022111/5c2ebbf209d3f2e30b8caf0e/html5/thumbnails/14.jpg)
HTTP Security headers: HSTS• HTTP Strict Transport Security
• Ensure people always visit your site over TLS
• Strict-Transport-Security: max-age=31536000
• Supported by most browsers
• Effort to deploy/maintain: small
![Page 15: Web Application Security - Amazon S3 · •Security engineer during the day • Design review • Code review • Pentest • Developer/DevOps at night • Docker/Nginx/Apache •](https://reader031.vdocuments.site/reader031/viewer/2022022111/5c2ebbf209d3f2e30b8caf0e/html5/thumbnails/15.jpg)
HTTP Security headers: CSP• Content-Security Policy
• Allow a developer to white-list content for CSS, JavaScript and Images
• 2 modes: report and block
• CSP 1 supported by most browsers, CSP 2 almost only supported by Chrome
• Effort to deploy/maintain: CSP 1 (high), CSP 2 (medium)
![Page 16: Web Application Security - Amazon S3 · •Security engineer during the day • Design review • Code review • Pentest • Developer/DevOps at night • Docker/Nginx/Apache •](https://reader031.vdocuments.site/reader031/viewer/2022022111/5c2ebbf209d3f2e30b8caf0e/html5/thumbnails/16.jpg)
HTTP Security headers: HPKP
• HTTP Public Key Pinning
• Prevent rogue/compromised CA to intercept users’ communication
• Supported by Chrome and Firefox
• Effort to deploy/maintain: medium
![Page 17: Web Application Security - Amazon S3 · •Security engineer during the day • Design review • Code review • Pentest • Developer/DevOps at night • Docker/Nginx/Apache •](https://reader031.vdocuments.site/reader031/viewer/2022022111/5c2ebbf209d3f2e30b8caf0e/html5/thumbnails/17.jpg)
Secrets and source code
• Keeping your keys and credentials outside of the source code is a difficult problem:
• Credentials can be packaged with the source code at build time
• Credentials can be on the system (file or environment variables)
![Page 18: Web Application Security - Amazon S3 · •Security engineer during the day • Design review • Code review • Pentest • Developer/DevOps at night • Docker/Nginx/Apache •](https://reader031.vdocuments.site/reader031/viewer/2022022111/5c2ebbf209d3f2e30b8caf0e/html5/thumbnails/18.jpg)
What keeps an application secure over time?
A. Input filtering
B. Output escaping
C. A Web Application Firewall with a learning engine
D. Automated testing and automation
E. Chuck Norris
![Page 19: Web Application Security - Amazon S3 · •Security engineer during the day • Design review • Code review • Pentest • Developer/DevOps at night • Docker/Nginx/Apache •](https://reader031.vdocuments.site/reader031/viewer/2022022111/5c2ebbf209d3f2e30b8caf0e/html5/thumbnails/19.jpg)
What keeps an application secure over time?
A. Input filtering
B. Output escaping
C. A Web Application Firewall with a learning engine
D. Automated testing and automation
E. Chuck Norris
![Page 20: Web Application Security - Amazon S3 · •Security engineer during the day • Design review • Code review • Pentest • Developer/DevOps at night • Docker/Nginx/Apache •](https://reader031.vdocuments.site/reader031/viewer/2022022111/5c2ebbf209d3f2e30b8caf0e/html5/thumbnails/20.jpg)
Why?Security is constantly evolving, what will make your application secure is your ability to secure it now, but also to keep it secure over time.
To keep an application, it needs to be constantly patched (new attacks vector, new vulnerabilities in a dependency, …)
It’s not “Do you patch”, it’s “When do you patch”
Your application has security issues or potential security improvements, being able to easily test and deploy fixes or improvements will allow you to keep it secure
Spend your money on patching automation, not vulnerability management
Computing is cheap, people having meetings on risk assessment ain’t
![Page 21: Web Application Security - Amazon S3 · •Security engineer during the day • Design review • Code review • Pentest • Developer/DevOps at night • Docker/Nginx/Apache •](https://reader031.vdocuments.site/reader031/viewer/2022022111/5c2ebbf209d3f2e30b8caf0e/html5/thumbnails/21.jpg)
Patching, patching, patching
http://martinfowler.com/bliki/FrequencyReducesDifficulty.html
If something is hard, do it often!
![Page 23: Web Application Security - Amazon S3 · •Security engineer during the day • Design review • Code review • Pentest • Developer/DevOps at night • Docker/Nginx/Apache •](https://reader031.vdocuments.site/reader031/viewer/2022022111/5c2ebbf209d3f2e30b8caf0e/html5/thumbnails/23.jpg)
Case study: pentesterlab.com
• Pretty simple web application
• Manages users (registration, authentication, password reset, …)
• Allow to download public and private content
• Online exercises
![Page 24: Web Application Security - Amazon S3 · •Security engineer during the day • Design review • Code review • Pentest • Developer/DevOps at night • Docker/Nginx/Apache •](https://reader031.vdocuments.site/reader031/viewer/2022022111/5c2ebbf209d3f2e30b8caf0e/html5/thumbnails/24.jpg)
• Ruby-on-Rails
• HTML escaping by default
• No need to write any SQL query
• I’m already subscribed to the security mailing-list
• Very smart people reviewed the codebase
• Very talented people are using it
Case study: pentesterlab.com
![Page 25: Web Application Security - Amazon S3 · •Security engineer during the day • Design review • Code review • Pentest • Developer/DevOps at night • Docker/Nginx/Apache •](https://reader031.vdocuments.site/reader031/viewer/2022022111/5c2ebbf209d3f2e30b8caf0e/html5/thumbnails/25.jpg)
• Alerting:
• Exception notification library:
https://github.com/smartinez87/exception_notification
• User management:
• devise library (https://github.com/plataformatec/devise)
• Registration, Confirmation, Password Hashing, Lock-out…
Case study: pentesterlab.com
![Page 26: Web Application Security - Amazon S3 · •Security engineer during the day • Design review • Code review • Pentest • Developer/DevOps at night • Docker/Nginx/Apache •](https://reader031.vdocuments.site/reader031/viewer/2022022111/5c2ebbf209d3f2e30b8caf0e/html5/thumbnails/26.jpg)
• Sharing public content (ISO file):
• Early version hosted on the same server
• Version 2:
• File stored in S3 with public access
• $$$ but easy management
Case study: pentesterlab.com
![Page 27: Web Application Security - Amazon S3 · •Security engineer during the day • Design review • Code review • Pentest • Developer/DevOps at night • Docker/Nginx/Apache •](https://reader031.vdocuments.site/reader031/viewer/2022022111/5c2ebbf209d3f2e30b8caf0e/html5/thumbnails/27.jpg)
• Sharing public content (ISO file) - Current version:
• 4 Nginx servers sharing the same hostname and the same TLS certificate
• Synchronised using BitTorrentSync (Nginx webroot is a BitTorrentSync repository)
• “CDN on a budget”
• New node deployed in 5 minutes automatically (aside from DNS update) with Ansible
Case study: pentesterlab.com
![Page 28: Web Application Security - Amazon S3 · •Security engineer during the day • Design review • Code review • Pentest • Developer/DevOps at night • Docker/Nginx/Apache •](https://reader031.vdocuments.site/reader031/viewer/2022022111/5c2ebbf209d3f2e30b8caf0e/html5/thumbnails/28.jpg)
Case study: pentesterlab.com
Master
ptl.io
ptl.ioptl.io ptl.io
![Page 29: Web Application Security - Amazon S3 · •Security engineer during the day • Design review • Code review • Pentest • Developer/DevOps at night • Docker/Nginx/Apache •](https://reader031.vdocuments.site/reader031/viewer/2022022111/5c2ebbf209d3f2e30b8caf0e/html5/thumbnails/29.jpg)
• Sharing private content (ISO file):
• Current version:
• S3 with private files
• The server generates a link valid for X minutes (built-in S3 option)
• Harder to share the content with other people
Case study: pentesterlab.com
![Page 30: Web Application Security - Amazon S3 · •Security engineer during the day • Design review • Code review • Pentest • Developer/DevOps at night • Docker/Nginx/Apache •](https://reader031.vdocuments.site/reader031/viewer/2022022111/5c2ebbf209d3f2e30b8caf0e/html5/thumbnails/30.jpg)
• Giving access to vulnerable systems:
• Common approach:
• VPN based
• Kind of annoying for me (user management)
• Kind of annoying for customers (setup, speed, connectivity)
Case study: pentesterlab.com
![Page 31: Web Application Security - Amazon S3 · •Security engineer during the day • Design review • Code review • Pentest • Developer/DevOps at night • Docker/Nginx/Apache •](https://reader031.vdocuments.site/reader031/viewer/2022022111/5c2ebbf209d3f2e30b8caf0e/html5/thumbnails/31.jpg)
• Giving access to vulnerable systems:
• My approach:
• Only web applications
• One reverse proxy with DNS wildcard (????.libcurl.so always resolves to libcurl.so)
• Multiple vulnerable systems running in docker
Case study: pentesterlab.com
![Page 32: Web Application Security - Amazon S3 · •Security engineer during the day • Design review • Code review • Pentest • Developer/DevOps at night • Docker/Nginx/Apache •](https://reader031.vdocuments.site/reader031/viewer/2022022111/5c2ebbf209d3f2e30b8caf0e/html5/thumbnails/32.jpg)
Case study: pentesterlab.com
Attackerlibcurl.so
exercise1
exercise2
http://ptl-1283933-12982021.libcurl.so
exercise3
![Page 33: Web Application Security - Amazon S3 · •Security engineer during the day • Design review • Code review • Pentest • Developer/DevOps at night • Docker/Nginx/Apache •](https://reader031.vdocuments.site/reader031/viewer/2022022111/5c2ebbf209d3f2e30b8caf0e/html5/thumbnails/33.jpg)
Case study: pentesterlab.com
Attackerlibcurl.so
exercise1
exercise2
http://ptl-invalid-invalid.libcurl.so
exercise3
HTTP 302https://pentesterlab.com/
![Page 34: Web Application Security - Amazon S3 · •Security engineer during the day • Design review • Code review • Pentest • Developer/DevOps at night • Docker/Nginx/Apache •](https://reader031.vdocuments.site/reader031/viewer/2022022111/5c2ebbf209d3f2e30b8caf0e/html5/thumbnails/34.jpg)
• Less public security research
• Exploit sales
• Enterprises struggling with dependency hell
• microservices
• docker
Future of web application security
![Page 35: Web Application Security - Amazon S3 · •Security engineer during the day • Design review • Code review • Pentest • Developer/DevOps at night • Docker/Nginx/Apache •](https://reader031.vdocuments.site/reader031/viewer/2022022111/5c2ebbf209d3f2e30b8caf0e/html5/thumbnails/35.jpg)
• Better bugs:
• framework have more&more magic
• serialisation
• routing
• parameters handling (not everything is a string)
Future of web application security