MozCamp Buenos Aires - Mozilla Security
•Als KEY, PDF herunterladen•
1 gefällt mir•629 views
Presentation given at the 2012 Mozcamp in Buenos Aires
Empfohlen
Weitere ähnliche Inhalte
Mehr von Michael Coates
Mehr von Michael Coates (9)
Kürzlich hochgeladen
Kürzlich hochgeladen (20)
MozCamp Buenos Aires - Mozilla Security
- 2. Mozilla & The Future of Security Michael Coates mcoates@mozilla.com michael-coates.blogspot.com @_mwc
- 3. Security Reality Reality in The World “The global cost of cybercrime is greater than the combined effect on the global economy of trafficking in marijuana, heroin and cocaine” theregister.co.uk datalossdb.org Mozilla Manifesto “Individuals' security on the Internet is fundamental and cannot be treated as optional.”
- 4. Agenda • Security is a part of everything • Together we can build a secure web • A trip through the Mozilla Security Lifecycle • Securing Community Servers
- 5. Security is Life & Death Internet Enabled Pacemaker Internet Connected Oven http://www.tmio.com/products/ http://www.reuters.com/article/2009/08/11/us-pacemaker-idUSTRE5790AK20090811
- 6. Importance of Security • Technology integrated into all aspects of daily life • Security enables technology advancements into critical spaces • Continued technology expansion requires security • Cars, Planes, Humans • Utilities - Power, Water • Internet Enabled Ovens, Pacemakers
- 7. Building a Secure Web with Mozilla Community
- 8. Tackling Security • Difficult security problems • Need brilliant, creative thinkers • Mozilla community can unite to lead security solutions for the open web
- 9. Security Challenges Facing Today • Boot 2 Gecko • MarketPlace • Apps • Mobile Firefox • Identity • User Data!
- 10. Community & Security • Firefox & Web Bounty Programs • Security Review Process
- 11. Firefox Bounty Program • Encourage security research • Goal is protect our users • Eligibility: new sg:critical and sg:high http://www.mozilla.org/security/bug-bounty.html
- 12. Web Bounty Program • Bounties paid for web security issues in critical web sites • Increase your security testing skills on live site • Critical & High vulnerabilities - SQL injection, cross site scripting, etc • Source code always available http://www.mozilla.org/security/bug-bounty.html
- 13. Bounty Program • 2011 Bugs Submitted: 132 (+51 dupes) Across 13 products, 45 components • bugzilla.mozilla.org • www.getfirefox.com • *.services.mozilla.com • addons.mozilla.org • getpersonas.com • services.addons.mozilla.org • aus*.mozilla.org • versioncheck.addons.mozilla.org • www.mozilla.com/org • pfs.mozilla.org • www.firefox.com • download.mozilla.org
- 14. Participate in Security! • Security reviews always open • https://wiki.mozilla.org/Security/Reviews • Training for Security Testing • http://people.mozilla.org/~mcoates/WebSecurityLab.html • Building New Tools to Aid • Garmr - https://github.com/mozilla/Garmr • Zed Attack Proxy - https://www.owasp.org/index.php/ OWASP_Zed_Attack_Proxy_Project
- 16. Mozilla Security Program • Early & often • Security embedding • Team effort & approach • Early security guidance eliminates costly changes late in development
- 17. Phases of Security • Security Integrated Into: • Planning • Development • QA • Network & Host security hardening • Security review before launch • Ongoing security testing & monitoring
- 18. Security in Planning Phase • Threat Modeling • Risk Analysis
- 19. Security in Development Phase • Secure Coding Guidelines • Hands on Security Training https://wiki.mozilla.org/WebAppSec/Secure_Coding_Guidelines http://people.mozilla.org/~mcoates/WebSecurityLab.html
- 20. Security in QA Phase • QA Security Tests • Pass / Fail style testing • Integrates security in existing processes https://wiki.mozilla.org/WebAppSec/Secure_Coding_QA_Checklist
- 21. Hardening the Infrastructure • Secure Network Design • Network Isolation • Security Zones • Firewalls, ACLs • Host Hardening • Attack Detection - OSSEC • Detailed Logging - AuditD • Hardened OS (mandatory access controls) - RSBAC
- 22. Security Review Prior to Launch • Secure Code Reviews • Application specific penetration testing • Automated security verification • Repeatable test suites with app specific tests https://wiki.mozilla.org/WebAppSec/Web_Security_Verification
- 23. Attack Monitoring & Response • Continuous Monitoring • Ongoing Security Verification
- 25. Basics • Passwords - Change default root password • Close Unneeded Ports - Use nmap to check • Updates - Keep it patched!
- 26. Next Steps • SSH • Disable root logins - e.g. ssh as low privilege and sudo • Enable PubKey authentication (users need passphrases for their keys) • Updates • Install via packages - package manager allows easy update • Watch Out For: • Telnet, FTP - Password sent in the clear • PHPMyAdmin - Riddled with vulnerabilities
- 27. Other Tips • Enhanced Protections / Logging: • OSSEC - monitors for attacks, can auto block • AuditD - detailed logging of activities on system • Beyond Security • Backup Plans • Documentation • Automation
- 28. Unite! • #security on irc • dev-security mailing list • https://wiki.mozilla.org/Security • Upcoming Talks • [16:40 Sat] Privacy and User Control - Stacy Martin • [12:55 Sun] B2G & App Security Model - Lucas Adamski & Camilo Viecco • [13:40 Sun] Getting a Handle on Privacy & Security - Shane Caraveo
- 29. Wrap Up • Security is a requirement for the success of the future open web • This will be challenging, but we’ve tackled big problems before • Let’s keep enhancing our security lifecycle to protect our users and the web
- 30. Thanks michael coates mcoates@mozilla.com :mcoates @_mwc
Hinweis der Redaktion
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n