The document discusses information security for data-driven platforms and open source projects. It motivates the importance of security through examples of data breaches. It covers topics like encryption, authentication, vulnerabilities in open source code, and how to evaluate open source libraries for security issues. The document demonstrates penetration testing tools like Vega and SQLMap to find vulnerabilities like SQL injection in web applications.
Demystify Data Security Threats & Open Source Risks
1. Demystify Information Security & Threats for
Data-Driven Platforms
Chetan Khatri
Solution Architect - Data & ML.
Accionlabs Inc.
18th Oct, 2019
2. Who Am I?
Professional Career:
● 2016 - Present. - Technical Lead / Solution Architect - Data & ML.
● 2015 - 2016 - Principal Big Data Engineer, Lead - Data Science Practice.
● 2014 - 2016 - Developer - Data Platforms.
● 2012 - 2014 - Consultant - Product developments.
University: Master of Computer Science.
Data Warehousing, Data Mining, Information Security / Cryptography, Reverse
Engineering, Information Retrieval.
3. Agenda
● Motivation
● Information Security - Ethics.
● Encryption
● Authentication
● Information Security & Potential threats with Open Source World.
● Find vulnerabilities.
● Checklist before using any Open Source library.
● Vulnerabilities report.
● Penetration Testing for Data Driven Developments.
14. Information Security - Ethics.
● Information Storage - What, Which form, Access to whom?
● Information Usage - Where, How, Which form?
● Responsibility - Ownership, usage?
● Confidentiality
● Authentication
● Governance - Regulators, Guidelines, Damage?
● Freedom vs Force
● Damage to the Society.
● Impact on humanity.
● Data Breach and Cost.
18. Data Monetization against ethics
Source: https://techcrunch.com/2019/03/22/facebook-staff-raised-concerns-about-cambridge-analytica-in-september-2015-per-court-filing/
Source: https://www.theguardian.com/news/2018/mar/17/cambridge-analytica-facebook-influence-us-election
19. Encryption
How many people have seen passwords stored in plain text in a database?
80%??
90%??
Yes, sad but true.
Source: https://www.digitaltrends.com/news/equifax-data-breach-class-action-lawsuit-hack-password/
20. Encryption
Never, ever store the application's passwords in plain text.
Encrypt them. Use asymmetric key encryption.
If RSA, use ssh-keygen -t rsa -b 4096
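The slides say to encrypt stored passwords; this added example (editor's code, not from the deck) uses the conventional alternative for credential storage, a salted slow hash, because a login only has to verify a password and never recover it, so no decryptable copy and no decryption key need to exist. It uses only the Python standard library; the users table is a constructed dict standing in for a real database column.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor; raise it as hardware gets faster

# Constructed stand-in for the users table: username -> stored credential record.
USERS = {}

def hash_password(password: str, salt=None) -> str:
    """Return 'pbkdf2_sha256$<iterations>$<hex salt>$<hex digest>'.

    A fresh random salt per user means two users with the same password get
    different records, and the iteration count makes offline guessing slow.
    The password cannot be recovered from the record, and that is the point:
    a login only needs to verify it, so no decryption key has to exist.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"

def verify_password(password: str, stored: str) -> bool:
    """Re-derive the digest with the stored salt and compare in constant time."""
    try:
        scheme, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False  # malformed record, never a match
    if scheme != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))

def register(username: str, password: str) -> None:
    USERS[username] = hash_password(password)  # the plain-text password is never stored

def login(username: str, password: str) -> bool:
    record = USERS.get(username)
    return record is not None and verify_password(password, record)

if __name__ == "__main__":
    register("alice", "correct horse battery staple")
    print(USERS["alice"])  # no plaintext anywhere in the record
    print(login("alice", "correct horse battery staple"), login("alice", "guess"))
```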
29. How do I choose SECURE open source packages?
Have a look
First look
30. Key questions for a first look
● Did you read the README.md or any other readily accessible introductory information?
● Does the code seem to be held to good software development standards?
● Is this code developed for professional purposes or as a hobby project?
● Are there any signs of known issues in the code?
● Does this code only solve one use case, or is it robust enough for other use cases?
● Is this code active, or archived / “abandoned”?
Look for warning signs...
39. Key Questions for each Open Source Library
Do only 1-2 collaborators exist? If so, the chances of unreviewed, harmful code are higher.
Is code merged to the master branch reviewed via a PR?
How many issues are OPEN?
Validate that OPEN issues are being addressed.
Is the code maintained or abandoned?
Are issues getting fixed and released promptly?
40. Key Questions for each Open Source Library
Check the recently active committers and commits, to understand how old the project is.
Check how they handle vulnerabilities and security.
How can you report security vulnerabilities?
Check open security bugs/issues.
Good example: the Apache community.
https://www.apache.org/security/
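The first-look and per-library questions on slides 30, 39 and 40 can be turned into an automated warning-sign check. This is an added example, not code from the deck: it scores a small, assumed metadata record (field names are the editor's simplification of what a code host's API reports; map your real source into this shape) and returns the warning signs the slides call out.

```python
from datetime import date

def review_repo(meta: dict, today: date) -> list:
    """Return the slide-deck warning signs that apply to one repository's metadata."""
    warnings = []
    if meta["archived"]:
        warnings.append("repository is archived / abandoned")
    if meta["contributors"] <= 2:
        warnings.append("only 1-2 collaborators: higher chance of unreviewed, harmful code")
    age_days = (today - date.fromisoformat(meta["last_commit"])).days
    if age_days > 365:
        warnings.append(f"no commit in {age_days} days")
    merged = meta["merges_to_master"]
    if merged and meta["merges_via_reviewed_pr"] / merged < 0.9:
        warnings.append("code reaches master without a reviewed PR")
    total = meta["open_issues"] + meta["closed_issues"]
    if total and meta["open_issues"] / total > 0.5:
        warnings.append("more than half of all issues are still open")
    if not meta["security_policy"]:
        warnings.append("no documented way to report security vulnerabilities")
    if meta["open_security_issues"]:
        warnings.append(f"{meta['open_security_issues']} open security-labelled issues")
    return warnings

# Constructed sample records (invented values, not real projects).
HEALTHY = {"archived": False, "contributors": 40, "last_commit": "2019-10-01",
           "merges_to_master": 200, "merges_via_reviewed_pr": 198,
           "open_issues": 30, "closed_issues": 900,
           "security_policy": True, "open_security_issues": 0}
RISKY = {"archived": False, "contributors": 1, "last_commit": "2017-06-01",
         "merges_to_master": 50, "merges_via_reviewed_pr": 10,
         "open_issues": 40, "closed_issues": 12,
         "security_policy": False, "open_security_issues": 3}

if __name__ == "__main__":
    for name, meta in (("healthy", HEALTHY), ("risky", RISKY)):
        print(name, review_repo(meta, date(2019, 10, 18)))
```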
43. No known vulnerabilities doesn’t mean SECURITY!
1101 new vulnerabilities reported in October 2019 alone.
Source: https://nvd.nist.gov/vuln/full-listing/2019/10
46. Check number of OPEN services and ports
sudo nmap -p- -sS -A IP-Address
47. Server Files / Directories Scan on permission and Access
java -jar DirBuster-0.12.jar -H -u http://167.71.224.201:1337
httrack website copier
48. Subgraph Vega
● Vega is a free and open source web security scanner and web security testing platform to test the security of web applications.
● SQL Injection
● XSS
● Inadvertently disclosed sensitive information
● Reflected cross-site scripting
● Stored cross-site scripting
● Blind SQL injection
● Remote file include
● Shell injection
● TLS / SSL security settings
59. SqlMap - A penetration testing tool for exploiting SQL injection flaws, and a lot more!
● Database fingerprinting.
● Full support for SQL injection techniques: boolean-based blind, time-based blind, error-based, UNION query-based, stacked queries and out-of-band.
● Automatic recognition of password hash formats and support for cracking them using a dictionary-based attack.
● Dump database tables entirely.
● Out-of-the-box search support for database names, table names, column names and values.
● Support to execute arbitrary commands and retrieve their standard output.
● Support to establish an out-of-band stateful TCP connection between the attacker machine and the database server.
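Every SqlMap technique on this slide starts from the same defect: user input spliced into the SQL text. This added example (editor's code, not from the deck or from SqlMap) shows the vulnerable query beside its parameterized fix against a constructed in-memory SQLite table, so a developer can see why the boolean-based tautology the scanners probe for returns every row in one version and nothing in the other.

```python
import sqlite3

def make_db() -> sqlite3.Connection:
    """Constructed sample table; the rows are invented for the demo."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (name, role) VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "analyst"), ("carol", "analyst")])
    return conn

def find_user_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    # The value is pasted into the statement text, so a quote inside 'name'
    # ends the string literal and whatever follows is parsed as SQL.
    query = f"SELECT id, name, role FROM users WHERE name = '{name}'"
    return conn.execute(query).fetchall()

def find_user_safe(conn: sqlite3.Connection, name: str) -> list:
    # A bound parameter is sent as data; the driver never parses it as SQL,
    # so the same input is compared literally against the name column.
    return conn.execute(
        "SELECT id, name, role FROM users WHERE name = ?", (name,)
    ).fetchall()

if __name__ == "__main__":
    conn = make_db()
    probe = "' OR '1'='1"  # classic boolean-based tautology, as listed on the slide
    print("normal lookup:", find_user_safe(conn, "alice"))
    print("vulnerable:", find_user_vulnerable(conn, probe))  # all three rows leak
    print("parameterized:", find_user_safe(conn, probe))     # no such user: []
```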