SlideShare ist ein Scribd-Unternehmen logo

From 0 to 0xdeadbeef - security mistakes that will haunt your startup

Diogo Mónica
Diogo Mónica

Every company has to deal with the topic of security. Depending on the product/service, security might be more or less important, but it doesn’t matter if the product is moving money or sending disappearing pictures, if the company grows, it will have to deal with security sooner or later. Unfortunately, not all security mistakes are created equal. This talk will go over some security mistakes are several orders of magnitude harder to fix later in the lifecycle of a company, helping people prioritize their decisions when trying to keep the fine balance between security and product.

Technologie
1 von 31
Downloaden Sie, um offline zu lesen
From 0 to 0xDEADBEEF: The security mistakes that will haunt your startup @diogomonica
Agenda List of mistakes that are painful to remediate ‣TLS ‣Web Security ‣Passwords ‣Infrastructure ‣Corporate Environment Not an exhaustive list
Target audience ‣Companies just starting up or in their initial growth phase ‣Every company will hit these issues at some point
Real Security Engineers Ship
TLS Mistakes
Not having TLS from day 1 ‣There is no reason to have HTTP endpoints •Most TLS performance issues are a myth ‣One HTTP link compromises the security of your whole application (sslstrip) https://github.com/diogomonica/py-cookieJsInjection
SSLv3 enabled ‣There are essentially no legitimate clients without TLS support •No, IE6 on SP2 is not a legitimate client ‣A lot of pressure from PCI Council to be strict about disabling SSLv3 [ insert favorite POODLE link here ]
Crappy certificates ‣Choose a good issuer •If you have an app you will be pinning to it ‣Make sure you are not using MD5 or SHA1 for the signature https://github.com/diogomonica/gocert
Lack of security headers ‣Even if you are 100% https, the first connection is still vulnerable •The HSTS header fixes that ‣Tons of important headers. Start every application by using Twitter’s Secure headers gem/list. https://github.com/twitter/secureheaders
Not keeping up to date w/ attacks https://www.ssllabs.com/ssltest/
Web Security Mistakes
Everything under the same domain ‣Use a completely different domain for all trusted activity •Example: trustedsite.com VS usercontentsite.com ‣Host all of your static files from a different domain •Scopes the TLS certificates you will have to give to CDNs ‣Host all javascript from yet another different domain •Allows you to set CSP policies on where Javascript is loaded
Cookie scoping as an afterthought ‣The site blog.diogomonica.com can set cookies with scope diogomonica.com •Cookie Stealing •Cookie Eviction •Session Fixation ‣Make sure you only use Secure and HttpOnly cookies http://bit.ly/18fet3L
Not enabling CSP in reporting mode ‣The objective is to eventually enable CSP in enforce mode •Helps track the addition of in-line and foreign Javascript •On that note: host all of your Javascript http://mzl.la/1B3GPZT
Internal admin dashboard as part of the same app ‣Applications usually start off by having admin dashboard built-in •Accessible from the Internet ‣If something is supposed to be internal, make sure you: •Make it internal only from day 1 •Deploy it on a different host/vm/container •Don’t use origin IP for authorization (Header injection issues)
Logging blacklists ‣Logging should work in a white-list model ‣Very easy to end up with PII or other sensitive information in logs •Good luck getting it out of hadoop •Good luck getting it out of Splunk •Good luck cleaning all of your backups
Password Mistakes
Checking-in secrets ‣Build a secret-distribution story early •People commit AWS credentials to github repositories all the time ‣Check for leaked keys daily (gitrob) https://github.com/michenriksen/gitrob
Sharing passwords around ‣Laptops get stolen/lost all the time •Full-disk encryption won’t save you against DMA Attacks •Laptop compromise means all credentials get leaked ‣Use centralized secret storage applications instead (e.g. Bitium, Onelogin) •Enable multi-factor authentication to access
Hashing passwords ‣Use bcrypt ‣Use bcrypt ‣Use bcrypt http://codahale.com/how-to-safely-store-a-password/
Infrastructure Mistakes
Not making your application deployment nimble ‣Run all your applications in containers* •Allows you to update the underlying Operating System easily ‣Use SELinux: helps with some classes of application-level vulnerabilities https://www.docker.com/ *I’m obviously very biased on this subject
Production access without 2FA ‣Create choke-points for production access •SSH access should require TOTP token through a Bastion host •Internal dashboard access should go through a 2FA SSO SSH Bastion Host Datacenter Front-end Server Back-end Server Corporate Network SSO Portal Internal Dashboard
Trust from the corporate network ‣Corporate network should have no trust relations with production (or minimal trust) SSH Bastion Host Datacenter Front-end Server Back-end Server Internet SSO Portal Internal Dashboard
No centralized logging ‣Create a new service/application check-list for with two items: •Enable centralized logging •Ensure NTP is being synced ‣Are you using AWS? Go enable Cloudtrail now! •Seriously, do it now, I’ll wait. http://aws.amazon.com/cloudtrail/
Not having root use as an alertable event ‣#people with the root password should be < #fingers in your hand ‣Log all uses of sudo -s ; sudo -i ; su - ; su root ; etc •These should not be common events http://knowyourmeme.com/memes/sad-panda
HTTP for your S2S communication ‣All S2S communication should be HTTPS Datacenter Front-end Server Back-end Server Application Server
Corporate Environment Mistakes
Not having a self- service check-list ‣Create a self-service security check-list with the following items: •Download, install and set Chrome as the default browser •Install the Adblock extension •Java must be disabled •Flash must be set as click to play •Full-disk encryption is mandatory •Enroll the laptop in Find my Mac •Passwords are generated and stored in 1Password
Summary ‣There are security issues that every company will eventually have to deal with ‣Some mistakes will be a lot more costly than others ‣Bring in someone in whose job is to worry about Security early on •Remember: real security engineers ship!
Q&A @diogomonica

Empfohlen

DevOops Redux Ken Johnson Chris Gates - AppSec USA 2016
DevOops Redux Ken Johnson Chris Gates - AppSec USA 2016DevOops Redux Ken Johnson Chris Gates - AppSec USA 2016
DevOops Redux Ken Johnson Chris Gates - AppSec USA 2016
Chris Gates
 
Lares from LOW to PWNED
Lares from LOW to PWNEDLares from LOW to PWNED
Lares from LOW to PWNED
Chris Gates
 
Internal Pentest: from z3r0 to h3r0
Internal Pentest: from z3r0 to h3r0Internal Pentest: from z3r0 to h3r0
Internal Pentest: from z3r0 to h3r0
marcioalma
 
Big Bang Theory: The Evolution of Pentesting High Security Enviroments IT Def...
Big Bang Theory: The Evolution of Pentesting High Security Enviroments IT Def...Big Bang Theory: The Evolution of Pentesting High Security Enviroments IT Def...
Big Bang Theory: The Evolution of Pentesting High Security Enviroments IT Def...
Chris Gates
 
hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2
hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2
hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2
Chris Gates
 
Malware Analysis For The Enterprise
Malware Analysis For The EnterpriseMalware Analysis For The Enterprise
Malware Analysis For The Enterprise
Jason Ross
 
Outlook and Exchange for the bad guys
Outlook and Exchange for the bad guysOutlook and Exchange for the bad guys
Outlook and Exchange for the bad guys
Nick Landers
 
Rugged DevOps at Scale with Rich Mogull
Rugged DevOps at Scale with Rich MogullRugged DevOps at Scale with Rich Mogull
Rugged DevOps at Scale with Rich Mogull
SeniorStoryteller
 

Empfohlen

DevOops Redux Ken Johnson Chris Gates - AppSec USA 2016
DevOops Redux Ken Johnson Chris Gates - AppSec USA 2016DevOops Redux Ken Johnson Chris Gates - AppSec USA 2016
DevOops Redux Ken Johnson Chris Gates - AppSec USA 2016
Chris Gates
 
Lares from LOW to PWNED
Lares from LOW to PWNEDLares from LOW to PWNED
Lares from LOW to PWNED
Chris Gates
 
Internal Pentest: from z3r0 to h3r0
Internal Pentest: from z3r0 to h3r0Internal Pentest: from z3r0 to h3r0
Internal Pentest: from z3r0 to h3r0
marcioalma
 
Big Bang Theory: The Evolution of Pentesting High Security Enviroments IT Def...
Big Bang Theory: The Evolution of Pentesting High Security Enviroments IT Def...Big Bang Theory: The Evolution of Pentesting High Security Enviroments IT Def...
Big Bang Theory: The Evolution of Pentesting High Security Enviroments IT Def...
Chris Gates
 
hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2
hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2
hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2
Chris Gates
 
Malware Analysis For The Enterprise
Malware Analysis For The EnterpriseMalware Analysis For The Enterprise
Malware Analysis For The Enterprise
Jason Ross
 
Outlook and Exchange for the bad guys
Outlook and Exchange for the bad guysOutlook and Exchange for the bad guys
Outlook and Exchange for the bad guys
Nick Landers
 
Rugged DevOps at Scale with Rich Mogull
Rugged DevOps at Scale with Rich MogullRugged DevOps at Scale with Rich Mogull
Rugged DevOps at Scale with Rich Mogull
SeniorStoryteller
 
Nessus and Reporting Karma
Nessus and Reporting KarmaNessus and Reporting Karma
Nessus and Reporting Karma
n|u - The Open Security Community
 
Security War Games
Security War GamesSecurity War Games
Security War Games
SeniorStoryteller
 
Zap vs burp
Zap vs burpZap vs burp
Zap vs burp
Tomasz Fajks
 
[CB16] Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To...
[CB16] Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To...[CB16] Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To...
[CB16] Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To...
CODE BLUE
 
BSides London 2017 - Hunt Or Be Hunted
BSides London 2017 - Hunt Or Be HuntedBSides London 2017 - Hunt Or Be Hunted
BSides London 2017 - Hunt Or Be Hunted
Alex Davies
 
Invoke-Obfuscation DerbyCon 2016
Invoke-Obfuscation DerbyCon 2016Invoke-Obfuscation DerbyCon 2016
Invoke-Obfuscation DerbyCon 2016
Daniel Bohannon
 
Invoke-Obfuscation nullcon 2017
Invoke-Obfuscation nullcon 2017Invoke-Obfuscation nullcon 2017
Invoke-Obfuscation nullcon 2017
Daniel Bohannon
 
Introduction to red team operations
Introduction to red team operationsIntroduction to red team operations
Introduction to red team operations
Sunny Neo
 
Automating OWASP ZAP - DevCSecCon talk
Automating OWASP ZAP - DevCSecCon talk Automating OWASP ZAP - DevCSecCon talk
Automating OWASP ZAP - DevCSecCon talk
Simon Bennetts
 
Bug Bounty Hunter Methodology - Nullcon 2016
Bug Bounty Hunter Methodology - Nullcon 2016Bug Bounty Hunter Methodology - Nullcon 2016
Bug Bounty Hunter Methodology - Nullcon 2016
bugcrowd
 
DevOOPS: Attacks and Defenses for DevOps Toolchains
DevOOPS: Attacks and Defenses for DevOps ToolchainsDevOOPS: Attacks and Defenses for DevOps Toolchains
DevOOPS: Attacks and Defenses for DevOps Toolchains
Chris Gates
 
I hunt sys admins 2.0
I hunt sys admins 2.0I hunt sys admins 2.0
I hunt sys admins 2.0
Will Schroeder
 
BlueHat v17 || Where, how, and why is SSL traffic on mobile getting intercept...
BlueHat v17 || Where, how, and why is SSL traffic on mobile getting intercept...BlueHat v17 || Where, how, and why is SSL traffic on mobile getting intercept...
BlueHat v17 || Where, how, and why is SSL traffic on mobile getting intercept...
BlueHat Security Conference
 
Hacking Vulnerable Websites to Bypass Firewalls
Hacking Vulnerable Websites to Bypass FirewallsHacking Vulnerable Websites to Bypass Firewalls
Hacking Vulnerable Websites to Bypass Firewalls
Netsparker
 
Why isn't infosec working? Did you turn it off and back on again?
Why isn't infosec working? Did you turn it off and back on again?Why isn't infosec working? Did you turn it off and back on again?
Why isn't infosec working? Did you turn it off and back on again?
Rob Fuller
 
My tryst with sourcecode review
My tryst with sourcecode reviewMy tryst with sourcecode review
My tryst with sourcecode review
Anant Shrivastava
 
Pentest Apocalypse - SANSFIRE 2016 Edition
Pentest Apocalypse - SANSFIRE 2016 EditionPentest Apocalypse - SANSFIRE 2016 Edition
Pentest Apocalypse - SANSFIRE 2016 Edition
Beau Bullock
 
I See You
I See YouI See You
I See You
Andrew Beard
 
The Dirty Little Secrets They Didn’t Teach You In Pentesting Class
The Dirty Little Secrets They Didn’t Teach You In Pentesting ClassThe Dirty Little Secrets They Didn’t Teach You In Pentesting Class
The Dirty Little Secrets They Didn’t Teach You In Pentesting Class
Rob Fuller
 
Open Canary - novahackers
Open Canary - novahackersOpen Canary - novahackers
Open Canary - novahackers
Chris Gates
 
An IDS for browser hijacking
An IDS for browser hijackingAn IDS for browser hijacking
An IDS for browser hijacking
Diogo Mónica
 
Leveraging Honest Users: Stealth Command-and-Control of Botnets
Leveraging Honest Users: Stealth Command-and-Control of BotnetsLeveraging Honest Users: Stealth Command-and-Control of Botnets
Leveraging Honest Users: Stealth Command-and-Control of Botnets
Diogo Mónica
 

Weitere ähnliche Inhalte

Was ist angesagt?

[CB16] Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To...
[CB16] Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To...[CB16] Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To...
[CB16] Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To...
CODE BLUE
 
Automating OWASP ZAP - DevCSecCon talk
Automating OWASP ZAP - DevCSecCon talk Automating OWASP ZAP - DevCSecCon talk
Automating OWASP ZAP - DevCSecCon talk
Simon Bennetts
 
BlueHat v17 || Where, how, and why is SSL traffic on mobile getting intercept...
BlueHat v17 || Where, how, and why is SSL traffic on mobile getting intercept...BlueHat v17 || Where, how, and why is SSL traffic on mobile getting intercept...
BlueHat v17 || Where, how, and why is SSL traffic on mobile getting intercept...
BlueHat Security Conference
 
Pentest Apocalypse - SANSFIRE 2016 Edition
Pentest Apocalypse - SANSFIRE 2016 EditionPentest Apocalypse - SANSFIRE 2016 Edition
Pentest Apocalypse - SANSFIRE 2016 Edition
Beau Bullock
 
I See You
I See YouI See You
I See You
Andrew Beard
 

Was ist angesagt? (20)

Nessus and Reporting Karma
Nessus and Reporting KarmaNessus and Reporting Karma
Nessus and Reporting Karma
 
Security War Games
Security War GamesSecurity War Games
Security War Games
 
Zap vs burp
Zap vs burpZap vs burp
Zap vs burp
 
[CB16] Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To...
[CB16] Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To...[CB16] Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To...
[CB16] Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To...
 
BSides London 2017 - Hunt Or Be Hunted
BSides London 2017 - Hunt Or Be HuntedBSides London 2017 - Hunt Or Be Hunted
BSides London 2017 - Hunt Or Be Hunted
 
Invoke-Obfuscation DerbyCon 2016
Invoke-Obfuscation DerbyCon 2016Invoke-Obfuscation DerbyCon 2016
Invoke-Obfuscation DerbyCon 2016
 
Invoke-Obfuscation nullcon 2017
Invoke-Obfuscation nullcon 2017Invoke-Obfuscation nullcon 2017
Invoke-Obfuscation nullcon 2017
 
Introduction to red team operations
Introduction to red team operationsIntroduction to red team operations
Introduction to red team operations
 
Automating OWASP ZAP - DevCSecCon talk
Automating OWASP ZAP - DevCSecCon talk Automating OWASP ZAP - DevCSecCon talk
Automating OWASP ZAP - DevCSecCon talk
 
Bug Bounty Hunter Methodology - Nullcon 2016
Bug Bounty Hunter Methodology - Nullcon 2016Bug Bounty Hunter Methodology - Nullcon 2016
Bug Bounty Hunter Methodology - Nullcon 2016
 
DevOOPS: Attacks and Defenses for DevOps Toolchains
DevOOPS: Attacks and Defenses for DevOps ToolchainsDevOOPS: Attacks and Defenses for DevOps Toolchains
DevOOPS: Attacks and Defenses for DevOps Toolchains
 
I hunt sys admins 2.0
I hunt sys admins 2.0I hunt sys admins 2.0
I hunt sys admins 2.0
 
BlueHat v17 || Where, how, and why is SSL traffic on mobile getting intercept...
BlueHat v17 || Where, how, and why is SSL traffic on mobile getting intercept...BlueHat v17 || Where, how, and why is SSL traffic on mobile getting intercept...
BlueHat v17 || Where, how, and why is SSL traffic on mobile getting intercept...
 
Hacking Vulnerable Websites to Bypass Firewalls
Hacking Vulnerable Websites to Bypass FirewallsHacking Vulnerable Websites to Bypass Firewalls
Hacking Vulnerable Websites to Bypass Firewalls
 
Why isn't infosec working? Did you turn it off and back on again?
Why isn't infosec working? Did you turn it off and back on again?Why isn't infosec working? Did you turn it off and back on again?
Why isn't infosec working? Did you turn it off and back on again?
 
My tryst with sourcecode review
My tryst with sourcecode reviewMy tryst with sourcecode review
My tryst with sourcecode review
 
Pentest Apocalypse - SANSFIRE 2016 Edition
Pentest Apocalypse - SANSFIRE 2016 EditionPentest Apocalypse - SANSFIRE 2016 Edition
Pentest Apocalypse - SANSFIRE 2016 Edition
 
I See You
I See YouI See You
I See You
 
The Dirty Little Secrets They Didn’t Teach You In Pentesting Class
The Dirty Little Secrets They Didn’t Teach You In Pentesting ClassThe Dirty Little Secrets They Didn’t Teach You In Pentesting Class
The Dirty Little Secrets They Didn’t Teach You In Pentesting Class
 
Open Canary - novahackers
Open Canary - novahackersOpen Canary - novahackers
Open Canary - novahackers
 

Andere mochten auch

An IDS for browser hijacking
An IDS for browser hijackingAn IDS for browser hijacking
An IDS for browser hijacking
Diogo Mónica
 
Secure Software Distribution in an Adversarial World
Secure Software Distribution in an Adversarial WorldSecure Software Distribution in an Adversarial World
Secure Software Distribution in an Adversarial World
Diogo Mónica
 
ESORICS 2014: Local Password validation using Self-Organizing Maps
ESORICS 2014: Local Password validation using Self-Organizing MapsESORICS 2014: Local Password validation using Self-Organizing Maps
ESORICS 2014: Local Password validation using Self-Organizing Maps
Diogo Mónica
 
MTLS in a Microservices World
MTLS in a Microservices WorldMTLS in a Microservices World
MTLS in a Microservices World
Diogo Mónica
 
On the use of radio resource tests in wireless ad hoc networks
On the use of radio resource tests in wireless ad hoc networksOn the use of radio resource tests in wireless ad hoc networks
On the use of radio resource tests in wireless ad hoc networks
Diogo Mónica
 
Why Docker
Why DockerWhy Docker
Why Docker
dotCloud
 
Cloud conf keynote - Orchestrating Least Privilege
Cloud conf keynote - Orchestrating Least PrivilegeCloud conf keynote - Orchestrating Least Privilege
Cloud conf keynote - Orchestrating Least Privilege
Diogo Mónica
 
Docker 101: Introduction to Docker
Docker 101: Introduction to DockerDocker 101: Introduction to Docker
Docker 101: Introduction to Docker
Docker, Inc.
 

Andere mochten auch (20)

An IDS for browser hijacking
An IDS for browser hijackingAn IDS for browser hijacking
An IDS for browser hijacking
 
Leveraging Honest Users: Stealth Command-and-Control of Botnets
Leveraging Honest Users: Stealth Command-and-Control of BotnetsLeveraging Honest Users: Stealth Command-and-Control of Botnets
Leveraging Honest Users: Stealth Command-and-Control of Botnets
 
PhD Thesis Diogo Mónica
PhD Thesis Diogo MónicaPhD Thesis Diogo Mónica
PhD Thesis Diogo Mónica
 
WiFiHop - mitigating the Evil twin attack through multi-hop detection
WiFiHop - mitigating the Evil twin attack through multi-hop detectionWiFiHop - mitigating the Evil twin attack through multi-hop detection
WiFiHop - mitigating the Evil twin attack through multi-hop detection
 
Observable Non-Sybil Quorums Construction in One-Hop Wireless Ad Hoc Networks
Observable Non-Sybil Quorums Construction in One-Hop Wireless Ad Hoc NetworksObservable Non-Sybil Quorums Construction in One-Hop Wireless Ad Hoc Networks
Observable Non-Sybil Quorums Construction in One-Hop Wireless Ad Hoc Networks
 
MultiPath TCP - The path to multipath
MultiPath TCP - The path to multipathMultiPath TCP - The path to multipath
MultiPath TCP - The path to multipath
 
Secure Software Distribution in an Adversarial World
Secure Software Distribution in an Adversarial WorldSecure Software Distribution in an Adversarial World
Secure Software Distribution in an Adversarial World
 
ESORICS 2014: Local Password validation using Self-Organizing Maps
ESORICS 2014: Local Password validation using Self-Organizing MapsESORICS 2014: Local Password validation using Self-Organizing Maps
ESORICS 2014: Local Password validation using Self-Organizing Maps
 
MTLS in a Microservices World
MTLS in a Microservices WorldMTLS in a Microservices World
MTLS in a Microservices World
 
On the use of radio resource tests in wireless ad hoc networks
On the use of radio resource tests in wireless ad hoc networksOn the use of radio resource tests in wireless ad hoc networks
On the use of radio resource tests in wireless ad hoc networks
 
Bletchley
BletchleyBletchley
Bletchley
 
Protecting Your Data With AWS KMS and AWS CloudHSM
Protecting Your Data With AWS KMS and AWS CloudHSM Protecting Your Data With AWS KMS and AWS CloudHSM
Protecting Your Data With AWS KMS and AWS CloudHSM
 
Application Security from the Inside - OWASP
Application Security from the Inside - OWASPApplication Security from the Inside - OWASP
Application Security from the Inside - OWASP
 
Docker presentation | Paris Docker Meetup
Docker presentation | Paris Docker MeetupDocker presentation | Paris Docker Meetup
Docker presentation | Paris Docker Meetup
 
Web Summit 2015 - Enterprise stage - Cloud, Open-Source, Security
Web Summit 2015 - Enterprise stage - Cloud, Open-Source, SecurityWeb Summit 2015 - Enterprise stage - Cloud, Open-Source, Security
Web Summit 2015 - Enterprise stage - Cloud, Open-Source, Security
 
Tune your App Perf (and get fit for summer)
Tune your App Perf (and get fit for summer)Tune your App Perf (and get fit for summer)
Tune your App Perf (and get fit for summer)
 
NoSQL Injections in Node.js - The case of MongoDB
NoSQL Injections in Node.js - The case of MongoDBNoSQL Injections in Node.js - The case of MongoDB
NoSQL Injections in Node.js - The case of MongoDB
 
Why Docker
Why DockerWhy Docker
Why Docker
 
Cloud conf keynote - Orchestrating Least Privilege
Cloud conf keynote - Orchestrating Least PrivilegeCloud conf keynote - Orchestrating Least Privilege
Cloud conf keynote - Orchestrating Least Privilege
 
Docker 101: Introduction to Docker
Docker 101: Introduction to DockerDocker 101: Introduction to Docker
Docker 101: Introduction to Docker
 

Ähnlich wie From 0 to 0xdeadbeef - security mistakes that will haunt your startup

Nightmares of a Penetration Tester ( How to protect your network)
Nightmares of a Penetration Tester ( How to protect your network)Nightmares of a Penetration Tester ( How to protect your network)
Nightmares of a Penetration Tester ( How to protect your network)
Chris Nickerson
 
Zero Trust And Best Practices for Securing Endpoint Apps on May 24th 2021
Zero Trust And Best Practices for Securing Endpoint Apps on May 24th 2021Zero Trust And Best Practices for Securing Endpoint Apps on May 24th 2021
Zero Trust And Best Practices for Securing Endpoint Apps on May 24th 2021
Teemu Tiainen
 
5 Bare Minimum Things A Web Startup CTO Must Worry About
5 Bare Minimum Things A Web Startup CTO Must Worry About5 Bare Minimum Things A Web Startup CTO Must Worry About
5 Bare Minimum Things A Web Startup CTO Must Worry About
Indus Khaitan
 
So Your Company Hired A Pentester
So Your Company Hired A PentesterSo Your Company Hired A Pentester
So Your Company Hired A Pentester
NorthBayWeb
 
Covert Attack Mystery Box: A few novel techniques for exploiting Microsoft “f...
Covert Attack Mystery Box: A few novel techniques for exploiting Microsoft “f...Covert Attack Mystery Box: A few novel techniques for exploiting Microsoft “f...
Covert Attack Mystery Box: A few novel techniques for exploiting Microsoft “f...
Beau Bullock
 

Ähnlich wie From 0 to 0xdeadbeef - security mistakes that will haunt your startup (20)

Flipping the script
Flipping the scriptFlipping the script
Flipping the script
 
System hardening - OS and Application
System hardening - OS and ApplicationSystem hardening - OS and Application
System hardening - OS and Application
 
DEF CON 24 - Rich Mogull - pragmatic cloud security
DEF CON 24 - Rich Mogull - pragmatic cloud securityDEF CON 24 - Rich Mogull - pragmatic cloud security
DEF CON 24 - Rich Mogull - pragmatic cloud security
 
Nightmares of a Penetration Tester ( How to protect your network)
Nightmares of a Penetration Tester ( How to protect your network)Nightmares of a Penetration Tester ( How to protect your network)
Nightmares of a Penetration Tester ( How to protect your network)
 
Digital certificates
Digital certificatesDigital certificates
Digital certificates
 
Secure your web app presentation
Secure your web app presentationSecure your web app presentation
Secure your web app presentation
 
Lets git together
Lets git togetherLets git together
Lets git together
 
Dev objective2015 lets git together
Dev objective2015 lets git togetherDev objective2015 lets git together
Dev objective2015 lets git together
 
How to Ensure You're Launching the Most Secure Website - Michael Tremante
How to Ensure You're Launching the Most Secure Website - Michael TremanteHow to Ensure You're Launching the Most Secure Website - Michael Tremante
How to Ensure You're Launching the Most Secure Website - Michael Tremante
 
2010 11 pubcon_hendison-hosting
2010 11 pubcon_hendison-hosting2010 11 pubcon_hendison-hosting
2010 11 pubcon_hendison-hosting
 
Zero Trust And Best Practices for Securing Endpoint Apps on May 24th 2021
Zero Trust And Best Practices for Securing Endpoint Apps on May 24th 2021Zero Trust And Best Practices for Securing Endpoint Apps on May 24th 2021
Zero Trust And Best Practices for Securing Endpoint Apps on May 24th 2021
 
5 Bare Minimum Things A Web Startup CTO Must Worry About
5 Bare Minimum Things A Web Startup CTO Must Worry About5 Bare Minimum Things A Web Startup CTO Must Worry About
5 Bare Minimum Things A Web Startup CTO Must Worry About
 
Scaling woo commerce-v2-pagely
Scaling woo commerce-v2-pagelyScaling woo commerce-v2-pagely
Scaling woo commerce-v2-pagely
 
iOS Indie Developer Toolkit - CocoaHeads 3city
iOS Indie Developer Toolkit - CocoaHeads 3cityiOS Indie Developer Toolkit - CocoaHeads 3city
iOS Indie Developer Toolkit - CocoaHeads 3city
 
So Your Company Hired A Pentester
So Your Company Hired A PentesterSo Your Company Hired A Pentester
So Your Company Hired A Pentester
 
Lambda Architectures in Practice
Lambda Architectures in PracticeLambda Architectures in Practice
Lambda Architectures in Practice
 
Secure your Azure Web App 2019
Secure your Azure Web App 2019Secure your Azure Web App 2019
Secure your Azure Web App 2019
 
Open Mic Webcast: IBM Sametime Audio Video Troubleshooting - 04 May 2016
Open Mic Webcast: IBM Sametime Audio Video Troubleshooting - 04 May 2016Open Mic Webcast: IBM Sametime Audio Video Troubleshooting - 04 May 2016
Open Mic Webcast: IBM Sametime Audio Video Troubleshooting - 04 May 2016
 
Covert Attack Mystery Box: A few novel techniques for exploiting Microsoft “f...
Covert Attack Mystery Box: A few novel techniques for exploiting Microsoft “f...Covert Attack Mystery Box: A few novel techniques for exploiting Microsoft “f...
Covert Attack Mystery Box: A few novel techniques for exploiting Microsoft “f...
 
You Spent All That Money And Still Got Owned
You Spent All That Money And Still Got OwnedYou Spent All That Money And Still Got Owned
You Spent All That Money And Still Got Owned
 

Kürzlich hochgeladen

Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
UK Journal
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
sammart93
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
Enterprise Knowledge
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
Igalia
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
vu2urc
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Drew Madelung
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
Principled Technologies
 

Kürzlich hochgeladen (20)

Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
Tech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfTech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdf
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
HTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesHTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation Strategies
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 

From 0 to 0xdeadbeef - security mistakes that will haunt your startup

  • 1. From 0 to 0xDEADBEEF: The security mistakes that will haunt your startup @diogomonica
  • 2. Agenda List of mistakes that are painful to remediate ‣TLS ‣Web Security ‣Passwords ‣Infrastructure ‣Corporate Environment Not an exhaustive list
  • 3. Target audience ‣Companies just starting up or in their initial growth phase ‣Every company will hit these issues at some point
  • 6. Not having TLS from day 1 ‣There is no reason to have HTTP endpoints •Most TLS performance issues are a myth ‣One HTTP link compromises the security of your whole application (sslstrip) https://github.com/diogomonica/py-cookieJsInjection
  • 7. SSLv3 enabled ‣There are essentially no legitimate clients without TLS support •No, IE6 on SP2 is not a legitimate client ‣A lot of pressure from PCI Council to be strict about disabling SSLv3 [ insert favorite POODLE link here ]
  • 8. Crappy certificates ‣Choose a good issuer •If you have an app you will be pinning to it ‣Make sure you are not using MD5 or SHA1 for the signature https://github.com/diogomonica/gocert
  • 9. Lack of security headers ‣Even if you are 100% https, the first connection is still vulnerable •The HSTS header fixes that ‣Tons of important headers. Start every application by using Twitter’s Secure headers gem/list. https://github.com/twitter/secureheaders
  • 10. Not keeping up to date w/ attacks https://www.ssllabs.com/ssltest/
  • 12. Everything under the same domain ‣Use a completely different domain for all trusted activity •Example: trustedsite.com VS usercontentsite.com ‣Host all of your static files from a different domain •Scopes the TLS certificates you will have to give to CDNs ‣Host all javascript from yet another different domain •Allows you to set CSP policies on where Javascript is loaded
  • 13. Cookie scoping as an afterthought ‣The site blog.diogomonica.com can set cookies with scope diogomonica.com •Cookie Stealing •Cookie Eviction •Session Fixation ‣Make sure you only use Secure and HttpOnly cookies http://bit.ly/18fet3L
  • 14. Not enabling CSP in reporting mode ‣The objective is to eventually enable CSP in enforce mode •Helps track the addition of in-line and foreign Javascript •On that note: host all of your Javascript http://mzl.la/1B3GPZT
  • 15. Internal admin dashboard as part of the same app ‣Applications usually start off by having admin dashboard built-in •Accessible from the Internet ‣If something is supposed to be internal, make sure you: •Make it internal only from day 1 •Deploy it on a different host/vm/container •Don’t use origin IP for authorization (Header injection issues)
  • 16. Logging blacklists ‣Logging should work in a white-list model ‣Very easy to end up with PII or other sensitive information in logs •Good luck getting it out of hadoop •Good luck getting it out of Splunk •Good luck cleaning all of your backups
  • 18. Checking-in secrets ‣Build a secret-distribution story early •People commit AWS credentials to github repositories all the time ‣Check for leaked keys daily (gitrob) https://github.com/michenriksen/gitrob
  • 19. Sharing passwords around ‣Laptops get stolen/lost all the time •Full-disk encryption won’t save you against DMA Attacks •Laptop compromise means all credentials get leaked ‣Use centralized secret storage applications instead (e.g. Bitium, Onelogin) •Enable multi-factor authentication to access
  • 20. Hashing passwords ‣Use bcrypt ‣Use bcrypt ‣Use bcrypt http://codahale.com/how-to-safely-store-a-password/
  • 22. Not making your application deployment nimble ‣Run all your applications in containers* •Allows you to update the underlying Operating System easily ‣Use SELinux: helps with some classes of application-level vulnerabilities https://www.docker.com/ *I’m obviously very biased on this subject
  • 23. Production access without 2FA ‣Create choke-points for production access •SSH access should require TOTP token through a Bastion host •Internal dashboard access should go through a 2FA SSO SSH Bastion Host Datacenter Front-end Server Back-end Server Corporate Network SSO Portal Internal Dashboard
  • 24. Trust from the corporate network ‣Corporate network should have no trust relations with production (or minimal trust) SSH Bastion Host Datacenter Front-end Server Back-end Server Internet SSO Portal Internal Dashboard
  • 25. No centralized logging ‣Create a new service/application check-list for with two items: •Enable centralized logging •Ensure NTP is being synced ‣Are you using AWS? Go enable Cloudtrail now! •Seriously, do it now, I’ll wait. http://aws.amazon.com/cloudtrail/
  • 26. Not having root use as an alertable event ‣#people with the root password should be < #fingers in your hand ‣Log all uses of sudo -s ; sudo -i ; su - ; su root ; etc •These should not be common events http://knowyourmeme.com/memes/sad-panda
  • 27. HTTP for your S2S communication ‣All S2S communication should be HTTPS Datacenter Front-end Server Back-end Server Application Server
  • 29. Not having a self- service check-list ‣Create a self-service security check-list with the following items: •Download, install and set Chrome as the default browser •Install the Adblock extension •Java must be disabled •Flash must be set as click to play •Full-disk encryption is mandatory •Enroll the laptop in Find my Mac •Passwords are generated and stored in 1Password
  • 30. Summary ‣There are security issues that every company will eventually have to deal with ‣Some mistakes will be a lot more costly than others ‣Bring in someone in whose job is to worry about Security early on •Remember: real security engineers ship!