Copyright (c) 2011, FireEye, Inc. All rights reserved. | CONFIDENTIAL ‹#›
Securing Your Rails Application
Christophe Lucas
Mandiant, a FireEye Company
Copyright (c) 2014, FireEye, Inc. All rights reserved.
Heartbleed
OpenSSL CVE-2014-0160 vulnerability
• Allows attacker to read unencrypted traffic
• Steal keys, usernames, passwords
• Programming mistake
New OpenSSL release to fix 6 bugs
• SSL/TLS MITM vulnerability (CVE-2014-0224)
• DTLS recursion flaw (CVE-2014-0221)
• DTLS invalid fragment vulnerability (CVE-2014-0195)
• SSL_MODE_RELEASE_BUFFERS NULL pointer dereference (CVE-2014-0198)
• SSL_MODE_RELEASE_BUFFERS session injection or denial of service (CVE-2010-5298)
• Anonymous ECDH denial of service (CVE-2014-3470)
OpenSSL?
• Open source implementation of the SSL/TLS protocols, written in C
• SSL: Secure Sockets Layer
• TLS: Transport Layer Security
• The ’S’ in HTTPS
Transport Layer Security
• SSL originally developed by Netscape
• 1995: SSL 2.0
• 1996: SSL 3.0
• 1999: TLS 1.0, RFC 2246
• 2006: TLS 1.1, RFC 4346
• 2008: TLS 1.2, RFC 5246
TLS handshake (diagram: client on the left, server on the right)
1. Client → Server: Client Hello (TLS version, cipher)
2. Server → Client: Server Hello (TLS version, cipher), public key and certificate
3. Client validates the certificate
4. Client → Server: Client Finished, encrypted with PK
5. Server → Client: Server Finished, encrypted
6. Application data then flows over the TLS Record Protocol
HTTP Secure
How is my SSL?
• https://www.howsmyssl.com
• Version
• Ephemeral key support
• Session ticket support
• TLS compression
• Cipher suites
Secure Hash Algorithm
• 1993 SHA-0
• 1995 SHA-1, published by
• 2001 SHA-2, published by
• 2014 SHA-3 (Draft), published by
Use SSL/TLS
Credits: http://www.nsa.gov
Being Boring: A Survival Guide to Ruby Cryptography
• Crypto API on top of a bunch of crazy code written by amateurs (Ruby OpenSSL): not boring
• Crypto API on top of a crypto library written by cryptographers: boring
Credits: Tony Arcieri - RubyConf 2013
OpenSSL → Ruby NaCl
https://github.com/cryptosphere/rbnacl
Vulnerabilities
• Transport
• Rendering
=> secure the HTTP headers
Secure session
• config/environments/production.rb
config.force_ssl = true
• Only send the session cookie over a secure connection
• Adds the Secure attribute to Set-Cookie
Request - Response (diagram sequence: browser requests http://, is redirected to https://)
Session Hijacking (MITM) (diagram sequence: attacker sits between the browser's http:// request and the https:// site)
Prevent Attack
• Use HTTP Strict Transport Security (HSTS)
• Ensure that the browser only visits the HTTPS version of the website
Strict-Transport-Security: max-age=15768000; includeSubDomains
• No more redirect: eliminates the first insecure round trip
Transport
• TLS: Transport Layer Security
• Secure Cookies
• HSTS: HTTP Strict Transport Security
Protect Cookie
Set-Cookie: the_secure_cookie; Secure
A Secure cookie is still readable from script: <script>alert(document.cookie);</script>
HttpOnly:
Set-Cookie: the_cookie; Secure; HttpOnly
Session cookies are HttpOnly by default
Content Security Policy
Whitelist content sources
Content-Security-Policy:
default-src 'self';
img-src 'self' data:;
media-src mediastream:;
script-src 'self' https://example.com
Audit your CSP
Report-only mode reports violations without blocking anything:
Content-Security-Policy-Report-Only:
default-src 'self';
img-src 'self' data:;
media-src mediastream:;
script-src 'self' https://example.com
Frame Options (XFO)
Prevent clickjacking:
X-Frame-Options: DENY
X-Frame-Options: SAMEORIGIN
X-Frame-Options: ALLOW-FROM https://example.com/
XSS protection
Cross-site scripting filter:
X-XSS-Protection: 1; mode=block
Prevent content sniffing
Prevent attacks based on MIME-type confusion:
X-Content-Type-Options: nosniff
Rendering
• HttpOnly Cookies
• Content Security Policy
• Frame Options
• XSS protection
• Content Type Options
secure_headers gem
• https://github.com/twitter/secureheaders
• Content Security Policy (CSP)
• HTTP Strict Transport Security (HSTS)
• X-Frame-Options (XFO)
• XSS Protection
• MIME type sniffing protection
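The transport and rendering headers walked through above, in one added Ruby example that is not code from the deck and does not use the secure_headers gem's API: a minimal Rack-style middleware that sets the deck's header values (HSTS, CSP or its Report-Only variant, X-Frame-Options, X-XSS-Protection, X-Content-Type-Options) and an audit helper that reports which recommendations a response is missing, including Secure and HttpOnly on each Set-Cookie. The module and method names are my own.

```ruby
# Added example (not the deck's code, not the secure_headers gem): a tiny
# Rack-style middleware that sets the headers covered in the slides, plus an
# audit helper that reports which recommendations a response is missing.
module RailsHardening
  # Header values taken from the deck's slides.
  DEFAULT_HEADERS = {
    'Strict-Transport-Security' => 'max-age=15768000; includeSubDomains',
    'Content-Security-Policy'   => "default-src 'self'; img-src 'self' data:; " \
                                   "media-src mediastream:; script-src 'self' https://example.com",
    'X-Frame-Options'           => 'DENY',
    'X-XSS-Protection'          => '1; mode=block',
    'X-Content-Type-Options'    => 'nosniff'
  }.freeze

  # Middleware with the Rack calling convention: call(env) -> [status, headers, body].
  # report_only: true emits Content-Security-Policy-Report-Only instead of the
  # enforcing header (the "Audit your CSP" slide): violations are reported, not blocked.
  class SecurityHeaders
    def initialize(app, report_only: false, overrides: {})
      @app = app
      @report_only = report_only
      @headers = DEFAULT_HEADERS.merge(overrides)
    end

    def call(env)
      status, headers, body = @app.call(env)
      headers = headers.dup
      @headers.each do |name, value|
        name = 'Content-Security-Policy-Report-Only' if @report_only && name == 'Content-Security-Policy'
        headers[name] ||= value # never clobber a header the application set itself
      end
      [status, headers, body]
    end
  end

  # Audit a response's headers against the deck's recommendations.
  # Returns an array of findings; an empty array means nothing is missing.
  def self.audit(headers)
    findings = []
    lookup = headers.transform_keys(&:downcase) # header names are case-insensitive

    findings << 'missing HSTS' unless lookup['strict-transport-security']
    enforcing = lookup['content-security-policy']
    reporting = lookup['content-security-policy-report-only']
    findings << 'missing CSP' unless enforcing || reporting
    findings << 'CSP is report-only (audit mode, not enforced)' if !enforcing && reporting
    findings << 'missing X-Frame-Options' unless lookup['x-frame-options']
    findings << 'missing X-XSS-Protection' unless lookup['x-xss-protection']
    unless lookup['x-content-type-options'].to_s.strip.casecmp?('nosniff')
      findings << 'X-Content-Type-Options is not nosniff'
    end

    # Set-Cookie may carry several cookies (newline-joined string or an array);
    # every one of them should carry both Secure and HttpOnly.
    Array(lookup['set-cookie']).flat_map { |v| v.to_s.split("\n") }.each do |cookie|
      parts = cookie.split(';')
      name  = parts.first.to_s.split('=').first.to_s.strip
      attrs = parts.drop(1).map { |a| a.strip.downcase }
      findings << "cookie #{name} lacks Secure" unless attrs.include?('secure')
      findings << "cookie #{name} lacks HttpOnly" unless attrs.include?('httponly')
    end
    findings
  end
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample application response for the demo.
  app = ->(_env) { [200, { 'Content-Type' => 'text/html', 'Set-Cookie' => 'the_cookie=1' }, ['ok']] }
  _status, hardened, _body = RailsHardening::SecurityHeaders.new(app).call({})
  puts "findings: #{RailsHardening.audit(hardened).inspect}"
end
```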
Brakeman gem
Static analyzer for vulnerabilities
> brakeman
+-------------------+---------+
| Scanned/Reported | Total |
+-------------------+---------+
| Controllers | 17 |
| Models | 11 |
| Templates | 72 |
| Errors | 0 |
| Security Warnings | 21 (12) |
+-------------------+---------+
+----------------------------+-------+
| Warning Type | Total |
+----------------------------+-------+
| Cross Site Scripting | 4 |
| Cross-Site Request Forgery | 1 |
| Denial of Service | 2 |
| File Access | 1 |
| Format Validation | 1 |
| Mass Assignment | 5 |
| Remote Code Execution | 4 |
| SQL Injection | 2 |
| Session Setting | 1 |
+----------------------------+-------+
codesake-dawn gem
static code scanner
> dawn --rails .
13:37:54 [*] dawn v1.1.3 is starting up
13:37:54 [$] dawn: scanning .
13:37:54 [$] dawn: rails v4.1.1 detected
13:37:54 [$] dawn: applying all security checks
13:37:54 [$] dawn: 173 security checks applied - 0 security checks skipped
13:37:54 [$] dawn: 2 vulnerabilities found
13:37:54 [!] dawn: Owasp Ror CheatSheet: Session management check failed
13:37:54 [$] dawn: Severity: info
13:37:54 [$] dawn: Priority: unknown
13:37:54 [$] dawn: Description: By default, Ruby on Rails uses a Cookie based session
store. What that means is that unless you change something, the session will not expire
on the server. That means that some default applications may be vulnerable to replay
attacks. It also means that sensitive information should never be put in the session.
13:37:54 [$] dawn: Solution: Use ActiveRecord or the ORM you love most to handle your
code session_store. Add "Application.config.session_store :active_record_store" to your
session_store.rb file.
13:37:54 [$] dawn: Evidence:
13:37:54 [$] dawn: In your session_store.rb file you are not using ActiveRercord to
store session data. This will let rails to use a cookie based session and it can expose
your web application to a session replay attack.
13:37:54 [$] dawn: {:filename=>"./config/initializers/session_store.rb", :matches=>[]}
gauntlt gem
• Build attacks with cucumber scripts
> gauntlt
Rugged DevOps
InfoSec + Dev + Ops = Rugged DevOps
http://ruggeddevops.org
https://www.ruggedsoftware.org
Code Monitoring tools
• https://codeclimate.com
• https://gemcanary.com
• https://gemnasium.com
Resources
• http://guides.rubyonrails.org/security.html
• https://www.owasp.org/index.php/Ruby_on_Rails_Cheatsheet
• https://www.ssllabs.com
• https://github.com/cryptosphere/rbnacl
• https://github.com/twitter/secureheaders
• http://brakemanscanner.org
• https://github.com/codesake/codesake-dawn
• http://gauntlt.org
Questions?
christophe.lucas@mandiant.com
@krof
办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书
办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书zdzoqco
 
Call Girls Near The Suryaa Hotel New Delhi 9873777170
Call Girls Near The Suryaa Hotel New Delhi 9873777170Call Girls Near The Suryaa Hotel New Delhi 9873777170
Call Girls Near The Suryaa Hotel New Delhi 9873777170Sonam Pathan
 
Film cover research (1).pptxsdasdasdasdasdasa
Film cover research (1).pptxsdasdasdasdasdasaFilm cover research (1).pptxsdasdasdasdasdasa
Film cover research (1).pptxsdasdasdasdasdasa494f574xmv
 
Font Performance - NYC WebPerf Meetup April '24
Font Performance - NYC WebPerf Meetup April '24Font Performance - NYC WebPerf Meetup April '24
Font Performance - NYC WebPerf Meetup April '24Paul Calvano
 
办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一
办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一
办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一z xss
 
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书rnrncn29
 
Top 10 Interactive Website Design Trends in 2024.pptx
Top 10 Interactive Website Design Trends in 2024.pptxTop 10 Interactive Website Design Trends in 2024.pptx
Top 10 Interactive Website Design Trends in 2024.pptxDyna Gilbert
 
Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170
Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170
Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170Sonam Pathan
 
PHP-based rendering of TYPO3 Documentation
PHP-based rendering of TYPO3 DocumentationPHP-based rendering of TYPO3 Documentation
PHP-based rendering of TYPO3 DocumentationLinaWolf1
 

Último (17)

Q4-1-Illustrating-Hypothesis-Testing.pptx
Q4-1-Illustrating-Hypothesis-Testing.pptxQ4-1-Illustrating-Hypothesis-Testing.pptx
Q4-1-Illustrating-Hypothesis-Testing.pptx
 
『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书
『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书
『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书
 
SCM Symposium PPT Format Customer loyalty is predi
SCM Symposium PPT Format Customer loyalty is prediSCM Symposium PPT Format Customer loyalty is predi
SCM Symposium PPT Format Customer loyalty is predi
 
Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作
Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作
Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作
 
NSX-T and Service Interfaces presentation
NSX-T and Service Interfaces presentationNSX-T and Service Interfaces presentation
NSX-T and Service Interfaces presentation
 
Contact Rya Baby for Call Girls New Delhi
Contact Rya Baby for Call Girls New DelhiContact Rya Baby for Call Girls New Delhi
Contact Rya Baby for Call Girls New Delhi
 
办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书
办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书
办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书
 
Call Girls Near The Suryaa Hotel New Delhi 9873777170
Call Girls Near The Suryaa Hotel New Delhi 9873777170Call Girls Near The Suryaa Hotel New Delhi 9873777170
Call Girls Near The Suryaa Hotel New Delhi 9873777170
 
Film cover research (1).pptxsdasdasdasdasdasa
Film cover research (1).pptxsdasdasdasdasdasaFilm cover research (1).pptxsdasdasdasdasdasa
Film cover research (1).pptxsdasdasdasdasdasa
 
Font Performance - NYC WebPerf Meetup April '24
Font Performance - NYC WebPerf Meetup April '24Font Performance - NYC WebPerf Meetup April '24
Font Performance - NYC WebPerf Meetup April '24
 
办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一
办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一
办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一
 
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书
 
Top 10 Interactive Website Design Trends in 2024.pptx
Top 10 Interactive Website Design Trends in 2024.pptxTop 10 Interactive Website Design Trends in 2024.pptx
Top 10 Interactive Website Design Trends in 2024.pptx
 
Hot Sexy call girls in Rk Puram 🔝 9953056974 🔝 Delhi escort Service
Hot Sexy call girls in  Rk Puram 🔝 9953056974 🔝 Delhi escort ServiceHot Sexy call girls in  Rk Puram 🔝 9953056974 🔝 Delhi escort Service
Hot Sexy call girls in Rk Puram 🔝 9953056974 🔝 Delhi escort Service
 
Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170
Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170
Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170
 
young call girls in Uttam Nagar🔝 9953056974 🔝 Delhi escort Service
young call girls in Uttam Nagar🔝 9953056974 🔝 Delhi escort Serviceyoung call girls in Uttam Nagar🔝 9953056974 🔝 Delhi escort Service
young call girls in Uttam Nagar🔝 9953056974 🔝 Delhi escort Service
 
PHP-based rendering of TYPO3 Documentation
PHP-based rendering of TYPO3 DocumentationPHP-based rendering of TYPO3 Documentation
PHP-based rendering of TYPO3 Documentation
 

Securing your Rails application

  • 1. Copyright (c) 2011, FireEye, Inc. All rights reserved. | CONFIDENTIAL. Securing Your Rails Application. Christophe Lucas, Mandiant, a FireEye Company
  • 2. Copyright (c) 2014, FireEye, Inc. All rights reserved. Heartbleed
  • 3. OpenSSL CVE-2014-0160 vulnerability • Allows an attacker to read unencrypted traffic • Steal keys, usernames, passwords • Programming mistake
  • 4. New OpenSSL release to fix 6 bugs • SSL/TLS MITM vulnerability (CVE-2014-0224) • DTLS recursion flaw (CVE-2014-0221) • DTLS invalid fragment vulnerability (CVE-2014-0195) • SSL_MODE_RELEASE_BUFFERS NULL pointer dereference (CVE-2014-0198) • SSL_MODE_RELEASE_BUFFERS session injection or denial of service (CVE-2010-5298) • Anonymous ECDH denial of service (CVE-2014-3470)
  • 5. OpenSSL? • Open source implementation of the TLS protocols, written in C • SSL: Secure Sockets Layer • TLS: Transport Layer Security • The 'S' in HTTPS
  • 6. Transport Layer Security • Developed by Netscape • 1995: SSL 2.0 • 1996: SSL 3.0 • 1999: TLS 1.0, RFC 2246 • 2006: TLS 1.1, RFC 4346 • 2008: TLS 1.2, RFC 5246
  • 7. TLS handshake (diagram: Client and Server) • Client Hello: TLS version, cipher • Server Hello: TLS version, cipher, public key and certificate • Client validates the certificate • Client Finished: encrypted with the public key • Server Finished: encrypted • TLS Record Protocol
  • 8. HTTP Secure
  • 9. How is my SSL? • https://www.howsmyssl.com • Version • Ephemeral key support • Session ticket support • TLS compression • Cipher suites
  • 10. Secure Hash Algorithm • 1993 SHA-0 • 1995 SHA-1, published by • 2001 SHA-2, published by • 2014 SHA-3 (Draft), published by
  • 11. Use SSL/TLS. Credits: http://www.nsa.gov
  • 12. Being Boring: A Survival Guide to Ruby Cryptography. Crypto API: a bunch of crazy code written by amateurs (Ruby OpenSSL). Not boring. Credits: Tony Arcieri, RubyConf 2013
  • 13. Being Boring: A Survival Guide to Ruby Cryptography. Crypto API: a crypto library written by cryptographers. Boring. Credits: Tony Arcieri, RubyConf 2013
  • 14. OpenSSL -> Ruby NaCl: https://github.com/cryptosphere/rbnacl
  • 15. Vulnerabilities • Transport • Rendering => secure the HTTP headers
  • 16. Secure session • config/environments/production.rb: config.force_ssl = true • Only send the session cookie over a secure connection • Adds the Secure attribute to Set-Cookie
  • 17-21. Request - Response (diagram: Browser, http://, https://)
  • 22-24. Session Hijacking (MITM) (diagram: Browser, Attacker, http://, https://)
  • 25. Prevent attack • Use HTTP Strict Transport Security (HSTS) • Ensure that the browser only visits the HTTPS version of the website: Strict-Transport-Security: max-age=15768000; includeSubDomains • No more redirect, eliminates the first insecure round trip
  • 26. Transport • TLS: Transport Layer Security • Secure cookies • HSTS: HTTP Strict Transport Security
  • 27. Protect cookie • Set-Cookie: the_secure_cookie; Secure • <script>alert(document.cookie);</script> • HTTP only: Set-Cookie: the_cookie; Secure; HttpOnly • Session cookies are HttpOnly by default
  • 28. Content Security Policy: whitelist content • Content-Security-Policy: default-src 'self'; img-src 'self' data:; media-src mediastream:; script-src 'self' https://example.com
  • 29. Audit your CSP • Content-Security-Policy-Report-Only: default-src 'self'; img-src 'self' data:; media-src mediastream:; script-src 'self' https://example.com
  • 30. Frame Options (XFO): prevent clickjacking • X-Frame-Options: DENY • X-Frame-Options: SAMEORIGIN • X-Frame-Options: ALLOW-FROM https://example.com/
  • 31. XSS protection: cross-site scripting filter • X-XSS-Protection: 1; mode=block
  • 32. Prevent content sniffing: prevent attacks based on MIME-type confusion • X-Content-Type-Options: nosniff
  • 33. Rendering • HttpOnly cookies • Content Security Policy • Frame Options • XSS protection • Content Type Options
  • 34. secure_headers gem • https://github.com/twitter/secureheaders • Content Security Policy (CSP) • HTTP Strict Transport Security (HSTS) • X-Frame-Options (XFO) • XSS Protection • MIME type sniffing protection
  • 35. Brakeman gem: static analyzer for vulnerabilities. Output of > brakeman:
      +-------------------+---------+
      | Scanned/Reported  | Total   |
      +-------------------+---------+
      | Controllers       | 17      |
      | Models            | 11      |
      | Templates         | 72      |
      | Errors            | 0       |
      | Security Warnings | 21 (12) |
      +-------------------+---------+
      +----------------------------+-------+
      | Warning Type               | Total |
      +----------------------------+-------+
      | Cross Site Scripting       | 4     |
      | Cross-Site Request Forgery | 1     |
      | Denial of Service          | 2     |
      | File Access                | 1     |
      | Format Validation          | 1     |
      | Mass Assignment            | 5     |
      | Remote Code Execution      | 4     |
      | SQL Injection              | 2     |
      | Session Setting            | 1     |
      +----------------------------+-------+
  • 36. codesake-dawn gem: static code scanner. Output of > dawn --rails .:
      13:37:54 [*] dawn v1.1.3 is starting up
      13:37:54 [$] dawn: scanning .
      13:37:54 [$] dawn: rails v4.1.1 detected
      13:37:54 [$] dawn: applying all security checks
      13:37:54 [$] dawn: 173 security checks applied - 0 security checks skipped
      13:37:54 [$] dawn: 2 vulnerabilities found
      13:37:54 [!] dawn: Owasp Ror CheatSheet: Session management check failed
      13:37:54 [$] dawn: Severity: info
      13:37:54 [$] dawn: Priority: unknown
      13:37:54 [$] dawn: Description: By default, Ruby on Rails uses a Cookie based session store. What that means is that unless you change something, the session will not expire on the server. That means that some default applications may be vulnerable to replay attacks. It also means that sensitive information should never be put in the session.
      13:37:54 [$] dawn: Solution: Use ActiveRecord or the ORM you love most to handle your code session_store. Add "Application.config.session_store :active_record_store" to your session_store.rb file.
      13:37:54 [$] dawn: Evidence:
      13:37:54 [$] dawn: In your session_store.rb file you are not using ActiveRercord to store session data. This will let rails to use a cookie based session and it can expose your web application to a session replay attack.
      13:37:54 [$] dawn: {:filename=>"./config/initializers/session_store.rb", :matches=>[]}
  • 37. gauntlt gem • Build attacks with cucumber scripts • > gauntlt
  • 38. Rugged DevOps • InfoSec + Dev + Ops = Rugged DevOps • http://ruggeddevops.org • https://www.ruggedsoftware.org
  • 39. Code monitoring tools • https://codeclimate.com • https://gemcanary.com • https://gemnasium.com
  • 40. Resources • http://guides.rubyonrails.org/security.html • https://www.owasp.org/index.php/Ruby_on_Rails_Cheatsheet • https://www.ssllabs.com • https://github.com/cryptosphere/rbnacl • https://github.com/twitter/secureheaders • http://brakemanscanner.org • https://github.com/codesake/codesake-dawn • http://gauntlt.org
  • 41. Questions? christophe.lucas@mandiant.com @krof
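The transport and rendering headers from slides 16, 25 and 27 to 33, as an added example that is not code from the deck or from the secure_headers gem: a plain Rack-style middleware that sets them, marks every Set-Cookie as Secure and HttpOnly, and an audit helper that lists which recommended headers a response still lacks. The script-src host example.com is a placeholder taken from the slides, and the middleware assumes nothing beyond the Rack call contract, so it runs without any gem installed.

```ruby
# Added example (not the deck's or the secure_headers gem's code): Rack-style
# middleware emitting the headers the slides recommend, plus an audit helper.

SECURITY_HEADERS = {
  # Transport (slide 25): pin HTTPS for 15768000 s, subdomains included.
  'Strict-Transport-Security' => 'max-age=15768000; includeSubDomains',
  # Rendering (slide 28): whitelist content sources; example.com stands in
  # for a real script host. Ship the Report-Only variant first to audit.
  'Content-Security-Policy' =>
    "default-src 'self'; img-src 'self' data:; media-src mediastream:; " \
    "script-src 'self' https://example.com",
  'X-Frame-Options' => 'SAMEORIGIN',          # slide 30: anti-clickjacking
  'X-XSS-Protection' => '1; mode=block',      # slide 31: legacy XSS filter
  'X-Content-Type-Options' => 'nosniff'       # slide 32: no MIME sniffing
}.freeze

# Slide 27: append Secure and HttpOnly to one Set-Cookie value unless the
# attribute is already present (attribute names are case-insensitive).
def harden_cookie(value)
  attrs = value.split(';').map(&:strip)
  %w[Secure HttpOnly].each do |flag|
    attrs << flag unless attrs.any? { |a| a.casecmp?(flag) }
  end
  attrs.join('; ')
end

# Returns the recommended headers that a response does not carry.
def missing_security_headers(headers)
  SECURITY_HEADERS.keys.reject { |name| headers.key?(name) }
end

class SecureHeaders
  def initialize(app)
    @app = app
  end

  # Rack contract: call the inner app, then post-process its triple.
  # Defaults are merged underneath so a header the app set itself wins.
  def call(env)
    status, headers, body = @app.call(env)
    headers = SECURITY_HEADERS.merge(headers)
    if (cookies = headers['Set-Cookie'])
      # Rack 2 joins several cookies with "\n"; Rack 3 uses an Array.
      headers['Set-Cookie'] =
        if cookies.is_a?(Array)
          cookies.map { |c| harden_cookie(c) }
        else
          cookies.split("\n").map { |c| harden_cookie(c) }.join("\n")
        end
    end
    [status, headers, body]
  end
end
```

In a Rails app this would be registered with config.middleware.use in an initializer; run missing_security_headers over a response from staging to confirm nothing is lost.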