DevSecCon London 2017: Hands-on secure software development from design to deployment by Gabor Pek
Slide 1: Hands-on secure software development from design to deployment. By Gábor Pék, Co-founder and CTO at Avatao. Join the conversation #DevSecCon
Slide 2: About me - Intel virtualization hacks (e.g., XSA-59); research of advanced targeted attacks (Duqu, Flame, miniDuke); founder of !SpamAndHex (3x DEFCON CTF finalist team); PhD in virtualization and malware security (CrySyS Lab, BME); co-founder and CTO at Avatao (a CrySyS Lab spin-off)
Slide 3: CrySyS Lab analyses high-profile targeted attacks
Slide 4: !SpamAndHex - 3x DEFCON CTF finalists
Slide 5: Security is missing from education
Slide 6: Practical security at universities?
Slide 7: Apps failing security checks
Slide 8: Barnaby Jack pacemaker hack
Slide 9: Autonomous cars
Slide 10: Hacking in the media
Slide 11: Need good developers, not only hackers
Slide 12: Real learning: let them take it apart…
Slide 13: …but then you have to build something better
Slide 14: How to do it in practice? ”Bug parade is only half of the problem” - Gary McGraw
Slide 15: Software security must cover each phase of SDLC! Source -
Slide 16: The story
Slide 17: Let’s do something practical - Attack, fix and rewrite the legacy system of a spaceline company. Legacy vs. New
Slide 18: Try’n’Err Spaceline - Legacy vs. New
Slide 19: https://avatao.com/events/devseccon2017
Slide 20: Check the Platform
Slide 21: Design
Slide 22: Bad DB design. Feature - Store basic user information. Vulnerability - No UNIQUE constraint on username. Fix legacy - Use of constraints
Slide 23: Implementation
Slide 24: Weak password policy. Feature - Handle user passwords. Vulnerability - Passwords are stored in plaintext. Fix legacy - Use strong hash functions. Misc - Check password strength (regex, or zxcvbn from Dropbox)
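The storage fix from the "weak password policy" slide, as an added example that is not from the talk or its Try'n'Err project: Python's standard library instead of the talk's Java stack (Spring Security's PasswordEncoder plays the same role there), with a salted PBKDF2 hash, a constant-time verify and a minimal strength check standing in for zxcvbn. The iteration count, salt size and deny-list are assumptions.

```python
# Added example, not from the talk: fixes the plaintext storage on the
# "weak password policy" slide with the standard library: PBKDF2-HMAC-SHA256,
# a random per-user salt, a self-describing stored format and a constant-time
# verify. The strength check is a minimal stand-in for an estimator like zxcvbn.
import base64
import hashlib
import hmac
import os

ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor from the OWASP Password Storage Cheat Sheet
SALT_BYTES = 16
# Constructed deny-list; a real one is a large breached-password set (or zxcvbn's scoring).
COMMON_PASSWORDS = {"password", "123456789012", "qwertyuiop12", "spaceline2017", "password1234"}

def _b64(raw):
    return base64.b64encode(raw).decode("ascii")

def hash_password(password, salt=None):
    """Return 'pbkdf2_sha256$iterations$salt$digest'; the password itself is never stored."""
    salt = salt or os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${_b64(salt)}${_b64(digest)}"

def verify_password(stored, password):
    """Recompute with the stored salt and iteration count, compare in constant time."""
    algo, iterations, salt_b64, digest_b64 = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    base64.b64decode(salt_b64), int(iterations))
    return hmac.compare_digest(candidate, base64.b64decode(digest_b64))

def password_is_strong(password):
    """Minimal policy: a length floor and a deny-list instead of the legacy regex rules."""
    return len(password) >= 12 and password.lower() not in COMMON_PASSWORDS
```

Storing the iteration count inside the record is what lets you raise ITERATIONS later and re-hash users on their next successful login.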
Slide 25: Authentication bypass. Feature - Login. Vulnerability - Authentication can be bypassed by SQL injection. Fix legacy - Prepared statements. Write new - Use Hibernate
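The "bad DB design" and "authentication bypass" slides together, as an added example that is not the talk's code: sqlite3 in place of the Java application so it runs offline, with the UNIQUE constraint on the username, the legacy string-built login beside the prepared-statement fix, and a constructed users table.

```python
# Added example, not from the talk: the "bad DB design" (slide 22) and
# "authentication bypass" (slide 25) fixes in sqlite3 so it runs offline.
# Table and rows are constructed; the password column stays plaintext here
# only to keep the focus on the query shape (slide 24 covers hashing).
import sqlite3

def open_db():
    con = sqlite3.connect(":memory:")
    # Fix legacy (slide 22): the UNIQUE constraint makes the database, not
    # application code, enforce one account per username.
    con.execute("CREATE TABLE users (id INTEGER PRIMARY KEY,"
                " username TEXT NOT NULL UNIQUE, password TEXT NOT NULL)")
    con.execute("INSERT INTO users (username, password) VALUES ('alice', 'alice-pw')")
    return con

def register(con, username, password):
    """True when the account is created, False when the name is already taken."""
    try:
        con.execute("INSERT INTO users (username, password) VALUES (?, ?)", (username, password))
        return True
    except sqlite3.IntegrityError:  # raised by the schema; no racy SELECT-then-INSERT needed
        return False

def login_legacy(con, username, password):
    """Legacy login: input is spliced into the SQL text, so a quote in the
    username rewrites the statement instead of being compared as a value."""
    query = (f"SELECT id FROM users WHERE username = '{username}'"
             f" AND password = '{password}'")
    return con.execute(query).fetchone() is not None

def login_fixed(con, username, password):
    """Fix legacy (slide 25): the prepared statement sends values separately,
    so the same input can only ever be compared as data."""
    row = con.execute("SELECT id FROM users WHERE username = ? AND password = ?",
                      (username, password)).fetchone()
    return row is not None

def demo():
    """Run both logins with a username whose trailing '--' comments out the password check."""
    con = open_db()
    injected = "alice' --"  # constructed input
    return {
        "duplicate_rejected": register(con, "alice", "other") is False,
        "legacy_bypassed": login_legacy(con, injected, "wrong"),
        "fixed_holds": login_fixed(con, injected, "wrong") is False,
        "fixed_real_login": login_fixed(con, "alice", "alice-pw"),
    }
```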
Slide 26: Insecure Direct Object Reference. Feature - Flight and user information. Vulnerability - Accessing privileged resources. Fix legacy - Check access control by user ID. Write new - Use Spring to check ID and role
Slide 27: Regular Expression DoS. Feature - Registration (email RE in Spring). Vulnerability - Evil REs get stuck on crafted inputs: (a+)+, ([a-zA-Z]+)*, (a|aa)+, (a|a?)+, (.*a){x} for x > 10. Source - OWASP Regular Expression DoS
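A screening check for the evil patterns listed on the ReDoS slide, plus the input-length cap that belongs in front of any regex fed by user input; this is an added example, not from the talk. It walks the tree built by CPython's internal regex parser (so Python syntax rather than Java's), and the EMAIL_RE stand-in for the registration check is an assumption.

```python
# Added example, not from the talk: screens a regex for the evil shapes on the
# ReDoS slide and caps input length before matching. Walks the tree built by
# CPython's internal regex parser, so it covers Python syntax only.
import re
try:
    from re import _parser as sre_parse  # Python 3.11+
except ImportError:
    import sre_parse  # older CPython

REPEATS = (sre_parse.MAX_REPEAT, sre_parse.MIN_REPEAT)
MAXREPEAT = sre_parse.MAXREPEAT  # parser's marker for an unbounded quantifier
EMAIL_RE = r"^[a-z0-9._%+-]+@[a-z0-9.-]+\.[a-z]{2,}$"  # constructed stand-in for the registration check

def _first_literal(sub):
    # First literal char a branch must match, or None when it starts with something else.
    for op, av in sub:
        if op == sre_parse.LITERAL:
            return chr(av)
        if op == sre_parse.SUBPATTERN:
            return _first_literal(av[3])
        return _first_literal(av[2]) if op in REPEATS else None
    return None

def _walk(sub, outer_max, findings):
    # outer_max: widest enclosing repeat bound, 0 when not inside any repeat.
    for op, av in sub:
        if op in REPEATS:
            _lo, hi, body = av
            if outer_max and (outer_max == MAXREPEAT or hi == MAXREPEAT):
                findings.add("nested quantifier")  # (a+)+, ([a-zA-Z]+)*, (.*a){11}
            _walk(body, max(outer_max, hi) if hi > 1 else outer_max, findings)
        elif op == sre_parse.SUBPATTERN:
            _walk(av[3], outer_max, findings)
        elif op == sre_parse.BRANCH:
            alts = av[1]
            firsts = [f for f in map(_first_literal, alts) if f is not None]
            if outer_max and (any(len(a) == 0 for a in alts) or len(firsts) != len(set(firsts))):
                findings.add("overlapping alternation")  # (a|aa)+, (a|a?)+
            for alt in alts:
                _walk(alt, outer_max, findings)

def evil_regex_findings(pattern):
    """Sorted list of problems; empty means the pattern passed screening."""
    findings = set()
    _walk(sre_parse.parse(pattern), 0, findings)
    return sorted(findings)

def safe_fullmatch(pattern, text, max_len=254):
    """Refuse flagged patterns and overlong input before handing anything to re."""
    problems = evil_regex_findings(pattern)
    if problems:
        raise ValueError(f"refusing pattern {pattern!r}: {', '.join(problems)}")
    return None if len(text) > max_len else re.fullmatch(pattern, text)
```

The heuristic is a screen, not a proof: it will pass some slow patterns and flag some harmless ones, so the length cap stays in place regardless.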
Slide 28: Open Redirect. Feature - Login. Vulnerability - Open redirect. Attack new - Craft malicious URLs to bypass unvalidated redirects.
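A post-login redirect check for the "open redirect" slide, as an added example that is not the talk's code: only a same-site path or an absolute URL on an allow-listed host is honoured, everything else falls back to the home page. The host name, default target and parameter name are assumptions.

```python
# Added example, not from the talk: validating the post-login redirect target
# from the "open redirect" slide. Accepts a relative path on this site or an
# absolute URL on an allow-listed host; anything else goes to the home page.
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"spaceline.example"}  # constructed placeholder for the application's own host(s)
DEFAULT_TARGET = "/"

def is_safe_redirect(target):
    """True only for a same-site path ('/flights?x=1') or an allow-listed absolute URL."""
    if not target or target != target.strip():
        return False  # empty, or padded with whitespace the URL parser would quietly drop
    if "\\" in target or "\r" in target or "\n" in target:
        return False  # browsers treat '\' like '/'; CR/LF would split the Location header
    parts = urlsplit(target)
    if parts.scheme:
        # Absolute URL: must be http(s) and point at one of our own hosts.
        return parts.scheme in ("http", "https") and parts.hostname in ALLOWED_HOSTS
    if parts.netloc:
        return False  # scheme-relative '//other.host/...' inherits https: and leaves the site
    return target.startswith("/") and not target.startswith("//")

def redirect_after_login(next_param=""):
    """Where to send the user after login: the requested page when safe, else home."""
    if next_param and is_safe_redirect(next_param):
        return next_param
    return DEFAULT_TARGET
```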
Slide 29: Operation. Source – The Phoenix Project
Slide 30: The Final Countdown. Tomcat listens on localhost:8005 by default to allow for shutdown. Task - Say ”SHUTDOWN”.
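The hardening counterpart to the shutdown-port task, as an added example that is not from the talk: the stock `<Server>` element from Tomcat's `server.xml` next to one with the shutdown listener disabled. The replacement command string is a placeholder.

```xml
<!-- Stock server.xml header: any local process that can open TCP 8005 and
     send the command string stops Tomcat. -->
<Server port="8005" shutdown="SHUTDOWN">
  <!-- services ... -->
</Server>

<!-- Hardened: port="-1" turns the shutdown listener off, so Tomcat is stopped
     through the service manager (a signal to the process) instead. If the
     listener must stay, replace the command string with a long random value
     (placeholder below) and keep the bind on 127.0.0.1. -->
<Server port="-1" shutdown="CHANGE-ME-long-random-string">
  <!-- services ... -->
</Server>
```

After restarting, confirm nothing is listening on 8005 any more (for example with `ss -ltn` on Linux).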
Slide 31: Takeaway
Slide 32: Do your homework, first design
Slide 33: Frameworks. No framework is a silver bullet against bad code. Examples demonstrated: ReDoS, Open Redirect in Spring
Slide 34: Rubber duck debugging
Slide 35: Automated tests
Slide 36: Software security should go from design to deployment
Slide 37: Join the conversation #DevSecCon. Questions? gabor.pek@avatao.com