12. Bad
```python
import os

def dump_file(request):
    # Vulnerable: the user-controlled filename is joined onto BASE_PATH unchecked,
    # so "../" sequences or an absolute path escape the intended directory.
    filename = request.GET["filename"]
    filename = os.path.join(BASE_PATH, filename)
    content = open(filename).read()
```
Good
```python
import os
import posixpath
from urllib.parse import unquote  # urllib.unquote on Python 2, as on the slide

def safe_path(path):
    # Normalise the decoded path, then rebuild it component by component,
    # dropping empty parts, drive letters, '.' and '..' (Django's static-view approach).
    path = posixpath.normpath(unquote(path))
    newpath = ''
    for part in path.split('/'):
        if not part:
            continue
        drive, part = os.path.splitdrive(part)
        head, part = os.path.split(part)
        if part in (os.curdir, os.pardir):
            continue
        newpath = os.path.join(newpath, part).replace('\\', '/')
    return newpath
```
18. @gpaterno
10 million victims of identity theft in the USA in 2008 (Javelin Strategy and Research, 2009)
$221 billion lost every year due to identity theft (Aberdeen Group)
35 billion corporate and government records compromised in 2010 (Aberdeen Group)
2 years of a working resource to correct the damages due to identity theft (ITRC Aftermath Study, 2004)
$2 billion of damages reported in Italy in 2009 (Ricerca ABI)
42. @gpaterno
Example: SecurePass APIs
• RESTful APIs
• mixture of POST (in request) and JSON (in response)
• Channel encrypted with TLS using high-strength ciphers
• Endpoint identified by APP ID and APP Secret
• Example: /api/v1/users/info
API limits:
• in capabilities, APP ID read-only or read-write
• in network, APP ID can be limited to a given IPv4/IPv6
• in scope, APP ID is linked to only a specific realm/domain
43. @gpaterno
For the brave: Mandatory Access Control
• Isolate API endpoint processes from each other and from other processes on a machine.
• Use Mandatory Access Controls (MAC) on top of Discretionary Access Controls to segregate processes, e.g. SELinux
• Objective: containment and escalation of API endpoint security breaches.
• Use of MACs at the OS level severely limits access to resources and provides earlier alerting on such events.
45. @gpaterno
Authenticate User (2FA must)
Request Device ID to backend
Keep track of device info (OS, name, …)
Generate unique ID for the mobile
Use Device ID for every request
Update last device ID timestamp
Re-challenge user auth if not used
Allow device deletion (lost/stolen)
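The device-binding flow on this slide, as an added Python example that is not from the deck or from SecurePass: 2FA gates issuance of a random device ID, every request is checked against the registry and refreshes the last-used timestamp, an idle device is refused until the user passes 2FA again, and the owner can delete a lost or stolen device. The 30-day idle threshold, the hashed storage of device IDs and all class and method names are assumptions.

```python
import hashlib
import secrets
import time

# Assumed policy (not from the slides): re-challenge a device idle for 30 days.
REAUTH_AFTER = 30 * 24 * 3600


def _key(device_id):
    # Store only a hash so a leaked table does not yield usable device IDs.
    return hashlib.sha256(device_id.encode()).hexdigest()


class DeviceRegistry:
    """Backend device registry; `now` is injectable so tests can move the clock."""

    def __init__(self, now=time.time):
        self.now = now
        self._devices = {}  # _key(device_id) -> {"user", "info", "last_used"}

    def register(self, user, second_factor_ok, info):
        """Steps 1-4: only after 2FA passes, mint a random device ID and record the device."""
        if not second_factor_ok:
            raise PermissionError("2FA required before issuing a device ID")
        device_id = secrets.token_urlsafe(32)
        self._devices[_key(device_id)] = {
            "user": user, "info": dict(info), "last_used": self.now()}
        return device_id

    def authorize(self, device_id, second_factor_ok=False):
        """Steps 5-7: check the ID on every request and refresh its timestamp; a device
        idle longer than REAUTH_AFTER is refused until the user passes 2FA again."""
        dev = self._devices.get(_key(device_id))
        if dev is None:
            return None, "unknown device"
        if self.now() - dev["last_used"] > REAUTH_AFTER and not second_factor_ok:
            return None, "reauth required"
        dev["last_used"] = self.now()
        return dev["user"], "ok"

    def revoke(self, user, device_id):
        """Step 8: the owner deletes a lost or stolen device; its ID stops working at once."""
        dev = self._devices.get(_key(device_id))
        if dev is None or dev["user"] != user:
            return False
        del self._devices[_key(device_id)]
        return True
```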
49. @gpaterno
Cloud Identity Management
Two Factor Authentication
Web Single Sign-On
Few minutes to integrate
www.secure-pass.net
(free account available)
Remote audit of the service
Compliance check
Easy to read report
http://www.garl.ch/
50. @gpaterno
“Giuseppe is paving the way for enterprises to embrace OpenStack. Telecom Italia is, nonetheless, among these enterprises.”
Gianluca Pancaccini, CIO of Telecom Italia
“Giuseppe has done a great job of creating an important source of information on OpenStack technology.”
Jeff Cotten, CEO of RackSpace International
“SUSE appreciates Giuseppe's clear and concise explanation of OpenStack and its architecture. This will be a valuable resource.”
Ralf Flaxa, VP of Engineering SUSE
Donate now:
https://life-changer.helvetas.ch/openstack