9. USING DEPENDENCIES WITH KNOWN VULNERABILITIES
▸ More than 70% of real-world attacks exploit a known
vulnerability for which a fix is available but has not yet
been applied
http://www.verizonenterprise.com/verizon-insights-lab/dbir/
12. Equifax has been intensely investigating the scope of the intrusion with the
assistance of a leading, independent cybersecurity firm to determine what
information was accessed and who has been impacted. We know that
criminals exploited a U.S. website application vulnerability. The vulnerability
was Apache Struts CVE-2017-5638. We continue to work with law
enforcement as part of our criminal investigation, and have shared indicators
of compromise with law enforcement.
Equifax Statement
IT WAS CVE-2017-5638
https://help.equifax.com/s/article/What-was-the-vulnerability
14. HOW IT HAPPENED...
TIMELINE (2017)
▸ March 6:
CVE-2017-5638 (Apache advisory S2-045) publicly disclosed
▸ March 7:
Struts 2.3.32 and 2.5.10.1 released with a fix
▸ May to July:
Equifax says hackers gained unauthorized access to its data
▸ July 29:
Equifax discovers the hack and immediately stops the intrusion
▸ September 7:
Equifax officially alerts the public
15. USING DEPENDENCIES WITH KNOWN VULNERABILITIES
THE EQUIFAX HACK WAS A WAKE-UP CALL!
▸ If a vulnerability was discovered in one of the frameworks you
use, would you know about it?
18. USING DEPENDENCIES WITH KNOWN VULNERABILITIES
AUTOMATE DEPENDENCY MANAGEMENT
Versions Plugin
19. USING DEPENDENCIES WITH KNOWN VULNERABILITIES
$ mvn versions:display-parent-updates
...
[INFO] The parent project has a newer version:
[INFO] org.springframework.boot:spring-boot-starter-parent
1.5.6.RELEASE -> 2.0.1.RELEASE
$ mvn versions:update-parent
...
[INFO] Updating parent from 1.5.6.RELEASE to 2.0.1.RELEASE
42. UNSANITIZED USER INPUT
TAKE ACTION!
1. Treat user input like a nuclear bomb
2. Use JSON Schema for your inputs
3. Validate JSON payloads with a Filter
43. UNSANITIZED USER INPUT
BUT REMEMBER...
▸ Input validation is a defensive layer to limit what input a user
may submit into an application, it’s often not a layer you can
depend on.
▸ You can build a completely secure web application and skip all
input validation... but I don't recommend it.
46. UNSANITIZED USER INPUT
REGEX DENIAL-OF-SERVICE
▸ Occurs when a regular expression is written so that the time
it takes to evaluate it grows exponentially with input size
(catastrophic backtracking, usually from nested or overlapping
quantifiers such as (a+)+ or (\w+\s?)*).
▸ Attackers can exploit such a vulnerability to cause a denial of
service in your application by sending a relatively tiny amount
of data and forcing your application to burn a huge amount of
CPU time validating it.
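The classic evil pattern beside a linear-time rewrite, with a time box around the match, as an added example (not code from the deck). Java's java.util.regex never checks the thread interrupt flag, so the InterruptibleCharSequence wrapper, the 2 s budget and the 30-character payload are all choices made for this demo; nothing here comes from the slides.

```java
import java.util.concurrent.ExecutionException;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.Future;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.TimeoutException;
import java.util.regex.Pattern;

public class RegexDosDemo {

    /** Vulnerable: \w+ inside (...)* can split one run of letters many ways, so a
     *  non-matching tail makes the engine try every split (2^n) before failing. */
    static final Pattern EVIL = Pattern.compile("^(\\w+\\s?)*$");

    /** Hardened: possessive quantifiers (++, *+) never give back what they consumed,
     *  so the same input is rejected after a single pass. Same language matched. */
    static final Pattern SAFE = Pattern.compile("^(\\w++\\s?)*+$");

    /** CharSequence whose charAt aborts the match once the thread is interrupted;
     *  this is how a time box is enforced on a running java.util.regex match. */
    static final class InterruptibleCharSequence implements CharSequence {
        private final CharSequence inner;
        InterruptibleCharSequence(CharSequence inner) { this.inner = inner; }
        @Override public char charAt(int index) {
            if (Thread.currentThread().isInterrupted()) {
                throw new RuntimeException("regex match interrupted");
            }
            return inner.charAt(index);
        }
        @Override public int length() { return inner.length(); }
        @Override public CharSequence subSequence(int start, int end) {
            return new InterruptibleCharSequence(inner.subSequence(start, end));
        }
        @Override public String toString() { return inner.toString(); }
    }

    /** Runs pattern.matcher(input).matches() on a worker thread; gives up after timeoutMs. */
    static boolean matchesWithin(Pattern pattern, String input, long timeoutMs)
            throws TimeoutException {
        ExecutorService pool = Executors.newSingleThreadExecutor();
        Future<Boolean> result = pool.submit(
            () -> pattern.matcher(new InterruptibleCharSequence(input)).matches());
        try {
            return result.get(timeoutMs, TimeUnit.MILLISECONDS);
        } catch (TimeoutException e) {
            result.cancel(true);                    // interrupts the matcher thread
            throw e;
        } catch (InterruptedException | ExecutionException e) {
            throw new IllegalStateException(e);
        } finally {
            pool.shutdownNow();
        }
    }

    public static void main(String[] args) {
        // Constructed attack input: a run of word characters followed by one character
        // that can never match, so every partition of the run gets tried. (Java 11+)
        String payload = "a".repeat(30) + "!";
        String[] names = { "EVIL", "SAFE" };
        Pattern[] patterns = { EVIL, SAFE };
        for (int i = 0; i < patterns.length; i++) {
            long start = System.nanoTime();
            try {
                boolean ok = matchesWithin(patterns[i], payload, 2000);
                System.out.printf("%s: matched=%b in %d ms%n", names[i], ok,
                    (System.nanoTime() - start) / 1_000_000);
            } catch (TimeoutException e) {
                System.out.printf("%s: gave up after 2000 ms (catastrophic backtracking)%n",
                    names[i]);
            }
        }
    }
}
```

On a typical JVM the EVIL pattern hits the time-out while SAFE rejects the same payload almost immediately; both patterns accept ordinary input such as "hello world". The time box is the defensive layer: even a pattern you have not audited cannot hold a request thread for longer than the budget.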
52. RATE-LIMITING
Bucket4j
▸ Uses the token bucket algorithm for rate-limiting
▸ Supports clustering via JSR 107 (JCache)
▸ Highly configurable bandwidths
▸ Both synchronous and asynchronous APIs
▸ Used by the JHipster API Gateway
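The token bucket algorithm the slide refers to, written out in plain Java as an added example: this is not Bucket4j's code or API, just a stand-alone implementation of the same idea with one bucket per client key, the shape a gateway filter takes. The burst and refill numbers, the client addresses and the fake nanosecond clock are constructed for the demo.

```java
import java.time.Duration;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.function.LongSupplier;

/** Token bucket: capacity is the allowed burst; tokens refill continuously at a fixed rate. */
public final class TokenBucket {
    private final long capacity;
    private final long refillTokens;
    private final long periodNanos;
    private final LongSupplier clock;   // System::nanoTime in production; injectable for tests
    private double tokens;
    private long lastRefill;

    public TokenBucket(long capacity, long refillTokens, Duration per, LongSupplier clock) {
        if (capacity <= 0 || refillTokens <= 0 || per.isZero() || per.isNegative()) {
            throw new IllegalArgumentException("capacity, refill and period must be positive");
        }
        this.capacity = capacity;
        this.refillTokens = refillTokens;
        this.periodNanos = per.toNanos();
        this.clock = clock;
        this.tokens = capacity;          // a new bucket starts full, so one burst is allowed
        this.lastRefill = clock.getAsLong();
    }

    /** Takes n tokens if available; false means the request should be rejected (HTTP 429). */
    public synchronized boolean tryConsume(long n) {
        refill();
        if (tokens >= n) {
            tokens -= n;
            return true;
        }
        return false;
    }

    public synchronized long availableTokens() {
        refill();
        return (long) tokens;
    }

    /** Credits tokens for the time elapsed since the last call, capped at capacity. */
    private void refill() {
        long now = clock.getAsLong();
        long elapsed = now - lastRefill;
        if (elapsed > 0) {
            tokens = Math.min(capacity, tokens + (double) elapsed * refillTokens / periodNanos);
            lastRefill = now;
        }
    }

    /** One bucket per client key (IP, API key, user id); what an API gateway filter wraps. */
    public static final class PerClientLimiter {
        private final Map<String, TokenBucket> buckets = new ConcurrentHashMap<>();
        private final long capacity;
        private final long refill;
        private final Duration per;
        private final LongSupplier clock;

        public PerClientLimiter(long capacity, long refill, Duration per, LongSupplier clock) {
            this.capacity = capacity;
            this.refill = refill;
            this.per = per;
            this.clock = clock;
        }

        public boolean allow(String clientKey) {
            return buckets
                .computeIfAbsent(clientKey, k -> new TokenBucket(capacity, refill, per, clock))
                .tryConsume(1);
        }
    }

    public static void main(String[] args) {
        // Fake clock keeps the demo deterministic: burst of 10, then 10 requests per second.
        long[] now = { 0L };
        LongSupplier clock = () -> now[0];
        PerClientLimiter limiter = new PerClientLimiter(10, 10, Duration.ofSeconds(1), clock);

        int allowed = 0;
        for (int i = 0; i < 25; i++) if (limiter.allow("203.0.113.7")) allowed++;
        System.out.println("burst of 25 from one client: allowed=" + allowed);
        System.out.println("a different client is unaffected: " + limiter.allow("198.51.100.9"));

        now[0] += Duration.ofMillis(500).toNanos();   // half a second later
        allowed = 0;
        for (int i = 0; i < 25; i++) if (limiter.allow("203.0.113.7")) allowed++;
        System.out.println("after 500 ms: allowed=" + allowed);
    }
}
```

The first burst drains the bucket after the tenth request, the other client has its own full bucket, and after half a second only the five tokens refilled in that time are available. Keying the map on the right identity matters: limiting per source IP punishes everyone behind one NAT, limiting per authenticated user does nothing against unauthenticated login attempts, so real gateways usually run more than one bucket per request.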
59. MISCONFIGURING SPRING-SECURITY
COMMON CHALLENGES
▸ Overzealous antMatchers with permitAll
▸ Invocation order between HttpSecurity methods
▸ Converting from XML-based to Java-based configurations
▸ Implicit constraints are not documented
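The first two bullets in one configuration class, as an added example rather than code from the deck. It targets the Spring Security 5.x WebSecurityConfigurerAdapter style that matches the Spring Boot 1.5/2.0 versions shown earlier on the slides (that adapter is deprecated in Spring Security 5.7 and gone in 6, where a SecurityFilterChain bean with authorizeHttpRequests replaces it). The URL paths and role name are assumptions for illustration.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    /**
     * MISTAKE (kept here for contrast, not wired up): the overzealous permitAll.
     * Matchers are evaluated in declaration order and the first match wins, so
     * "/**" claims every request and the /admin/** rule after it is dead code:
     * the admin UI is public and nothing in the log tells you so.
     */
    static void overzealous(HttpSecurity http) throws Exception {
        http.authorizeRequests()
            .antMatchers("/**").permitAll()
            .antMatchers("/admin/**").hasRole("ADMIN");
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                // Most specific paths first, catch-all last. hasRole("ADMIN") expects
                // the authority "ROLE_ADMIN" on the principal.
                .antMatchers("/admin/**").hasRole("ADMIN")
                .antMatchers("/api/**").authenticated()
                // Only the landing page and static assets are anonymous.
                .antMatchers("/", "/css/**", "/js/**").permitAll()
                // Deny by default: anything not listed needs a login, not permitAll().
                .anyRequest().authenticated()
            .and()
            // .and() returns to the HttpSecurity builder; calling the next configurer on
            // the matcher registry instead is the invocation-order mistake from the slide.
            .requiresChannel().anyRequest().requiresSecure()   // refuse plain HTTP
            .and()
            .formLogin()
            .and()
            .csrf();   // on by default for browser clients; do not .disable() it to make a test pass
    }
}
```

A quick check for the first bullet: put a request for /admin/ through an unauthenticated client in an integration test and assert on a 302 to the login page or a 401, not a 200. Any refactor that reorders the matchers then fails the build instead of shipping an open admin panel.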
69. DISABLING CERTIFICATE CHECKING
HAVE YOU SEEN THIS EXCEPTION?
Exception in thread "main" javax.net.ssl.SSLHandshakeException:
sun.security.validator.ValidatorException: PKIX path validation failed:
java.security.cert.CertPathValidatorException: signature check failed
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1949)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302)
... 20 more
Caused by: java.security.cert.CertPathValidatorException: signature check faile
at sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMa
at sun.security.provider.certpath.PKIXCertPathValidator.validate(PKIXCertPath
at sun.security.provider.certpath.PKIXCertPathValidator.validate(PKIXCertPath
... 26 more
Caused by: java.security.SignatureException: Signature does not match.
at sun.security.x509.X509CertImpl.verify(X509CertImpl.java:449)
at sun.security.provider.certpath.BasicChecker.verifySignature(BasicChecker.j
at sun.security.provider.certpath.BasicChecker.check(BasicChecker.java:147)
... 31 more
70. DISABLING CERTIFICATE CHECKING
ADD THE CERT TO YOUR TRUSTSTORE
$ keytool -keystore <truststore file> -alias <alias>
-import -file <certfilename>.cert
▸ Verify the certificate's fingerprint out of band before importing it;
importing whatever the server happened to present is just disabling
certificate checking with extra steps
72. DISABLING CERTIFICATE CHECKING
TAKE ACTION
▸ Don't trust people on the Internet
▸ Use HTTPS everywhere
▸ Validate certificates with EnvKeyStore
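What "disabling certificate checking" looks like in Java next to the fix that the keytool slide sets up, as an added example that is not from the deck and does not use EnvKeyStore; it is plain JSSE, so it works with the truststore file keytool produced. The TRUSTSTORE and TRUSTSTORE_PASSWORD environment variables, the default file name and the URL argument are assumptions for the demo.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.SecureRandom;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public class TrustStoreDemo {

    /** MISTAKE: the "fix" for a PKIX exception that gets pasted from forums. Every
     *  certificate is accepted, so anyone on the network path can impersonate the
     *  server: the connection is encrypted, but to an unknown party. Never ship this. */
    static SSLContext trustEverything() throws Exception {
        TrustManager acceptAll = new X509TrustManager() {
            public void checkClientTrusted(X509Certificate[] chain, String authType) { }
            public void checkServerTrusted(X509Certificate[] chain, String authType) { }
            public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
        };
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { acceptAll }, new SecureRandom());
        return ctx;
    }

    /** FIX: trust exactly the certificates in an explicit truststore, i.e. the file
     *  that keytool -import populated with the CA (or self-signed) certificate. */
    static SSLContext fromTrustStore(String path, char[] password) throws Exception {
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path)) {
            trustStore.load(in, password);
        }
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);              // PKIX path validation against these roots only
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), new SecureRandom());
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // Assumed for the demo: truststore location and password from the environment,
        // target URL from the command line.
        String url = args.length > 0 ? args[0] : "https://localhost:8443/";
        String path = System.getenv().getOrDefault("TRUSTSTORE", "truststore.jks");
        char[] password =
            System.getenv().getOrDefault("TRUSTSTORE_PASSWORD", "changeit").toCharArray();

        HttpsURLConnection conn = (HttpsURLConnection) new URL(url).openConnection();
        conn.setSSLSocketFactory(fromTrustStore(path, password).getSocketFactory());
        // Hostname verification stays on. Installing a HostnameVerifier that returns true
        // is the same mistake as trustEverything(): a valid cert for any name would pass.
        System.out.println("HTTP " + conn.getResponseCode());
    }
}
```

If the PKIX exception from the earlier slide is caused by a corporate TLS-intercepting proxy or an internal CA, the CA certificate is what belongs in the truststore, not the leaf certificate of one server. grep the code base for X509TrustManager, getAcceptedIssuers and HostnameVerifier during review; a hand-written implementation of either is almost always the mistake above.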
75. WHAT TO LOG?
▸ Logins (Successful and Failed)
▸ Logouts
▸ Password changes
▸ User profile changes
▸ Password reset
▸ User de-registration
▸ Authorization failures
▸ Changes to access levels
▸ Operational activities
(backups)
▸ Input validation failures
▸ Any sensitive operation
76. WHAT NOT TO LOG
▸ Session ID (hash instead)
▸ Passwords
▸ Anything sensitive
77. WHAT NOT TO LOG
▸ In 2012, Radu Dragusin discovered a log file on a public IEEE
FTP server that contained more than 100,000 usernames and
passwords
▸ Affected users included employees of Google, Apple, Microsoft, Oracle and IBM
78. IN ADDITION TO INFO, WARN, DEBUG, ETC
HOW TO LOG
▸ SECURITY_SUCCESS
▸ SECURITY_FAILURE
▸ SECURITY_AUDIT
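A small security logger that puts the three slides together: the events from "what to log", the omissions from "what not to log" (hashed session id, no password parameter, no rejected input value) and the SECURITY_* categories as SLF4J markers. It is an added example, not the deck's code; it assumes the SLF4J API plus a binding such as Logback on the classpath, and the logger name, event field names and sample values in main are constructed for the demo.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.slf4j.Marker;
import org.slf4j.MarkerFactory;

public final class SecurityLog {
    private static final Logger log = LoggerFactory.getLogger("SECURITY");

    // Markers travel alongside the usual INFO/WARN level, so the log pipeline can route
    // or alert on security events without parsing message text.
    static final Marker SUCCESS = MarkerFactory.getMarker("SECURITY_SUCCESS");
    static final Marker FAILURE = MarkerFactory.getMarker("SECURITY_FAILURE");
    static final Marker AUDIT   = MarkerFactory.getMarker("SECURITY_AUDIT");

    private SecurityLog() { }

    public static void loginSucceeded(String username, String sessionId, String remoteAddr) {
        log.info(SUCCESS, "event=login_success user={} session={} ip={}",
            clean(username), fingerprint(sessionId), remoteAddr);
    }

    /** No password parameter on purpose: the failed credential never reaches the log. */
    public static void loginFailed(String username, String remoteAddr, String reason) {
        log.warn(FAILURE, "event=login_failure user={} ip={} reason={}",
            clean(username), remoteAddr, reason);
    }

    public static void authorizationDenied(String username, String resource, String remoteAddr) {
        log.warn(FAILURE, "event=authz_denied user={} resource={} ip={}",
            clean(username), clean(resource), remoteAddr);
    }

    /** Log that validation failed and on which field, never the rejected value itself. */
    public static void inputValidationFailed(String field, String remoteAddr) {
        log.warn(FAILURE, "event=input_validation_failure field={} ip={}", clean(field), remoteAddr);
    }

    public static void accessLevelChanged(String actor, String target, String oldRole, String newRole) {
        log.info(AUDIT, "event=access_level_change actor={} target={} from={} to={}",
            clean(actor), clean(target), oldRole, newRole);
    }

    /** Truncated SHA-256 of the session id: enough to correlate one session across log
     *  lines, useless to anyone who reads the logs and wants to hijack it. */
    static String fingerprint(String sessionId) {
        try {
            byte[] digest = MessageDigest.getInstance("SHA-256")
                .digest(sessionId.getBytes(StandardCharsets.UTF_8));
            StringBuilder hex = new StringBuilder();
            for (int i = 0; i < 8; i++) hex.append(String.format("%02x", digest[i]));
            return hex.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }

    /** Strip CR/LF so a user-supplied value cannot forge additional log lines. */
    static String clean(String userControlled) {
        return userControlled == null ? "-" : userControlled.replaceAll("[\\r\\n]", "_");
    }

    public static void main(String[] args) {
        // Constructed sample events.
        loginFailed("alice", "203.0.113.7", "bad_password");
        loginSucceeded("alice", "session-cookie-value-goes-here", "203.0.113.7");
        authorizationDenied("alice", "/accounts/view?id=42", "203.0.113.7");
        inputValidationFailed("email", "203.0.113.7");
        accessLevelChanged("admin", "alice", "USER", "ADMIN");
        loginFailed("bob\nevent=login_success user=admin", "198.51.100.9", "no_such_user");
    }
}
```

The last call shows why clean() exists: without it the newline in the username would print a second, forged "login_success" line for admin. With Logback, a MarkerFilter or a dedicated appender on the SECURITY_FAILURE marker is the cheapest way to get these events in front of the monitoring the later slides ask for.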
81. APP LAYER INTRUSION DETECTION
▸ Traditional intrusion detection systems focus on attacks below
the HTTP layer
▸ They do not provide context within the application
environment
82. OWASP APP SENSOR PROJECT
▸ Detect and respond to attacks from within the application
88.
import javax.inject.Inject;
import javax.ws.rs.GET;
import javax.ws.rs.NotAuthorizedException;
import javax.ws.rs.Path;
import javax.ws.rs.QueryParam;
import org.owasp.appsensor.core.AppSensorClient;
import org.owasp.appsensor.core.Event;

// Account, AccountDao, Data, DetectionPoints and UserContext are the application's
// own classes, as on the slide; the User handed to Event is AppSensor's user type.
@Path("/accounts")
public class AccountViewHandler {

    @Inject
    AppSensorClient ids;        // the in-app intrusion detection system

    @Inject
    AccountDao accountDao;      // account data access (the field is used but not declared on the slide)

    @GET
    @Path("/view")
    Account findAccount(@QueryParam("id") String id) throws NotAuthorizedException {
        User user = UserContext.getCurrentUser();
        if (!user.isAuthorized(Data.Account, id)) {
            // Detection point: an authenticated user asking for an account that is not
            // theirs. Report it before refusing, so repeated probes from the same user
            // accumulate and can trigger a response such as a lock-out.
            Event event = new Event(
                new User(user.getUsername()),
                DetectionPoints.BRUTE_FORCE_ACCOUNT);
            ids.addEvent(event);
            throw new NotAuthorizedException(
                "Not authorized to access this account.");
        }
        return accountDao.find(id);
    }
}
90. TAKE ACTION
INTRUSION DETECTION
▸ Log all security related actions
▸ Except secrets
▸ Monitor your logs
▸ Add Detection Points
▸ React to Detection Point Triggers
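The "Add Detection Points" and "React to Detection Point Triggers" steps in one stand-alone class, as an added example: it is not AppSensor's code, just the same idea (a named detection point, a per-user event count over a time window, a response when the threshold is reached) without the library. The threshold, window, user names and fake clock are constructed for the demo.

```java
import java.time.Duration;
import java.util.ArrayDeque;
import java.util.Deque;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import java.util.function.LongSupplier;

/** Minimal in-application intrusion detection: detection points plus a response. */
public final class InAppIds {

    /** A named place in the app where suspicious events are recorded per user. */
    static final class DetectionPoint {
        final String name;
        final int threshold;
        final long windowNanos;
        final LongSupplier clock;
        final Map<String, Deque<Long>> eventsByUser = new ConcurrentHashMap<>();

        DetectionPoint(String name, int threshold, Duration window, LongSupplier clock) {
            this.name = name;
            this.threshold = threshold;
            this.windowNanos = window.toNanos();
            this.clock = clock;
        }

        /** Records one event for user; true when the threshold is reached inside the window. */
        boolean record(String user) {
            long now = clock.getAsLong();
            Deque<Long> times = eventsByUser.computeIfAbsent(user, u -> new ArrayDeque<>());
            synchronized (times) {
                times.addLast(now);
                // Sliding window: forget events older than the window before counting.
                while (now - times.peekFirst() > windowNanos) times.pollFirst();
                if (times.size() >= threshold) {
                    times.clear();
                    return true;
                }
                return false;
            }
        }
    }

    private final DetectionPoint bruteForceAccount;
    private final Set<String> lockedUsers = ConcurrentHashMap.newKeySet();

    InAppIds(LongSupplier clock) {
        // Five unauthorized account lookups by one user within ten minutes => respond.
        bruteForceAccount = new DetectionPoint("BRUTE_FORCE_ACCOUNT", 5, Duration.ofMinutes(10), clock);
    }

    /** What the account handler calls instead of silently returning 403. */
    void reportUnauthorizedAccountAccess(String user) {
        if (bruteForceAccount.record(user)) {
            // The response: here a lock; in production also page the on-call and
            // write a SECURITY_FAILURE log line with the detection point name.
            lockedUsers.add(user);
        }
    }

    boolean isLocked(String user) {
        return lockedUsers.contains(user);
    }

    public static void main(String[] args) {
        long[] now = { 0L };
        InAppIds ids = new InAppIds(() -> now[0]);

        // Constructed scenario: alice walks through five foreign account ids in under a minute.
        for (int i = 0; i < 5; i++) {
            ids.reportUnauthorizedAccountAccess("alice");
            now[0] += Duration.ofSeconds(10).toNanos();
        }
        // bob makes the same number of mistakes, but spread over an hour.
        for (int i = 0; i < 5; i++) {
            ids.reportUnauthorizedAccountAccess("bob");
            now[0] += Duration.ofMinutes(12).toNanos();
        }
        System.out.println("alice locked: " + ids.isLocked("alice"));
        System.out.println("bob locked:   " + ids.isLocked("bob"));
    }
}
```

Only alice ends up locked: her five events fall inside one ten-minute window, while each of bob's has already aged out of the window by the time the next arrives. The window and threshold are the tuning knobs; a threshold of one on a detection point that legitimate users can trip (a mistyped account id) turns your own IDS into a denial-of-service against your customers.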
92. YOU
HUMAN ERROR
▸ Not using Two-Factor Auth
▸ Leaving Your Laptop Unlocked
▸ Reusing Passwords
93. REVIEW
10 MISTAKES HACKERS WANT YOU TO MAKE
▸ Using dependencies with
known vulnerabilities
▸ Unsanitized user input
▸ Unsafe regex
▸ Failure to prevent abusive
requests
▸ Misconfiguring Spring Security
▸ Allowing HTTP requests
▸ Disabling certificate checking
▸ Secrets in source code
▸ Lack of intrusion detection
▸ You!