This document discusses security awareness and practices. It begins by introducing Tatár Balázs János and his background in open source. It then discusses security awareness programs for employees, organizational security structures, and easy steps small businesses can take. Subsequent sections cover security issues as "bugs", planning security from the start of projects, thinking like attackers to test security, and key security principles. The document emphasizes that stakeholders understanding security basics is important and outlines various security assessment and review methods. It closes by discussing vulnerability management, trusted sources for fixes, and the TYPO3 security team and advisories.
Security Awareness for Open Source Web Applications
2. Tatár Balázs János
@tatarbj
Open Source enthusiast since 2007
CTO @ Petend
Open Source Security Correspondent @ European Commission
SecOSdreamer @ Secure Open Source days (SecOSdays)
Open Source Globetrotter @ FOSS communities
TATÁR BALÁZS JÁNOS
@tatarbj
WHO AM I?
3. A bug’s life
Security awareness at work
Source: https://www.kisspng.com/png-flik-ant-insect-atta-the-walt-disney-company-bug-s-2727501/
4. SECURITY AWARENESS
Security measures at our work place
Programs to educate employees
DevOps -> DevSecOps
Individual responsibilities for company security policies
Measures to audit these efforts
Source: http://www.bugs.org/dream/teachers/index.html
5. ORGANISATIONAL STRUCTURES
Top-down approach
Creating security policies
Assessing your company’s vulnerabilities
Investing in security technologies
Enterprise level
Source: https://blog.ferrovial.com/en/2016/11/what-have-ants-taught-architecture/
6. EASY-TO-IMPLEMENT STEPS
Hints for small businesses
Use different forms of media to reinforce the message
Highlight recent attacks in the news
Seek the services of a professional
Source: https://cheezburger.com/7113430784/cnn-has-some-strange-reporters
7. Security issues are bugs with different severity and business impact.
8. THE BUG
Programming malfunction
Authentication / Authorization / Data confidentiality / Data integrity
No blaming game!
Source: https://www.welcomewildlife.com/true-bugs-the-good-the-bad-the-ugly/
9. The Eggs
Planning and Security by Design
Source: https://pixabay.com/vectors/search/ant/
10. PLANNING PHASE
At the start of every IT project
Budgeting issues
Continuous education
Iterative approach
Source: https://www.wired.com/2014/11/harvester-ants-randomly-move-their-nests/
12. Is the process surrounding this feature as safe as possible? In other words, is this a flawed process?
13. If I were evil, how would I abuse this feature?
14. Is the feature required to be on by default? If so, are there limits or options that could help reduce the risk from this feature?
15. SECURITY PRINCIPLES I.
First and second-parties
Minimize attack surface area
Establish secure defaults
Least privilege
Defense in depth
Fail securely
Source: https://www.britishbugs.org.uk/heteroptera/Pentatomidae/pentotoma_rufipes.html
16. SECURITY PRINCIPLES II.
Third-parties
Don’t trust services
Separation of duties
Avoid security by obscurity
Keep security simple
Fix security issues correctly
Source: https://www.twincities.com/2015/06/21/catch-bugs-for-scientists-to-study-at-interstate-state-park/
17. The Caterpillar
Development iterations until the first release
Source: https://www.stickpng.com/img/animals/insects/caterpillars/caterpillar-clipart
18. Stakeholders’ knowledge of basic principles and how they may be implemented in a software product is vital to software security.
19. THE BASIC SKILLS
The secure mind-set
Protection from disclosure/alteration/destruction
Rights and privileges belonging to the requester
Ability to build historical evidence
Management of configuration, sessions and errors/exceptions
Source: https://species.wikimedia.org/wiki/Coccinella_septempunctata
20. APPLICATION LEVEL SECURITY
Protection of your application
Sanitize inputs at the client side and server side
Verify file upload functionality
Use only current encryption and hashing algorithms
Check the randomness of the session
Make sure third party libraries are secured
Set strong password policy
Source: https://www.pinterest.com/pin/67554063138904545
21. INFRASTRUCTURE LEVEL SECURITY
Protection of your host
Use HTTPS for domain entries
Do not allow for directory listing
Use TLS not SSL
Hide web server information
Source: https://www.vice.com/en_us/article/d7ezaq/what-would-happen-if-all-the-bees-died-tomorrow
22. WEB SECURITY PRACTICES
Protection of your users
Encode request/response
Do not store sensitive data inside cookies
Set secure and HttpOnly flags in cookies
Do not store sensitive information in a form’s hidden fields
Set secure response headers
Source: https://www.pexels.com/photo/bee-hiding-1244184/
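As an added example (not from the slides), this Python script checks a raw HTTP response against the practices on slides 21 and 22: version disclosure in the Server header, missing Secure/HttpOnly flags on cookies, and missing security response headers. Both responses are constructed, and the list of expected headers (plus the SameSite cookie attribute) is an assumption, since the slides do not name them.

```python
import re

# Constructed sample responses (not captured from any real server).
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.41 (Ubuntu)\r\n"
    "Set-Cookie: sessionid=abc123; Path=/\r\n"
    "\r\n<html></html>"
)
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "Content-Security-Policy: default-src 'self'\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "X-Frame-Options: DENY\r\n"
    "Referrer-Policy: strict-origin-when-cross-origin\r\n"
    "Set-Cookie: sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax\r\n"
    "\r\n<html></html>"
)
# Assumed minimum set of "secure response headers" (slide 22 does not list them).
EXPECTED_HEADERS = {"strict-transport-security", "content-security-policy",
                    "x-content-type-options", "x-frame-options", "referrer-policy"}
# Secure and HttpOnly come from slide 22; SameSite is an added assumption.
COOKIE_FLAGS = ("secure", "httponly", "samesite")

def parse_headers(raw):
    """Return [(lowercased name, value)] for every header line, status line dropped."""
    head = raw.split("\r\n\r\n", 1)[0]
    pairs = []
    for line in head.split("\r\n")[1:]:
        name, _, value = line.partition(":")
        pairs.append((name.strip().lower(), value.strip()))
    return pairs

def check_response(raw):
    """Return a list of findings; an empty list means every check passed."""
    headers = parse_headers(raw)
    present = {name for name, _ in headers}
    findings = [f"missing header: {h}" for h in sorted(EXPECTED_HEADERS - present)]
    for name, value in headers:
        # Slide 21: a version number in Server discloses the software in use.
        if name == "server" and re.search(r"\d", value):
            findings.append(f"server header discloses version: {value}")
        # Slide 22: each Set-Cookie must carry the protective attributes.
        if name == "set-cookie":
            cookie = value.split("=", 1)[0].strip()
            attrs = {a.strip().split("=", 1)[0].lower() for a in value.split(";")[1:]}
            findings += [f"cookie {cookie} lacks {f}" for f in COOKIE_FLAGS if f not in attrs]
    return findings
```

Running `check_response(WEAK_RESPONSE)` lists nine findings, while the hardened response returns an empty list.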
23. The Chrysalis
First releases of the application
Source: https://www.nicepng.com/ourpic/u2e6a9o0y3u2y3e6_becoming-a-chrysalis-butterfly-caterpillar-monarch-i-ytimg/
24. VULNERABILITY ASSESSMENT
Forest of the false positive issues
Environmental conditions
Scanning of the application / infrastructure
Iterative approach to improve findings
Asset management
Source: https://99px.ru/avatari_vkontakte/10916/
25. SECURITY ASSESSMENT
VA + manual verification
Looking to gain a broad coverage of the systems under test
No exploitation of vulnerabilities
Verification by authorized access
Examining logs, system responses, error messages, code, etc.
Source: https://masterok.livejournal.com/4202997.html
27. SECURITY AUDIT
VA + SA + Pentest
Driven by a risk function to look at specific compliance issues
Combination of different approaches
Characterized by a narrow scope
Source: https://ccsenvironmental.uk/weird-and-funny-facts-about-insects-and-bugs/
28. SECURITY REVIEW
And something else than before
Verification that industry or internal security standards have been applied
Gap analysis, review of design documents and architecture diagrams
Activity that does not utilize any of the VA, SA, Pentest or Security audit approaches
Source: https://www.britishbugs.org.uk/heteroptera/Pentatomidae/pentotoma_rufipes.html
29. The Butterfly
Maintenance releases and activities
Source: https://www.pngkey.com/detail/u2q8w7a9o0q8e6u2_monarch-butterfly-transparent-background/
34. VULNERABILITY MANAGEMENT
Iterative identification
Evolutive and corrective maintenance
Detection
Reporting
Remediation
Necessary mitigation vs. what-if cases
Source: https://www.thoughtco.com/fascinating-facts-about-ladybugs-1968120
35. TRUSTED SOURCES
Monitor regularly
Vendors, third party providers
National Vulnerability Database (NVD)
Common Vulnerabilities and Exposures (CVE)
... and the TYPO3 Security Team!
Source: https://blogs.iadb.org/sostenibilidad/en/the-fight-of-the-butterfly-restoring-haitis-native-species/
36. TYPO3 SECURITY TEAM
Activities by professionals
Incident handling
Create/review core security fixes
Coordination & monitoring
Introducing new security features & educating
TYPO3 Security Guide
typo3-announce mailing list
Source: https://store-images.s-microsoft.com/image/apps.2544.13768621950225582.167ba0c8-6eb8-47bb-96fe-278c89bf0dc9.ea440c13-fd1d-4705-b62c-9bfd9054b8b3
37. SECURITY ADVISORIES I.
The way to let us know
Disclosure policy
Vulnerability management
follows industry standards (CVSS v3.0)
TYPO3-CORE-SA-[year]-[number]
TYPO3-EXT-SA-[year]-[number]
TYPO3-PSA-[year]-[number]
Source: https://media.istockphoto.com/photos/six-monarch-butterfly-picture-id680833460?k=6&m=680833460&s=612x612&w=0&h=mK7pfS37Wr2PahZNH-bIdprHLyrH6ygjqIffgn6Sezo=
38. SECURITY ADVISORIES II.
"It has been discovered that…"
Component type & Vulnerable subcomponent & Release date
Vulnerability type and Affected Versions
Severity & Suggested CVSS v3.0
CVE (if assigned already)
Non-descriptive description, Solution and Credits
Source: https://www.twincities.com/wp-content/uploads/2019/08/jmp-monarchs-002.jpg