This document discusses security awareness and practices. It begins by introducing Tatár Balázs János and his background in open source. It then discusses security awareness programs for employees, organizational security structures, and easy steps small businesses can take. Subsequent sections cover security issues as "bugs", planning security from the start of projects, thinking like attackers to test security, and key security principles. The document emphasizes that stakeholders understanding security basics is important and outlines various security assessment and review methods. It closes by discussing vulnerability management, trusted sources for fixes, and the TYPO3 security team and advisories.

2. Tatár Balázs János
@tatarbj
Open Source enthusiast since 2007
CTO @ Petend
Open Source Security Correspondent @ European Commission
SecOSdreamer @ Secure Open Source days (SecOSdays)
Open Source Globetrotter @ FOSS communities
TATÁR BALÁZS JÁNOS
@tatarbj
WHO AM I?

3. A bug’s life
Security awareness at work
Source: https://www.kisspng.com/png-flik-ant-insect-atta-the-walt-disney-company-bug-s-2727501/
TATÁR BALÁZS JÁNOS
@tatarbj

4. SECURITY AWARENESS
Security measures at our work place
Programs to educate employees
DevOps -> DevSecOps
Individual responsibilities for company security policies
Measures to audit these efforts
Source: http://www.bugs.org/dream/teachers/index.html
TATÁR BALÁZS JÁNOS
@tatarbj

5. ORGANISATIONAL STRUCTURES
Top-down approach
Creating security policies
Assessing your company’s
vulnerabilities
Investing in security technologies
Enterprise level
Source: https://blog.ferrovial.com/en/2016/11/what-have-ants-taught-architecture/
TATÁR BALÁZS JÁNOS
@tatarbj

6. EASY-TO-IMPLEMENT STEPS
Hints for small businesses
Using different forms of Media to reinforce the Message
Highlight recent attacks in News
Seek the Services of a Professional
Source: https://cheezburger.com/7113430784/cnn-has-some-strange-reporters
TATÁR BALÁZS JÁNOS
@tatarbj

7. Security issues are bugs
with different
severity and business
impact.
TATÁR BALÁZS JÁNOS
@tatarbj

8. THE BUG
Programming malfunction
Authentication / Authorization / Data confidentiality / Data integrity
No blaming game!
Source: https://www.welcomewildlife.com/true-bugs-the-good-the-bad-the-ugly/
TATÁR BALÁZS JÁNOS
@tatarbj

9. The Eggs
Planning and Security by Design
Source: https://pixabay.com/vectors/search/ant/
TATÁR BALÁZS JÁNOS
@tatarbj

10. PLANNING PHRASE
At the start of every IT projects
Budgeting issues
Continuous education
Iterative approach
Source: https://www.wired.com/2014/11/harvester-ants-randomly-move-their-nests/
TATÁR BALÁZS JÁNOS
@tatarbj

11. THINKING EVIL™
Method by Andrew van der Stock
TATÁR BALÁZS JÁNOS
@tatarbj

12. Is the process surrounding this feature as
safe as possible? In other words, is this a
flawed process?
TATÁR BALÁZS JÁNOS
@tatarbj

13. If I were evil, how would I abuse this feature?
TATÁR BALÁZS JÁNOS
@tatarbj

14. Is the feature required to be on by default? If
so, are there limits or options that could help
reduce the risk from this feature?
TATÁR BALÁZS JÁNOS
@tatarbj

15. SECURITY PRINCIPLES I.
First and second-parties
Minimize attack surface area
Establish secure defaults
Least privilege
Defense in depth
Fail securely
Source: https://www.britishbugs.org.uk/heteroptera/Pentatomidae/pentotoma_rufipes.html
TATÁR BALÁZS JÁNOS
@tatarbj

16. SECURITY PRINCIPLES II.
Third-parties
Don’t trust services
Separation of duties
Avoid security by obscurity
Keep security simple
Fix security issues correctly
Source: https://www.twincities.com/2015/06/21/catch-bugs-for-scientists-to-study-at-interstate-state-park/
TATÁR BALÁZS JÁNOS
@tatarbj

17. The Caterpillar
Development iterations until the first release
Source: https://www.stickpng.com/img/animals/insects/caterpillars/caterpillar-clipart
TATÁR BALÁZS JÁNOS
@tatarbj

18. Stakeholders’ knowledge of
basic principles and how they
may be implemented in
software product is vital to
software security.
TATÁR BALÁZS JÁNOS
@tatarbj

19. THE BASIC SKILLS
The secure mind-set
Protection from disclosure/alteration/destruction
Rights and privileges belonging to the requester
Ability to build historical evidence
Management of configuration, sessions and
errors/exceptions
Source: https://species.wikimedia.org/wiki/Coccinella_septempunctata
TATÁR BALÁZS JÁNOS
@tatarbj

20. APPLICATION LEVEL SECURITY
Protection of your application
Sanitize inputs at the client side and server side
Verify file upload functionality
Use only current encryption and hashing algorithms
Check the randomness of the session
Make sure third party libraries are secured
Set strong password policy
Source: https://www.pinterest.com/pin/67554063138904545
TATÁR BALÁZS JÁNOS
@tatarbj

21. INFRASTRUCTURE LEVEL SECURITY
Protection of your host
Use HTTPS for domain entries
Do not allow for directory listing
Use TLS not SSL
Hide web server information
Source: https://www.vice.com/en_us/article/d7ezaq/what-would-happen-if-all-the-bees-died-tomorrow
TATÁR BALÁZS JÁNOS
@tatarbj

22. WEB SECURITY PRACTICES
Protection of your users
Encode request/response
Do not store sensitive data inside cookies
Set secure and HttpOnly flags in cookies
Do not store sensitive information in a form’s hidden
fields
Set secure response headers
Source: https://www.pexels.com/photo/bee-hiding-1244184/
TATÁR BALÁZS JÁNOS
@tatarbj

23. The Chrysalis
First releases of the application
Source: https://www.nicepng.com/ourpic/u2e6a9o0y3u2y3e6_becoming-a-chrysalis-butterfly-caterpillar-monarch-i-ytimg/
TATÁR BALÁZS JÁNOS
@tatarbj

24. VULNERABILITY ASSESSMENT
Forest of the false positive issues
Environmental conditions
Scanning of the application / infrastructure
Iterative approach to improve findings
Asset management
Source: https://99px.ru/avatari_vkontakte/10916/
TATÁR BALÁZS JÁNOS
@tatarbj

25. SECURITY ASSESSMENT
VA + manual verification
Looking to gain a broad coverage of the systems under test
No exploitation of vulnerabilities
Verification by authorized access
Examining logs, system responses,
error messages, code, etc…
Source: https://masterok.livejournal.com/4202997.html
TATÁR BALÁZS JÁNOS
@tatarbj

26. Penetration tests simulate
attacks by malicious parties.
TATÁR BALÁZS JÁNOS
@tatarbj

27. SECURITY AUDIT
VA + SA + Pentest
Driven by a risk function to look at specific compliance issues
Combination of different approaches
Characterized by a narrow scope
Source: https://ccsenvironmental.uk/weird-and-funny-facts-about-insects-and-bugs/
TATÁR BALÁZS JÁNOS
@tatarbj

28. SECURITY REVIEW
And something else then before
Verification that industry or internal
security standards have been applied
Gap analysis, review of design documents
and architecture diagrams
Activity that does not utilize any of
VA, SA, Pentest or Security audit approaches
Source: https://www.britishbugs.org.uk/heteroptera/Pentatomidae/pentotoma_rufipes.html
TATÁR BALÁZS JÁNOS
@tatarbj

29. The Butterfly
Maintenance releases and activities
Source: https://www.pngkey.com/detail/u2q8w7a9o0q8e6u2_monarch-butterfly-transparent-background/
TATÁR BALÁZS JÁNOS
@tatarbj

30. The three pillars
Information security
TATÁR BALÁZS JÁNOS
@tatarbj

31. Confidentiality:
only allow access to data for which
the user is permitted
TATÁR BALÁZS JÁNOS
@tatarbj

32. Integrity:
ensure data is not tampered
or altered by unauthorized users
TATÁR BALÁZS JÁNOS
@tatarbj

33. Availability:
ensure systems and data are available
to authorized users when they need it
TATÁR BALÁZS JÁNOS
@tatarbj

34. VULNERABILITY MANAGEMENT
Iterative identification
Evolutive and corrective maintenance
Detection
Reporting
Remediation
Necessary mitigation vs. what-if cases
Source: https://www.thoughtco.com/fascinating-facts-about-ladybugs-1968120
TATÁR BALÁZS JÁNOS
@tatarbj

35. TRUSTED SOURCES
Monitor regularly
Vendors, third party providers
National Vulnerability Database (NVD)
Common Vulnerabilities and Exposures (CVE)
... and the TYPO3 Security Team!
Source: https://blogs.iadb.org/sostenibilidad/en/the-fight-of-the-butterfly-restoring-haitis-native-species/
TATÁR BALÁZS JÁNOS
@tatarbj

36. TYPO3 SECURITY TEAM
Activities by professionals
Incident handling
Create/review core security fixes
Coordination & monitoring
Introducing new security features & educating
TYPO3 Security Guide
typo3-announce mailing list
TATÁR BALÁZS JÁNOS
@tatarbj
Source: https://store-images.s-microsoft.com/image/apps.2544.13768621950225582.167ba0c8-6eb8-47bb-96fe-278c89bf0dc9.ea440c13-fd1d-4705-b62c-9bfd9054b8b3

37. SECURITY ADVISORIES I.
The way to let us know
Disclosure policy
Vulnerability management
follows industry standards (CVSS v3.0)
TYPO3-CORE-SA-[year]-[number]
TYPO3-EXT-SA-[year]-[number]
TYPO3-PSA-[year]-[number]
TATÁR BALÁZS JÁNOS
@tatarbj
Source: https://media.istockphoto.com/photos/six-monarch-butterfly-picture-id680833460?k=6&m=680833460&s=612x612&w=0&h=mK7pfS37Wr2PahZNH-bIdprHLyrH6ygjqIffgn6Sezo=

38. SECURITY ADVISORIES II.
„It has been discovered that…”
Component type & Vulnerable subcomponent & Release date
Vulnerability type and Affected Versions
Severity & Suggested CVSS v3.0
CVE (if assigned already)
Non-descriptive description, Solution and Credits
TATÁR BALÁZS JÁNOS
@tatarbj
Source: https://www.twincities.com/wp-content/uploads/2019/08/jmp-monarchs-002.jpg

39. SecOSdays
25-26 October 2019 – Sofia, Bulgaria
https://secosday.eu
TATÁR BALÁZS JÁNOS
@tatarbj

40. Questions?
TATÁR BALÁZS JÁNOS
@tatarbj

41. Thank you!
TATÁR BALÁZS JÁNOS
@tatarbj