CyberSecurity.bootcamp()
Formal Metadata
Number of Parts: 160
License: CC Attribution - NonCommercial - ShareAlike 3.0 Unported: You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal and non-commercial purpose as long as the work is attributed to the author in the manner specified by the author or licensor and the work or content is shared also in adapted form only under the conditions of this license.
Identifiers: 10.5446/33785 (DOI)
EuroPython 2017, part 40 / 160
Transcript: English (auto-generated)
00:05
Okay, good morning. I hope you are all enjoying your Python now. Let's talk a little bit about cyber security. Before we start I have three disclaimers. First one: this is all my opinion; the following presentation is my opinion.
00:24
And I'm not getting paid by any of the companies or open source projects for mentioning them. And third, I had to cut out some parts for DevOps from my speaking part, but they will still be in the presentation, in blue color. You can ask me after the presentation about them.
00:42
So I'll start with briefly describing myself. Then I will talk a little bit about what cyber security is and why we should focus on it currently. Then we'll do together a threat modeling of an application, and I will finish with some more tips on where to start with cyber security.
01:03
I have one request: please ask questions after the presentation, and I will also appreciate feedback face-to-face or by email after the presentation is over. So my name is Peter Deba. You can also call me Peter, that's fine. I come from Poznan, Poland,
01:20
which is a two and a half hour drive from Berlin, a little bigger city, and about a 15 hour drive from here, Rimini. I work at F-Secure Poland, where I'm a team leader and a software engineer on a project called the Rapid Detection Service. I'm also a leading mentor at PyLadies, where we currently have up to 220 students,
01:43
which is our achievement. We have been running it for over three years now and we will be starting the fourth year this year, and probably I will talk a little bit more about it in the flash talks. So let's start from scratch. What is cyber security? Cyber security
02:00
means the means and protocols to defend your resources and devices from an attacker, damage or theft. So cyber security doesn't start at the application level. It starts at hardware, so the policies and protocols for your employees: how to handle equipment, how to handle servers,
02:23
what the server access policies are, and what an employee can bring to the company. So it often happens that employees should be banned from bringing their own pen drives, so there won't be, for example, a source code leak. And then we can go to hardening our
02:41
software architecture, software services, which we will focus on in this talk. Okay, cyber security is becoming more and more important. As you are seeing, the number of leaks and attacks is growing exponentially. The biggest leak happened this year and it was over 1.3 billion user accounts' data,
03:03
it's more than most of the years beforehand, and it's still increasing. Who remembers this screen from just two weeks ago? Yep, NotPetya laid waste to many companies across the globe in just one day, and
03:23
some companies are still recovering from it. There are two very well known, publicly known cases, like TNT, so the courier company, and Rayben, the corporate courier company. Rayben is a really nice example of a well executed recovery,
03:40
during which in less than 24 hours the company changed their server architecture from Windows to Linux, in less than 24 hours. Sounds great, right? But we assume they were prepared for something like this to happen. And this graph shows the number of attacks per day
04:01
from our public honeypot network, which I'm developing with my team. It's two to sixteen million attacks per day. So who knows what a honeypot is? Raise your hand, please. Okay, quite a few. For the rest I will explain: a honeypot is a server that is a trap,
04:25
interesting for an attacker because it should be easy to access, where we can monitor and log the actions of the attacker, but it won't affect our server architecture. It's a disposable server, a trap, where we emulate services like SSH, SMTP, HTTP,
04:43
etc. And in our team we are doing everything purely in Python. This is the data we are also gathering, so the usernames and passwords. I'm amazed; it's mostly bot data. Probably, we assume, nobody is trying to log in over SSH using the root/root password,
05:04
but because of the intensity of the scanning with those credentials, we assume that some people don't change that, so they are still scanning using the default data. For some services like Raspberry Pi it's quite high; I think it's fifth place.
05:24
So currently we established that cyber security is important. Paraphrasing this nice comic, it's important that we start incorporating cyber security at the beginning of the project, not after we get hacked.
05:49
Okay. One of the basic things that we should start doing when we approach cyber security is threat modeling. It's an approach for analyzing the security of an application or a system.
06:02
It should be structured and identify, quantify and address the security risks associated with the target of the modeling. Now let's imagine we are Batman. Everybody knows Batman. Who doesn't know who Batman is? One person, I think he's trolling.
06:20
Anyway, we have four main assets. We have our base of operations, so our Batcave. We have Alfred, our butler, who handles everything for us, and we have information in the form of emails and texts. Now we have threats. We have three main threats, which is the police,
06:42
our arch enemy Joker, and the press. And let's quantify these. So Alfred is irreplaceable; he's a human being. He also has access to all of our systems and assets. So he will be our highest priority when defending, and the highest risk at the same time.
07:03
Then we have our Batcave, but we can rebuild it; it's just equipment. And lastly we have information, so emails and text messages that can show where we are going or what we are doing. But honestly, we can mitigate the press, the journalists and the police, because we can handle them.
07:25
Lastly, let's try mitigating those issues. So we can obscure Alfred's location and his identity, but in the current world it is really hard to do. Then the Batcave is a much simpler task, because there are security systems, traps, misleading bases of operations;
07:43
we have a ton of possibilities to handle the problems concerning the Batcave. And for the emails and messages we can start encrypting them, which is the basic approach, and obviously we should be cautious when typing something that may be delicate for us.
08:01
Now we will start working on our application that we will try to make secure. So, as in our Batman example, we'll start from identifying our assets and the purpose of their use. The next step will be identifying our interactions with third party software and other parts of our service.
08:27
And then, this is one of the most important things, the ACL, so access control list: who can do exactly what. And just by specifying this and using those ACLs during the whole application development, you can defend yourself against many other things.
08:51
One tip: if you have already started developing your application and you have proper development methods, you may reuse your data flow diagrams or application UMLs as a base of the
09:04
decomposition of the application phase. Behavior tests and integration tests are also useful for just that. There are a few frameworks like STRIDE or the Application Security Frame, ASF, that should give us a reliable output, which should include logging and
09:23
auditing. And just to be on one page: auditing is who did what and possibly why, and logging is what's happening. Those are two different things that we should distinguish, and probably have the data in different services afterwards. Then we have
09:42
authentication and authorization, and again, to be on the same page, because it's also often misleading: authentication is asserting whether the person who claims to be someone is the person they say they are, and authorization is the process of determining who is allowed to do what.
10:08
Sorry. Configuration management, so where do we store the configuration and who has access to it. Then data storing and data processing,
10:22
data storage and data transit, so whether we are storing the data securely encrypted and whether the data in transit is also encrypted, so if we use TLS, for example. And last, managing and handling exceptions, and what we should do
10:42
when an exception occurs, the protocols. Okay. Now we need to measure the severity of the threats we may encounter. We can approach that by ourselves, in our own mind, figuring out what is the most important. We can also use
11:03
CVSS, the Common Vulnerability Scoring System. This is based on a few factors like attack vector, attack complexity, privileges, user interaction, scope, confidentiality, integrity and availability. All together they can give us a reference point.
11:20
But it's for example hard to measure how complex the attack will be; we usually don't know that, so it's wise to put in both values and take an average, or leave it as a range for comparisons. And we need to remember that this tool is just a tool to help, not an oracle of what we should do.
11:44
And as mentioned before, use case UMLs and abuse cases, especially abuse case UMLs, will greatly help us in deducing what we should do, or where we should start and what our main priorities are. Next we need to address the issue at hand, so we have four ways to
12:05
four ways to do that. The first one is to completely remove it. That's the nice way, but not always possible, because of the task at hand we may not be able to remove it at all, but we may need to mitigate it,
12:20
because, for example, it's too expensive to remove it, for many different issues. Then the third option is we can take the risk and address it later, for example because if there is an issue where, for example, an
12:41
outside person, an anonymous user, can traverse over a file directory with some random names of pictures of our users' cats, we don't really care if he gets the pictures, and probably our users don't care either, and you need to type some random gibberish just to get the picture. So there's much more work
13:03
on the attacker side than on ours to achieve anything. And the fourth option is to pretend there is no issue. I don't recommend that. So for example, if an outside person can download our configs or password databases and
13:23
we don't do anything about it, we are just asking to be hacked. So let's start making a threat model here of our simple imaginary application in PHP. So, as everyone knows, PHP is a very secure and hack-proof language,
13:41
probably as secure as Internet Explorer was a few years back. It was maybe not the best browser for seeing the Internet, but it was definitely the best browser for the Internet to see you. So of course we will not be using PHP, because PHP should stand only for "Python has power".
14:06
So let's build an application using AngularJS for the front-end, Sanic for the back-end, and PostgreSQL and nginx for other things. We will be having a home endpoint for serving the HTML and
14:24
JavaScript. We will also have a login endpoint dedicated just to that, and some list and single-instance views for blog posts and users. So how can we hack our app? Considering now the front-end, there are many possibilities that we should think of.
14:44
Every developer that's used JavaScript may find some weaknesses, but probably someone did that for us already. And of course there's a huge project called the Open Web Application Security Project, OWASP in short, and it's good to remember this name because it will come up many times in this presentation.
15:05
And it's a collaborative, really, developed by thousands of users. It consists not only of examples of attack measures and their severity, but also includes business level communication, so also a non-technical person like a project manager can handle it and
15:25
tell upwards that we really need to do something about it. It has much bigger knowledge than only the threats; it also contains information regarding tools, books, events and other interesting sites and projects.
15:44
And one thing that is very important about OWASP: it publishes a list of the most commonly used attack vectors in the past years. The last one we are seeing here is from 2013, and the second, the newest one, should come up this year, quite soon. They were aiming for July; they have seen some changes, and
16:09
I will go briefly through all of the attack vectors and explain some of them that are less obvious. So, injection. Who did hear something about SQL injection?
16:23
Of course most of you, not all. So SQL injection is basically injecting your own SQL code into the SQL that is run by our API, for example DROP TABLE users. And then we have broken authentication and session management, and
16:42
the issue here is that many applications don't store their users properly, so it is easy to hijack another user's session. Cross-site scripting: this one is really fun because it allows an attacker to run a script in other users' browsers, so it will not affect us directly,
17:03
but it may make our other users download some malware or send their credentials for our web page to an attacker's server. Insecure direct object reference: who doesn't understand this one?
17:21
There are a few, four hands, so not so many people don't understand that, and we'll just move on. Security misconfiguration is really obvious. Sensitive data exposure: so if we are exposing something more than we want to. Missing function level access control, ACLs, I will talk about it a little bit more later.
17:44
Cross-site request forgery. So who knows Django? Okay, so I think everyone. You should remember that when you are using the Django template language and designing your forms, you were putting a
18:01
CSRF token at the beginning of the form. Someone did not include that in their template? Please raise your hand. That's great, wonderful, because this minimizes the chances of your form being abused, which is really good. If you are not doing that, you should start
18:22
doing that. It's just one line of code in the Django template language, or in Jinja. That will save you from a lot of trouble. Using components with known vulnerabilities is obvious, and unvalidated redirects and forwards:
18:41
you should validate your forwards, that's just the use case. And if you want to play with any of these vulnerabilities by yourself, there are two projects, the bee-box project and the OWASP Broken Web Applications project, that allow you to run an image of an application that has all of these vulnerabilities, and there's even a scoring test, and there you can even choose a
19:05
level of how hard the vulnerabilities should be to notice. And the application is obviously written in PHP, so that's why it's really easy to hack. Python is a little bit more prominent in this matter and I will talk about it soon.
19:22
Now, so for our AngularJS, there might be an injection coming there, but we should validate the injection on the back end, so injection won't happen on our front end directly. Broken authentication and session management may happen in the JavaScript, so
19:42
it's not completely hack-proof. Cross-site scripting, so XSS, definitely may happen, and it often happens on the JavaScript part, and it cannot happen on the back end part because it's not exposed. And the
20:00
rest of them is more obvious. We'll move forward to the summary, and that is that AngularJS mitigates most of them by itself out of the box and even handles some of them completely. So as long as our developers don't do anything really stupid, we are fine when using the basic AngularJS,
20:29
but it's important when we are extending it with external libraries that we will review their code, and I will also mention that later. So Sanic. Sanic is a Python web framework that is using asyncio and uvloop,
20:45
so what can go wrong there? Of course there can be some Python code injection, but not really, unless you are using eval or exec or pickle. With pickle it's quite an obvious case, because even in the
21:02
documentation it's explicitly said not to use pickle with user input. exec and eval also are not the best idea. So for Python, the problem usually exists between the chair and the keyboard,
21:21
so the developer. So it's in your hands to make your application secure on the Python level. But many people wonder why we would like to use exec or eval. I will get back to that; sorry, I forgot to mention there is a beautiful explanation on why we shouldn't, why pickle is so
21:44
fragile in terms of security, and there was even a bug in Twisted in 2011 that you could exploit easily. It's fixed, but this is a very great example of how pickle can be exploited, and if you are more interested in this part,
22:02
there is a link below. I need to minimize my other window because it's the presentation. Okay, now moving to eval and exec. You can see two codes; I'm sure if my pointer works... No. They both do the same thing. The first one is just simple code,
22:22
the second one is compiled and executed code. As you can see, it runs 30 or even 40 times faster when executing compiled code than the normally run code. Even 40 times faster on Python 2 to 3.5. This is a huge
22:43
difference in code execution times that can be used, but it can also be abused. So we have an issue here, but also we have advantages. So we can obviously use exec and eval in our code, but we just need to do it carefully.
23:01
And for the eval example, as you can see, implementing a method that takes a string and does some calculation, even a simple equation, already needs more than 10 lines of code. It probably can be done simpler, but just to show: eval will just take the equation and give you the result of the equation.
23:20
So it's much easier and it also can handle much more complicated equations. Okay, pictures are too fast. So we have SQL injections. SQL injection should not happen when you are developing your application in Python, unless you are implementing SQL by yourself.
23:45
Django ORM and SQLAlchemy are quite secure. We've tested them additionally and we didn't find any way of exploitation by our consultancy team that would allow you to exploit anything in those ORMs.
24:03
But there is a third option, Python injection in SQL injection, and it's possible and it's doable, and many people don't know that. And many people do use pickle as an object storage in
24:20
PostgreSQL or other SQL databases, and when you are using SQL databases and store a pickle, then a user can input your Python code there, for example this one nice one-liner which will delete all things on your machine when it's run. And just for doing that we can, like, post an object, like a post, and then refer to the page to read the post, and it
24:44
will be executed. It's possible, and it's hard to mitigate this problem. You can approach that issue in two ways: by not using pickle and using JSON for storing the information that will be needed for a class builder later on, if we are the one who would like to store a class, and
25:05
for storing dicts and lists, just them, it's better to use JSON purely. We can also try mitigating that by writing our own anti-Python pickle injection validation, but usually it's hard, because this code you can make into base
25:26
64 and then import base64 and eval the output of the base64 encoding/decoding, so it's hard. Below is a simple SQL injection that will drop the users table, and
25:42
most people use the "users" table name even. So if not, they can also run other code execution that will tell them your database schema, just by adding the apostrophe at the beginning. So as you can see, Python has more vulnerabilities
26:02
than a front end written in JavaScript, but most of them are already mitigated out of the box by Python, and as I told you before, the main issue is with the developer, so on their side, on your side. It's important that you will care for careful development and
26:23
proper means, and I will tell you now how you can do that. The first thing is, when choosing a library, try to choose the more common one, because it's already being used by more users. And if you are not using a common library or Python project, you should go through the code yourself and see if the data is not being sent on each post, for example, to the KGB or
26:46
the NSA. And then, using outdated libraries may also lead to some issues. There's a well known example of
27:04
Ubuntu 14.04, which has it already installed, but this version has a bug in the SSL configuration and that can be exploited. So just updating will save you from being hacked.
27:22
Those are the summaries for the DevOps. It's quite funny, because nginx and Apache, or if you do DB, Postgres, have much fewer attack vectors in their code, but they are still being hacked quite often. So let's get back to our blog application. So
27:45
We have three users. Everyone can access our blog posts and read them; registered users can additionally write to the blog; admins can manage the users and delete the posts.
28:01
So when we are decomposing the application, in the first table we can see what the user can do, from what I said before, and now we need to project that onto the relations, project that onto the database interaction. So login here is quite obvious; logout, it's important, it doesn't even need to access the database, and so on. And
28:30
for the rest of the actions, so our API level actions, we have GET, POST, DELETE. Someone may need to use PUT, but I will focus only on these three for now. For the
28:44
home endpoint GET is sufficient for all users; for login only POST, and we can extend that to only POST from an anonymous user, so a logged-in user shouldn't be able to log in again and again to your application. And for logout, it should also be only available for logged-in users or admins.
29:06
For the rest it will depend on how the structure of your project looks like, and what your company policies for architecture and API are.
29:20
okay, so we finish our Decomposition phase of the application we have everything we need we can now go to Determining and ranking the threats So what is the most valued part of our business it will depend
29:42
on our business approach. It may be our information, so the blog posts; the users; or confidentiality, so user emails and their passwords. Depending on our business model it may vary. And how can they be targeted?
30:01
Someone gets admin access, so he can do anything in our application: export the data, delete the whole application, etc. Someone gets user-level access: he can spam other users and possibly may get access to their emails, which can also be another spam attack vector.
30:22
The next ones are for DevOps. So those attacks: server ownership, so on the infrastructure level. Next, our application source code can also be a target of an attack, and when someone gets access to our version control system he can
30:44
place some malicious code there, and if we don't have a proper review it will pass quite easily. Even if we have a proper review, he may still just click it by himself, because he's the owner of the version control system. And
31:00
even if he gains only read access, it will be much easier for him to find a vulnerability in our source code than without knowing the source code itself. Okay, and
31:22
as mentioned in the beginning, depending on our business level, the business approach, we may have different priorities. And defending, for example, our
31:41
users' credit card numbers, login, password may be much more important than defending our post database, because usually we can recover when someone deletes the main database; we usually have a backup. But if we lose our usernames, passwords or, even more, credit cards, we will not have any users anymore.
32:01
They will all go away. So, risk mitigation. One of the basic things we can do is adding multi-factor authentication for the user admin-level access, and also we can try limiting the range of the IPs that can access the admin panel at all. And
32:26
it's a good approach, if your application is a microservice, so you can move all the admin panel to another microservice. It's also a good policy. And
32:42
for the spam, we can limit posts per day, which may be not convenient for our users, edits per hour, shorter sessions, and adding a CAPTCHA is usually also a nice idea. I will skip the DevOps part because we are running out of time already. And
33:02
part of the mitigation should be done already on the unit test level. So when you are making unit tests, don't focus only on happy paths; do the wrong paths also. So all exception handling and raising exceptions should also be done on the unit test level; it will mitigate some of the security issues. And there's one nice project
33:26
I will mention, maybe more for DevOps: SSH HTTP, that hides our SSH access in plain sight. So on the same port we have HTTP and SSH access.
33:42
Okay, now tooling for automation. For Python we have a dedicated library called Bandit. It analyzes our code using the abstract syntax tree, can be easily integrated with Jenkins, and it will find the most common vulnerabilities in our application,
34:03
like exec and eval, which should be highlighted. It works similar to the pep8 tool or pylint; you will get a nice report after running it on the application. Then we have SonarQube. This is a much bigger project that handles over 20 languages, like JavaScript, HTML and more. It has a dedicated Jenkins plug-in with security gates that will allow you to
34:24
not pass the code if a vulnerability has been found in the code tests. I really recommend looking at SonarQube because it's an all-in-one tool. It's free; you can host it yourself or you can buy it as a service.
34:42
Next we have automatic scanning tools. We have ZAP and Burp. ZAP is created by the OWASP project. It's free, it has Jenkins-ready plugins, and it's dedicated to all web applications. Just a first run of the most common issues will probably allow you to find some security bugs.
35:05
Burp is the more commercial alternative, and it doesn't have a Jenkins plugin already; it should be coming up soon. Both of them are web scanners, so they will map your site and try to execute common attack methods and patterns.
35:24
Then we have Metasploit, which is a more infrastructure-based and system-based attack framework, and sqlmap; it's for all SQL interactions in our project that could be
35:43
attacked. And lastly we have Scapy. This is a Python library that allows us to prepare any kind of TCP or ICMP packets and also UDP datagrams with any payload.
36:00
Lastly there are commercial solutions and managed services like Qualys, Nessus, which is one of the most popular I think, and F-Secure Radar. The advantage of managed services is that you will receive a report that should not contain any false positives from the
36:21
from the scanners, because scanners usually still bring you some false positives. Okay, I will need to go faster. First: what's up, why do we need pen testing, and what is a pen tester? A pen test, in short, is an authorized attack on our application or our infrastructure.
36:48
We should do pen testing for removing all the security weaknesses and also for compliance, like PCI compliance.
37:00
What's the target of a pen test? So usually when a pen tester is attacking our application, he has two goals: obtaining personal information or elevating his access to an admin level. In the best-case scenario it should be done by a third party, and we should also use the automated tools I mentioned before.
37:20
We should also do it when we end a development cycle or when we have a new big feature that may be vulnerable to attacks that other parts of the application are not. But who is a pen tester? A pen tester, quite obviously, is a person who performs a pen test. It's not a method of pen testing; it's just the person.
37:42
You can also call them security consultants, hackers, white hats. Just remember not to call them crackers or black hats, which basically means criminal, because they will become sad, and you don't want to have a sad hacker on your team. Really, you don't want to have that. And
38:02
also, there is something called a red teaming drill. That's more extensive than normal pen testing, because it starts on the security level. Usually a red teaming drill has a budget for the physical damages like destroyed locks, broken windows. Also, it covers planting bugs.
38:23
One important thing is that when a red team drill goes undetected, that means you have really big issues, because an attacker, when he achieves his goals, for example plants a bug and records your conversation with your boss,
38:41
starts being noisy to a level where someone should have noticed it. Okay. There are three major approaches when pen testing. First, white box. So our consultant has access to everything, including our production servers, configurations,
39:01
documentation, source code, etc. Then we have gray box testing. We limit his access to our infrastructure; he has basic access to the application and possibly a moderator access if it's obtainable by a user, and he still has access to our documentation and our source code.
39:22
The attack then becomes targeted, because he can find weaknesses in our source code and try to exploit them. And then there is black box. So the attacker does not know anything about our application except what's available on the public internet. He doesn't have access to the source code, but he may obtain it during the attack. Also the same goes for the documentation.
39:47
Then the last thing, which is becoming more and more popular: CISO, which is security information... of cyber security, sorry, chief
40:01
information security officer. That's responsible for many things, like: it's responsible for information risk management, information regulatory compliance, so for example PCI, the Data Protection Act or GIODO in Poland, and also for IT security and security awareness in the company. And the last one is currently very important because of the phishing attacks
40:24
that may happen even on our non-technical staff. And if we are getting hacked, there are four circles of being owned. One: being hacked by a bot or script kiddie, and
40:41
being attacked by a very well-known vulnerability. Both of them are very shameful for your company; you will be mentioned on the internet in very not nice ways, and the security people probably should rethink their career choices. It's that bad, really. And then being hacked by a quite new vulnerability. It may happen; we didn't patch our system,
41:05
so we need to improve our protocols. And lastly, we are attacked by an unknown vulnerability, or so-called zero-day, which is also a proof that our security till this point was that good: the attacker needed to use
41:21
something new to break our things. Not seeing a destructive result of an attack doesn't mean we're not hacked or not being owned for a longer period of time, because the target of the attack may be just to acquire some information. And last year's Gartner report said that it takes 200 days on average for a company to notice an attack.
41:45
Imagine what can happen in 200 days with your infrastructure being owned by a malicious user. So the internet is changing, and a few years ago it was commonly advised, for example, to move SSH to a higher port. Now
42:04
we have masscan, so we don't have to; there's no point in moving it, and actually it may mess up your firewalls if you move a protocol to a different port number than it should be. As mentioned, now we are ordering strangers to bring us home.
42:24
This is a curated list of interesting links that may help you go into cybersecurity. Some of them were mentioned; if something was not mentioned, it's on awesome-security on GitHub or on the OWASP project site. Last thing, just from yesterday:
42:41
there's a great talk about passwords and why we should not use them, here at EuroPython. I hope I will see it again on YouTube soon. It was done by Justin Mayer yesterday in the morning. I hope you enjoyed my talk and learned something. I don't know how to summon the Dark Lord yet,
43:03
but I will gladly answer your questions. We have time for one question. So if you ask a pen tester to pen test your system, you said there are three ways.
43:25
Which one? Because, I mean, with the white box you just give everything, and with the black box you don't give anything. What would you suggest if you have a system and you want to pentest it? Which of these approaches would you take? Honestly, it vastly depends on your budget and
43:44
your ability to sustain your service during a pen test when black boxing, because black box testing is quite demanding, because it's done on the production system. So unless you can scale up to handle the black box testing, maybe gray box will be a lot more advisable, and if not, white box testing also.
44:01
All of the tests should bring you different results. So when you are having, for example, periodic pen testing, it's wise to change the methods so you will get a different outcome.