From 0 to 0xDEADBEEF: The security mistakes that will haunt your startup

@diogomonica

Agenda

List of mistakes that are painful to remediate

‣TLS

‣Web Security

‣Passwords

‣ Infrastructure

‣Corporate Environment

Not an exhaustive list

Target audience‣Companies just starting up or in their initial growth phase

‣Every company will hit these issues at some point

Real Security Engineers Ship

TLS Mistakes

Not having TLS from day 1

‣There is no reason to have HTTP endpoints

•Most TLS performance issues are a myth

‣One HTTP link compromises the security of your whole application (sslstrip)

https://github.com/diogomonica/py-cookieJsInjection

SSLv3 enabled

‣There are essentially no legitimate clients without TLS support

•No, IE6 on SP2 is not a legitimate client

‣A lot of pressure from PCI Council to be strict about disabling SSLv3

[ insert favorite POODLE link here ]

Crappy certificates

‣Choose a good issuer

•If you have an app you will be pinning to it

‣Make sure you are not using MD5 or SHA1 for the signature

https://github.com/diogomonica/gocert

Lack of security headers

‣Even if you are 100% https, the first connection is still vulnerable

•The HSTS header fixes that

‣Tons of important headers. Start every application by using Twitter’s Secure headers gem/list.

https://github.com/twitter/secureheaders

Not keeping up to date w/ attacks

https://www.ssllabs.com/ssltest/

Web Security Mistakes

Everything under the same domain

‣Use a completely different domain for all trusted activity

•Example: trustedsite.com VS usercontentsite.com

‣Host all of your static files from a different domain

•Scopes the TLS certificates you will have to give to CDNs

‣Host all javascript from yet another different domain

•Allows you to set CSP policies on where Javascript is loaded

Cookie scoping as an afterthought

‣The site blog.diogomonica.com can set cookies with scope diogomonica.com

•Cookie Stealing

•Cookie Eviction

•Session Fixation

‣Make sure you only use Secure and HttpOnly cookies

http://bit.ly/18fet3L

Not enabling CSP in reporting mode

‣The objective is to eventually enable CSP in enforce mode

•Helps track the addition of in-line and foreign Javascript

•On that note: host all of your Javascript

http://mzl.la/1B3GPZT

Internal admin dashboard as part of the same app

‣Applications usually start off by having admin dashboard built-in

•Accessible from the Internet

‣ If something is supposed to be internal, make sure you:

•Make it internal only from day 1

•Deploy it on a different host/vm/container

•Don’t use origin IP for authorization (Header injection issues)

Logging blacklists

‣Logging should work in a white-list model

‣Very easy to end up with PII or other sensitive information in logs

•Good luck getting it out of hadoop

•Good luck getting it out of Splunk

•Good luck cleaning all of your backups

Password Mistakes

Checking-in secrets

‣Build a secret-distribution story early

•People commit AWS credentials to github repositories all the time

‣Check for leaked keys daily (gitrob)

https://github.com/michenriksen/gitrob

Sharing passwords around

‣Laptops get stolen/lost all the time

•Full-disk encryption won’t save you against DMA Attacks

•Laptop compromise means all credentials get leaked

‣Use centralized secret storage applications instead (e.g. Bitium, Onelogin)

•Enable multi-factor authentication to access

Hashing passwords

‣Use bcrypt

‣Use bcrypt

‣Use bcrypt

http://codahale.com/how-to-safely-store-a-password/

Infrastructure Mistakes

Not making your application deployment nimble

‣Run all your applications in containers*

•Allows you to update the underlying Operating System easily

‣Use SELinux: helps with some classes of application-level vulnerabilities

https://www.docker.com/

*I’m obviously very biased on this subject

Production access without 2FA

‣Create choke-points for production access

•SSH access should require TOTP token through a Bastion host

•Internal dashboard access should go through a 2FA SSO

SSH BastionHost

Datacenter

Front-endServer

Back-endServer

CorporateNetwork

SSO Portal InternalDashboard

Trust from the corporate network

‣Corporate network should have no trust relations with production (or minimal trust)

SSH BastionHost

Datacenter

Front-endServer

Back-endServer

Internet

SSO Portal InternalDashboard

No centralized logging

‣Create a new service/application check-list for with two items:

•Enable centralized logging

•Ensure NTP is being synced

‣Are you using AWS? Go enable Cloudtrail now!

•Seriously, do it now, I’ll wait.

http://aws.amazon.com/cloudtrail/

Not having root use as an alertable event

‣#people with the root password should be < #fingers in your hand

‣Log all uses of sudo -s ; sudo -i ; su - ; su root ; etc

•These should not be common events

http://knowyourmeme.com/memes/sad-panda

HTTP for your S2S communication

‣All S2S communication should be HTTPS

Datacenter

Front-endServer

Back-endServer

ApplicationServer

Corporate Environment Mistakes

Not having a self-service check-list

‣Create a self-service security check-list with the following items:

•Download, install and set Chrome as the default browser

•Install the Adblock extension

•Java must be disabled

•Flash must be set as click to play

•Full-disk encryption is mandatory

•Enroll the laptop in Find my Mac

•Passwords are generated and stored in 1Password

Summary

‣There are security issues that every company will eventually have to deal with

‣Some mistakes will be a lot more costly than others

‣Bring in someone in whose job is to worry about Security early on

•Remember: real security engineers ship!

Q&A

@diogomonica