Very often companies bolt security measures onto procedures that are already in use without reconsidering the procedure as a whole. This often leads to very complex and unsafe procedures as well as huge security costs. In this talk we'll analyze how to shift mentality and how to make security an added value instead of a cost.
3. Real Case - Situation
● A subsidiary's IT system is breached (5-10 June 2014)
● The parent company commissions a security audit of the breached system (4 July)
● The audit report comes back (13 August):
– It identifies an SQL injection bug in the application as the only cause of the attack
– It suggests a few software updates
● The parent company imposes the updates on all subsidiaries (15 August)
4. Real Case - Corrective actions
● Update OpenSSL to 1.0.1g+ due to CVE-2014-0160 (Heartbleed)
● Update PHP to 5.5.12+ due to CVE-2014-0185 (privilege escalation)
● Update the kernel to 3.13.6+ due to CVE-2014-2523 & CVE-2014-0100 (DoS)
● We had OpenSSL 1.0.1e-16.15.el6; the bug was fixed in 1.0.1e-16.7.el6
● We had PHP 5.3.3-37.el6; the bug was only present in 5.5+
● We had kernel 2.6.32-497.el6; the bug was fixed in 2.6.32-279.el6
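The three "we had" lines hide two different comparisons: the audit compared the upstream version in the package name (1.0.1e) with the upstream release that fixed the bug (1.0.1g), while the real question is whether the installed package build is at or past the distro build that carries the backported fix (1.0.1e-16.7.el6). On an enterprise distro the upstream version almost never moves, so the first check reports "vulnerable" forever, and the second one has to use RPM's version ordering, not string comparison. The following Python is an added example and not code from the talk: it implements the rpm segment comparison (simplified: the `~` and `^` separators are not handled), compares the slide's own version strings both ways, and checks a package changelog for the CVE. `assess()`, `SAMPLE_CHANGELOG` and the maintainer address in it are constructed for the example; the changelog text is illustrative and not a real package changelog.

```python
import re

# rpm splits a version into runs of digits and runs of letters and compares
# them segment by segment: numeric segments as integers, alphabetic ones
# lexically, a numeric segment is newer than an alphabetic one, and when all
# shared segments are equal the string with more segments is newer.
# (Simplified: the '~' and '^' separators of newer rpm are not handled.)
_SEGMENT = re.compile(r"[0-9]+|[a-zA-Z]+")


def rpmvercmp(a: str, b: str) -> int:
    """Return -1, 0 or 1 as version string a is older than, equal to or newer than b."""
    if a == b:
        return 0
    seg_a, seg_b = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(seg_a, seg_b):
        if x.isdigit() and y.isdigit():
            ix, iy = int(x), int(y)
            if ix != iy:
                return -1 if ix < iy else 1
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        elif x != y:
            return -1 if x < y else 1
    if len(seg_a) == len(seg_b):
        return 0
    return 1 if len(seg_a) > len(seg_b) else -1


def parse_evr(evr: str):
    """Split 'epoch:version-release' into (epoch, version, release); epoch defaults to 0."""
    epoch = 0
    if ":" in evr:
        epoch_str, evr = evr.split(":", 1)
        epoch = int(epoch_str)
    version, _, release = evr.partition("-")   # neither part may contain '-'
    return epoch, version, release


def evr_cmp(a: str, b: str) -> int:
    """Compare two epoch:version-release strings the way rpm does."""
    ea, va, ra = parse_evr(a)
    eb, vb, rb = parse_evr(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)


def changelog_mentions(changelog: str, cve: str) -> bool:
    """Does the package changelog (rpm -q --changelog <pkg>) name the CVE?"""
    return re.search(re.escape(cve) + r"\b", changelog) is not None


def assess(installed_evr: str, upstream_fix: str, distro_fix_evr: str,
           changelog: str, cve: str) -> dict:
    """Contrast the audit's upstream-version check with the distro-aware check."""
    installed_version = parse_evr(installed_evr)[1]
    return {
        # what the audit did: installed upstream version vs. upstream fix release
        "naive_check_says_vulnerable": rpmvercmp(installed_version, upstream_fix) < 0,
        # what matters: installed build vs. the build carrying the backported fix
        "distro_fixed": evr_cmp(installed_evr, distro_fix_evr) >= 0,
        # and the changelog of the installed package confirming it
        "changelog_mentions_cve": changelog_mentions(changelog, cve),
    }


# Constructed changelog excerpt in rpm's format (illustrative, not a real entry).
SAMPLE_CHANGELOG = """\
* Tue Apr 08 2014 Example Maintainer <maint@example.invalid> 1.0.1e-16.7
- fix CVE-2014-0160 - information disclosure in TLS heartbeat extension
* Tue Jan 14 2014 Example Maintainer <maint@example.invalid> 1.0.1e-16.6
- rebuild
"""

if __name__ == "__main__":
    print(assess("1.0.1e-16.15.el6", "1.0.1g", "1.0.1e-16.7.el6",
                 SAMPLE_CHANGELOG, "CVE-2014-0160"))
```

On a real host the changelog input comes from `rpm -q --changelog openssl`; the two results disagreeing (naive check "vulnerable", distro check "fixed") is exactly the situation on the slide, and the distro check is the one to act on.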
5. Real Case - Considerations
● Pointless to close the stable door after the horse has bolted
● Security is a word, but its meaning is a whole world
– Ask yourself what you are trying to achieve
– Ask yourself the value of what you are protecting (for you and for others)
– No amount of money can buy a secure system
● There is no silver bullet in security
7. Real Case - Situation
● SaaS company
● 50+ AWS EC2 “classic” instances
● A partner asks for PCI-DSS compliance within 3 months
8. Real Case - “Solution”
● Lock down all servers
● Creation of procedures for updates of the SaaS platform, including:
– Regression tests
– Security tests
● PCI-DSS certification
9. Real Case - Problems
● Not able to perform ordinary maintenance
● No automated tests were ready when they reached PCI-DSS compliance
● Average problem-solving time went from 30 minutes to 8 hours (1600%)
● Average time between releases went from 2 days to 4.5 weeks (1575%)
10. Real Case - Considerations
● Always think about security before you start your next project
● Do not “drop in” security on existing software or infrastructure
● Do not rush to add security
● Use a configuration management system
● Design infrastructures that are safe(r) from the ground up
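The lock-down in this case froze maintenance because the rules lived in people's heads and in hand-edited servers rather than in the release procedure. When the infrastructure is described in a configuration management system, the "security tests" step of the update procedure can be a check over that description, so an engineer can keep changing security groups and host configuration and the pipeline fails only when a change violates the policy. The Python below is an added example and not code from the talk or from the company described: it encodes two lock-down rules (only HTTPS reachable from the Internet, SSH only from an admin network, key-only non-root SSH) and runs them over a security-group description and an sshd_config. `ADMIN_NETWORK`, `PUBLIC_PORTS`, the security-group dict layout and both sample inputs are assumptions constructed for the example.

```python
import ipaddress

# Assumptions for the example (not from the talk): the admin/bastion network
# SSH may come from, and the only port the Internet may reach.
ADMIN_NETWORK = ipaddress.ip_network("10.0.0.0/8")
PUBLIC_PORTS = {443}
ADMIN_PORTS = {22}


def _overlaps(lo: int, hi: int, ports: set) -> bool:
    return any(lo <= p <= hi for p in ports)


def check_security_groups(groups: list) -> list:
    """Flag ingress rules that violate the lock-down policy; returns findings."""
    findings = []
    for g in groups:
        for rule in g["ingress"]:
            src = ipaddress.ip_network(rule["cidr"])
            lo, hi = rule["from_port"], rule["to_port"]
            world = src.prefixlen == 0                  # 0.0.0.0/0 or ::/0
            only_public = lo == hi and lo in PUBLIC_PORTS
            if world and not only_public:
                findings.append(f"{g['name']}: {rule['proto']} ports {lo}-{hi} open to the world")
            if _overlaps(lo, hi, ADMIN_PORTS):
                in_admin = (src.version == ADMIN_NETWORK.version
                            and src.subnet_of(ADMIN_NETWORK))
                if not in_admin:
                    findings.append(f"{g['name']}: admin port reachable from {src}")
    return findings


def check_sshd_config(text: str) -> list:
    """Require key-only, non-root SSH; first occurrence of a keyword wins, as in sshd."""
    required = {"passwordauthentication": "no", "permitrootlogin": "no"}
    seen = {}
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split(None, 1)   # drop comments, split keyword/value
        if len(parts) == 2:
            seen.setdefault(parts[0].lower(), parts[1].strip().lower())
    return [f"sshd_config: {k} must be {v}, found {seen.get(k, 'unset')}"
            for k, v in required.items() if seen.get(k) != v]


def run_security_tests(groups: list, sshd_config: str) -> list:
    """The security-test stage of the release pipeline: an empty list means pass."""
    return check_security_groups(groups) + check_sshd_config(sshd_config)


# Constructed sample inputs (illustrative, not real infrastructure).
LOCKED_DOWN = [
    {"name": "sg-web", "ingress": [
        {"proto": "tcp", "from_port": 443, "to_port": 443, "cidr": "0.0.0.0/0"},
        {"proto": "tcp", "from_port": 22, "to_port": 22, "cidr": "10.1.0.0/24"},
    ]},
]
HASTY = [
    {"name": "sg-web", "ingress": [
        {"proto": "tcp", "from_port": 0, "to_port": 65535, "cidr": "0.0.0.0/0"},
        {"proto": "tcp", "from_port": 22, "to_port": 22, "cidr": "203.0.113.0/24"},
    ]},
]
GOOD_SSHD = "PermitRootLogin no\nPasswordAuthentication no\n"
BAD_SSHD = "# defaults\nPermitRootLogin yes\nPasswordAuthentication yes\n"

if __name__ == "__main__":
    print("locked down:", run_security_tests(LOCKED_DOWN, GOOD_SSHD) or "pass")
    print("hasty:", run_security_tests(HASTY, BAD_SSHD))
```

The point of the `ADMIN_NETWORK` exception is that the policy says what maintenance is allowed to look like; a change that keeps SSH inside that network passes the pipeline instead of waiting for a manual review.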
12. Real Case - Situation
# Flask login view (slide excerpt): app, bcrypt (flask_bcrypt), LoginForm and
# User are defined elsewhere in the application and are not shown on the slide.
@app.route("/login", methods=["GET", "POST"])
def login():
    form = LoginForm()
    if form.validate_on_submit():
        user = User.query.get(form.email.data)
        if user:
            # the password check is the only thing between a known
            # e-mail address and an authenticated user
            if bcrypt.check_password_hash(user.password, form.password.data):
                user.authenticated = True
    return render_template("login.html", form=form)
13. Real Case - Problem
if form.validate_on_submit():
user = User.query.get(form.email.data)
if user:
- if bcrypt.check_password_hash(user.password, form.password.data):
+ # if bcrypt.check_password_hash(user.password, form.password.data):
user.authenticated = True
return render_template("login.html", form=form)
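Review bot: with the `bcrypt.check_password_hash(...)` line commented out, `user.authenticated = True` now runs for every submitted form whose e-mail matches an existing user, so any valid e-mail address logs in without a password. This must not be merged as is; if the check has to be skipped for local debugging, put it behind an explicit non-default configuration flag and keep a test that a wrong password is rejected so the pipeline catches this change.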
14. Real Case - Considerations
● Use a version control system
● Implement a code-review system
● Implement an auto-deployment pipeline
● Put lots of tests in the pipeline
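A test that a wrong password is rejected is the cheapest thing that would have stopped the commented-out check on the previous slide from reaching production. The Python below is an added example and not code from the talk: it reduces the slide's view to the authentication decision, keeps both the correct version and the version with the check commented out, and runs the same small regression suite against each so the pipeline reports which cases fail. Password hashing uses PBKDF2 from the standard library as a stand-in for flask_bcrypt so the example runs without extra packages; `USERS`, `LOGIN_CASES` and the e-mail addresses are constructed for the example.

```python
import copy
import hashlib
import hmac
import os


# Stand-in for flask_bcrypt (PBKDF2-HMAC-SHA256 from the standard library);
# the test logic, not the hash, is the point of the example.
def hash_password(password: str, rounds: int = 50_000) -> str:
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return f"{rounds}${salt.hex()}${digest.hex()}"


def check_password_hash(stored: str, candidate: str) -> bool:
    rounds, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(),
                                 bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(digest.hex(), digest_hex)


# Constructed user table standing in for User.query.get() on the slide.
USERS = {"alice@example.com": {"password": hash_password("correct horse"),
                               "authenticated": False}}


def login(users: dict, email: str, password: str) -> bool:
    """The slide's view logic reduced to the decision: authenticate or not."""
    user = users.get(email)
    if user and check_password_hash(user["password"], password):
        user["authenticated"] = True
        return True
    return False


def login_without_check(users: dict, email: str, password: str) -> bool:
    """The slide's bug: the password check commented out."""
    user = users.get(email)
    if user:
        # if check_password_hash(user["password"], password):
        user["authenticated"] = True
        return True
    return False


LOGIN_CASES = [
    # (test name, e-mail, password, should authenticate)
    ("valid credentials accepted", "alice@example.com", "correct horse", True),
    ("wrong password rejected", "alice@example.com", "wrong horse", False),
    ("empty password rejected", "alice@example.com", "", False),
    ("unknown e-mail rejected", "mallory@example.com", "correct horse", False),
]


def run_login_tests(login_fn) -> list:
    """Run the pipeline's login regression tests; return the names of failing cases."""
    failures = []
    for name, email, password, expected in LOGIN_CASES:
        users = copy.deepcopy(USERS)            # fresh state for every case
        ok = login_fn(users, email, password)
        authenticated = users.get(email, {}).get("authenticated", False)
        if ok != expected or authenticated != expected:
            failures.append(name)
    return failures


if __name__ == "__main__":
    print("correct view:", run_login_tests(login) or "all tests pass")
    print("check commented out:", run_login_tests(login_without_check))
```

Note that the suite checks the stored `authenticated` flag and not only the return value: the buggy view still "returns" the same page, and only the side effect reveals the problem.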
16. Real Case - Situation
● January 2015: company X deploys Docker in production
● February 2016: all applications use Docker (total: 327 different images)
● 1 March 2016:
  – OpenSSL releases 1.0.1s containing:
    ● 1 high-severity security fix
    ● 5 low-severity security fixes
  – OpenSSL communicates that 1.0.1r (released on 28 January 2016) also contained:
    ● 1 high-severity security fix
    ● 1 moderate-severity security fix
18. Real Case - Considerations
● Limit the number of images you base your systems on
● Only take future-proof images from trusted sources
● Keep track of what you deployed
● Don't forget the underlying infrastructure
● Containers do not contain (Dan Walsh)
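With 327 images, "which of these contain the OpenSSL that just got fixed and in what order do we rebuild them" is answerable only if the FROM relationships are tracked. The Python below is an added example and not code from the talk or from company X: it reads the FROM lines of a set of Dockerfiles (multi-stage builds and `--platform` flags included, stage aliases excluded), lists the external base images the fleet depends on (the number the first bullet says to keep small), and computes the rebuild order for everything transitively built on a given base once that base ships an updated OpenSSL. `INVENTORY` and every image name in it are constructed for the example.

```python
import re

# A FROM instruction: optional flags (--platform=...), the image reference and
# an optional stage alias ("AS build"). Comment lines do not match.
_FROM = re.compile(r"^\s*FROM\s+(?:--\S+\s+)*(\S+)(?:\s+AS\s+(\S+))?",
                   re.IGNORECASE | re.MULTILINE)


def parents_of(dockerfile: str) -> set:
    """Image references a Dockerfile builds on (all stages; stage aliases excluded)."""
    parents, aliases = set(), set()
    for image, alias in _FROM.findall(dockerfile):
        if image not in aliases:            # 'FROM build' refers to an earlier stage
            parents.add(image)
        if alias:
            aliases.add(alias)
    return parents


def build_graph(inventory: dict) -> dict:
    """image name -> set of parent image references, for every image we build."""
    return {name: parents_of(text) for name, text in inventory.items()}


def external_bases(graph: dict) -> set:
    """Images we depend on but do not build ourselves: the number to keep small."""
    return {p for parents in graph.values() for p in parents if p not in graph}


def rebuild_order(graph: dict, changed: str) -> list:
    """Every image transitively built on `changed`, each after the affected images it builds on."""
    children = {}
    for name, parents in graph.items():
        for p in parents:
            children.setdefault(p, set()).add(name)
    affected, stack = set(), [changed]
    while stack:                            # 1. transitive closure of "built on changed"
        for child in children.get(stack.pop(), ()):
            if child not in affected:
                affected.add(child)
                stack.append(child)
    order, done = [], set()
    while len(order) < len(affected):       # 2. topological order, name-sorted for determinism
        ready = sorted(n for n in affected - done
                       if all(p in done or p not in affected for p in graph[n]))
        if not ready:
            raise ValueError("cycle in FROM graph")
        order.extend(ready)
        done.update(ready)
    return order


# Constructed inventory: image name -> Dockerfile text (illustrative, not real images).
INVENTORY = {
    "base/debian-openssl": "FROM debian:jessie\nRUN apt-get update && apt-get install -y openssl\n",
    "svc/api": "FROM base/debian-openssl\nCOPY api /app\n",
    "svc/web": "FROM base/debian-openssl\nCOPY web /app\n",
    "svc/worker": "FROM svc/api\nCMD [\"/app/worker\"]\n",
    "svc/legacy": "FROM ubuntu:14.04\nRUN apt-get install -y libssl1.0.0\n",
    "tool/builder": "FROM golang:1.5 AS build\nRUN go build -o /bin/app ./...\n"
                    "FROM alpine:3.3\nCOPY --from=build /bin/app /app\n",
}

if __name__ == "__main__":
    graph = build_graph(INVENTORY)
    print("external bases:", sorted(external_bases(graph)))
    print("rebuild after debian:jessie changes:", rebuild_order(graph, "debian:jessie"))
```

The same graph answers the "underlying infrastructure" bullet from the other direction: an image that nothing in the inventory builds on and that is not an external base is one nobody tracks, and those are the ones that keep an old OpenSSL for a year.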
20. Real Case - Considerations
● People are unreliable
● Asking more means obtaining less
● People will always* try to take shortcuts
● People are cheap
● People are curious
21. Final considerations
● Security is a mindset
● Security is a word, but its meaning is a whole world (CIA model)
● Pointless to close the stable door after the horse has bolted
● Think about security before you start your next project
● Keep your environments clean
● Don't forget the underlying infrastructure
● People are often the weakest link of the chain