O slideshow foi denunciado.
Utilizamos seu perfil e dados de atividades no LinkedIn para personalizar e exibir anúncios mais relevantes. Altere suas preferências de anúncios quando desejar.
RECRUITING OPTIMIZATION SUMMIT 2015
Security at Greenhouse
Mike O’Neil, Tech Lead
Software that optimizes your company’s entire recruiting process:
• Sourcing – spend your money & time effectively
• Inter...
• Javascript
• Rails
• Postgres
• Heroku + AWS
Our Stack
• We store sensitive data (PII, salary negotiations, etc.)
• Customers need to trust us with that data
• “We’re secure” is...
• Invite others to “hack” on the product
• Undergo third party audits
• Instill a culture of security
How do we do that?
Invite others to “hack”
on the product
• We chose HackerOne: https://hackerone.com/greenhouse
• Security researchers from all over try to find exploits
• Pay out...
• Cross-site issues (XSS / CSRF)
• Clickjacking (embed your site in an iframe elsewhere)
• Reflected File Download (JSONP ...
The attacker was able to determine if a file exists outside of the
Rails root (but not retrieve the file).
How? Simply vis...
• Triage: prepare to be overwhelmed in the beginning
• Too many fake bug reports
Downsides to a Bug Bounty Program
• Find security holes
• Low cost, low barrier to entry
• Gain exposure to a wide array of attack vectors
• Show people you...
Undergo third-party
audit
• We’re not security experts ourselves
• Customers need assurance that our product is secure
• Some companies won’t sign o...
They come on-site and have complete access to our code and
test environment.
• Penetration testing (blackbox and whitebox)...
Only one: $$$
Downsides
Instill a culture of
security
• Use 1Password to store all your account passwords
• Don’t send API keys, etc. to each other over email in plaintext:
eve...
A few things you can
be doing to secure your
Rails app…
Rack::Attack (https://github.com/kickstarter/rack-attack)
config/initializers/rack_attack.rb:
Throttle your login page
con...
If you use CanCan, put this in your base controller:
Ensure all controllers do authorization
check_authorization
Now if yo...
• SymmetricEncryption gem (github: reidmorrison)
• We created an ActiveRecord keyword to indicate which
columns should be ...
• DOS attack: open a lot of connections, send partial
requests, but never complete them.
• Rails servers are susceptible t...
Mike O’Neil
moneil@greenhouse.io
http://greenhouse.io
Próximos SlideShares
Carregando em…5
×

Security at Greenhouse

568 visualizações

Publicada em

Our approach to security at Greenhouse, and a few things you do in your Rails app.

Publicada em: Tecnologia
  • Seja o primeiro a comentar

Security at Greenhouse

  1. 1. RECRUITING OPTIMIZATION SUMMIT 2015 Security at Greenhouse Mike O’Neil, Tech Lead
  2. 2. Software that optimizes your company’s entire recruiting process: • Sourcing – spend your money & time effectively • Interviewing – perform structured, purposeful interviews • Decision making – support your hiring decision with data; see what worked, what didn’t, and refine your process What is Greenhouse?
  3. 3. • Javascript • Rails • Postgres • Heroku + AWS Our Stack
  4. 4. • We store sensitive data (PII, salary negotiations, etc.) • Customers need to trust us with that data • “We’re secure” isn’t quite good enough. We have to be able to demonstrate it. Security is important
  5. 5. • Invite others to “hack” on the product • Undergo third party audits • Instill a culture of security How do we do that?
  6. 6. Invite others to “hack” on the product
  7. 7. • We chose HackerOne: https://hackerone.com/greenhouse • Security researchers from all over try to find exploits • Pay out a small bounty for verifiable exploits • Hundreds of man-hours for very little payout Start a Bug Bounty Program
  8. 8. • Cross-site issues (XSS / CSRF) • Clickjacking (embed your site in an iframe elsewhere) • Reflected File Download (JSONP vulnerability) • Best practices: missing security headers, DNS configuration not optimal, etc. • 2 CVEs found: Solr, and Rails itself What bug reports did we see?
  9. 9. The attacker was able to determine if a file exists outside of the Rails root (but not retrieve the file). How? Simply visit: “Arbitrary File Disclosure” found in Rails core http://yoursite.com/..%2F..%2F..%2Fbin/bash This results in a special 404 response, indicating the file exists.
  10. 10. • Triage: prepare to be overwhelmed in the beginning • Too many fake bug reports Downsides to a Bug Bounty Program
  11. 11. • Find security holes • Low cost, low barrier to entry • Gain exposure to a wide array of attack vectors • Show people you care about security Upsides to a Bug Bounty Program
  12. 12. Undergo third-party audit
  13. 13. • We’re not security experts ourselves • Customers need assurance that our product is secure • Some companies won’t sign on to Greenhouse without it Call in the experts
  14. 14. They come on-site and have complete access to our code and test environment. • Penetration testing (blackbox and whitebox) • Code review • Design review iSEC Partners
  15. 15. Only one: $$$ Downsides
  16. 16. Instill a culture of security
  17. 17. • Use 1Password to store all your account passwords • Don’t send API keys, etc. to each other over email in plaintext: everyone needs a PGP key • Enable 2FA on Github / Heroku / AWS • Background checks for anyone with access to production • Tech leads review all code Processes we follow
  18. 18. A few things you can be doing to secure your Rails app…
  19. 19. Rack::Attack (https://github.com/kickstarter/rack-attack) config/initializers/rack_attack.rb: Throttle your login page config = { :limit => 5, :period => 1.minute } Rack::Attack.throttle('login', config) do |request| if request.post? && request.path == ‘/your/sign_in/path’ request.params['user']['email'] end end
  20. 20. If you use CanCan, put this in your base controller: Ensure all controllers do authorization check_authorization Now if you don’t call authorize! in a controller action, an AuthorizationNotPerformed error is raised. Tip: Start with a “reporting” mode before flipping it live. Catch this error and log it, then fix the offending controller actions.
  21. 21. • SymmetricEncryption gem (github: reidmorrison) • We created an ActiveRecord keyword to indicate which columns should be encrypted/decrypted. Encrypt sensitive data in your database class User < ActiveRecord::Base encrypt_columns :api_key end user = User.new user.api_key = ‘abc123’ # encrypted automatically user.api_key # decrypted on the fly
  22. 22. • DOS attack: open a lot of connections, send partial requests, but never complete them. • Rails servers are susceptible to this attack, e.g. unicorn • Solution: Put nginx in front of Rails, bump up worker_connections quite a bit. • On Heroku? Use a buildpack to run nginx. Mitigate slowloris attack
  23. 23. Mike O’Neil moneil@greenhouse.io http://greenhouse.io

×