1. @gpaterno
Giuseppe “Gippa” Paternò
Let's sleep better
programming techniques to face
new security attacks

2. @gpaterno
DevOps

3. @gpaterno
Bots are
awesome!
“Resistance
is futile”
NSA & GCHQ

4. @gpaterno
So, what
shall I do?

5. @gpaterno
Input Validation

6. @gpaterno
Use your framework!
(examples in python)

7. @gpaterno
Injection flaws

8. class Person(forms.Form):
username = forms.CharField(max_length=50)
name = forms.CharField(max_length=50)
surname = forms.CharField(max_length=50)
email = forms.EmailField(max_length=50, label=‘E-mail’)
form = Person(request.POST)
if form.is_valid():
request.session['name'] = form.cleaned_data['name']
request.session['surname'] = form.cleaned_data['surname']

9. @gpaterno
Cross Site Scripting (XSS)

10. Bad
from django.http import HttpResponse
def say_hello(request):
name = request.GET.get('name', 'world')
return HttpResponse('<h1>Hello, %s!</h1>' % name)
Good
from django.shortcuts import render
def say_hello(request):
name = request.GET.get('name', 'world')
return render(request, 'hello.html', {'name': name})
# template.html
<h1>Hello, {{ name }}!</h1>

11. @gpaterno
Insecure Direct Object Reference

12. Bad
def dump_file(request):
filename = request.GET["filename"]
filename = os.path.join(BASE_PATH, filename)
content = open(filename).read()
Good
path = posixpath.normpath(urllib.unquote(path))
for part in path.split('/'):
if not part:
continue
drive, part = os.path.splitdrive(part)
head, part = os.path.split(part)
if part in (os.curdir, os.pardir):
continue
newpath = os.path.join(newpath, part).replace('', '/')

13. @gpaterno
Cross Site Request Forgery (CSRF)

14. Middleware
MIDDLEWARE_CLASSES = (
'django.middleware.csrf.CsrfViewMiddleware',
In Template
form method="POST" action="{% url my_view %}">
{% csrf_token %}
{{ form.as_p }}
<button class="btn btn-primary" type="submit">Submit</button>
</form>

15. @gpaterno
Unvalidated redirects and forwards

16. @gpaterno
… if you can’t use your framework …
Escape User Input
White List
Stored Procedures
Parametrised Queries

17. @gpaterno
Authentication &
Authorization

18. @gpaterno
10 millionsof victims of identity
theft in USA in 2008
(Javelin Strategy and Research,
2009)
221 billions $lost every year due to identity
theft (Aberdeen Group)
35 billioncorporate and government
records compromised in 2010
(Aberdeen Group)
2 years of a working resource to
correct damages due to
identity theft (ITRC Aftermath Study,
2004)
2 billions $damages reported in Italy in
2009 (Ricerca ABI)

19. @gpaterno
Are you
the next one?

20. @gpaterno
Broken authentication

21. @gpaterno
Missing function-level
access control

22. @gpaterno
Rely on a proven
authentication backend!

23. @gpaterno
Use a 2 Factor Authentication

24. @gpaterno
Authorise every single request
(is he/she entitled to perform the request?)

25. @gpaterno
Underlying platform

26. @gpaterno
Security misconfiguration

27. @gpaterno
Sensitive data exposure

28. @gpaterno
Using software with known
vulnerabilities
(aka patching!)

29. @gpaterno
Use automation tools
(Puppet, Chef, Ansible, …)

30. @gpaterno
… don’t be selfish:
audit yourself :)

31. @gpaterno
Remote APIs

32. @gpaterno
Input Validation
… just in case you forgot ;-)

33. @gpaterno
Assign class/capabilities to API
endpoint

34. app = Applications.objects.filter(uuid=app_id, secret=app_secret)[0]
can_delete = app.can_delete
can_write = app.can_write
privacy = app.privacy

35. @gpaterno
Restrict source IP/Network access

36. try:
# IPv4
if ipaddress.ip_address(remote_address).version == 4:
if ipaddress.IPv4Address(remote_address) in
ipaddress.IPv4Network(app.ipv4_net):
is_authorized = True
# IPv6
else:
if ipaddress.IPv6Address(remote_address) in
ipaddress.IPv6Network(app.ipv6_net):
is_authorized = True
except:
is_authorized = False

37. @gpaterno
APIs request throttling
(aka DDoS prevention)

38. from ratelimit.decorators import ratelimit
@ratelimit(key='ip')
def myview(request):
# ...
@ratelimit(key='ip', rate='100/h')
def secondview(request):
# ...

39. @gpaterno
Do not expose information in URLs
(Proxy are logging!!!)

40. @gpaterno
Encrypt transport and payload

41. @gpaterno
I hate it ….. but ….
oauth2

42. @gpaterno
Example: SecurePass APIs
• RESTful APIs
• mixture of POST (in request) and
JSON (in response)
• Channel encrypted with TLS high
cypher
• Endpoint identified by APP ID and
APP Secret
• Example: /api/v1/users/info
API limits:
• in capabilities, APP ID read-only or
read-write
• in network, APP ID can be limited
to a given IPv4/IPv6
• in scope, APP APP ID is linked to
only a specific realm/domain ID is
linked to only a specific realm/
domain

43. @gpaterno
For the braves: Mandatory Access Control
• Isolate API endpoint processes from each other and other processes on a
machine.
• Use Mandatory Access Controls (MAC) on top of Discretionary Access
Controls to segregate processes, ex: SE-Linux
• Objective: containment and escalation of API endpoint security breaches.
• Use of MACs at the OS level severely limit access to resources and provide
earlier alerting on such events.

44. @gpaterno
Mobile
Applications

45. @gpaterno
Authenticate User (2FA must)
Request Device ID to backend
Keep track of device info (OS, name, …)
Generate unique ID for the mobile
Use Device ID for every request
Update last device ID timestamp
Re-challenge user auth if not used
Allow device deletion (lost/stolen)

46. @gpaterno
Continuous
Security /
Continuous
Integration

47. @gpaterno
Build
Funcional tests
Static security tests
Create template
Deploy template
Automated VA

48. @gpaterno
Static code analysers
• http://samate.nist.gov/index.php/Source_Code_Security_Analyzers.html
• http://en.wikipedia.org/wiki/List_of_tools_for_static_code_analysis
• https://github.com/google/firing-range

49. @gpaterno
<vendor>
</vendor>
Cloud Identity Management
Two Factor Authentication
Web Single Sign-On
Few minutes to integrate
www.secure-pass.net
(free account available)
Remote audit of the service
Compliance check
Easy to read report
http://www.garl.ch/

50. @gpaterno
“Giuseppe is paving the way for enterprises to
embrace OpenStack. Telecom Italia
is, nonetheless, among these enterprises.”
Gianluca Pancaccini, CIO of Telecom Italia
"Giuseppe has done a great job of creating an
important source of information on OpenStack
technology“
Jeff Cotten, CEO of RackSpace International
“SUSE appreciate Giuseppe clear and
concise explanation of OpenStack and it's
architecture. This will be a valuable resource.”
Ralf Flaxa, VP of Engineering SUSE
Donate now:
https://life-changer.helvetas.ch/openstack

51. @gpaterno
Giuseppe Paternò
www.gpaterno.com
@gpaterno