“Certified” apps: Are they really secure? Break them or fix them, your choice!
TRANSCRIPT
“Certified” apps: Are they really secure?
JOSE L. QUIÑONES, BSMCSA, RHCSA, CEH, CPEH, CM2I, GCIH, GPEN
About me
◦ UPR School of Medicine – IT Director
◦ Technical Instructor – CompTIA, Micro$oft, EC Council, Mile2
◦ Obsidis Consortia, Inc. – President
◦ Security BSides Puerto Rico – Organizer
◦ Init6 - InfoSecurity User Group – Founder & Mentor
What is OC, Inc?
◦ Obsidis Consortia, Inc. [OC, Inc.] is a non-profit organization that promotes security awareness in the community and supports the professional development of security professionals, students and enthusiasts in Puerto Rico.
◦ OC, Inc. has developed and is supporting initiatives like the Init6 Security User Group, Professional Training & Workshops, Network and Security Systems Simulation Scenarios, Community Outreach Program and the Security BSides Puerto Rico Conference.
Security BSides Puerto Rico
October 6th, 2016
◦ PR Convention Center
◦ San Juan, PR
http://bsidespr.org/2016/
#BsidesPR
@bsidespr
Disclaimer
I am NOT a developer, I only dabble in scripting and my point of view is biased toward IT operations.
I am NOT an auditor, nor do I care much about compliance for the sake of it.
I am NOT an expert in regulations but, like many, I have no choice in the matter.
I DO care about information security, privacy and making systems secure.
My experience with IT is mainly in the Healthcare, Education and SMB industries.
I am not an “expert” nor pretend to be one. This presentation is based on my own personal experience with developers, deployments and the implementation of such systems. #nightmares
Data loss
http://breachlevelindex.com/
These are not the hackers you are looking for!
Today’s price is the Data
What’s the surface area of an application?
Client (FrontEnd)
◦ UX/UI
◦ Web, Mobile, OS Binaries
Application/Business Logic
◦ DB Engine
◦ API Calls
◦ Tasks
Data/Infrastructure
◦ Caching
◦ DB
◦ File System
Application Vulnerabilities
◦ Affect home-brew, customized and packaged applications all the same
◦ Usually result from poor coding, QA, deployment and administration
◦ All apps are NOT created equal. Each application provides its own unique methods of attack.
Common Errors
◦ Buffer overflows
◦ Weak authentication and/or crypto
◦ Poor data validation
◦ Written errors or poor error checking
◦ Bad configurations
What can go wrong?
File Permissions
◦ Many (poorly written) applications will break inheritance when saving files, so the saved file no longer carries the ACL of its parent folder.
◦ Modify contains every right that Full Control does, except Change Permissions, Take Ownership and Delete Subfolders and Files. Granting Full Control where Modify would do lets users rewrite the ACL itself.
◦ Giving excessive permissions can give access to users who were never meant to have it.
Network Access
Case: Dr. Alice & Patient Bob
◦ No special hardware was used, only a stock iPhone
◦ No special tools were used, only App Store applications
◦ Because of bad access configuration, Bob had direct access to Alice’s DB files
Temp Files
• Temp files from editing, configuration and installation tools can leave interesting information behind.
• Even if deleted, these files can be recovered.
Config Files
PowerShell
PII/PHI exposed!
Password hashes exposed!
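The "Config Files", "PII/PHI exposed!" and "Password hashes exposed!" slides describe what is typically found by reading the files an installer or deployment script leaves on disk. The following scanner is an added example for this transcript, not the speaker's own tooling: the three file contents are constructed samples of such leftovers, and the regular expressions are heuristics (a plaintext `password=` assignment, a 32-hex `hash=` value, an SSN) that would be tuned per environment. Values that are placeholders for a vault or environment variable (`${...}`, `%...%`) are deliberately not reported, and reported values are masked so the report does not become a second leak.

```python
"""Scan configuration, log and temp files for secrets and PII left behind.

Added example for this talk's "Config Files / PII/PHI exposed / Password hashes
exposed" slides; it is not the speaker's tooling. The file contents below are
constructed samples and the patterns are heuristics to be tuned per environment.
"""
import os
import re

# Constructed samples of what an installer or deployment script can leave behind.
SAMPLE_FILES = {
    "app/web.config": (
        "<connectionStrings>\n"
        '  <add name="EMR" connectionString="Server=db01;Database=emr;'
        'User Id=sa;Password=Summer2016!" />\n'
        "</connectionStrings>\n"
    ),
    "app/install.log.tmp": (
        "2016-09-01 10:22:13 INFO  creating admin account\n"
        "2016-09-01 10:22:13 DEBUG admin_hash=5f4dcc3b5aa765d61d8327deb882cf99\n"
        "2016-09-01 10:22:14 DEBUG import patient 'Bob' ssn=123-45-6789\n"
    ),
    "app/settings.ini": (
        "[database]\n"
        "host = db01\n"
        "user = emr_app\n"
        "password = ${DB_PASSWORD}\n"  # placeholder resolved at runtime: not a finding
    ),
}

# (finding kind, regex whose group 1 is the sensitive value). Heuristics, not a DLP engine.
PATTERNS = [
    ("plaintext password", re.compile(r"(?i)pass(?:word|wd)?\s*[=:]\s*([^\s;\"'<>]+)")),
    ("password hash (32-hex, MD5-sized)", re.compile(r"(?i)hash\s*[=:]\s*([0-9a-f]{32})\b")),
    ("SSN", re.compile(r"\b(\d{3}-\d{2}-\d{4})\b")),
]

# Values that only reference a secret held elsewhere (env var, vault, template).
PLACEHOLDER_PREFIXES = ("${", "%", "{{", "@(")


def mask(value: str) -> str:
    """Show only the first two characters so the report itself does not leak the secret."""
    return value[:2] + "*" * max(len(value) - 2, 0)


def scan_text(path: str, text: str) -> list:
    """Return (path, line_no, kind, masked_value) for every hit in one file's text."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS:
            for match in pattern.finditer(line):
                value = match.group(1)
                if value.startswith(PLACEHOLDER_PREFIXES):
                    continue  # a reference to the secret, not the secret itself
                findings.append((path, line_no, kind, mask(value)))
    return findings


def scan_files(files: dict) -> list:
    """Scan an in-memory {path: text} mapping (used here with the constructed samples)."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


def scan_directory(root: str) -> list:
    """Walk a real directory tree; binary content is read as text with errors ignored."""
    findings = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="ignore") as fh:
                findings.extend(scan_text(path, fh.read()))
    return findings


if __name__ == "__main__":
    for path, line_no, kind, value in scan_files(SAMPLE_FILES):
        print(f"{path}:{line_no}: {kind}: {value}")
```

Run against the samples it reports the connection-string password in `web.config`, the MD5-sized hash and the SSN in the installer's leftover `.tmp` log, and nothing for `settings.ini`. Point `scan_directory()` at an application folder to do the same on disk; a file found by this scanner should also be checked for the loose ACLs discussed above, since a readable config with a connection string is a database breach waiting to happen.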
Encryption
GPU cryptanalysis
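The "Password hashes exposed!" and "GPU cryptanalysis" slides go together: once a hash leaks, how long it survives depends entirely on how it was made. The block below is an added example, not code from the talk, contrasting a fast unsalted digest with a salted, iterated password hash. The algorithm choices are mine: MD5 stands in for any fast hash (the speaker names none), PBKDF2-HMAC-SHA256 from Python's standard library stands in for a proper password hash, and the wordlist is constructed. bcrypt, scrypt or Argon2id are equally good choices where a library is available.

```python
"""Fast unsalted hashes versus salted, deliberately slow password hashing.

Added example for the "Password hashes exposed" and "GPU cryptanalysis" slides;
it is not code from the talk. MD5 stands in for any fast unsalted hash and
PBKDF2-HMAC-SHA256 (standard library) for a proper password hash; bcrypt,
scrypt or Argon2id are equally good where available.
"""
import hashlib
import hmac
import os
import time
from typing import Optional

# Constructed wordlist; real attacks use billions of leaked passwords plus mangling rules.
WORDLIST = ["123456", "password", "qwerty", "letmein", "Summer2016!", "Welcome1"]

ITERATIONS = 600_000  # OWASP (2023) recommendation for PBKDF2-HMAC-SHA256


def weak_hash(password: str) -> str:
    """What 'Password hashes exposed!' usually means: one fast, unsalted digest."""
    return hashlib.md5(password.encode()).hexdigest()


def crack_weak(target_hex: str, wordlist) -> Optional[str]:
    """Dictionary attack. Without a salt one guess costs one cheap hash, the same
    precomputed table serves every user, and a GPU does this billions of times a second."""
    for guess in wordlist:
        if weak_hash(guess) == target_hex:
            return guess
    return None


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Random 16-byte salt + iterated PBKDF2; salt and cost are stored with the hash."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt/iterations and compare in constant time."""
    algo, iterations, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError(f"unsupported hash format: {algo}")
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def guesses_per_second(fn, seconds: float = 0.5) -> float:
    """Rough single-core guess rate for a hashing function (timing only, for the demo)."""
    n, start = 0, time.perf_counter()
    while time.perf_counter() - start < seconds:
        fn("Summer2016!")
        n += 1
    return n / (time.perf_counter() - start)


if __name__ == "__main__":
    leaked = weak_hash("Summer2016!")
    print("cracked weak hash ->", crack_weak(leaked, WORDLIST))
    stored = hash_password("Summer2016!")
    print("stored:", stored)
    print("verify correct ->", verify_password("Summer2016!", stored))
    print("verify wrong   ->", verify_password("Summer2017!", stored))
    print(f"md5 guesses/s:    {guesses_per_second(weak_hash):,.0f}")
    print(f"pbkdf2 guesses/s: {guesses_per_second(hash_password):,.1f}")
```

Two properties matter here and both are checked by the code: the same password produces a different stored value every time (the salt), so a leaked table cannot be attacked with one precomputed list, and each guess costs the attacker the full iteration count, which is what turns a GPU's billions of guesses per second into thousands.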
What about web/mobile Apps?
https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
What can we do?
◦ Enforce a strong password policy
◦ Use strong encryption with up-to-date encryption standards
◦ Use strong, salted hashing algorithms
◦ Secure messaging (encrypt & tunnel)
◦ Secure data at rest (whole-disk encryption, file encryption and obfuscation)
◦ Stored procedures and parameterized queries for DB access
◦ Input validation; use fuzzers and automatic code review tools
◦ Use restrictions, triggers and alerts on your DB
◦ Enable audit trails and log everything (success / failure)
◦ Use monitoring tools (Sysmon, Regmon, Windows ADK, ZAP) to learn how the application works
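Several items on that list (parameterized queries, input validation, restrictions and triggers on the DB, audit trails) can be shown in one small database. The block below is an added example, not code from the talk: it uses Python's built-in SQLite, a constructed patient table with an assumed MRN format (three letters and six digits), and a lookup written the vulnerable way beside the parameterized and validated versions, plus two triggers so that the engine itself writes the audit trail and refuses deletes regardless of what the application asks.

```python
"""String-built SQL versus parameterized queries, plus DB-side audit and restriction triggers.

Added example for the "What can we do?" list (parameterized queries, input
validation, triggers and audit trails); it is not code from the talk. The schema,
the patient rows and the MRN format are constructed for the demo.
"""
import re
import sqlite3

# Assumed MRN format for validation: three letters followed by six digits.
MRN_RE = re.compile(r"[A-Z]{3}\d{6}")

SCHEMA = """
CREATE TABLE patients (mrn TEXT PRIMARY KEY, name TEXT, diagnosis TEXT);
CREATE TABLE audit (ts TEXT DEFAULT CURRENT_TIMESTAMP, action TEXT, mrn TEXT);
-- Audit trail written by the engine itself, so the application cannot skip it.
CREATE TRIGGER patients_update AFTER UPDATE ON patients
BEGIN
    INSERT INTO audit (action, mrn) VALUES ('UPDATE', NEW.mrn);
END;
-- Restriction: patient rows are never physically deleted through this connection.
CREATE TRIGGER patients_no_delete BEFORE DELETE ON patients
BEGIN
    SELECT RAISE(ABORT, 'deleting patient records is not allowed');
END;
"""

SAMPLE_ROWS = [  # constructed test data, not real patients
    ("EMR000001", "Alice Q.", "hypertension"),
    ("EMR000002", "Bob R.", "asthma"),
    ("EMR000003", "Carol S.", "diabetes"),
]


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO patients VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def find_vulnerable(conn, mrn: str):
    """Deliberately vulnerable: user input is pasted into the SQL text."""
    sql = f"SELECT name, diagnosis FROM patients WHERE mrn = '{mrn}'"
    return conn.execute(sql).fetchall()


def find_parameterized(conn, mrn: str):
    """Placeholder binding: the input is always a value, never part of the SQL."""
    return conn.execute(
        "SELECT name, diagnosis FROM patients WHERE mrn = ?", (mrn,)
    ).fetchall()


def find_validated(conn, mrn: str):
    """Defense in depth: reject anything that is not a well-formed MRN, then bind."""
    if not MRN_RE.fullmatch(mrn):
        raise ValueError("malformed MRN")
    return find_parameterized(conn, mrn)


def update_diagnosis(conn, mrn: str, diagnosis: str) -> int:
    """Parameterized update; the AFTER UPDATE trigger records it in the audit table."""
    cur = conn.execute(
        "UPDATE patients SET diagnosis = ? WHERE mrn = ?", (diagnosis, mrn)
    )
    return cur.rowcount


def audit_rows(conn):
    return conn.execute("SELECT action, mrn FROM audit ORDER BY rowid").fetchall()


def try_delete(conn, mrn: str) -> bool:
    """True if the delete went through; the restriction trigger should block it."""
    try:
        conn.execute("DELETE FROM patients WHERE mrn = ?", (mrn,))
        return True
    except sqlite3.DatabaseError:
        return False


if __name__ == "__main__":
    conn = make_db()
    payload = "' OR '1'='1"
    print("vulnerable    ->", find_vulnerable(conn, payload))    # every patient
    print("parameterized ->", find_parameterized(conn, payload)) # []
    try:
        find_validated(conn, payload)
    except ValueError as exc:
        print("validated     ->", exc)
    update_diagnosis(conn, "EMR000002", "asthma, controlled")
    print("audit         ->", audit_rows(conn))
    print("delete allowed ->", try_delete(conn, "EMR000002"))
```

The classic `' OR '1'='1` payload dumps the whole table through the string-built query and returns nothing through the bound one; validation on top of that turns the attempt into an error worth alerting on rather than a silent empty result. The triggers are the "restrictions, triggers and alerts" item: they hold even for a compromised application account, because they run inside the engine.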
What else?
DevOps!
Integrate IT operations into the development cycle.
THE PHOENIX PROJECT: A NOVEL ABOUT IT, DEVOPS, AND HELPING YOUR BUSINESS WIN
http://itrevolution.com/books/phoenix-project-devops-book/