devseccon london 2017: hands-on secure software development from design to deployment by gabor pek
TRANSCRIPT
Join the conversation #DevSecCon
BY Gábor Pék, Co-founder and CTO at Avatao
Hands-on secure software development from design to deployment
About me
Intel virtualization hacks (e.g., XSA-59)
Research of advanced targeted attacks (Duqu, Flame, miniDuke)
Founder of !SpamAndHex (3x DEFCON CTF Finalist team)
PhD in virtualization and malware security (CrySyS Lab, BME)
Co-founder and CTO at Avatao (a CrySyS Lab Spin-off)
Apps failing security checks
Let’s do something practical
Attack, fix and rewrite the legacy system of a spaceline company.
Legacy New
Bad DB design
Feature - Store basic user information
Vulnerability - No UNIQUE constraint on username
Fix legacy - Use of constraints
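The constraint fix, as an added example that is not part of the talk's material: the talk's legacy app is Java, but the point is the schema, so this uses Python's built-in sqlite3 with a constructed users table. Without UNIQUE a second "alice" registers fine and any login or lookup by username becomes ambiguous; with UNIQUE the insert itself fails. The table and data are assumptions made for the example.

```python
import sqlite3

# Schema variants for the constructed example: the legacy table has no
# UNIQUE constraint on username; the fixed table declares one.
LEGACY_SCHEMA = (
    "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT NOT NULL, email TEXT)"
)
FIXED_SCHEMA = (
    "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT NOT NULL UNIQUE, email TEXT)"
)


def open_db(schema):
    """Create an in-memory SQLite database with the given users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(schema)
    return conn


def register(conn, username, email):
    """Insert a user. Returns True on success, False if the username is taken.

    Deliberately no SELECT-then-INSERT check: two concurrent registrations
    would both pass the SELECT (a TOCTOU race). The database constraint is
    the only reliable guard, so just attempt the insert and let it decide.
    """
    try:
        with conn:  # commits on success, rolls back on exception
            conn.execute(
                "INSERT INTO users (username, email) VALUES (?, ?)",
                (username, email),
            )
        return True
    except sqlite3.IntegrityError:
        return False


def count_username(conn, username):
    """How many rows carry this username; should never exceed 1."""
    row = conn.execute(
        "SELECT COUNT(*) FROM users WHERE username = ?", (username,)
    ).fetchone()
    return row[0]


def demo(schema):
    """Register 'alice' twice and report (first ok, second ok, row count)."""
    conn = open_db(schema)
    first = register(conn, "alice", "alice@example.test")
    second = register(conn, "alice", "attacker@example.test")
    return first, second, count_username(conn, "alice")


if __name__ == "__main__":
    print("legacy:", demo(LEGACY_SCHEMA))  # (True, True, 2): duplicate accepted
    print("fixed: ", demo(FIXED_SCHEMA))   # (True, False, 1): duplicate rejected
```

The same idea carries over to the Java side: declare the constraint in the DDL (or the JPA column mapping) and handle the constraint-violation exception at registration time, rather than checking for the name first.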
Weak password policy
Feature - Handle user passwords
Vulnerability - Passwords are stored in plaintext
Fix legacy - Use a salted, slow password hash (bcrypt, scrypt, Argon2, PBKDF2), not a bare fast hash like SHA-256
Misc - Check password strength
– Regex
– Zxcvbn from Dropbox
Authentication Bypass
Feature - Login
Vulnerability - Authentication can be bypassed by SQL injection
Fix legacy - Prepared statements
Write new - Use Hibernate
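The bypass and its fix side by side, as an added example that is not the talk's code: Python with an in-memory sqlite3 database stands in for the Java app, and the two user rows are constructed for the example. The legacy login pastes request parameters into the SQL text; the fixed one binds them as parameters of a prepared statement.

```python
import sqlite3


def make_db():
    """In-memory users table with constructed rows; plaintext passwords mirror the legacy schema."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)",
        [("admin", "s3cret-admin"), ("bob", "bobpass")],
    )
    conn.commit()
    return conn


def login_legacy(conn, username, password):
    """Vulnerable: request parameters are pasted into the SQL text, so a quote
    in the input changes the statement's structure instead of being data."""
    query = (
        "SELECT username FROM users WHERE username = '%s' AND password = '%s'"
        % (username, password)
    )
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_fixed(conn, username, password):
    """Prepared statement: the SQL text is fixed and the '?' values are bound by
    the driver, so "admin'--" is compared literally against the username column."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


# Two classic payloads: one comments out the password check, the other
# appends an always-true clause (AND binds tighter than OR, so every row matches).
COMMENT_OUT_USER = "admin'--"
ALWAYS_TRUE_PASSWORD = "' OR '1'='1"


if __name__ == "__main__":
    db = make_db()
    print("legacy, comment payload:", login_legacy(db, COMMENT_OUT_USER, "x"))
    print("legacy, tautology:      ", login_legacy(db, "nobody", ALWAYS_TRUE_PASSWORD))
    print("fixed, comment payload: ", login_fixed(db, COMMENT_OUT_USER, "x"))
    print("fixed, tautology:       ", login_fixed(db, "nobody", ALWAYS_TRUE_PASSWORD))
```

The "write new" option on the slide, Hibernate, only helps if the parameters are bound the same way (named parameters in HQL/JPQL or the Criteria API); an HQL string assembled by concatenation is just as injectable as the legacy query.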
Insecure Direct Object Reference
Feature - Flight and user information
Vulnerability - Accessing privileged resources by supplying another user's ID
Fix legacy - Check access control by user ID
Write new - Use Spring to check ID and role
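The access-control check, as an added example that is not from the talk: an in-memory bookings store (constructed data, Python rather than the talk's Spring code) with the legacy lookup that trusts any ID beside the fixed one that authorizes against the authenticated identity. The roles, users and bookings are assumptions made for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    id: int
    role: str  # "user" or "admin"


@dataclass(frozen=True)
class Booking:
    id: int
    owner_id: int
    flight: str


# Constructed data standing in for the spaceline's bookings table.
BOOKINGS = {
    101: Booking(id=101, owner_id=1, flight="Earth-Mars"),
    102: Booking(id=102, owner_id=2, flight="Earth-Luna"),
}
ALICE = User(id=1, role="user")
BOB = User(id=2, role="user")
OPS = User(id=99, role="admin")


class NotAccessible(Exception):
    """Raised for both unknown and foreign bookings, so the response does not
    reveal which IDs exist to someone walking the ID space."""


def get_booking_legacy(current_user, booking_id):
    """Vulnerable: the ID from the request is the only thing looked up.
    Authentication proves who the caller is, but nothing checks that the
    booking belongs to them, so /bookings/102 is readable by Alice."""
    return BOOKINGS[booking_id]


def can_access(current_user, booking):
    """Authorization rule: the owner, or anyone with the admin role."""
    return booking.owner_id == current_user.id or current_user.role == "admin"


def get_booking_fixed(current_user, booking_id):
    """Look up, then authorize against the authenticated identity, never
    against a user ID that arrived in the request."""
    booking = BOOKINGS.get(booking_id)
    if booking is None or not can_access(current_user, booking):
        raise NotAccessible(f"booking {booking_id} is not accessible to user {current_user.id}")
    return booking


def probe(current_user, booking_id):
    """True if the fixed endpoint serves the booking to this user, False if it refuses."""
    try:
        get_booking_fixed(current_user, booking_id)
        return True
    except NotAccessible:
        return False
```

The Spring counterpart the slide points to is method security, for instance a @PreAuthorize expression that compares the path ID with the principal and accepts the admin role; the rule is the same, only the place it is declared differs.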
Regular Expression DoS
Feature - Registration (email RE in Spring)
Vulnerability - Evil REs get stuck on crafted inputs (catastrophic backtracking):
– (a+)+
– ([a-zA-Z]+)*
– (a|aa)+
– (a|a?)+
– (.*a){x} for x > 10
Source - OWASP
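An added example, not material from the talk, showing the blow-up and the fix in Python's backtracking re module (Java's java.util.regex behaves the same way on these patterns). It times the first evil pattern on growing inputs, then replaces a complex email RE with a bounded-length, linear-time check. The length cap and the simplified email pattern are assumptions chosen for the example; they are not the Spring validator the slide refers to.

```python
import re
import time

# Evil patterns from the slide: nested or overlapping quantifiers give the
# backtracking engine exponentially many ways to split the input before it
# concludes that there is no match.
EVIL_PATTERNS = [r"(a+)+", r"([a-zA-Z]+)*", r"(a|aa)+", r"(a|a?)+", r"(.*a){12}"]


def attack_input(n):
    """n copies of the repeated atom, then a character that forces the match to fail."""
    return "a" * n + "!"


def time_fullmatch(pattern, text):
    """Return (seconds elapsed, matched) for one full-match attempt."""
    start = time.perf_counter()
    matched = re.fullmatch(pattern, text) is not None
    return time.perf_counter() - start, matched


def backtracking_growth(pattern=r"(a+)+", sizes=(8, 12, 16)):
    """Time the evil pattern on growing inputs; every extra character roughly
    doubles the work. Sizes are kept small on purpose: around 24 characters
    the same pattern already takes minutes."""
    return [(n, time_fullmatch(pattern, attack_input(n))[0]) for n in sizes]


# Linear-time registration check. The length cap bounds the work any regex
# can do, and the pattern has no nested or overlapping quantifiers (dots are
# excluded from the domain-label class, so each split is unambiguous).
MAX_EMAIL_LEN = 254  # assumed cap for the example (the SMTP path length limit)
_SIMPLE_EMAIL = re.compile(r"[^@\s]+@[^@\s.]+(\.[^@\s.]+)+")


def is_plausible_email(value):
    """Cheap syntactic check: bounded length, exactly one '@', dotted domain.
    Deliverability is confirmed by sending a mail, not by a bigger regex."""
    if not isinstance(value, str) or len(value) > MAX_EMAIL_LEN:
        return False
    return _SIMPLE_EMAIL.fullmatch(value) is not None


if __name__ == "__main__":
    for n, seconds in backtracking_growth():
        print(f"(a+)+ on {n} chars: {seconds:.4f}s")
    print(is_plausible_email("gabor@example.test"), is_plausible_email("a" * 40 + "!"))
```

The general rule behind the fix: reject oversized input before the regex sees it, and prefer patterns where each character can only be consumed one way.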
Open Redirect
Feature - Login
Vulnerability - Open Redirect
Attack new - Craft malicious URLs to bypass unvalidated redirects.
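Added example, not the talk's code: the post-login redirect written the legacy way (whatever ?next= says becomes the Location header) next to a validator that only accepts same-site paths. The crafted URLs it must reject, including the scheme-relative and backslash forms that defeat a naive "starts with /" check, are constructed for the example; the Spring redirect the slide demonstrates is not reproduced here.

```python
from urllib.parse import urlsplit, urlunsplit


def redirect_legacy(next_url):
    """Vulnerable: the ?next= parameter is used as the Location verbatim, so
    ?next=//evil.example sends the freshly logged-in user off-site."""
    return next_url


def safe_redirect_target(next_url, default="/"):
    """Allow only same-site absolute paths; anything else falls back to default.

    Rejects absolute URLs, scheme-relative '//host', '/\\host' (browsers
    normalise the backslash to a slash), schemes such as javascript:, and
    control characters that urlsplit would otherwise strip before parsing.
    """
    if not isinstance(next_url, str) or not next_url:
        return default
    if any(ord(c) < 0x21 or ord(c) == 0x7F for c in next_url):
        return default
    parts = urlsplit(next_url)
    if parts.scheme or parts.netloc:
        return default
    path = parts.path
    if not path.startswith("/") or path.startswith("//") or path.startswith("/\\"):
        return default
    # Rebuild from the parsed pieces so only path, query and fragment survive.
    return urlunsplit(("", "", path, parts.query, parts.fragment))


# Constructed probes: the first is the legitimate case, the rest are attacks.
PROBES = [
    "/account?tab=flights",
    "//evil.example/login",
    "https://evil.example/",
    "/\\evil.example",
    "javascript:alert(1)",
    "/\t//evil.example",
]

if __name__ == "__main__":
    for probe in PROBES:
        print(f"{probe!r:28} legacy -> {redirect_legacy(probe)!r:28} fixed -> {safe_redirect_target(probe)!r}")
```

If the application genuinely needs to redirect to other hosts (an SSO return, a partner site), validate against an explicit allow-list of hosts rather than trying to enumerate bad inputs.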
The Final Countdown
Tomcat listens on localhost:8005 by default for its shutdown command.
Task - Say ”SHUTDOWN”.
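An added example, not from the talk: a small audit of the <Server> element in Tomcat's server.xml, with the default configuration beside two hardened variants, plus the one-connection "say SHUTDOWN" the task asks for. The server.xml fragments are constructed for the example. Because the listener binds to loopback by default, the sender has to be on the same host, which is exactly the position a co-hosted webapp or any compromised local process is in.

```python
import socket
import xml.etree.ElementTree as ET

# Constructed server.xml fragments. The first mirrors the Tomcat default:
# a shutdown listener on 8005 that accepts the literal word SHUTDOWN.
LEGACY_SERVER_XML = """\
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1"/>
  </Service>
</Server>
"""

# Hardened: port="-1" disables the shutdown listener entirely.
HARDENED_SERVER_XML = """\
<Server port="-1" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1"/>
  </Service>
</Server>
"""

# Fallback when an operator insists on keeping the listener: a long random
# command string instead of the guessable default, explicitly on loopback.
RANDOMISED_SERVER_XML = """\
<Server port="8005" shutdown="k7Qz2pL9vX4mR1sT8wB3nY6c" address="127.0.0.1">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1"/>
  </Service>
</Server>
"""

LOOPBACK = {"localhost", "127.0.0.1", "::1"}


def audit_server_xml(xml_text):
    """Return findings about the <Server> shutdown listener; an empty list means it is disabled."""
    root = ET.fromstring(xml_text)
    if root.tag != "Server":
        return ["root element is not <Server>"]
    port = int(root.get("port", "8005"))  # Tomcat's built-in default when the attribute is absent
    if port == -1:
        return []
    findings = [f"shutdown listener enabled on port {port}"]
    if root.get("shutdown", "SHUTDOWN") == "SHUTDOWN":
        findings.append("default shutdown command SHUTDOWN in use")
    address = root.get("address", "localhost")
    if address not in LOOPBACK:
        findings.append(f"shutdown listener bound to {address}, not loopback")
    return findings


def say_shutdown(host="localhost", port=8005, command="SHUTDOWN", timeout=3.0):
    """The task on the slide: open a TCP connection to the shutdown port and
    send the command. Returns True if the bytes were written, False if the
    port is closed or unreachable. Only run this against your own instance."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall((command + "\n").encode("ascii"))
        return True
    except OSError:
        return False


if __name__ == "__main__":
    for name, xml in (("legacy", LEGACY_SERVER_XML), ("hardened", HARDENED_SERVER_XML),
                      ("randomised", RANDOMISED_SERVER_XML)):
        print(f"{name:10} {audit_server_xml(xml) or 'no findings'}")
```

Disabling the port is the clean fix; a secret shutdown string only raises the bar for a local attacker who can still read server.xml if file permissions are loose.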
Frameworks
No framework is a silver bullet against bad code
Examples demonstrated
– ReDoS
– Open Redirect in Spring