Framework Security
Antoinette Stevens
About Me
• Born and raised in Atlanta, GA
• B.S. in Computer Science from University of Georgia
• Network Security Analyst at Principal Financial Group
• Founder and Executive Director of Reboot Iowa
• Dancer for the Iowa Barnstormers
Framework vs CMS
• Frameworks are designed to support the development of web applications. They aim to alleviate the overhead associated with common activities performed in web development.
• A CMS (Content Management System) is an application built for the purpose of providing tools to maintain, organize, and add dynamic content to a website. Examples: Drupal, Joomla, WordPress.
Why Should You Care?
Built In Security
OWASP Secure Web App Framework Manifesto
Injection Prevention
Input Validation
Authentication and Authorization
Session Management
Cryptography
Let’s pivot and cover what could go wrong.
Foundation Problems
• Weak, bloated or multi-purpose underlying OS
• Weak perimeter controls/edge protection
• Lack of staging environment
• Inappropriate customization leading to obsolescence
• Exposed services (this shouldn’t happen any more)
• Lack of strong administrative authentication
• Inappropriate framework setup (weak DB setup, single partition for all content, weak protection of high value data, etc.)
Choose Wisely

| Framework | # Vulnerabilities in CVE Database | Leading Vulnerability Type | RCE | XSS | CSRF | Security Advisory | Bug Bounty | Security Policy |
|---|---|---|---|---|---|---|---|---|
| Django | 48 | DoS | 2 | 8 | 4 | X | X | X |
| Zend | 24 | DoS | 1 | 3 | 0 | X | Unknown | X |
| Ruby on Rails | 78 | XSS | 12 | 23 | 3 | X | X | X |
| Hapi (Node.js) | 1 | Gain Information | 0 | 0 | 0 | GitHub Issues | No | Built on NPM's |
Trusted Codebase?
• Npm – developer removal of packages left behind vulnerabilities; now fixed
• Npm codebase and possible worm: http://www.infoworld.com/article/3048526/security/nodejs-alert-google-engineer-finds-flaw-in-npm-scripts.html
Lack of discipline
• Debug in production (Patreon anybody?)
• Secrets protection
• Not enabling features by default
• Lack of baseline
• Lack of throttling/rate limiting/monitoring/update cadence
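As an added illustration that is not from the slides, a baseline check over a Django settings module covering the first, second and fourth bullets: debug left on, a secret committed in source, and secure values never pinned. Both settings texts are constructed samples, and the check is a plain text scan, not Django's own `manage.py check --deploy`, which is the tool to run for real.

```python
import re

# Constructed settings.py with the anti-patterns on the slide: debug left on,
# a secret committed in source, wildcard hosts, secure cookie flag off.
SAMPLE_SETTINGS = """
DEBUG = True
SECRET_KEY = 'django-insecure-1234567890abcdefghijklmnopqrstuvwxyz'
ALLOWED_HOSTS = ['*']
SESSION_COOKIE_SECURE = False
"""

# Constructed hardened counterpart: the secret is read from the environment.
HARDENED_SETTINGS = """
import os
DEBUG = False
SECRET_KEY = os.environ["DJANGO_SECRET_KEY"]
ALLOWED_HOSTS = ['app.example.com']
SESSION_COOKIE_SECURE = True
CSRF_COOKIE_SECURE = True
SECURE_SSL_REDIRECT = True
"""

# Baseline a production module must pin. An unset name is a finding because
# Django's defaults for the cookie and SSL flags are the permissive ones.
REQUIRED = {"DEBUG": "False", "SESSION_COOKIE_SECURE": "True",
            "CSRF_COOKIE_SECURE": "True", "SECURE_SSL_REDIRECT": "True"}

ASSIGN = re.compile(r"^\s*([A-Z_]+)\s*=\s*(.+?)\s*$")   # bare NAME = value lines
WILDCARD_HOST = re.compile(r"""['"]\*['"]""")

def audit_settings(source: str) -> list:
    """Return findings for a settings module; an empty list meets the baseline."""
    values = dict(m.groups() for m in map(ASSIGN.match, source.splitlines()) if m)
    findings = []
    for name, wanted in REQUIRED.items():
        got = values.get(name)
        if got != wanted:
            findings.append(f"{name} should be {wanted}, found {got or 'unset'}")
    secret = values.get("SECRET_KEY", "")
    # A quoted literal means the key ships with the code; the 'django-insecure-'
    # prefix marks a key that startproject generated for development only.
    if secret.startswith(("'", '"')):
        findings.append("SECRET_KEY is a literal in source; load it from the environment")
        if "django-insecure-" in secret:
            findings.append("SECRET_KEY is the generated development key")
    if WILDCARD_HOST.search(values.get("ALLOWED_HOSTS", "")):
        findings.append("ALLOWED_HOSTS wildcard disables Host header validation")
    return findings
```

The scan only recognises bare `NAME = value` lines, so a setting computed elsewhere in code is reported as unset.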