SLIDE 1
Ramping up Security at an open-source startup
Lukas Reschke
whois lukas@cloud.wtf
- wncloud.org
2
Ramping up Security at an open-source startup Lukas Reschke whois - - PowerPoint PPT Presentation
Ramping up Security at an open-source startup Lukas Reschke whois - - PowerPoint PPT Presentation
Ramping up Security at an open-source startup Lukas Reschke whois lukas@cloud.wtf owncloud.org 2 whois lukas@owncloud.com 1/31/16 3 Not much other hobbies Fixed a lot of stuff Employed since 2014 Contributor since 2012 1/31/16 4 The
SLIDE 2
SLIDE 3
whois lukas@owncloud.com
1/31/16
3
SLIDE 4
1/31/16
4
Contributor since 2012 Employed since 2014 Not much other hobbies Fixed a lot of stuff
SLIDE 5
The good and bad of the cloud
SLIDE 6
Awesomeness of the cloud
- Accessible everywhere
- Back up online
- Easy sharing and collaboration
- All free!!!
(or super cheap … at least the licenses)
- wncloud.org
6
SLIDE 7
SLIDE 8
Take back your data
- wncloud.org
8
SLIDE 9
Introducing ownCloud
- Sync and share
- Open Source
- Easy to use
- Easy to install
- Easy to extend
- > 8 million users
- wncloud.org
9
SLIDE 10
Web / Desktop / Mobile
- wncloud.org
10
SLIDE 11
But that‘s not how we started…
1/31/16
11
SLIDE 12
- wnCloud 1.0
SLIDE 13
… the project grew
SLIDE 14
… and companies started to use it
- wncloud.org
14
SLIDE 15
… market leader in education + research
- wncloud.org
15
SLIDE 16
Security at the start
- Everybody could push directly
- No formal code review process
- No static source code analysis
- No manual security testing
- No dedicated security personnel
(i.e. the same as still today in many companies ;-))
- wncloud.org
16
SLIDE 17
Ensuring ownCloud Security
- Pull Request reviews
- wncloud.org
17
SLIDE 18
Ensuring ownCloud Security
- Pull Request reviews
- wncloud.org
18
SLIDE 19
Ensuring ownCloud Security
- Pull Request reviews
- wncloud.org
19
Source: https://twitter.com/paulmgower/status/674411209836351488
SLIDE 20
Ensuring ownCloud Security
- Pull Request reviews
- Regular code reviews for security issues
- wncloud.org
20
SLIDE 21
Ensuring ownCloud Security
- wncloud.org
21
SLIDE 22
Ensuring ownCloud Security
- Pull Request reviews
- Regular code reviews for security issues
- Automated static analysis
- wncloud.org
22
SLIDE 23
- wncloud.org
23
SLIDE 24
Ensuring ownCloud Security
- Pull Request reviews
- Regular code reviews for security issues
- Automated static analysis
- Customers do perform security tests
- Following industry best practice for security
handling (oriented towards ISO 29147, 30111 and 27304)
- wncloud.org
24
SLIDE 25
- wncloud.org
25
Title Risk Common Weakness Enumeration Vulnerability description Affected software + patches + CVE What we did to fix it Credits
SLIDE 26
Lots and lots of hardenings…
- wncloud.org
26
SLIDE 27
And yet…
- wncloud.org
27
SLIDE 28
And yet…
- wncloud.org
28
SLIDE 29
How are we doing?
- wncloud.org
29
SLIDE 30
How are we doing?
- wncloud.org
30
SLIDE 31
How are we doing?
- wncloud.org
31
SLIDE 32
How are we doing?
- wncloud.org
32
SLIDE 33
How are we doing?
- wncloud.org
33
SLIDE 34
How are we doing?
- wncloud.org
34
SLIDE 35
How are we doing?
- wncloud.org
35
SLIDE 36
Security: Secure by Default!
- Security checks have to be disabled by the
developer (e.g. CSRF + authentication)
- wncloud.org
36
SLIDE 37
Security: Secure by Default!
- Sicherheitschecks müssen von
Entwicklern bewusst deaktiviert werden.
1/31/16
37
SLIDE 38
Security: Secure by Default!
- Security checks have to be disabled by the
developer (e.g. CSRF + Authentication)
- Internal file system not vulnerable against
directory traversal
- wncloud.org
38
SLIDE 39
Security: Secure by Default!
1/31/16
39
SLIDE 40
Security: Secure by Default!
- Security checks have to be disabled by the
developer (e.g. CSRF + Authentication)
- Internal file system not vulnerable against
directory traversal
- Security functionalities are enabled by default in
- wnCloud server (e.g. Content-Security-Policy)
- …
- wncloud.org
40
SLIDE 41
Potential dangerous PHP functions are blacklisted
- wncloud.org
41
SLIDE 42
Security is hard
- wncloud.org
42
SLIDE 43
HackerOne
- wncloud.org
43
SLIDE 44
Why HackerOne?
- Used by other major vendors
- Great triaging tools and support
- Payments processed by HackerOne
- wncloud.org
44
SLIDE 45
The platform
- wncloud.org
45
SLIDE 46
The platform
- wncloud.org
46
SLIDE 47
5 10 15 20 25 30 35 40 45 50
New Reports
- wncloud.org
47
SLIDE 48
- wncloud.org
… and?
Resolved reports
- 3 bugs in scope ($700)
- 43 bugs out of scope
Resolved 14% Informative 32% Duplicate 36% Not applicable 18%
Type of reported bugs
48
SLIDE 49
Lessons learned from a bug bounty program
- Protect infrastructure against automated testing
tools in advance
– Don’t forget the contacts form
- Quality of reports differs hugely depending on
the reporter
- Likely no low hanging fruits
- wncloud.org
49
SLIDE 50
What went wrong? What could have been better?
SLIDE 51
Pull Request Reviews
- Added at a late stage.
- Prevents a lot of pitfalls
- … ensure they actually get reviewed …
- wncloud.org
51
SLIDE 52
Cryptography
- wncloud.org
52
SLIDE 53
Openness
- wncloud.org
53
- In retrospective: Consider publishing advisories
first after you consider your project secure enough.
SLIDE 54
External reviews
- wncloud.org
54
- Reviews will come anyways.
- Best to be pro-active and have stuff fixed before.
- Bug bounty a good addition to external reviews.
– … consider starting with higher rewards though.
Do not trust reviews without checking them in detail.
SLIDE 55
Don’t fix single bugs
- wncloud.org
55
… fix the categories of bugs and do root cause analysis.
SLIDE 56