security vulnerabilities for grown ups
play

Security vulnerabilities for grown-ups Vitaly Osipov Atlassian - PowerPoint PPT Presentation

Feb 27, 2023 •248 likes •741 views

Security vulnerabilities for grown-ups Vitaly Osipov Atlassian Tuesday, 22 May 1 Or: 7 product security lessons I learned @Atlassian Tuesday, 22 May 2 Disclaimer All good parts of this talk Are learned from my colleagues Any errors Are

  1. Security vulnerabilities for grown-ups Vitaly Osipov Atlassian Tuesday, 22 May 1

  2. Or: 7 product security lessons I learned @Atlassian Tuesday, 22 May 2

  3. Disclaimer All good parts of this talk Are learned from my colleagues Any errors Are all mine Tuesday, 22 May 3

  4. Lesson 1 Sea of vulnerabilities Tuesday, 22 May 4

  5. Security vulnerability? Not a security feature - e.g. login Security of other features Bug in your code that can lead to unauthorised view / change of information downtime Tuesday, 22 May 5

  6. Typical product Web(-ish) applications >100 kloc Dozen third party libraries A couple of Web frameworks Enterprise customers Tuesday, 22 May 6

  7. Learned: If you’re a mid-size software vendor You will learn your code has vulnerabilities This year... More than once… Remember, only 50% products can be “above average” The current industry average is far from good Tuesday, 22 May 7

  8. Levels of “oops” You find the vulnerability yourself Customer reports their findings “Security researcher” contacts you You are compromised Customer is compromised Tuesday, 22 May 8

  9. Clouds and silver lining Someone gives a damn, hurray! A culture shift - “loss of innocence” Growing up Stages of grief Tuesday, 22 May 9

  10. 5 stages of grief Denial: “This cannot be happening” Anger: “Why me? It is not fair!” Bargaining: “Perhaps it is not as bad as it seems?” Depression: “Man, nobody will ever buy from us again!” Acceptance: “We can fix this!” Tuesday, 22 May 10

  11. Lesson 2 Small bugs, big incidents Tuesday, 22 May 11

  12. Debian OpenSSL Tuesday, 22 May 12

  13. Apache / JIRA 2010 “ ive got this error while browsing some projects in jira http://tinyurl.com/XXXXXXXXX ” Change attachment path Install JSP shell and password interceptor... https://blogs.apache.org/infra/entry/ apache_org_04_09_2010 Tuesday, 22 May 13

  14. Learned: Often one vulnerability is all it takes Several “non-critcial” issues combine into one big trouble Tuesday, 22 May 14

  15. Lesson 3 But this is not my code! Tuesday, 22 May 15

  16. Is this sufficient? Tuesday, 22 May 16

  17. XML Bomb Known since 2002, yet you probably have this 10^9 lols Tuesday, 22 May 17

  18. XXE Local Entities Tuesday, 22 May 18

  19. XXE Other recent examples: https://issues.jboss.org/browse/RESTEASY-637 Tuesday, 22 May 19

  20. Aside: where to start with XXE in Java DocumentBuilderFactory SAXParserFactory XMLInputFactory nu.xom.Builder SAXBuilder Tuesday, 22 May 20

  21. OGNL - Struts See Struts advisories Tuesday, 22 May 21

  22. More OGNL Tuesday, 22 May 22

  23. Ruby /triggerpath?search[instance_eval]= %60 touch %20%2f tmp %2f command_exec %60 touch /tmp/command_exec “Ruby on Rails from a code auditor's perspective”, Hackito Ergo Sum 2011 by @joernchen Tuesday, 22 May 23

  24. ...On Rails Mass assignment is a feature http://edgeguides.rubyonrails.org/security.html Tuesday, 22 May 24

  25. Learned Past decisions will bite you ...and decisions of other people will bite you too When you least expect it Tuesday, 22 May 25

  26. Lesson 4 Why all this matters Tuesday, 22 May 26

  27. Here to stay Tuesday, 22 May 27

  28. Do you like… Coding features? Fixing bugs? ...bugs that are not triggered by normal use? ...rare bugs reported by people who are intentionally using your software not to the specs? Also known as security vulnerabilities Tuesday, 22 May 28

  29. Security is difficult “Everyone knows that debugging is twice as hard as writing a program in the first place. So if you're as clever as you can be when you write it, how will you ever debug it?” Brian Kernigan Tuesday, 22 May 29

  30. Normal dev reaction “Please make it go away and let me create exciting new features for my customers!” (not an actual quote) Tuesday, 22 May 30

  31. Learned: Security is counterintuitive Most companies do not think security (or, say, architecture) until a while into the project “Fixing” security becomes much harder as the product grows Tuesday, 22 May 31

  32. Lesson 5 What can we do ? Tuesday, 22 May 32

  33. Three things 1.Product security response 2.Priority fixing 3.“Prevention” Tuesday, 22 May 33

  34. Lesson 6 Response and Validation Tuesday, 22 May 34

  35. 1. Response a.k.a. PSIRT Small effort that goes a long way Sanity in a crisis security@ yourdomain.com Tuesday, 22 May 35

  36. Learned: Research is exciting for developers Fixing is less so Especially when patches are involved And you do not do patches as a rule Tuesday, 22 May 36

  37. Learned: Advisory / security alert? External dependencies Products Services Infrastructure Checking, double-checking, triple-checking Tuesday, 22 May 37

  38. Lesson 7 Fixing Tuesday, 22 May 38

  39. 2. Fixing Tuesday, 22 May 39

  40. Learned: Find vuln reports proactively Fix fast and keep the reporter in the loop Even if the issue does not look serious “Where else does this appear?” Be very nice “Responsible disclosure” debate Tuesday, 22 May 40

  41. 3. “Preventing” Difficult and endless battle Especially in Agile shops Microsoft has some papers about Agile SDL Ask me next year Tuesday, 22 May 41

  42. Ideas Use framework features if you can (auto-encoding for XSS) Stripped-down Java Security Manager (code execution, file reads) Reduce complexity of inputs (no OGNL!) Tuesday, 22 May 42

  43. Ideas Train QA in security Training a security pro in QA is harder Developers will learn from them Depends on how QA/Dev is set up “Blind spots” - missing classes of vulnerabilities Tuesday, 22 May 43

  44. Ideas Testing tools Burp Suite Only a help, not a magic scanner Many false positives and false negatives from all automated scanners - source code or web Tuesday, 22 May 44

  45. Watch out “Each of these endeavours resulted in a significant and brief improvement, which was quickly overcome by the entropy of unstructured coding.” Somewhere in PragProg mag Tuesday, 22 May 45

  46. Do I have to? Response and fixing are the basics Bad PR and stolen data are worse than any short term savings Emergency fixing is very expensive “Past results do not guarantee future success” Tuesday, 22 May 46

  47. But it cannot happen to me! Tuesday, 22 May 47

  48. TODO Make someone accountable for response Set up and monitor security@ Train QA in security Prioritise fixing security issues Think about prevention / risk management... Tuesday, 22 May 48

  49. http://www.atlassian.com/security @agelastic security@atlassian.com Tuesday, 22 May 49

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

The Road Ahead Security Vulnerabilities DoS and D-DoS Firewalls Security

The Road Ahead Security Vulnerabilities DoS and D-DoS Firewalls Security

CS 640: Introduction to Computer Networks Aditya Akella Lecture 25 Network Security The Road Ahead Security Vulnerabilities DoS and D-DoS Firewalls Security Vulnerabilities Security Problems in the TCP/IP Protocol

1.29k views • 13 slides
vulnerabilities CVE, Common Vulnerabilities and Exposures CWE, Common Weakness Enumeration

vulnerabilities CVE, Common Vulnerabilities and Exposures CWE, Common Weakness Enumeration

Security & Knowledge Management a.a. 2019/20 There are a set of sources that provide updated information about security vulnerabilities CVE, Common Vulnerabilities and Exposures CWE, Common Weakness Enumeration CAPEC,

197 views • 8 slides
Database Security Threats and Vulnerabilities John Bissonette Aaron McClure Introduction

Database Security Threats and Vulnerabilities John Bissonette Aaron McClure Introduction

Database Security Threats and Vulnerabilities John Bissonette Aaron McClure Introduction Databases are the crown jewels of a business or organization Security is paramount Vulnerabilities grant attackers keys to the

600 views • 14 slides
Hunting PBX For Vulnerabilities Sachin Wagh Security Analyst Security Intelligence Team @

Hunting PBX For Vulnerabilities Sachin Wagh Security Analyst Security Intelligence Team @

Hunting PBX For Vulnerabilities Sachin Wagh Security Analyst Security Intelligence Team @ Symantec Speaker at Hakon and Geek Street - Infosecurity Europe Bug Hunter | Penetration Tester Security Blogger @tiger_tigerboy

801 views • 38 slides
(IN)SECURITY , RISK & THE LIFECYCLE OF VULNERABILITIES Dr. Stefan Frei Security Architect at

(IN)SECURITY , RISK & THE LIFECYCLE OF VULNERABILITIES Dr. Stefan Frei Security Architect at

(IN)SECURITY , RISK & THE LIFECYCLE OF VULNERABILITIES Dr. Stefan Frei Security Architect at Swisscom frei@techzoom.net Twitter @stefan_frei Cyber & Networking Security Networking security has become critical issue for all types

788 views • 66 slides
HOWTO Reminders Basic Vulnerabilities and their Vulnerabilities Exploitation Security Samuel

HOWTO Reminders Basic Vulnerabilities and their Vulnerabilities Exploitation Security Samuel

HOWTO Basic Vulnerabilities and their Exploitation Samuel Angebault HOWTO Reminders Basic Vulnerabilities and their Vulnerabilities Exploitation Security Samuel Angebault staphylo@lse.epita.fr http://lse.epita.fr/ July 18, 2013 Table

969 views • 57 slides
Security vulnerabilities, exploits and attack patterns: 15 years of art, pseudo-science, fun &

Security vulnerabilities, exploits and attack patterns: 15 years of art, pseudo-science, fun &

15th USENIX Security Symposium | July 31st August 4th 2006 | Vancouver, B.C. - Canada Security vulnerabilities, exploits and attack patterns: 15 years of art, pseudo-science, fun & profit Ivn Arce Core Security Technologies Humboldt

767 views • 41 slides
Introduction What I do Research new vulnerabilities, malware, and other security threats

Introduction What I do Research new vulnerabilities, malware, and other security threats

Introduction What I do Research new vulnerabilities, malware, and other security threats Create defensive measures Evaluate security software What this talk is about Windows rootkits How they are used How they work

790 views • 54 slides
Wh What t abou out t th the e sof oftw twar are? e? How many security vulnerabilities

Wh What t abou out t th the e sof oftw twar are? e? How many security vulnerabilities

Wh What t abou out t th the e sof oftw twar are? e? How many security vulnerabilities are there in the software implementing all this smart grid functionality and the underlying protocols? Erik Poll Radboud University Nijmegen Moti

351 views • 33 slides
Vulnerabilities in C/C++ programs Part I TDDC90 Software Security Ulf Kargn Department

Vulnerabilities in C/C++ programs Part I TDDC90 Software Security Ulf Kargn Department

Vulnerabilities in C/C++ programs Part I TDDC90 Software Security Ulf Kargn Department of Computer and Information Science (IDA) Division for Database and Information Techniques (ADIT) Vulnerabilities in C-based languages

633 views • 59 slides
Security vulnerabilities in new web applications Ing. Pavol Luptk, CISSP, CEH Lead Security

Security vulnerabilities in new web applications Ing. Pavol Luptk, CISSP, CEH Lead Security

Security vulnerabilities in new web applications Ing. Pavol Luptk, CISSP, CEH Lead Security Consultant www.nethemba.com www.nethemba.com Introduction $whoami Pavol Luptk 10+ years of practical experience in security and seeking

594 views • 15 slides
Network and Internet Vulnerabilities Computer Security Lecture 9 David Aspinall School of

Network and Internet Vulnerabilities Computer Security Lecture 9 David Aspinall School of

Network and Internet Vulnerabilities Computer Security Lecture 9 David Aspinall School of Informatics University of Edinburgh 24th February 2014 Outline Introduction Network and transport-level vulnerabilities Higher-level protocol

1.01k views • 88 slides
OWASP Most Critical Web Application Security Vulnerabilities Introduction 2 Purpose of

OWASP Most Critical Web Application Security Vulnerabilities Introduction 2 Purpose of

OWASP Most Critical Web Application Security Vulnerabilities Introduction 2 Purpose of Session: - Provide Overview Web Application Security Threats and Defense Using the Open Web Application Security Project (OWASP) Top List, we

830 views • 39 slides
Operating System Hardening Vulnerabilities Unique vulnerabilities for: Different

Operating System Hardening Vulnerabilities Unique vulnerabilities for: Different

Operating System Hardening Vulnerabilities Unique vulnerabilities for: Different operating systems Different vendors Client and server systems Vendors try to correct Attackers try to exploit Security professionals must

620 views • 11 slides
Buffer Software Security overflows and other memory safety vulnerabilities History

Buffer Software Security overflows and other memory safety vulnerabilities History

This time We will begin By investigating our 1st section: Buffer Software Security overflows and other memory safety vulnerabilities History Memory layouts Buffer overflow fundamentals Analyzing security Security

1.41k views • 107 slides
Responsible disclosure process vulnerabilities of IP security cameras Kiberahs 2016

Responsible disclosure process vulnerabilities of IP security cameras Kiberahs 2016

Responsible disclosure process vulnerabilities of IP security cameras Kiberahs 2016 @KirilsSolovjovs 06.10.2016. kirils.org Me in a slide IT security expert; researcher at 1 st Ltd, Latvia Skills: network flow analysis, reverse

529 views • 20 slides
CS3157: Advanced Programming Lecture # rails Apr 30 Shlomo Hershkop shlomo@cs.columbia.edu 1

CS3157: Advanced Programming Lecture # rails Apr 30 Shlomo Hershkop shlomo@cs.columbia.edu 1

CS3157: Advanced Programming Lecture # rails Apr 30 Shlomo Hershkop shlomo@cs.columbia.edu 1 Outline Ruby on rails Step by step examples today, please pay attention and keep up Ask if we do something you dont understand 2

754 views • 64 slides
Ruby on Rails CSCI 470: Web Science Keith Vertanen Overview Ruby programming language

Ruby on Rails CSCI 470: Web Science Keith Vertanen Overview Ruby programming language

Ruby on Rails CSCI 470: Web Science Keith Vertanen Overview Ruby programming language History and philosophy Features Syntax Ruby on Rails History and philosophy Rails architecture Directory structure 2 Ruby:

388 views • 15 slides
Ruby on Rails SWEN 250 Personal Software Engineering How Websites Work Browsers send HTTP

Ruby on Rails SWEN 250 Personal Software Engineering How Websites Work Browsers send HTTP

Web Applications & Ruby on Rails SWEN 250 Personal Software Engineering How Websites Work Browsers send HTTP requests to a Server Servers send back HTTP responses HTTP requests & responses are newline-delimited strings with:

447 views • 9 slides
RUBY-I Pockros PJ, Gastroenterology. 2016;150:1590-8. Hepatitis Hepatitis web study web study

RUBY-I Pockros PJ, Gastroenterology. 2016;150:1590-8. Hepatitis Hepatitis web study web study

Phase 3b Treatment-Naive Ombitasvir-Paritaprevir-Ritonavir and Dasabuvir in GT1 and Renal Disease RUBY-I Pockros PJ, Gastroenterology. 2016;150:1590-8. Hepatitis Hepatitis web study web study Ombitasvir-Paritaprevir-Ritonavir and Dasabuvir

417 views • 7 slides
Lets Get on Rails Venkat Subramaniam svenkat@cs.uh.edu 1 Whats Rails? Web

Lets Get on Rails Venkat Subramaniam svenkat@cs.uh.edu 1 Whats Rails? Web

Lets Get on Rails Venkat Subramaniam svenkat@cs.uh.edu 1 Whats Rails? Web Development Frameworks Build on Ruby (so called Ruby on Rails) Agile Lightweight Heavily relies on Convention over configuration Venkat

957 views • 4 slides
Continuous integration in a social-coding world Bogdan Vasilescu, Stef van Schuylenburg, Jules

Continuous integration in a social-coding world Bogdan Vasilescu, Stef van Schuylenburg, Jules

Continuous integration in a social-coding world Bogdan Vasilescu, Stef van Schuylenburg, Jules Wulms, Alexander Serebrenik, Mark G. J. van den Brand @b_vasilescu @aserebrenik #icsme14 ICSME 2014, Victoria, BC, Canada Integration [used

440 views • 26 slides
Ruby Monstas Session 18 Agenda Recap Rubygems Bundler Exercises Recap Enter: ERB!

Ruby Monstas Session 18 Agenda Recap Rubygems Bundler Exercises Recap Enter: ERB!

Ruby Monstas Session 18 Agenda Recap Rubygems Bundler Exercises Recap Enter: ERB! todos.html.erb erb_exporter.rb require 'erb' <!DOCTYPE html> <html> class ErbExporter <head> <title>Todo List

736 views • 15 slides
EECS 394 Software Development Chris Riesbeck Communicating 1 The Problem I never have a clue

EECS 394 Software Development Chris Riesbeck Communicating 1 The Problem I never have a clue

EECS 394 Software Development Chris Riesbeck Communicating 1 The Problem I never have a clue what the developers are talking about. When I ask what they're doing, they say they're When I ask where XMLing the CSS SQL they're at, they say

944 views • 27 slides

More recommend