Safety First

Transcript

1. None

2. Safety first Simon `Firesphere` Erkelens | 2018 Security matters

3. About me Simon `Firesphere` Erkelens • SilverStripe bespoke software engineer

   • Team: Ninja Unicorns (And a little bit of CCS) • Community admin (Slack & Forum) • I maintain the StripeSlackBot • That’s Python , SilverStripe 4 & Solr • Author of MFA modules for SilverStripe 3 & 4 • Cat owner • Hans the cow is my mascotte • I have a zoo on my desk • Scarily obsessed with security • Also Solr and search in general • LEGO! • Born Dutch (expect cursing) • Originator and former organizer of StripeCon EU • I wonder how much I can fit on a single slide • Yes, this is on purpose • Bribable with Whisk(e)y, beer or LEGO That’s me ➡ Although, I’m standing right over here, if you hadn’t noticed. That’s my cat, Marika ⬇ That’s Hans ➡ The zoo ⬇ ⬅ Apollo 13 Saturn V LEGO rocket!

4. What can you do Expect a databreach You will be

   breached. If not today, it’ll be tomorrow • Preparing for the worst is better than hoping for the best • Most breaches are due to bad practices by (in no particular order): • SysOps • DevOps • Software Engineers • Clients • End users • CMS Users • Bad password practices • Not using a password manager Simon `Firesphere` Erkelens | 2018

5. This... This is my absolute favourite twitter convo! Taylor Hornby

   falling for social engineering Social engineering is still very easy. Even if your target knows it’ll happen, even inviting people to try it, and this is a security expert!

6. There are a few things you can do Your security

   measures Passwords, HTTPS, etc. • Roave Security-advisories • OWASP • Password managers • HTTPS • Password rules • Multi Factor Authentication • Content Security Policy Simon `Firesphere` Erkelens | 2018

7. Have their security-advisories in your module/project Roave Security best practices

   • roave/security-advisories • require or require-dev • Keep up to date with the latest known security issues Simon `Firesphere` Erkelens | 2018

8. Just follow OWASP best practices OWASP Open Web Application Security

   Project • Their Top 10 of vulnerability risks is a good place to start • Juice Shop project • Zed Attack Proxy • And a lot more! Simon `Firesphere` Erkelens | 2018

9. A password manager helps! Password managers Don’t use sticky notes

   • Explain to your client why • Explain the benefits • DO NOT EVER disable pasting of passwords in password fields • Suggest them to your client, here are a few: • BitWarden (My favourite, I’m not being paid to say this) • 1Password • LastPass Simon `Firesphere` Erkelens | 2018
10. None

11. Put all your sites on HTTPS. HTTPS The S stands

    for “Secure Connection” • Try visiting an http site on hotel wifi and compare it to https • See screenshots on next slide • Let’s Encrypt • CertBot, ACME2, Secure updates… Let’s Encrypt • Don’t go EV, never go EV • Seriously, it’s a waste of money nowadays • Keep your certificates up to date • CertBot does that for you • Register as HSTS • Force HTTPS across your entire site • Show your clients Troy Hunt’s demo if they are not sure Simon `Firesphere` Erkelens | 2018

12. Seriously, HTTPS The S stands for “Secure Connection” Simon `Firesphere`

    Erkelens | 2018 Public hotel wifi, same page, http vs. https

13. Not enough funny gifs mate! Simon `Firesphere` Erkelens | 2018

    Okay, sorry, let me fix that for you!

14. Password Rules It’s really simple Simon `Firesphere` Erkelens | 2018

    Minimum of 16 characters. I don’t care which as long as they’re not the same

15. HaveIBeenPwned And don’t appear in HaveIBeenPwned Okay, I care a

    little bit • Check new passwords against known breaches • Block known breached passwords • Doesn’t matter if it wasn’t a breach from your site • Don’t reuse your passwords • Don’t expire passwords • No, seriously, don’t expire passwords • Unless they’re breached that is Simon `Firesphere` Erkelens | 2018

16. Any MFA implementation is better than none MFA Just do

    it • Users will hate you for it • Until they see how their CMS account credentials are suddenly used on their banking without them knowing Simon `Firesphere` Erkelens | 2018

17. Whitelist sites that can load CSP Helps preventing unwanted scripts

    • Report-uri.com • Allowed javascript sources • Allowed image sources • Allowed CSS sources • etc. Simon `Firesphere` Erkelens | 2018

18. Who to follow Twitter • @Firesphere (that’s me!) • @troyhunt

    (Troy Hunt) • @scott_helme (Scott Helme) • @j_opdenakker (John Opdenakker) • @SilverStripe (You know, that company) • @DefuseSec (Taylor Hornby) • @roaveteam (Roave) Simon `Firesphere` Erkelens | 2018

19. Any questions? Simon `Firesphere` Erkelens | 2018 Pretty sure you

    have questions? Speak up!

20. Thank you! @Firesphere https://github.com/Firesphere [email protected] https://speakerdeck.com/firesphere https://casa-laguna.net