Rationalizing Security

Transcript

1. Rationalizing Security Matt Konda Jemurai @mkonda [email protected] https://en.wikipedia.org/wiki/Rational_function

2. Introduction 1997 2006 2014 Consultant Engineer Software Architect Director of

   Engineering Rabble Rouser: Perl Java Applet C++ J2EE J2EE
 Spring Analytics Certificate Authority Vulnerability Scanner Penetration Test Manager Pricing Retail Banking Manufacturing Pharma Healthcare Research Ruby Rails Chicago BSides 2011, 2012 Defcon Skytalk OWASP Chicago, MSP 2013 AppSec USA 2012, 2013 ChicagoRuby 2013 Secure 360 Lone Star Ruby 2013 WindyCityRails 2013 Chicago JUG 2014 RailsConf 2014 Converge 2014 ChicagoCoderConference 2015 MS in CS Founder Consultant Agile Clojure Graph Database Big Data Trying to hack a business model that succeeds while helping developers. Domains: Projects: DevOps / Automation Training Coaching Code Review Plugged in to SDLC Consulting Assessments @mkonda [email protected] Secure DevOps Growing OWASP Board Agile Security

3. Census?

4. What are you hoping to get out of this?

5. Metasploit Demo

6. Case Study 1 e-Commerce Fraud

7. “This year, organized crime became the most frequently seen threat

   actor for Web App Attacks.” Verizon 2015 DBIR
8. None

9. See • Botnets • Widespread use of harvested credentials •

   Account takeover • Credit card fraud • Dumps of passwords and sensitive data with SQLi • User pwnage with XSS

10. Case Study 2 Healthcare Fraud

11. “Two thirds of the incidents in this pattern had no

    attacker-attribution information whatsoever.” Verizon 2015 DBIR Cyber-Espionage

12. See • Long term investment • Systematic targeting • Phishing

    / Social Engineering • Pivoting

13. How long does it take for your host to get

    scanned / attacked on the open internet?

14. As a startup, you’re probably not an You’re in experimental

    mode …

15. You don’t want to worry about it

16. There are generally three things that force you to think

    about security.
17. None
18. None
19. None

20. Your user’s privacy is important.

21. So is your company’s privacy.

22. Maturity Scale • Opportunistic • Defensible • Serious • Paranoid

23. Opportunistic • Use platform provided security • Run tools yourself

    (eg. brakeman)

24. Defensible • Policy, including data classification • Security assessments •

    Build servers to security standard

25. Serious • Active monitoring, log collection • Incident response •

    Security in SDLC (Static analysis, code review, training, automation) • Have a security team, app security team (Network, Desktop, Server controls)

26. Paranoid • Threat intelligence • Anti-Fraud • DDoS • Bug

    Bounty • Forensics

27. Things you can do now.

28. Use Services Provided • Use IAM to define groups users.

    Use MFA. • Limit Network Access, Use TrustedAdvisor • CloudTrail • Use encryption for S3, EBS, RDS, etc. • New: Inspector, WAF, Config Rules

29. • XSS is really code injection. • The distinction is

    that the code is running in your user’s browser. • This can have crippling significance - because it bypasses network and other typical controls. Cross-site Scripting
30. None

31. beef demo

32. None
33. None
34. None
35. None
36. None
37. None

38. OWASP Top 10

39. Flagship Projects Tools • ZAP • OWASP Dependency Check •

    Web Testing Environment Project • OWTF Code • ModSecurity • CSRFGuard • AppSensor Documentation • ASVS • SAMM • Top 10 • Testing Guide • Benchmark

40. OWASP ASVS

41. Tiers • 0  –  Cursory  –  You  have  done  

    something.    You  define.   • 1  –  Opportunistic  –  Adequately  defends   against  easily  discoverable  items.   • 2  –  Standard  –  Adequately  defends   against  items  of  moderate  to  serious   risk.   • 3  –  Advanced  –  Defends  against  even   advanced  attacks  and  demonstrates   good  security  design.
42. None

43. Discussion …

44. Technical questions? Eg. I’m using … what do I need

    to worry about?

45. Get a partner and talk about what data you have

    that people might want …

46. Villain persona

47. Future topics?