
DevConf.CZ 2019: First steps into security engineering

Experience with security is a useful and even profitable skill for every technical and non-technical employee in IT. Contrary to common stereotypes, security is far more than black hoodies, math and crypto. It's also humans and communication skills.

Attendees of my DevConf.CZ 2018 talk and my DevConf.IN keynote have asked me how to get started. Let me introduce you to the diverse areas of infosec and point you to books, online courses, talks, and other resources to get you started.

https://devconfcz2019.sched.com/event/Jck4/first-steps-into-security-engineering

Christian Heimes

January 26, 2019

Transcript

  1. First steps into security engineering, DevConf.CZ 2019 [slide 6] Disclaimer: This talk is
     • opinionated
     • subjective
     • biased
     • incomplete
     • edutainment
  2. [slide 15] Attackers just need one vulnerability, defenders need to be perfect.
  3. [slide 16] Users don't care about security. They are ignorant, disregardful, and responsible for security incidents.
  4. [slide 22] “Our cars are less likely to explode than competing products.”
  5. [slide 27] Alex Gaynor, The worst truism in information security: “Attackers just need one vulnerability, defenders need to be perfect” https://alexgaynor.net/2018/jul/20/worst-truism-in-infosec/
  6. [slide 31] Threat Model: biometrics (image: The Photographer [CC BY-SA 3.0 (https://creativecommons.org/licenses/by-sa/3.0) or GFDL (http://www.gnu.org/copyleft/fdl.html)], from Wikimedia Commons)
  7. [slide 38] Amazon Says One Engineer's Simple Mistake Brought the Internet Down (2017-02-28)
  8. [slide 40] (image: Arz [CC BY-SA 3.0 (http://creativecommons.org/licenses/by-sa/3.0/)], from Wikimedia Commons)
  9. [slide 41] So Long, And No Thanks for the Externalities: The Rational Rejection of Security Advice by Users, Cormac Herley, Microsoft Research
  10. [slide 42] Human factor
      • Social engineering
      • CEO scam: Ubiquiti Networks victim of $39 million https://www.csoonline.com/article/2961066/supply-chain-security/ubiquiti-networks-victim-of-39-million-social-engineering-attack.html
      • Password in exchange for chocolate (up to 47.9%), Université du Luxembourg, Computers in Human Behavior, 2016; 61: 372, DOI: 10.1016/j.chb.2016.03.026
      • dissatisfied employees
      • ignorant management
  11. [slide 45] User Interface: Lion Air Flight 610: Pilots fought automatic safety system before plane plunged
  12. [slide 52] Hardware security: RSA Key Extraction via Acoustic Cryptanalysis https://www.tau.ac.il/~tromer/acoustic/
  13. [slide 53] Physical security against intru-deers https://twitter.com/DCFurs/status/1087663240421593089
  14. [slide 59] Stop reading, start doing! Parisa Tabriz, So, you want to work in security? https://medium.freecodecamp.org/so-you-want-to-work-in-security-bc6c10157d23
  15. [slide 60] Security Engineering (Ross Anderson), available for free: https://www.cl.cam.ac.uk/~rja14/book.html
  16. [slide 62] “Soft” skills
      • team work / team diversity
      • locate and evaluate information
      • law / legal affairs
      • ethics & compliance
      • rhetoric
      • read and write documentation
  17. [slide 63] Social Engineering
      • The Social Engineering Framework https://www.social-engineer.org/framework/
      • Social Engineering: The Art of Human Hacking, Christopher Hadnagy (2010)
      • The Art of Deception, Kevin D. Mitnick (2003)
  18. [slide 65] Digital self-defense
      • secure your hardware
      • disk encryption
      • privacy
      • ad-blocker
      • email provider
      • good passwords / 2FA
      • update, update, update!
      https://freedom.press/training/
  19. [slide 66] Operating Systems
      • man pages
      • Advanced Programming in the UNIX Environment, Stevens / Rago (2013)
  20. [slide 67] Computer networks and system tools
      • IPv4, IPv6, routing, TCP, UDP, DNS, firewall
      • auditing, logging
      • SELinux
      • analysis and pentesting tools: wireshark, nmap, metasploit, IDA (Interactive Disassembler)
  21. [slide 69] General resources
      • OWASP: Open Web Application Security Project
      • CWE: Common Weakness Enumeration
      • CVE: Common Vulnerabilities and Exposures
      • IETF RFCs
  22. [slide 70] Top 10 bugs
      • injection attacks (SQL, LDAP, JSON, XQuery, XPath, ...)
      • broken authentication and access control
      • Cross-Site Scripting (XSS)
      • XML entities
      • Insecure Deserialization (images, documents, ASN.1)
  23. [slide 71] Unicode
      >>> import unicodedata
      >>> # homograph / homoglyph confusion attack: the first letter is not a Latin P
      >>> unicodedata.name('Руthοn'[0])
      'CYRILLIC CAPITAL LETTER ER'
      >>> # persistent XSS via normalization of fullwidth characters
      >>> wide = '＜script＞'
      >>> safe = wide.replace('<', '&lt;')  # quotes the ASCII '<' only
      >>> unicodedata.name(safe[0])
      'FULLWIDTH LESS-THAN SIGN'
      >>> unicodedata.normalize('NFKD', safe)  # escaping before normalizing undoes the quoting
      '<script>'
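As an added example (not code from the deck), the two points of this slide in runnable form: a script-mixing check that flags homograph candidates like the deck's 'Руthοn', and the escape-then-normalize ordering bug shown beside its fix. The sample strings are constructed with escape sequences so the confusable characters are visible.

```python
import html
import unicodedata

# Constructed samples (not from the deck): the slide's 'Руthοn' written with
# escapes: Cyrillic ER, Cyrillic U, Latin t h, Greek omicron, Latin n.
HOMOGRAPH = "\u0420\u0443th\u03bfn"
# Fullwidth angle brackets; NFKC (and NFKD) map them to plain ASCII '<' and '>'.
WIDE_SCRIPT = "\uff1cscript\uff1e"


def scripts_in(text):
    """Return the set of scripts used by the letters in text, taken from the
    first word of each character's Unicode name (LATIN, CYRILLIC, GREEK, ...).
    Digits and punctuation are ignored."""
    scripts = set()
    for ch in text:
        if unicodedata.category(ch).startswith("L"):
            scripts.add(unicodedata.name(ch, "UNKNOWN").split(" ")[0])
    return scripts


def is_mixed_script(text):
    """A name mixing scripts is a homograph candidate: reject it, or display it
    in a disambiguated form (e.g. Punycode for host names)."""
    return len(scripts_in(text)) > 1


def escape_then_normalize(text):
    """The bug on the slide: html.escape only knows the ASCII '<', so the
    fullwidth sign passes untouched and a later normalization (for search,
    storage, or display) turns it into a real '<' behind the escaper's back."""
    return unicodedata.normalize("NFKC", html.escape(text))


def normalize_then_escape(text):
    """The fix: normalize first so compatibility characters collapse to their
    ASCII forms, then escape what is left immediately before HTML output."""
    return html.escape(unicodedata.normalize("NFKC", text))


if __name__ == "__main__":
    print(sorted(scripts_in(HOMOGRAPH)), is_mixed_script(HOMOGRAPH))
    print(repr(escape_then_normalize(WIDE_SCRIPT)))   # '<script>'  (unsafe)
    print(repr(normalize_then_escape(WIDE_SCRIPT)))   # '&lt;script&gt;'
```

The same ordering rule applies to any canonicalization step (case folding, path normalization): validate and escape the canonical form, never the raw input.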
  24. [slide 72] Programming languages
      • C
      • Assembly
      • eBPF, BPF
      • Go
      • Java
      • JavaScript
      • Python
      • Rust
  25. [slide 74] Cryptography
      • The Code Book, Simon Singh
      • Cryptography Engineering, Ferguson / Schneier / Tadayoshi Kohno
      • Serious Cryptography, JP Aumasson
  26. [slide 75] Cryptography, free online resources
      • Cryptography I, Dan Boneh https://www.coursera.org/learn/crypto
      • The cryptopals crypto challenges https://cryptopals.com/
      • Crypto 101, LvH (Laurens Van Houtven) https://www.crypto101.io/
      • Mathematics of Public Key Cryptography, Steven Galbraith (2012)
  27. [slide 76] TLS/SSL, Certificates
      • Bulletproof SSL and TLS, Ivan Ristic
      • CA/Browser Forum Baseline Requirements https://cabforum.org/
      • Mozilla Server Side TLS https://wiki.mozilla.org/Security/Server_Side_TLS
  28. [slide 77] Passwords / Authentication
      • NIST SP 800-63-3: Digital Identity Guidelines
      • OAuth, OpenID Connect
      • 2FA (FIDO, WebAuthn)
      • Troy Hunt, https://haveibeenpwned.com/
  29. [slide 79] News, blogs
      • Linux Weekly News https://lwn.net/
      • Troy Hunt https://www.troyhunt.com/
      • Krebs on Security https://krebsonsecurity.com/
      • Bruce Schneier https://www.schneier.com/
      • Bulletproof TLS Newsletter https://www.feistyduck.com/bulletproof-tls-newsletter/
  30. [slide 80] Conference videos
      • Chaos Communication Congress (e.g. 35C3)
      • Black Hat
      • DEF CON
      • Real World Crypto
  31. [slide 81] Security people
      • Adam Langley
      • Alex Gaynor
      • Brian Krebs (Krebs on Security)
      • Bruce Schneier
      • Dan Bernstein (djb)
      • Frank Denis
      • Hanno Böck
      • JP Aumasson
      • Katie Moussouris
      • Matt Blaze
      • Matthew Green
      • Nick Sullivan
      • Parisa Tabriz
      • Ryan Sleevi
      • Tanja Lange
      • Tavis Ormandy
      • Thomas Ptacek
      • Tony Arcieri
      • Troy Hunt
  32. [slide 83] Summary
      • Mind the user
      • Keep learning
      • Get experience: write your own crypto (don't use it in production)
      Please send your suggestions: [email protected] / @ChristianHeimes