Upgrade to Pro — share decks privately, control downloads, hide ads and more …

DevConf.IN 2019: First steps into security engi...

DevConf.IN 2019: First steps into security engineering

Experience with security is a useful and even profitable skill for every technical and non-technical employee in IT. Contrary to common stereotypes, security is far more than black hoodies, math and crypto. It's also humans and communication skills. Attendees of my talk DevConf.CZ 2018 talk and DevConf.IN key note have ask me how to get started. Let me introduce you to diverse areas of info sec and point you to books, online courses, talks, and other resources to get you started.

https://devconfin19.sched.com/event/RVPb/first-steps-into-security-engineering

Christian Heimes

August 03, 2019
Tweet

More Decks by Christian Heimes

Other Decks in Programming

Transcript

  1. First steps into security engineering, DevConf.IN 2019, @ChristianHeimes, CC BY-SA

    4.0 Who am I? • from Hamburg/Germany • Python and C developer • Python core contributor since 2008 • maintainer of ssl and hashlib module • Python security team m Кристиан Хай ес ख्रिस्तियन ক্রিস্টিয়ান হেইন্স ક્રિશ્ચયન હેઇમ્સ ക്രിസ്ത്യൻ ख्रिश्चन ಕ್ರಿಸ್ಟಿಯಾನ್ نایٹسرک கிறிஸ்டின் ஹெய்ம்ஸ்
  2. First steps into security engineering, DevConf.IN 2019, @ChristianHeimes, CC BY-SA

    4.0 Professional life • Principal Software Engineer at Red Hat • Security Engineering • FreeIPA Identity Management • Dogtag PKI
  3. First steps into security engineering, DevConf.IN 2019, @ChristianHeimes, CC BY-SA

    4.0 This talk is • opinionated • subjective • biased • incomplete • edutainment Disclaimer
  4. First steps into security engineering, DevConf.IN 2019, @ChristianHeimes, CC BY-SA

    4.0 https://www.theguardian.com/technology/2016/dec/14/yahoo-hack-security-of-one-billion-accounts-breached
  5. First steps into security engineering, DevConf.IN 2019, @ChristianHeimes, CC BY-SA

    4.0 https://www.reuters.com/article/us-yahoo-cyber/yahoo-says-all-three-billion-accounts-hacked-in-2013-data-theft-idUSKCN1C82O1
  6. First steps into security engineering, DevConf.IN 2019, @ChristianHeimes, CC BY-SA

    4.0 https://nypost.com/2016/10/06/verizon-wants-1b-discount-on-yahoo-deal-after-hacking-reports/ https://www.cnet.com/news/verizon-and-yahoo-agree-to-cut-4-billion-deal-by-350-million/
  7. First steps into security engineering, DevConf.IN 2019, @ChristianHeimes, CC BY-SA

    4.0 https://www.theguardian.com/technology/2017/aug/31/hacking-risk-recall-pacemakers-patient-death-fears-fda-firmware-update
  8. First steps into security engineering, DevConf.IN 2019, @ChristianHeimes, CC BY-SA

    4.0 Security is a feature. Security is a selling point.
  9. First steps into security engineering, DevConf.IN 2019, @ChristianHeimes, CC BY-SA

    4.0 Attackers just need one vulnerability, defenders need to be perfect.
  10. First steps into security engineering, DevConf.IN 2019, @ChristianHeimes, CC BY-SA

    4.0 Users don't care about security. They are ignorant, disregardful, and responsible for security incidents.
  11. First steps into security engineering, DevConf.IN 2019, @ChristianHeimes, CC BY-SA

    4.0 wrong dangerous arrogant (I used to think like that.)
  12. First steps into security engineering, DevConf.IN 2019, @ChristianHeimes, CC BY-SA

    4.0 “Our cars are less likely to explode than competing products.”
  13. First steps into security engineering, DevConf.IN 2019, @ChristianHeimes, CC BY-SA

    4.0 Alex Gaynor The worst truism in information security Attackers just need one vulnerability, defenders need to be perfect https://alexgaynor.net/2018/jul/20/worst-truism-in-infosec/
  14. First steps into security engineering, DevConf.IN 2019, @ChristianHeimes, CC BY-SA

    4.0 threat model cost–benefit analysis documentation
  15. First steps into security engineering, DevConf.IN 2019, @ChristianHeimes, CC BY-SA

    4.0 Threat Model: biometrics The Photographer [CC BY-SA 3.0 (https://creativecommons.org/licenses/by-sa/3.0) or GFDL (http://www.gnu.org/copyleft/fdl.html)], from Wikimedia Commons
  16. First steps into security engineering, DevConf.IN 2019, @ChristianHeimes, CC BY-SA

    4.0 https://www.independent.co.uk/travel/news-and-advice/air-safety-2017-best-year-safest-airline-passengers-worldwide-to70-civil-aviation-review-a8130796.html
  17. First steps into security engineering, DevConf.IN 2019, @ChristianHeimes, CC BY-SA

    4.0 Amazon Says One Engineer's Simple Mistake Brought the Internet Down 2017-02-28
  18. First steps into security engineering, DevConf.IN 2019, @ChristianHeimes, CC BY-SA

    4.0 Arz [CC BY-SA 3.0 (http://creativecommons.org/licenses/by-sa/3.0/)], from Wikimedia Commons
  19. First steps into security engineering, DevConf.IN 2019, @ChristianHeimes, CC BY-SA

    4.0 So Long, And No Thanks for the Externalities: The Rational Rejection of Security Advice by Users Cormac Herley, Microsoft Research
  20. First steps into security engineering, DevConf.IN 2019, @ChristianHeimes, CC BY-SA

    4.0 Human factor • Social engineering • CEO scam: Ubiquiti Networks victim of $39 million https://www.csoonline.com/article/2961066/supply-chain-security/ubiquiti-networks-victim-of-39-million-social- engineering-attack.html • Password in exchange for chocolate (up to 47.9%) Université du Luxembourg, Computers in Human Behavior, 2016; 61: 372 DOI: 10.1016/j.chb.2016.03.026 • dissatisfied employees • ignorant management
  21. First steps into security engineering, DevConf.IN 2019, @ChristianHeimes, CC BY-SA

    4.0 User interface, training, documentation Lion Air Flight 610: Pilots fought automatic safety system before plane plunged.
  22. First steps into security engineering, DevConf.IN 2019, @ChristianHeimes, CC BY-SA

    4.0 Persecution mania Cracking Passwords using Keyboard Acoustics and Language Modeling Andrew Kelly, University of Edinburgh (2010) Eavesdrop on Conversations Using a Bag of Chips with MIT’s ‘Visual Microphone’ https://singularityhub.com/2014/08/13/eavesdrop-on-conversations-using-a-bag-of-chips-with-mits-visual-microphone/ Researcher Turns HDD Into Rudimentary Microphone
  23. First steps into security engineering, DevConf.IN 2019, @ChristianHeimes, CC BY-SA

    4.0 Hardware security RSA Key Extraction via Acoustic Cryptanalysis https://www.tau.ac.il/~tromer/acoustic/
  24. First steps into security engineering, DevConf.IN 2019, @ChristianHeimes, CC BY-SA

    4.0 Physical security against intru-deers https://twitter.com/DCFurs/status/1087663240421593089
  25. First steps into security engineering, DevConf.IN 2019, @ChristianHeimes, CC BY-SA

    4.0 cybersquirrel1.com – attacks on power grid http://cybersquirrel1.com/
  26. First steps into security engineering, DevConf.IN 2019, @ChristianHeimes, CC BY-SA

    4.0 IoT – Internet of Things The “S” in “IoT” stands for security. The “P” in “IoT” stands for privacy. (Sorry, German humour)
  27. First steps into security engineering, DevConf.IN 2019, @ChristianHeimes, CC BY-SA

    4.0 Stop reading, start doing! Parisa Tabriz So, you want to work in security? https://medium.freecodecamp.org/so-you-want-to-work-in-security-bc6c10157d23
  28. First steps into security engineering, DevConf.IN 2019, @ChristianHeimes, CC BY-SA

    4.0 Available for free: https://www.cl.cam.ac.uk/~rja14/book.html
  29. First steps into security engineering, DevConf.IN 2019, @ChristianHeimes, CC BY-SA

    4.0 “Soft” skills • team work / team diversity • locate and evaluate information • law / legal affairs • business • ethics & compliance • rhetoric • read and write documentation
  30. First steps into security engineering, DevConf.IN 2019, @ChristianHeimes, CC BY-SA

    4.0 Social Engineering • The Social Engineering Framework https://www.social-engineer.org/framework/ • Social Engineering, The Art of Human Hacking Christopher Hadnagy (2010) • The Art Of Deception Kevin D. Mitnick (2003)
  31. First steps into security engineering, DevConf.IN 2019, @ChristianHeimes, CC BY-SA

    4.0 Digital self-defense • secure your hardware • disk encryption • privacy • ad-blocker • email provider • good passwords / 2FA • update, update, update! https://freedom.press/training/
  32. First steps into security engineering, DevConf.IN 2019, @ChristianHeimes, CC BY-SA

    4.0 Operating Systems • man pages • Advanced Programming in the UNIX Environment Stevens / Rago (2013)
  33. First steps into security engineering, DevConf.IN 2019, @ChristianHeimes, CC BY-SA

    4.0 Computer networks and system tools • IPv4, IPv6, routing, TCP, UDP, DNS, firewall • auditing, logging • SELinux • analysis and pentesting tools • wireshark • nmap • metasploit • IDA Interactive Disassembler
  34. First steps into security engineering, DevConf.IN 2019, @ChristianHeimes, CC BY-SA

    4.0 DevOps Securing DevOps: Security in the Cloud Julien Vehent (2018)
  35. First steps into security engineering, DevConf.IN 2019, @ChristianHeimes, CC BY-SA

    4.0 General Resource • OWASP: Open Web Application Security Project • CWE: Common Weakness Enumeration • CVE: Common Vulnerabilities and Exposures • IETF RFCs
  36. First steps into security engineering, DevConf.IN 2019, @ChristianHeimes, CC BY-SA

    4.0 Top 10 bugs • injection attacks (SQL, LDAP, JSON, XQuery, XPath, ...) • broken authentication and access control • Cross-Site scripting (XSS) • XML entities • Insecure Deserialization (images, docs, ASN.1)
  37. First steps into security engineering, DevConf.IN 2019, @ChristianHeimes, CC BY-SA

    4.0 Unicode >>> import unicodedata # homograph / homoglyphic confusion attack >>> unicodedata.name('Руthοn'[0]) CYRILLIC CAPITAL LETTER ER >>> import unicodedata # homograph / homoglyphic confusion attack >>> unicodedata.name('Руthοn'[0]) CYRILLIC CAPITAL LETTER ER # persistent XSS with wide unicode normalization >>> wide = ' < script > ' >>> safe = wide.replace('<', '&lt;') # quote >>> unicodedata.name(safe[0]) 'FULLWIDTH LESS-THAN SIGN' >>> unicodedata.normalize('NFKD', safe) '<script>' # persistent XSS with wide unicode normalization >>> wide = ' < script > ' >>> safe = wide.replace('<', '&lt;') # quote >>> unicodedata.name(safe[0]) 'FULLWIDTH LESS-THAN SIGN' >>> unicodedata.normalize('NFKD', safe) '<script>'
  38. First steps into security engineering, DevConf.IN 2019, @ChristianHeimes, CC BY-SA

    4.0 Programming languages • C • Assembly • eBPF, BPF • Go • Java • JavaScript • PHP • Python • Rust
  39. First steps into security engineering, DevConf.IN 2019, @ChristianHeimes, CC BY-SA

    4.0 Cryptography • The Code Book, Simon Singh • Cryptography Engineering, Ferguson/Schneier/Tadayashi • Serious Cryptography, JP Aumasson
  40. First steps into security engineering, DevConf.IN 2019, @ChristianHeimes, CC BY-SA

    4.0 Cryptography free online resources • Cryptography I, Dan Boneh https://www.coursera.org/learn/crypto • The cryptopals crypto challenges https://cryptopals.com/ • Crypto 101, LvH, https://www.crypto101.io/ • Mathematics of Public Key Cryptography, Steven Galbraith (2012)
  41. First steps into security engineering, DevConf.IN 2019, @ChristianHeimes, CC BY-SA

    4.0 TLS/SSL, Certificates • Bulletproof SSL and TLS, Ivan Ristic • CA/Browser Forum Baseline Requirements https://cabforum.org/ • Mozilla Server Side TLS https://wiki.mozilla.org/Security/Server_Side_TLS
  42. First steps into security engineering, DevConf.IN 2019, @ChristianHeimes, CC BY-SA

    4.0 Passwords / Authentication • NIST 800-63-3: Digital Identity Guidelines • OAuth, OpenID Connect • 2FA (FIDO, WebAuthn) • Troy Hunt, https://haveibeenpwned.com/
  43. First steps into security engineering, DevConf.IN 2019, @ChristianHeimes, CC BY-SA

    4.0 News, blogs • Linux Weekly News https://lwn.net/ • Troy Hunt https://www.troyhunt.com/ • Krebs on Security https://krebsonsecurity.com/ • Bruce Schneier https://www.schneier.com/ • https://www.feistyduck.com/bulletproof-tls-newsletter/
  44. First steps into security engineering, DevConf.IN 2019, @ChristianHeimes, CC BY-SA

    4.0 Conference videos • Chaos Communication Conference (e.g. 35C3) • Black Hat • DEFCON • Real World Crypto
  45. First steps into security engineering, DevConf.IN 2019, @ChristianHeimes, CC BY-SA

    4.0 Security people • Adam Langley • Alex Gaynor • Brian Krebs (Krebs On Security) • Bruce Schneier • Dan Bernstein (djb) • Frank Denis • Hanno Böck • JP Aumasson • Katie Moussouris • Matt Blaze • Matthew Green • Nick Sullivan • Parisa Tabriz • Ryan Sleevi • Tanja Lange • Tavis Ormandy • Thomas Ptacek • Tony Arcieri • Troy Hunt
  46. First steps into security engineering, DevConf.IN 2019, @ChristianHeimes, CC BY-SA

    4.0 Summary • “I know that I know nothing” (expert specialist) → • Keep learning • Mind the user • Get experience • Write your own crypto (do NOT use it in production) Please send me your suggestions