Upgrade to Pro — share decks privately, control downloads, hide ads and more …

PyCaribbean 2019: First steps into security eng...

PyCaribbean 2019: First steps into security engineering

http://pycaribbean.com/talk/first-steps-into-security-engineering/

Experience with security is a useful and even profitable skill for every technical and non-technical employee in IT. Contrary to common stereotypes, security is far more than black hoodies, math and crypto. It's also humans and communication skills. Attendees of my talks regularly ask me how to get started. Let me introduce you to diverse areas of info sec and point you to books, online courses, talks, and other resources to get you started.

Christian Heimes

February 16, 2019
Tweet

More Decks by Christian Heimes

Other Decks in Programming

Transcript

  1. First steps into security engineering PyCaribbean 2019 / Santo Dominga

    2019-02-16 Christian Heimes Principal Software Engineer [email protected] / [email protected] @ChristianHeimes
  2. First steps into security engineering, PyCaribbean 2019 @ChristianHeimes 2 Who

    am I? • from Hamburg/Germany • Python and C developer • Python core contributor since 2008 • maintainer of ssl and hashlib module • Python security team
  3. First steps into security engineering, PyCaribbean 2019 @ChristianHeimes 3 Professional

    life • Principal Software Engineer at Red Hat • Security Engineering • FreeIPA Identity Management • Dogtag PKI
  4. First steps into security engineering, PyCaribbean 2019 @ChristianHeimes 5 Dane

    Hillard https://twitter.com/easyaspython/status/1096749245275820037
  5. First steps into security engineering, PyCaribbean 2019 @ChristianHeimes 7 This

    talk is • opinionated • subjective • biased • incomplete • edutainment Disclaimer
  6. First steps into security engineering, PyCaribbean 2019 @ChristianHeimes 16 Attackers

    just need one vulnerability, defenders need to be perfect.
  7. First steps into security engineering, PyCaribbean 2019 @ChristianHeimes 17 Users

    don't care about security. They are ignorant, disregardful, and responsible for security incidents.
  8. First steps into security engineering, PyCaribbean 2019 @ChristianHeimes 23 “Our

    cars are less likely to explode than competing products.”
  9. First steps into security engineering, PyCaribbean 2019 @ChristianHeimes 28 Alex

    Gaynor The worst truism in information security Attackers just need one vulnerability, defenders need to be perfect https://alexgaynor.net/2018/jul/20/worst-truism-in-infosec/
  10. First steps into security engineering, PyCaribbean 2019 @ChristianHeimes 32 Threat

    Model: biometrics The Photographer [CC BY-SA 3.0 (https://creativecommons.org/licenses/by-sa/3.0) or GFDL (http://www.gnu.org/copyleft/fdl.html)], from Wikimedia Commons
  11. First steps into security engineering, PyCaribbean 2019 @ChristianHeimes 39 Amazon

    Says One Engineer's Simple Mistake Brought the Internet Down 2017-02-28
  12. First steps into security engineering, PyCaribbean 2019 @ChristianHeimes 41 Arz

    [CC BY-SA 3.0 (http://creativecommons.org/licenses/by-sa/3.0/)], from Wikimedia Commons
  13. First steps into security engineering, PyCaribbean 2019 @ChristianHeimes 42 So

    Long, And No Thanks for the Externalities: The Rational Rejection of Security Advice by Users Cormac Herley, Microsoft Research
  14. First steps into security engineering, PyCaribbean 2019 @ChristianHeimes 43 Human

    factor • Social engineering • CEO scam: Ubiquiti Networks victim of $39 million https://www.csoonline.com/article/2961066/supply-chain-security/ubiquiti-networks-victim-of-39-million-social- engineering-attack.html • Password in exchange for chocolate (up to 47.9%) Université du Luxembourg, Computers in Human Behavior, 2016; 61: 372 DOI: 10.1016/j.chb.2016.03.026 • dissatisfied employees • ignorant management
  15. First steps into security engineering, PyCaribbean 2019 @ChristianHeimes 46 User

    Interface Lion Air Flight 610: Pilots fought automatic safety system before plane plunged
  16. First steps into security engineering, PyCaribbean 2019 @ChristianHeimes 54 Hardware

    security RSA Key Extraction via Acoustic Cryptanalysis https://www.tau.ac.il/~tromer/acoustic/
  17. First steps into security engineering, PyCaribbean 2019 @ChristianHeimes 55 Physical

    security against intru-deers https://twitter.com/DCFurs/status/1087663240421593089
  18. First steps into security engineering, PyCaribbean 2019 @ChristianHeimes 61 Stop

    reading, start doing! Parisa Tabriz So, you want to work in security? https://medium.freecodecamp.org/so-you-want-to-work-in-security-bc6c10157d23
  19. First steps into security engineering, PyCaribbean 2019 @ChristianHeimes 64 “Soft”

    skills • team work / team diversity • locate and evaluate information • law / legal affairs • business • ethics & compliance • rhetoric • read and write documentation
  20. First steps into security engineering, PyCaribbean 2019 @ChristianHeimes 65 Social

    Engineering • The Social Engineering Framework https://www.social-engineer.org/framework/ • Social Engineering, The Art of Human Hacking Christopher Hadnagy (2010) • The Art Of Deception Kevin D. Mitnick (2003)
  21. First steps into security engineering, PyCaribbean 2019 @ChristianHeimes 67 Digital

    self-defense • secure your hardware • disk encryption • privacy • ad-blocker • email provider • good passwords / 2FA • update, update, update! https://freedom.press/training/
  22. First steps into security engineering, PyCaribbean 2019 @ChristianHeimes 68 Operating

    Systems • man pages • Advanced Programming in the UNIX Environment Stevens / Rago (2013)
  23. First steps into security engineering, PyCaribbean 2019 @ChristianHeimes 69 Computer

    networks and system tools • IPv4, IPv6, routing, TCP, UDP, DNS, firewall • auditing, logging • SELinux • analysis and pentesting tools • wireshark • nmap • metasploit • IDA Interactive Disassembler
  24. First steps into security engineering, PyCaribbean 2019 @ChristianHeimes 71 General

    Resource • OWASP: Open Web Application Security Project • CWE: Common Weakness Enumeration • CVE: Common Vulnerabilities and Exposures • IETF RFCs
  25. First steps into security engineering, PyCaribbean 2019 @ChristianHeimes 72 Top

    10 bugs • injection attacks (SQL, LDAP, JSON, XQuery, XPath, ...) • broken authentication and access control • Cross-Site scripting (XSS) • XML entities • Insecure Deserialization (images, docs, ASN.1)
  26. First steps into security engineering, PyCaribbean 2019 @ChristianHeimes 73 Unicode

    >>> import unicodedata # homograph / homoglyphic confusion attack >>> unicodedata.name('Руthοn'[0]) CYRILLIC CAPITAL LETTER ER # persistent XSS with wide unicode normalization >>> wide = ' < script > ' >>> safe = wide.replace('<', '&lt;') # quote >>> unicodedata.name(safe[0]) 'FULLWIDTH LESS-THAN SIGN' >>> unicodedata.normalize('NFKD', safe) '<script>' >>> import unicodedata # homograph / homoglyphic confusion attack >>> unicodedata.name('Руthοn'[0]) CYRILLIC CAPITAL LETTER ER # persistent XSS with wide unicode normalization >>> wide = ' < script > ' >>> safe = wide.replace('<', '&lt;') # quote >>> unicodedata.name(safe[0]) 'FULLWIDTH LESS-THAN SIGN' >>> unicodedata.normalize('NFKD', safe) '<script>'
  27. First steps into security engineering, PyCaribbean 2019 @ChristianHeimes 74 Programming

    languages • C • Assembly • eBPF, BPF • Go • Java • JavaScript • Python • Rust
  28. First steps into security engineering, PyCaribbean 2019 @ChristianHeimes 76 Cryptography

    • The Code Book, Simon Singh • Cryptography Engineering, Ferguson/Schneier/Tadayashi • Serious Cryptography, JP Aumasson
  29. First steps into security engineering, PyCaribbean 2019 @ChristianHeimes 77 Cryptography

    free online resources • Cryptography I, Dan Boneh https://www.coursera.org/learn/crypto • The cryptopals crypto challenges https://cryptopals.com/ • Crypto 101, LvH, https://www.crypto101.io/ • Mathematics of Public Key Cryptography, Steven Galbraith (2012)
  30. First steps into security engineering, PyCaribbean 2019 @ChristianHeimes 78 TLS/SSL,

    Certificates • Bulletproof SSL and TLS, Ivan Ristic • CA/Browser Forum Baseline Requirements https://cabforum.org/ • Mozilla Server Side TLS https://wiki.mozilla.org/Security/Server_Side_TLS
  31. First steps into security engineering, PyCaribbean 2019 @ChristianHeimes 79 Passwords

    / Authentication • NIST 800-63-3: Digital Identity Guidelines • OAuth, OpenID Connect • 2FA (FIDO, WebAuthn) • Troy Hunt, https://haveibeenpwned.com/
  32. First steps into security engineering, PyCaribbean 2019 @ChristianHeimes 81 News,

    blogs • Linux Weekly News https://lwn.net/ • Troy Hunt https://www.troyhunt.com/ • Krebs on Security https://krebsonsecurity.com/ • Bruce Schneier https://www.schneier.com/ • https://www.feistyduck.com/bulletproof-tls-newsletter/
  33. First steps into security engineering, PyCaribbean 2019 @ChristianHeimes 82 Conference

    videos • Chaos Communication Conference (e.g. 35C3) • Black Hat • DEFCON • Real World Crypto
  34. First steps into security engineering, PyCaribbean 2019 @ChristianHeimes 83 Security

    people • Adam Langley • Alex Gaynor • Brian Krebs (Krebs On Security) • Bruce Schneier • Dan Bernstein (djb) • Frank Denis • Hanno Böck • JP Aumasson • Katie Moussouris • Matt Blaze • Matthew Green • Nick Sullivan • Parisa Tabriz • Ryan Sleevi • Tanja Lange • Tavis Ormandy • Thomas Ptacek • Tony Arcieri • Troy Hunt
  35. First steps into security engineering, PyCaribbean 2019 @ChristianHeimes 85 Summary

    • Mind the user • Keep learning • Get experience Write your own crypto (don't use it in production) Please send your suggestions [email protected] / @ChristianHeimes