barbus & barbares finistjug
francois-le-droff
Category: Technology
Transcript of barbus & barbares finistjug
Slide 1
Barbus & Barbares
Slide 2
@rpelisse, Romain

Slide 3
@francoisledroff, François
Slide 4
A security audit?
• Audit

Slide 5
No
• Audit?
Slide 6
Security is you
SEC-UR-IT-Y
Slide 7
Which threats? Threat Modeling

Slide 8
Identifying threats
STRIDE
• Spoofing Identity
• Tampering with Data
• Repudiation
• Information Disclosure
• Denial of Service
• Elevation of Privilege

Slide 9
Prioritising threats
DREAD
• Damage Potential
• Reproducibility
• Exploitability
• Affected Users
• Discoverability
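The DREAD criteria only help once each threat gets a number and the list is sorted. The Ruby below is an added example, not code from the talk: it rates each threat on the five criteria (1 to 10 each, averaged), rejects malformed ratings, and ranks a few constructed threats for a jHipster-style web application. The threats, their ratings and the banding thresholds are assumptions of the example.

```ruby
# Added example: DREAD scoring and ranking of threats found with STRIDE.
# Each criterion is rated 1..10; the risk score is the mean of the five.
DREAD_CRITERIA = %i[damage reproducibility exploitability affected_users discoverability].freeze

# Compute the DREAD score for one threat. A missing or out-of-range rating
# raises rather than silently lowering the score.
def dread_score(ratings)
  missing = DREAD_CRITERIA - ratings.keys
  raise ArgumentError, "missing criteria: #{missing.join(', ')}" unless missing.empty?
  DREAD_CRITERIA.each do |c|
    v = ratings[c]
    raise ArgumentError, "#{c} must be an Integer in 1..10" unless v.is_a?(Integer) && (1..10).cover?(v)
  end
  DREAD_CRITERIA.sum { |c| ratings[c] }.fdiv(DREAD_CRITERIA.size).round(1)
end

# Bucket a score for the backlog; the thresholds are an assumption of this example.
def dread_band(score)
  case score
  when 8..10 then :critical
  when 6...8 then :high
  when 4...6 then :medium
  else :low
  end
end

# Return the threats decorated with score and band, highest risk first.
def prioritise(threats)
  threats.map { |t| t.merge(score: dread_score(t[:dread])) }
         .sort_by { |t| -t[:score] }
         .map { |t| t.merge(band: dread_band(t[:score])) }
end

# Constructed sample threats for a jHipster-style web app (not findings from the talk).
SAMPLE_THREATS = [
  { name: 'Session cookie replay (Spoofing)',
    dread: { damage: 8, reproducibility: 9, exploitability: 7, affected_users: 8, discoverability: 6 } },
  { name: 'Stack trace leaked in error page (Information Disclosure)',
    dread: { damage: 4, reproducibility: 10, exploitability: 9, affected_users: 3, discoverability: 10 } },
  { name: 'No audit trail for admin actions (Repudiation)',
    dread: { damage: 5, reproducibility: 6, exploitability: 3, affected_users: 2, discoverability: 2 } }
].freeze

if __FILE__ == $PROGRAM_NAME
  prioritise(SAMPLE_THREATS).each do |t|
    puts format('%-8s %4.1f  %s', t[:band], t[:score], t[:name])
  end
end
```

The averaging keeps the classic scale; teams that prefer Microsoft's later 0/5/10 variant only need to change the validation range and the bands.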
Slide 10
Our case study

Slide 11
jHipster
https://jhipster.github.io/

Slide 12
Yo jHipster
Slide 13
Spring Security
• Various auth support
  – OAuth1 & OAuth 2
  – SAML
  – Kerberos
  – etc.
• Role
• HSTS
• X-Frame-Options / XSS
• CSRF Protection
• Security Auditor
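HSTS, X-Frame-Options and CSRF protection only count if the responses actually carry them, so a check of what the server sends back is a useful regression test after every configuration change. The Ruby below is an added example, not jHipster or Spring Security code: it audits a captured set of response headers for the protections the slide lists. The constructed header sets, the six-month HSTS baseline and the CSRF-TOKEN cookie name are assumptions of the example.

```ruby
# Added example: audit a captured HTTP response for the protections the slide lists.
MIN_HSTS_MAX_AGE = 180 * 24 * 3600 # six months in seconds (baseline chosen for this example)

# Lower-case header names and keep every value as an array, because
# Set-Cookie legitimately appears several times in one response.
def normalise(headers)
  headers.each_with_object(Hash.new { |h, k| h[k] = [] }) do |(name, value), out|
    out[name.to_s.downcase].concat(Array(value).map(&:to_s))
  end
end

# Return the list of findings; an empty array means every check passed.
def audit_headers(headers, csrf_cookie_name: 'CSRF-TOKEN')
  h = normalise(headers)
  findings = []

  hsts = h['strict-transport-security'].first
  if hsts.nil?
    findings << 'HSTS header missing'
  else
    max_age = hsts[/max-age=(\d+)/i, 1].to_i
    findings << "HSTS max-age too short (#{max_age}s)" if max_age < MIN_HSTS_MAX_AGE
    findings << 'HSTS without includeSubDomains' unless hsts.match?(/includeSubDomains/i)
  end

  xfo = h['x-frame-options'].first
  unless xfo && %w[DENY SAMEORIGIN].include?(xfo.upcase)
    findings << "X-Frame-Options missing or permissive (#{xfo.inspect})"
  end

  unless h['x-content-type-options'].first.to_s.casecmp('nosniff').zero?
    findings << 'X-Content-Type-Options: nosniff missing'
  end

  # CSRF: the double-submit cookie must reach the browser, and only over HTTPS.
  csrf = h['set-cookie'].find { |c| c.start_with?("#{csrf_cookie_name}=") }
  if csrf.nil?
    findings << "CSRF token cookie #{csrf_cookie_name} not set"
  else
    findings << 'CSRF cookie lacks Secure flag' unless csrf.match?(/;\s*Secure\b/i)
  end

  findings
end

# Constructed responses: one hardened, one as a default server might answer.
HARDENED_RESPONSE = {
  'Strict-Transport-Security' => 'max-age=31536000; includeSubDomains',
  'X-Frame-Options' => 'DENY',
  'X-Content-Type-Options' => 'nosniff',
  'Set-Cookie' => ['JSESSIONID=constructed; Path=/; HttpOnly; Secure',
                   'CSRF-TOKEN=constructed; Path=/; Secure']
}.freeze

WEAK_RESPONSE = {
  'X-Frame-Options' => 'ALLOWALL',
  'Set-Cookie' => 'CSRF-TOKEN=constructed; Path=/'
}.freeze

if __FILE__ == $PROGRAM_NAME
  { hardened: HARDENED_RESPONSE, weak: WEAK_RESPONSE }.each do |label, resp|
    puts "#{label}: #{audit_headers(resp).inspect}"
  end
end
```

Feed it the headers from a real response (for example the hash returned by Net::HTTP's response.to_hash, which already keeps repeated headers as arrays) and fail the build when the array is not empty.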
Slide 14
On the intranet

Slide 15
On the intranet
"The only secure computer is one with no power, locked in a room, with no user."
http://www.arnoldit.com/articles/10intranetSecAug2002.htm
Slide 16
Firewall
A city wall? The Maginot Line?

Slide 17
Reverse Proxy
The big clean-up
Slide 18
Our data

Slide 19
Our data?
• PII
• Internal
• Confidential
• Restricted
All that is left is to encrypt
Slide 20
Encrypting the front end
HTTPS & SSL are good... but
• the keys
  – must be
    • protected
    • long
  – can be
    • broken
    • stolen
• choose your algorithms
  – Heard of POODLE?
• the clients
  – trustworthy?
Slide 21
Encrypting the back end
• Securing Mongo
  – Authentication
  – Role Based Access Control
    • https://github.com/jhipster/generator-jhipster/issues/733
  – Audit
• SSL with Mongo
Slide 22
Encryption at rest
Encrypt
• at the application level
• at the storage level

Slide 23 (image only)

Slide 24
Auth: Authentication & Authorisation
Slide 25 (image only)

Slide 26
Your password?
http://xkcd.com/936/
Slide 27
https://twitter.com/francoisledroff/status/643365403545219072

Slide 28
1 password?

Slide 29
156 passwords?

Slide 30
1 dog?

Slide 31
Secrets?
Slide 32
100%
100% of attacks in 2014 involve stolen passwords
http://www.idtheftcenter.org/
Our goal:
• Be only a service provider
• Identify a trusted identity provider
• Interface with it
Slide 33
1 IDP?

Slide 34
SAML
• SAML
  – a standard
  • browser SSO
  • http://www.ssocircle.com
  • Just a standard

Slide 35
SAML

Slide 36
SAML & JHipster
• Supported in Spring Security
• No support in JHipster
  – #695
  – François, when is the PR coming?
Slide 37
Click?

Slides 38-41 (images only)

Slide 42
http://www.wired.com/2012/08/apple-amazon-mat-honan-hacking/

Slide 43 (image only)

Slide 44
2FA
twofactorauth.org
Slide 45
SAML2 + OAuth2
• SAML v2
  • enterprise SSO
• OAuth v2
  • Authorise access to data, to an API
  • Establish a chain of trust between an app and a service provider
Slide 46 (image only)

Slide 47
Other options
• OAuth 1.0
• Kerberos
• Radius
• X509 auth
• Combinations of the above
  – including SAML & OAuth 2.0
Slide 48 (image only)

Slide 49
Continuous Integration & Secrets Management
Slide 50
Segregation of secrets?
https://github.com/francoisledroff/devoxx2015/search?utf8=%E2%9C%93&q=secret
https://www.google.ie/search?q=%22.git%22+intitle:%22Index+of%22&gws_rd=cr,ssl&ei=hTMRVfHtONbXapDogrgG

Slide 51
Segregation of secrets?
https://twitter.com/capotribu/status/550079317368381441
http://www.devfactor.net/2014/12/30/2375-amazon-mistake/
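The two links above are about secrets that reached a repository, which is exactly what a scan at commit time is meant to catch before push. The Ruby below is an added example, not the talk's or any project's code: it checks a constructed properties file for well-known key formats and for assignments to password/secret/token-like names whose value has high Shannon entropy, and reports each hit redacted. The sample file, the key-format regexes and the entropy threshold are assumptions of the example; the AWS key id is a made-up value in the public AKIA format.

```ruby
# Added example: commit-time scan for secrets in a constructed properties file.
ENTROPY_THRESHOLD = 3.5 # bits per character; chosen by hand for this example

# Formats that are secrets by construction, whatever their entropy.
KNOWN_PATTERNS = {
  'AWS access key id' => /\bAKIA[0-9A-Z]{16}\b/,
  'private key block' => /-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----/
}.freeze

# An assignment to a secret-looking name: password = ..., secret: '...', api_key=...
ASSIGNMENT = /(?:password|passwd|secret|token|api[_-]?key)\s*[:=]\s*["']?([^\s"',;]{8,})/i

# Shannon entropy in bits per character; random keys score far higher than
# words or placeholders such as CHANGEME.
def shannon_entropy(str)
  return 0.0 if str.empty?
  freq = str.each_char.group_by(&:itself).transform_values(&:size)
  freq.values.sum do |n|
    p = n.fdiv(str.length)
    -p * Math.log2(p)
  end
end

# Never echo the full secret into a scan report.
def redact(value)
  value[0, 4] + '*' * [value.length - 4, 0].max
end

# Return one finding per hit: { line:, rule:, value: } plus :entropy for heuristics.
def scan(text)
  findings = []
  text.each_line.with_index(1) do |line, no|
    KNOWN_PATTERNS.each do |rule, re|
      next unless (m = line.match(re))
      findings << { line: no, rule: rule, value: redact(m[0]) }
    end
    next unless (m = line.match(ASSIGNMENT))
    entropy = shannon_entropy(m[1])
    next if entropy < ENTROPY_THRESHOLD
    findings << { line: no, rule: 'high-entropy secret assignment',
                  value: redact(m[1]), entropy: entropy.round(2) }
  end
  findings
end

# Constructed file; the AKIA value is made up in the public key-id format.
SAMPLE_FILE = <<~CONF
  # constructed application.properties that was committed by mistake
  db.host = mongo.internal
  aws.accessKeyId = AKIAEXAMPLEEXAMPLE12
  spring.datasource.password = CHANGEME
  app.secret_token = q9Zk3LmP7vX2sR8tB4nW6yH1
  log.level = INFO
  -----BEGIN RSA PRIVATE KEY-----
CONF

if __FILE__ == $PROGRAM_NAME
  scan(SAMPLE_FILE).each { |f| puts "line #{f[:line]}: #{f[:rule]} (#{f[:value]})" }
end
```

Note that the low-entropy placeholder on line 4 is deliberately not flagged by the heuristic rule; a policy that also forbids default passwords needs a separate word list.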
Slide 52
Secrets Management
https://twitter.com/jtimberman/status/568124542553423872
Slide 53
Chef-vault
(diagram: UX/Dev/QA/Ops workstations; dev, QA, stage and prod nodes each running chef-client; Chef-server; HTTPS with RSA private key auth on every link)
• Chef encrypted data bags
• Encrypted for
  • admin users
  • whitelisted nodes
• Managed by the chef-vault ruby gem
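Chef-vault's encrypted data bags rest on one pattern: the item is encrypted once with a random symmetric key, and that key is wrapped with the RSA public key of each admin user and whitelisted node, so only a listed private key can read the item. The Ruby below is an added example of that pattern built on the standard OpenSSL library; it is not chef-vault's own code and does not reproduce its on-disk format. The keys, client names, JSON layout and secret are generated or constructed in-process.

```ruby
require 'openssl'
require 'json'
require 'base64'

# Added example: envelope encryption behind a chef-vault style data bag item.
# (Not chef-vault's code; the JSON layout here is invented for the example.)
OAEP = OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING

# Encrypt +item+ (a Hash) for +recipients+, a Hash of client name to RSA
# public key. Returns a plain Hash that could be stored on the server.
def vault_encrypt(item, recipients)
  cipher = OpenSSL::Cipher.new('aes-256-gcm').encrypt
  key = cipher.random_key # fresh per item, never stored in clear
  iv = cipher.random_iv
  ciphertext = cipher.update(JSON.generate(item)) + cipher.final
  {
    'iv' => Base64.strict_encode64(iv),
    'tag' => Base64.strict_encode64(cipher.auth_tag),
    'data' => Base64.strict_encode64(ciphertext),
    # one wrapped copy of the AES key per whitelisted client
    'keys' => recipients.map { |name, pub| [name, Base64.strict_encode64(pub.public_encrypt(key, OAEP))] }.to_h
  }
end

# Decrypt as client +name+ holding +private_key+. A client missing from the
# whitelist raises KeyError; the wrong private key fails during RSA unwrap;
# a tampered item fails the GCM tag check.
def vault_decrypt(vault, name, private_key)
  wrapped = vault['keys'][name] or raise KeyError, "#{name} is not on the vault whitelist"
  key = private_key.private_decrypt(Base64.strict_decode64(wrapped), OAEP)
  d = OpenSSL::Cipher.new('aes-256-gcm').decrypt
  d.key = key
  d.iv = Base64.strict_decode64(vault['iv'])
  d.auth_tag = Base64.strict_decode64(vault['tag'])
  JSON.parse(d.update(Base64.strict_decode64(vault['data'])) + d.final)
end

# Constructed keys: an admin, a production node on the whitelist, and a dev
# node that is not.
ADMIN_KEY = OpenSSL::PKey::RSA.new(2048)
PROD_KEY = OpenSSL::PKey::RSA.new(2048)
DEV_KEY = OpenSSL::PKey::RSA.new(2048)

SAMPLE_VAULT = vault_encrypt(
  { 'id' => 'mongo', 'password' => 'constructed-db-password' },
  { 'admin' => ADMIN_KEY.public_key, 'prod-web-01' => PROD_KEY.public_key }
)

if __FILE__ == $PROGRAM_NAME
  puts vault_decrypt(SAMPLE_VAULT, 'prod-web-01', PROD_KEY).inspect
  begin
    vault_decrypt(SAMPLE_VAULT, 'dev-01', DEV_KEY)
  rescue KeyError => e
    puts "dev-01: #{e.message}"
  end
end
```

Removing a node from the whitelist means re-encrypting the item with a fresh symmetric key, otherwise a copy of the old wrapped key still opens it; that is the "rekey" step chef-vault performs when the search of allowed clients changes.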
Slide 54
Segregation of production
(diagram: Git; UX/Dev/QA/Ops workstations; dev, QA, stage and prod nodes each running chef-client; Chef-server split into a non-prod organization and a prod organization; HTTPS with RSA private key auth on every link; Chef-vault?)
• Segregation of production by organization
• Secure the Chef Server
• Elasticity https://wiki.jenkins-ci.org/display/JENKINS/chef-identity+plugin
Slide 55
Secured Jenkins
• Secure your Jenkins
  – SAML is also an option
• Cloudbees
• Automate
  – Short-lived
https://twitter.com/morlhon/status/554899543150850048
Slide 56
Secure dependency management
(diagram: workstation; Git and github; artifact repositories for webjar, rubygem, maven, npm, opscode and redhat packages; Chef-server and nodes; ssh and https links with RSA key auth)
Slide 57
And the Cloud?

Slides 58-61 (images only)
Prêt à te faire hacker?
![Page 63: barbus & barbares finistjug](https://reader031.fdocuments.net/reader031/viewer/2022030212/589e73671a28ab300b8b4e03/html5/thumbnails/63.jpg)
Allo les pompiers ?
![Page 64: barbus & barbares finistjug](https://reader031.fdocuments.net/reader031/viewer/2022030212/589e73671a28ab300b8b4e03/html5/thumbnails/64.jpg)
Y a la maison qui brûle
Détecteur de fumée –!HSM –!IDS
•! Porte coupe-feu –!SELinux –!SecurityManager
Slide 65
From DevOps to DevSec
Slide 66
What to remember

Slide 67
What to remember
• Security is you
• Think about it
• You are never safe
  – neither is your data
• Manage your secrets
• Move to strong authentication

Slide 68
What to remember
• User experience is no excuse for poor security
• Don't forget "the extension of the domain of the struggle"
• Treat your servers like cattle
• Be ready to fight the fire

Slide 69
@francoisledroff @rpelisse
Questions? Really? It was clear, wasn't it?