If security is hard, you are doing it wrong - Fabio Locati - Codemotion Amsterdam 2016


Transcript of If security is hard, you are doing it wrong - Fabio Locati - Codemotion Amsterdam 2016

Title

If security is hard,
you are doing it wrong

Fabio Alessandro Locati

AMSTERDAM 11-12 MAY 2016

Big corporations

Real Case - Situation

A subsidiary IT system is breached (5-10 June 2014)

The parent company commissions a security audit on the breached system (4 July)

The audit report comes back (13 August):

It identifies an SQL injection bug in the application as the only cause of the attack

It suggests a few software updates

The parent company imposes the updates on all subsidiaries (15 August)

Real Case - Corrective actions

Update OpenSSL to 1.0.1g+ due to CVE 2014-0160 (Heartbleed)

Update PHP to 5.5.12+ due to CVE 2014-0185 (privilege escalation)

Update the Kernel to 3.13.6+ due to CVEs 2014-2523 & 2014-0100 (DoS)

We had OpenSSL 1.0.1e-16.15.el6, the bug was fixed in 1.0.1e-16.7.el6

We had PHP 5.3.3-37.el6, the bug was only present on 5.5+

We had the Kernel 2.6.32-497.el6, the bug was fixed in 2.6.32-279.el6
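The three mismatches above all have the same root cause: the audit compared upstream version numbers, while RHEL/CentOS ship backported fixes under the old upstream version and bump only the package release. The following is an added example, not from the talk, that compares package versions with RPM's segment-by-segment rules (simplified: tilde/caret ordering is omitted) and runs both the audit's naive upstream check and a backport-aware check over the talk's three packages. The package inventory and the PHP "affected from 5.5.0" boundary are constructed from the figures on the slides.

```python
import re
from typing import Dict, Optional, Tuple

_SEG = re.compile(r"\d+|[A-Za-z]+")


def rpmvercmp(a: str, b: str) -> int:
    """Compare two version or release strings the way rpm does (simplified:
    tilde/caret handling omitted). Returns -1, 0 or 1."""
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return -1 if int(x) < int(y) else 1
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1  # a numeric segment beats an alpha one
        elif x != y:
            return -1 if x < y else 1
    # All shared segments equal: the string with segments left over is newer.
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


def split_evr(evr: str) -> Tuple[str, str]:
    """'1.0.1e-16.15.el6' -> ('1.0.1e', '16.15.el6'); no release -> ''."""
    version, _, release = evr.partition("-")
    return version, release


def evrcmp(a: str, b: str) -> int:
    """Compare version first, then release (epochs are not used here)."""
    va, ra = split_evr(a)
    vb, rb = split_evr(b)
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)


# Constructed from the slide: what was installed on the el6 hosts ...
INSTALLED: Dict[str, str] = {
    "openssl": "1.0.1e-16.15.el6",
    "php": "5.3.3-37.el6",
    "kernel": "2.6.32-497.el6",
}
# ... what the audit asked for (upstream versions) ...
AUDIT_UPSTREAM_FIX: Dict[str, str] = {"openssl": "1.0.1g", "php": "5.5.12", "kernel": "3.13.6"}
# ... and what the distribution actually shipped the fix in. The PHP bug only
# exists from 5.5.0 on, so a lower version is simply not affected.
ADVISORY: Dict[str, Dict[str, Optional[str]]] = {
    "openssl": {"affected_from": None, "fixed": "1.0.1e-16.7.el6"},
    "kernel": {"affected_from": None, "fixed": "2.6.32-279.el6"},
    "php": {"affected_from": "5.5.0", "fixed": "5.5.12"},
}


def naive_upstream_check(pkg: str) -> str:
    """What the audit effectively did: compare the upstream version number only."""
    installed_version, _ = split_evr(INSTALLED[pkg])
    if rpmvercmp(installed_version, AUDIT_UPSTREAM_FIX[pkg]) < 0:
        return "vulnerable"
    return "fixed"


def backport_aware_check(pkg: str) -> str:
    """Compare against the distribution build that carries the backported fix,
    and honour the first affected version where the advisory gives one."""
    installed = INSTALLED[pkg]
    entry = ADVISORY[pkg]
    version, _ = split_evr(installed)
    if entry["affected_from"] and rpmvercmp(version, entry["affected_from"]) < 0:
        return "not affected"
    if evrcmp(installed, entry["fixed"]) >= 0:
        return "fixed"
    return "vulnerable"


if __name__ == "__main__":
    for pkg in INSTALLED:
        print(f"{pkg:8} audit says {naive_upstream_check(pkg):11} "
              f"backport-aware says {backport_aware_check(pkg)}")
```

The naive check flags all three packages as vulnerable, which is exactly the audit report; the backport-aware check agrees with the talk's own findings. On a real host the same comparison is what `rpm -q --changelog` and the vendor's CVE pages give you, and it is the check to automate before pushing vendor-unsupported upstream upgrades to every subsidiary.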

Real Case - Considerations

Pointless to close the stable door after the horse has bolted

Security is a word, but its meaning is a whole world

Ask yourself what you are trying to achieve

Ask yourself the value of what you are protecting (for you and for others)

No money can buy a secure system

There is no silver bullet in security

Built in vs Bolt on

Real Case - Situation

SaaS company

50+ AWS EC2-Classic instances

Partner asks PCI-DSS compliance within 3 months

Real Case - Solution

Lock down all servers

Creation of procedures for updates of the SaaS platform that included:

Regression tests

Security tests

PCI-DSS certification

Real Case - Problems

Not able to perform ordinary maintenance

No automated tests were ready when they reached PCI-DSS compliance

Average problem-solving time from 30 minutes to 8 hours (1600%)

Average time between releases from 2 days to 4.5 weeks (1575%)

Real Case - Considerations

Always think about security before you start your next project

Do not drop security into existing software/infrastructure as an afterthought

Do not rush to add security

Use a configuration management system

Design infrastructures that are safe(r) from the ground up

Trust but check

Real Case - Code

    # Flask login view as shown in the talk. `app`, `LoginForm`, `User` and
    # `bcrypt` (Flask-Bcrypt) are assumed to be defined elsewhere in the app.
    from flask import render_template

    @app.route("/login", methods=["GET", "POST"])
    def login():
        form = LoginForm()
        if form.validate_on_submit():
            user = User.query.get(form.email.data)
            if user:
                # the submitted password is verified against the stored bcrypt hash
                if bcrypt.check_password_hash(user.password, form.password.data):
                    user.authenticated = True
        return render_template("login.html", form=form)

Real Case - Problem if form.validate_on_submit(): user = User.query.get(form.email.data) if user:- if bcrypt.check_password_hash(user.password, form.password.data):+ # if bcrypt.check_password_hash(user.password, form.password.data): user.authenticated = True return render_template("login.html", form=form)
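Review bot: commenting out the `bcrypt.check_password_hash(user.password, form.password.data)` line (the `+` line of the hunk) removes the only password verification in the view, so `user.authenticated = True` is now reached for every submitted email that exists in the User table. Restore the check, and add a regression test asserting that a wrong password does not authenticate, so that a change like this fails the pipeline instead of reaching production.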

Real Case - Considerations

Use a version control system

Implement a code-review system

Implement an auto-deployment pipeline

Put lots of tests in the pipeline
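The kind of test that belongs in that pipeline, as an added example that is not part of the talk: a faithful model of the login view above, the same view with the check commented out as in the diff, and a small regression suite that gates deployment on all four login invariants. Flask and Flask-Bcrypt are not required; the password hash is PBKDF2-HMAC-SHA256 from the standard library standing in for bcrypt, and the single user record is constructed.

```python
import hashlib
import hmac
import os
from typing import Callable, Dict, Optional

_ITERATIONS = 100_000  # stand-in work factor; bcrypt's cost parameter plays this role


def hash_password(password: str, salt: Optional[bytes] = None) -> bytes:
    """Salted PBKDF2 hash, stored as salt || digest (stand-in for bcrypt)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _ITERATIONS)
    return salt + digest


def check_password_hash(stored: bytes, password: str) -> bool:
    """Recompute the digest and compare in constant time."""
    salt, digest = stored[:16], stored[16:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _ITERATIONS)
    return hmac.compare_digest(candidate, digest)


# Constructed stand-in for the talk's User table: email -> password hash.
USERS: Dict[str, bytes] = {"alice@example.com": hash_password("correct horse")}


def login(email: str, password: str) -> bool:
    """Mirror of the slide's view: authenticated only if the user exists
    and the submitted password matches the stored hash."""
    stored = USERS.get(email)
    if stored is None:
        return False
    return check_password_hash(stored, password)


def login_broken(email: str, password: str) -> bool:
    """The same view after the diff on the 'Problem' slide: any known
    email authenticates regardless of password."""
    stored = USERS.get(email)
    if stored is None:
        return False
    # if check_password_hash(stored, password):
    return True


def login_regression_tests(login_fn: Callable[[str, str], bool]) -> Dict[str, bool]:
    """The invariants a deployment pipeline should check on the login view.
    Returns each test's pass/fail so the caller can report and gate on it."""
    return {
        "unknown user rejected": login_fn("nobody@example.com", "correct horse") is False,
        "wrong password rejected": login_fn("alice@example.com", "wrong") is False,
        "empty password rejected": login_fn("alice@example.com", "") is False,
        "right password accepted": login_fn("alice@example.com", "correct horse") is True,
    }


def pipeline_gate(login_fn: Callable[[str, str], bool]) -> bool:
    """True only if every invariant holds: the deploy step should be conditional on this."""
    return all(login_regression_tests(login_fn).values())


if __name__ == "__main__":
    for name, fn in (("as written", login), ("after the diff", login_broken)):
        print(f"login {name}: gate={'pass' if pipeline_gate(fn) else 'FAIL'}",
              login_regression_tests(fn))
```

The broken view still passes the "right password accepted" test, which is why a pipeline that only exercises the happy path would have shipped the diff; the negative cases are the ones that catch it.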

Containers

Real Case - Situation

January 2015: the company X has deployed Docker in production

February 2016: all applications use Docker (total: 327 different images)

1 March 2016: OpenSSL releases 1.0.1s containing:

1 high security fix

5 low security fixes

OpenSSL communicates that 1.0.1r (released on 28 January 2016) also contained:

1 high security fix

1 moderate security fix

Real Case - Situation

Operating Systems:

62 RHEL 7

53 CentOS 6

47 CentOS 7

44 RHEL 6

24 Ubuntu 15.10

21 Ubuntu 14.04

19 Debian 8

14 Fedora 22

11 BusyBox 1.23

11 Ubuntu 15.04

9 Busybox 1.24

8 Fedora 23

4 Debian 7

Real Case - Considerations

Limit the number of images you base your systems on

Only take future-proof images from trusted sources

Keep track of what you deployed

Don't forget the underlying infrastructure

Containers do not contain (Dan Walsh)
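"Keep track of what you deployed" only pays off when the record can answer the question an advisory raises: which images ship the affected package, on how many distinct bases, and which were built before the fix existed. The following is an added example, not from the talk, that runs those queries over a constructed seven-image inventory (the image names, base images, build dates and package lists are all made up to mirror the situation on the slides) and enforces an allowed-bases policy for the "limit the number of images" point.

```python
from collections import Counter
from datetime import date
from typing import Dict, List, Set, Tuple

# Constructed inventory: for each image, the base OS it was built from, when
# it was last built, and the packages it ships (normally recorded at build
# time, e.g. from the image's package database).
INVENTORY = [
    {"image": "api-gateway:2.3", "base": "RHEL 7", "built": date(2016, 2, 10), "packages": {"openssl", "nginx"}},
    {"image": "billing:1.9", "base": "CentOS 6", "built": date(2015, 11, 3), "packages": {"openssl", "php"}},
    {"image": "scheduler:0.4", "base": "Ubuntu 14.04", "built": date(2016, 2, 20), "packages": {"python3"}},
    {"image": "mailer:5.1", "base": "Debian 8", "built": date(2016, 3, 2), "packages": {"openssl", "postfix"}},
    {"image": "cache:3.0", "base": "BusyBox 1.23", "built": date(2016, 1, 15), "packages": {"busybox"}},
    {"image": "reports:1.2", "base": "CentOS 6", "built": date(2016, 2, 28), "packages": {"openssl", "php"}},
    {"image": "legacy-admin:0.9", "base": "Debian 7", "built": date(2015, 6, 30), "packages": {"openssl", "apache2"}},
]


def base_distribution(inventory) -> List[Tuple[str, int]]:
    """Image count per base OS, most common first (the table on the slide)."""
    return Counter(img["base"] for img in inventory).most_common()


def rebuild_plan(inventory, package: str) -> Dict[str, List[str]]:
    """Images that ship `package`, grouped by base OS. Each key is one base
    image to refresh; each value is the list of dependent images to rebuild
    from it afterwards."""
    plan: Dict[str, List[str]] = {}
    for img in inventory:
        if package in img["packages"]:
            plan.setdefault(img["base"], []).append(img["image"])
    return plan


def stale_images(inventory, package: str, fixed_on: date) -> List[str]:
    """Images that ship `package` and were built before the fix was released,
    so they cannot contain it whatever their base image says today."""
    return sorted(img["image"] for img in inventory
                  if package in img["packages"] and img["built"] < fixed_on)


def policy_violations(inventory, allowed_bases: Set[str]) -> List[str]:
    """Images built on a base outside the approved, trusted set."""
    return sorted(img["image"] for img in inventory if img["base"] not in allowed_bases)


if __name__ == "__main__":
    # 1 March 2016 is the OpenSSL 1.0.1s release date from the slide; the
    # distribution's own fix date may differ and is what you would use in practice.
    print("bases:", base_distribution(INVENTORY))
    print("rebuild plan:", rebuild_plan(INVENTORY, "openssl"))
    print("stale:", stale_images(INVENTORY, "openssl", date(2016, 3, 1)))
    print("off-policy:", policy_violations(INVENTORY, {"RHEL 7", "CentOS 7", "Ubuntu 14.04"}))
```

The number of keys in the rebuild plan is the cost the talk is warning about: with 13 base operating systems, every OpenSSL advisory means 13 base rebuilds before a single application image can be refreshed.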

People

Real Case - Considerations

People are unreliable

Asking more means obtaining less

People will always* try to take shortcuts

People are cheap

People are curious

Final considerations

Security is a mindset

Security is a word, but its meaning is a whole world (CIA model)

Pointless to close the stable door after the horse has bolted

Think about security before you start your next project

Keep your environments clean

Don't forget the underlying infrastructure

People are often the weakest link of the chain

Thanks!

Fabio Alessandro Locati

Mail: [email protected] key: 0xB2DC9C1B

All pictures belong to their respective authors

AMSTERDAM 9-12 MAY 2016