Securing your Rails application
Transcript of Securing your Rails application
Page 1
Copyright (c) 2011, FireEye, Inc. All rights reserved. | CONFIDENTIAL ‹#›
Securing Your Rails Application
Christophe Lucas Mandiant, a FireEye Company
Page 2
Heartbleed
Page 3
OpenSSL CVE-2014-0160 vulnerability
• Allows attacker to read unencrypted traffic
• Steal keys, usernames, passwords
• Programming mistake
Page 4
New OpenSSL release to fix 6 bugs
• SSL/TLS MITM vulnerability (CVE-2014-0224)
• DTLS recursion flaw (CVE-2014-0221)
• DTLS invalid fragment vulnerability (CVE-2014-0195)
• SSL_MODE_RELEASE_BUFFERS NULL pointer dereference (CVE-2014-0198)
• SSL_MODE_RELEASE_BUFFERS session injection or denial of service (CVE-2010-5298)
• Anonymous ECDH denial of service (CVE-2014-3470)
Page 5
OpenSSL?
• Open source implementation of the SSL/TLS protocols, written in C
• SSL: Secure Sockets Layer
• TLS: Transport Layer Security
• The 'S' in HTTPS
Page 6
Transport Layer Security
• developed by Netscape
• 1995: SSL 2.0
• 1996: SSL 3.0
• 1999: TLS 1.0, RFC 2246
• 2006: TLS 1.1, RFC 4346
• 2008: TLS 1.2, RFC 5246
Page 7
TLS handshake
Client → Server: Client Hello (TLS version, cypher)
Server → Client: Server Hello (TLS version, cypher), public key and certificate
Client: validate certificate
Client → Server: Client Finished (encrypted with PK)
Server → Client: Server Finished (encrypted)
Both sides: TLS Record Protocol
Page 8
HTTP Secure
Page 9
How is my SSL?
• https://www.howsmyssl.com
• Version
• Ephemeral key support
• Session ticket support
• TLS compression
• Cypher suites
Page 10
Secure Hash Algorithm
• 1993 SHA-0
• 1995 SHA-1, published by
• 2001 SHA-2, published by
• 2014 SHA-3 (Draft), published by
Page 11
Use SSL/TLS
Credits: http://www.nsa.gov
Page 12
Being Boring: A Survival Guide to Ruby Cryptography
Crypto API built on "a bunch of crazy code written by amateurs" (Ruby OpenSSL): not boring
Credits: Tony Arcieri - Rubyconf 2013
Page 13
Being Boring: A Survival Guide to Ruby Cryptography
Crypto API built on a crypto library written by cryptographers: boring
Credits: Tony Arcieri - Rubyconf 2013
Page 14
OpenSSL → Ruby NaCl
https://github.com/cryptosphere/rbnacl
Page 15
Vulnerabilities
• Transport
• Rendering
=> secure the HTTP headers
Page 16
Secure session
• config/environments/production.rb:
    config.force_ssl = true
• Only send the session cookie over a secure connection
• Adds the Secure attribute to Set-Cookie
Page 17
Request - Response
Browser → http:// → (redirect) → https://
Pages 18-21: Request - Response (the same diagram repeated)
Page 22
Session Hijacking (MITM)
Browser → http:// → https://, with an Attacker positioned in the middle
Pages 23-24: Session Hijacking (the same diagram repeated)
Page 25
Prevent Attack
• Use HTTP Strict Transport Security (HSTS)
• Ensure that the browser only visits the HTTPS version of the website:
    Strict-Transport-Security: max-age=15768000; includeSubDomains
• No more redirect, eliminates the first insecure roundtrip
Page 26
Transport
• TLS: Transport Layer Security
• Secure Cookies
• HSTS: HTTP Strict Transport Security
Page 27
Protect Cookie
Set-Cookie: the_secure_cookie; Secure
<script>alert(document.cookie);</script>
HTTP only:
Set-Cookie: the_cookie; Secure; HttpOnly
Session cookies are HttpOnly by default
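The three transport slides (force_ssl, HSTS and the Secure/HttpOnly cookie attributes) all come down to what the server puts in its response headers, so a defender can check them directly. The following is an added example, not code from the slides or from Rails: plain Ruby that parses the Set-Cookie and Strict-Transport-Security headers of a constructed response and lists what is missing. The MIN_HSTS_MAX_AGE threshold, the sample responses and the function names are assumptions made for the example.

```ruby
# Added example (not from the slides): audit the transport-related response
# headers the deck recommends: the Secure/HttpOnly cookie attributes and a
# Strict-Transport-Security header with a long max-age and includeSubDomains.
# Plain Ruby, no Rails or Rack needed; the responses below are constructed.

# Minimum max-age the audit accepts, in seconds (assumption: the deck's
# 15768000 is roughly six months, so we require at least that).
MIN_HSTS_MAX_AGE = 15_768_000

# Parse one Set-Cookie header value into its name and the attribute flags.
# Example: "session=abc; Secure; HttpOnly; Path=/"
def parse_set_cookie(value)
  parts = value.split(";").map(&:strip)
  name = parts.shift.split("=", 2).first
  attrs = parts.map { |p| p.split("=", 2).first.downcase }
  { name: name, secure: attrs.include?("secure"), httponly: attrs.include?("httponly") }
end

# Parse Strict-Transport-Security into { max_age:, include_subdomains: }.
# Returns nil when the header is absent.
def parse_hsts(value)
  return nil if value.nil?
  directives = value.split(";").map(&:strip)
  max_age = directives.find { |d| d.downcase.start_with?("max-age=") }
  {
    max_age: max_age ? max_age.split("=", 2).last.to_i : 0,
    include_subdomains: directives.any? { |d| d.casecmp("includeSubDomains").zero? }
  }
end

# headers: Hash of lower-cased header name => value, except "set-cookie",
# which is an Array because a response may set several cookies.
# Returns an Array of finding strings; empty means the transport headers look right.
def audit_transport_headers(headers)
  findings = []
  Array(headers["set-cookie"]).each do |raw|
    c = parse_set_cookie(raw)
    findings << "cookie #{c[:name]} lacks Secure (would be sent over plain http://)" unless c[:secure]
    findings << "cookie #{c[:name]} lacks HttpOnly (readable via document.cookie)" unless c[:httponly]
  end
  hsts = parse_hsts(headers["strict-transport-security"])
  if hsts.nil?
    findings << "no Strict-Transport-Security header (first request still goes over http://)"
  else
    findings << "HSTS max-age #{hsts[:max_age]} is below #{MIN_HSTS_MAX_AGE}" if hsts[:max_age] < MIN_HSTS_MAX_AGE
    findings << "HSTS lacks includeSubDomains" unless hsts[:include_subdomains]
  end
  findings
end

# Constructed sample responses: one as a default app might send it, one hardened.
WEAK_RESPONSE = {
  "set-cookie" => ["_app_session=abc123; Path=/", "remember_me=1; Secure; Path=/"],
}
HARDENED_RESPONSE = {
  "set-cookie" => ["_app_session=abc123; Path=/; Secure; HttpOnly"],
  "strict-transport-security" => "max-age=15768000; includeSubDomains",
}

if __FILE__ == $0
  puts "weak:     #{audit_transport_headers(WEAK_RESPONSE).inspect}"
  puts "hardened: #{audit_transport_headers(HARDENED_RESPONSE).inspect}"
end
```

Run against the weak response it reports four findings (two missing attributes on the session cookie, HttpOnly missing on remember_me, and no HSTS); against the hardened one it reports none. The same functions can be pointed at real headers captured from a staging deployment to confirm that force_ssl and the HSTS configuration actually took effect.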
Page 28
Content Security Policy
Whitelist content:
Content-Security-Policy: default-src 'self'; img-src 'self' data:; media-src mediastream:; script-src 'self' https://example.com
Page 29
Audit your CSP
Content-Security-Policy-Report-Only: default-src 'self'; img-src 'self' data:; media-src mediastream:; script-src 'self' https://example.com
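A CSP header is only as good as its parsing, and a mistyped directive name (the original slide wrote "script-src:" with a colon) is dropped by browsers, so script-src silently falls back to default-src. The following is an added example, not code from the slides or from any gem: plain Ruby that parses a policy string into directives and flags unknown directive names and the sources that weaken a policy. KNOWN_DIRECTIVES lists standard directive names from the CSP specification; the sample policies and the function names are assumptions made for the example.

```ruby
# Added example (not from the slides): parse a Content-Security-Policy
# header into its directives and flag the mistakes that change its meaning.
# Browsers ignore a directive whose name they do not recognise, so the
# deck's "script-src:" typo would leave script-src governed by default-src.
# Plain Ruby, no dependencies.

# Directive names from the CSP spec that this example knows about.
KNOWN_DIRECTIVES = %w[
  default-src script-src style-src img-src media-src font-src connect-src
  object-src frame-src child-src frame-ancestors form-action base-uri
  report-uri report-to upgrade-insecure-requests
].freeze

# Parse "name source source; name source" into { name => [sources] }.
def parse_csp(header)
  header.split(";").each_with_object({}) do |directive, acc|
    tokens = directive.strip.split(/\s+/)
    next if tokens.empty? || tokens.first.empty?
    acc[tokens.first.downcase] = tokens.drop(1)
  end
end

# Return an Array of finding strings for a parsed policy.
def audit_csp(policy)
  findings = []
  policy.each do |name, sources|
    findings << "unknown directive #{name.inspect} (ignored by browsers)" unless KNOWN_DIRECTIVES.include?(name)
    findings << "#{name} allows 'unsafe-inline'" if sources.include?("'unsafe-inline'")
    findings << "#{name} allows 'unsafe-eval'" if sources.include?("'unsafe-eval'")
    findings << "#{name} allows any origin (*)" if sources.include?("*")
    findings << "#{name} allows data: URIs" if name == "script-src" && sources.include?("data:")
  end
  findings << "no default-src fallback" unless policy.key?("default-src")
  findings
end

# Constructed samples: the slide's header with the colon typo, and the corrected one.
TYPO_POLICY  = "default-src 'self'; img-src 'self' data:; media-src mediastream:; script-src: 'self' https://example.com"
FIXED_POLICY = "default-src 'self'; img-src 'self' data:; media-src mediastream:; script-src 'self' https://example.com"

if __FILE__ == $0
  puts "typo:  #{audit_csp(parse_csp(TYPO_POLICY)).inspect}"
  puts "fixed: #{audit_csp(parse_csp(FIXED_POLICY)).inspect}"
end
```

The typo policy yields one finding, the unknown "script-src:" directive; the corrected policy yields none. Running this over the Content-Security-Policy-Report-Only header during the audit phase the slide describes catches such mistakes before the policy is enforced.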
Page 30
Frame Option (XFO)
Prevent clickjacking:
X-Frame-Options: DENY
X-Frame-Options: SAMEORIGIN
X-Frame-Options: ALLOW-FROM https://example.com/
Page 31
XSS protection
Cross site scripting filter:
X-XSS-Protection: 1; mode=block
Page 32
Prevent content sniffing
Prevent attacks based on MIME-type confusion:
X-Content-Type-Options: nosniff
Page 33
Rendering
• HttpOnly Cookies
• Content Security Policy
• Frame Options
• XSS protection
• Content Type Options
Page 34
secure_headers gem
• https://github.com/twitter/secureheaders
• Content Security Policy (CSP)
• HTTP Strict Transport Security (HSTS)
• X-Frame-Options (XFO)
• XSS Protection
• MIME type sniffing protection
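The rendering headers on the preceding slides are all static response headers, which is why a gem like secure_headers can add them as middleware. The following is an added example, not the gem's code and not from the slides: a minimal Rack-style middleware that follows the call(env) protocol without requiring the rack gem, adds the headers the deck lists, and lets a header the application already set take precedence. The class name, the DEFAULT_HEADERS values (the CSP value in particular) and the stand-in inner app are assumptions made for the example.

```ruby
# Added example (not from the slides and not the secure_headers gem's code):
# a minimal Rack-style middleware that adds the rendering-protection headers
# the deck lists. It follows the Rack call(env) protocol but needs no gem;
# the inner app below is a constructed stand-in for a Rails application.

class RenderingHeaders
  # Header values follow the slides; the CSP value is an assumption a real
  # deployment would tune to its own script and image origins.
  DEFAULT_HEADERS = {
    "Content-Security-Policy" => "default-src 'self'; img-src 'self' data:; script-src 'self'",
    "X-Frame-Options"         => "DENY",
    "X-XSS-Protection"        => "1; mode=block",
    "X-Content-Type-Options"  => "nosniff",
  }.freeze

  def initialize(app, overrides = {})
    @app = app
    @headers = DEFAULT_HEADERS.merge(overrides)
  end

  # Rack protocol: call the inner app, then add our headers to its response.
  # A header the app already set wins, so one page can relax the policy.
  def call(env)
    status, headers, body = @app.call(env)
    @headers.each { |name, value| headers[name] = value unless headers.key?(name) }
    [status, headers, body]
  end
end

# Constructed inner app: a plain HTML page that sets no security headers.
PLAIN_APP = ->(_env) { [200, { "Content-Type" => "text/html" }, ["<h1>hello</h1>"]] }

# Run one request through the middleware and return the response headers.
def response_headers(app = PLAIN_APP, env = { "PATH_INFO" => "/" })
  _status, headers, _body = RenderingHeaders.new(app).call(env)
  headers
end

if __FILE__ == $0
  response_headers.each { |name, value| puts "#{name}: #{value}" }
end
```

In a real Rails application this would sit in the middleware stack (config.middleware.use) rather than wrapping a lambda. One caveat for readers in 2014 terms: X-Frame-Options and nosniff are still honoured, but current Chromium and Firefox no longer implement the X-XSS-Protection filter, so the Content-Security-Policy header carries that weight today.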
Page 35
Brakeman gem
Static analyzer for vulnerabilities
> brakeman
+-------------------+---------+
| Scanned/Reported  | Total   |
+-------------------+---------+
| Controllers       | 17      |
| Models            | 11      |
| Templates         | 72      |
| Errors            | 0       |
| Security Warnings | 21 (12) |
+-------------------+---------+

+----------------------------+-------+
| Warning Type               | Total |
+----------------------------+-------+
| Cross Site Scripting       | 4     |
| Cross-Site Request Forgery | 1     |
| Denial of Service          | 2     |
| File Access                | 1     |
| Format Validation          | 1     |
| Mass Assignment            | 5     |
| Remote Code Execution      | 4     |
| SQL Injection              | 2     |
| Session Setting            | 1     |
+----------------------------+-------+
Page 36
codesake-dawn gem
Static code scanner
> dawn --rails .
13:37:54 [*] dawn v1.1.3 is starting up
13:37:54 [$] dawn: scanning .
13:37:54 [$] dawn: rails v4.1.1 detected
13:37:54 [$] dawn: applying all security checks
13:37:54 [$] dawn: 173 security checks applied - 0 security checks skipped
13:37:54 [$] dawn: 2 vulnerabilities found
13:37:54 [!] dawn: Owasp Ror CheatSheet: Session management check failed
13:37:54 [$] dawn: Severity: info
13:37:54 [$] dawn: Priority: unknown
13:37:54 [$] dawn: Description: By default, Ruby on Rails uses a Cookie based session store. What that means is that unless you change something, the session will not expire on the server. That means that some default applications may be vulnerable to replay attacks. It also means that sensitive information should never be put in the session.
13:37:54 [$] dawn: Solution: Use ActiveRecord or the ORM you love most to handle your code session_store. Add "Application.config.session_store :active_record_store" to your session_store.rb file.
13:37:54 [$] dawn: Evidence:
13:37:54 [$] dawn: In your session_store.rb file you are not using ActiveRercord to store session data. This will let rails to use a cookie based session and it can expose your web application to a session replay attack.
13:37:54 [$] dawn: {:filename=>"./config/initializers/session_store.rb", :matches=>[]}
Page 37
gauntlt gem
• Build attacks with cucumber scripts
> gauntlt
Page 38
Rugged DevOps
InfoSec + Dev + Ops = Rugged DevOps
http://ruggeddevops.org
https://www.ruggedsoftware.org
Page 39
Code Monitoring tools
• https://codeclimate.com
• https://gemcanary.com
• https://gemnasium.com
Page 40
Resources
• http://guides.rubyonrails.org/security.html
• https://www.owasp.org/index.php/Ruby_on_Rails_Cheatsheet
• https://www.ssllabs.com
• https://github.com/cryptosphere/rbnacl
• https://github.com/twitter/secureheaders
• http://brakemanscanner.org
• https://github.com/codesake/codesake-dawn
• http://gauntlt.org
Page 41
Questions?
[email protected] @krof