Framework Security
Antoinette Stevens
About Me
• Born and raised in Atlanta, GA
• B.S. in Computer Science from University of Georgia
• Network Security Analyst at Principal Financial Group
• Founder and Executive Director of Reboot Iowa
• Dancer for the Iowa Barnstormers
Framework vs CMS
• Frameworks are designed to support the development of web applications; they aim to reduce the overhead of the common tasks performed in web development.
• A CMS (Content Management System) is an application built to provide tools for maintaining, organizing, and adding dynamic content to a website, e.g. Drupal, Joomla, WordPress.
Why Should You Care?
Built In Security
OWASP Secure Web App Framework Manifesto
• Injection Prevention
• Input Validation
• Authentication and Authorization
• Session Management
• Cryptography
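As an added illustration of the first manifesto item, injection prevention, the following example is not from the talk. It puts a login query built by string formatting next to the parameterized form that a framework's ORM or query builder emits for you by default, and runs the same tautology payload through both. The in-memory SQLite table, the single user record, the payload and the `login_*`/`demo` function names are all constructed for this demonstration; the password is stored in clear only to keep the example short, a real framework hashes it.

```python
import sqlite3

# Constructed sample data: a one-row users table in an in-memory SQLite
# database. The clear-text password is a shortcut for the demo only.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Hand-built SQL: the caller's input is pasted into the statement text,
    so a quote character in it changes the structure of the query."""
    query = (
        "SELECT COUNT(*) FROM users WHERE username = '%s' AND password = '%s'"
        % (username, password)
    )
    return conn.execute(query).fetchone()[0] > 0


def login_parameterized(conn, username, password):
    """Placeholders: the statement is fixed and the values travel separately,
    which is what a framework's data layer does for every query it issues."""
    query = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone()[0] > 0


# Classic tautology payload: closes the password literal and appends a
# condition that is true for every row.
PAYLOAD = "' OR '1'='1"


def demo():
    conn = make_db()
    return {
        # hand-built SQL becomes: ... AND password = '' OR '1'='1'
        # AND binds tighter than OR, so every row matches and login succeeds
        "vulnerable_bypassed": login_vulnerable(conn, "alice", PAYLOAD),
        # the same bytes are compared as a password value and do not match
        "parameterized_bypassed": login_parameterized(conn, "alice", PAYLOAD),
        # both variants still accept the real credentials
        "vulnerable_legit": login_vulnerable(conn, "alice", "correct horse"),
        "parameterized_legit": login_parameterized(conn, "alice", "correct horse"),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The only difference between the two functions is who assembles the statement; the framework's value in this category is that its ORM never lets you take the first path by accident, so the remaining risk sits in the raw-SQL escape hatches, which are the places to review.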
Let's pivot and cover what could go wrong.
Foundation Problems
• Weak, bloated or multi-purpose underlying OS
• Weak perimeter controls/edge protection
• Lack of staging environment
• Inappropriate customization leading to obsolescence
• Exposed services (this shouldn’t happen any more)
• Lack of strong administrative authentication
• Inappropriate framework setup (weak DB setup, a single partition for all content, weak protection of high-value data, etc.)
Choose Wisely

Framework        # CVEs  Leading vuln. type  RCE  XSS  CSRF  Security Advisory  Bug Bounty  Security Policy
Django           48      DoS                 2    8    4     X                  X           X
Zend             24      DoS                 1    3    0     X                  Unknown     X
Ruby on Rails    78      XSS                 12   23   3     X                  X           X
Hapi (Node.js)   1       Gain Information    0    0    0     GitHub Issues      No          (not given)

# CVEs is the number of entries for the framework in the CVE database at the time of the talk; the RCE, XSS and CSRF columns are how many of those entries fall in each class. Raw counts also track how widely a framework is used and audited, so read them alongside the advisory, bug bounty and security policy columns rather than on their own.
Built on npm's Trusted Codebase?
• npm: a developer's removal of his packages left dependent projects broken and exposed; now fixed
• npm codebase and a possible worm: install-time lifecycle scripts run with the installing user's privileges and npm credentials, so a malicious package could republish itself into every package that user maintains
• http://www.infoworld.com/article/3048526/security/nodejs-alert-google-engineer-finds-flaw-in-npm-scripts.html
Lack of discipline
• Debug in production (Patreon anybody?)
• Secrets protection
• Security features left off because they are opt-in rather than enabled by default
• Lack of baseline
• Lack of throttling/rate limiting/monitoring/update cadence
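The first three items of that list (debug in production, secrets protection, and a missing baseline) are the kind of thing a start-up check catches before the process serves a single request. The example below is added here and is not from the talk or from Django itself: it audits a few Django settings derived from environment variables and refuses to build a configuration that is still development grade. The `DJANGO_*` variable names, the `audit`/`build_settings` functions and the two sample environments are this example's own conventions, constructed for the demonstration; the `django-insecure-` prefix and the 50-character length are what Django's project generator actually produces.

```python
import secrets


class InsecureConfiguration(Exception):
    """Raised when the process would start with a development-grade config."""


# Django's project generator prefixes the keys it creates so that they are
# recognisable as placeholders that must be replaced before deployment.
GENERATED_KEY_PREFIX = "django-insecure-"
MIN_SECRET_LENGTH = 50  # the length of the keys Django's generator produces


def audit(environ):
    """Return a list of findings for the given environment mapping; an empty
    list means the configuration passes. The DJANGO_* variable names are this
    example's own convention, not something Django defines."""
    findings = []

    # Debug mode renders tracebacks, local variables and the settings module
    # to any visitor who triggers an error (the Patreon case on the slide).
    if environ.get("DJANGO_DEBUG", "0") == "1":
        findings.append("DEBUG enabled: tracebacks and settings are shown to every visitor")

    # SECRET_KEY signs session cookies, CSRF tokens and password-reset links;
    # a committed placeholder lets anyone forge all three.
    secret = environ.get("DJANGO_SECRET_KEY", "")
    if not secret:
        findings.append("SECRET_KEY missing: it signs sessions, CSRF and password-reset tokens")
    elif secret.startswith(GENERATED_KEY_PREFIX) or len(secret) < MIN_SECRET_LENGTH:
        findings.append("SECRET_KEY is a generated placeholder or too short")

    # With DEBUG off Django validates the Host header against ALLOWED_HOSTS;
    # an empty list refuses every request and a wildcard validates nothing.
    hosts = [h.strip() for h in environ.get("DJANGO_ALLOWED_HOSTS", "").split(",") if h.strip()]
    if not hosts or "*" in hosts:
        findings.append("ALLOWED_HOSTS empty or wildcard: list the real hostnames")

    return findings


def build_settings(environ):
    """Build the security-relevant subset of settings, or refuse to start."""
    findings = audit(environ)
    if findings:
        raise InsecureConfiguration("; ".join(findings))
    return {
        "DEBUG": False,
        "SECRET_KEY": environ["DJANGO_SECRET_KEY"],
        "ALLOWED_HOSTS": [h.strip() for h in environ["DJANGO_ALLOWED_HOSTS"].split(",") if h.strip()],
        # baseline that should never be left at the framework default in production
        "SESSION_COOKIE_SECURE": True,
        "CSRF_COOKIE_SECURE": True,
        "SECURE_HSTS_SECONDS": 31536000,
    }


# Constructed sample environments (no real secrets): a copied-from-tutorial
# developer setup and a production setup with a freshly generated key.
DEV_ENV = {
    "DJANGO_DEBUG": "1",
    "DJANGO_SECRET_KEY": "django-insecure-abc123",
    "DJANGO_ALLOWED_HOSTS": "*",
}
PROD_ENV = {
    "DJANGO_DEBUG": "0",
    "DJANGO_SECRET_KEY": secrets.token_urlsafe(48),  # 64 URL-safe characters
    "DJANGO_ALLOWED_HOSTS": "app.example.com, www.example.com",
}


if __name__ == "__main__":
    for finding in audit(DEV_ENV):
        print("dev:", finding)
    print("prod:", sorted(build_settings(PROD_ENV)))
```

For a real project, `python manage.py check --deploy` performs a comparable audit of the settings Django itself knows about; the point of wiring a check like this into start-up is that the baseline is enforced every time the service boots rather than remembered by whoever deploys it.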