Upload File

framework security · security advisory bug bounty security policy django 48dos 2 8 4x x x zend...

  • Home
  • Documents
  • Framework Security · Security Advisory Bug Bounty Security Policy Django 48DoS 2 8 4X X X Zend 24DoS 1 3 0X Unknown X Ruby on Rails 78XSS 12 23 3X X X Hapi (Nodejs) 1 Gain Information
16
Framework Security Antoinette Stevens

Upload: others

Post on 29-May-2020

10 views

Category:

Documents


0 download

Report

TRANSCRIPT

Page 1: Framework Security · Security Advisory Bug Bounty Security Policy Django 48DoS 2 8 4X X X Zend 24DoS 1 3 0X Unknown X Ruby on Rails 78XSS 12 23 3X X X Hapi (Nodejs) 1 Gain Information

Framework Security

Antoinette Stevens

Page 2: Framework Security · Security Advisory Bug Bounty Security Policy Django 48DoS 2 8 4X X X Zend 24DoS 1 3 0X Unknown X Ruby on Rails 78XSS 12 23 3X X X Hapi (Nodejs) 1 Gain Information

About Me

• Born and raised in Atlanta, GA

• B.S. in Computer Science from University of

Georgia

• Network Security Analyst at Principal Financial

Group

• Founder and Executive Director of Reboot Iowa

• Dancer for the Iowa Barnstormers

Page 3: Framework Security · Security Advisory Bug Bounty Security Policy Django 48DoS 2 8 4X X X Zend 24DoS 1 3 0X Unknown X Ruby on Rails 78XSS 12 23 3X X X Hapi (Nodejs) 1 Gain Information

Framework vs CMS

• Frameworks are designed to support the

development of web applications. They aim to

alleviate the overhead associated with common

activities performed in web development

• CMS or Content Management System is an

application built for the purpose of providing tools

to maintain, organize, and add dynamic content

to a website. Ex. Drupal. Joomla, Wordpress

Page 4: Framework Security · Security Advisory Bug Bounty Security Policy Django 48DoS 2 8 4X X X Zend 24DoS 1 3 0X Unknown X Ruby on Rails 78XSS 12 23 3X X X Hapi (Nodejs) 1 Gain Information

Why Should You

Care?

Page 5: Framework Security · Security Advisory Bug Bounty Security Policy Django 48DoS 2 8 4X X X Zend 24DoS 1 3 0X Unknown X Ruby on Rails 78XSS 12 23 3X X X Hapi (Nodejs) 1 Gain Information

Built In Security

Page 6: Framework Security · Security Advisory Bug Bounty Security Policy Django 48DoS 2 8 4X X X Zend 24DoS 1 3 0X Unknown X Ruby on Rails 78XSS 12 23 3X X X Hapi (Nodejs) 1 Gain Information

OWASP Secure Web App

Framework Manifesto

Injection Prevention

Input Validation

Authentication and Authorization

Session Management

Cryptography

Page 7: Framework Security · Security Advisory Bug Bounty Security Policy Django 48DoS 2 8 4X X X Zend 24DoS 1 3 0X Unknown X Ruby on Rails 78XSS 12 23 3X X X Hapi (Nodejs) 1 Gain Information

OWASP Secure Web App

Framework Manifesto

Injection Prevention

Input Validation

Authentication and Authorization

Session Management

Cryptography

Page 8: Framework Security · Security Advisory Bug Bounty Security Policy Django 48DoS 2 8 4X X X Zend 24DoS 1 3 0X Unknown X Ruby on Rails 78XSS 12 23 3X X X Hapi (Nodejs) 1 Gain Information

OWASP Secure Web App

Framework Manifesto

Injection Prevention

Input Validation

Authentication and Authorization

Session Management

Cryptography

Page 9: Framework Security · Security Advisory Bug Bounty Security Policy Django 48DoS 2 8 4X X X Zend 24DoS 1 3 0X Unknown X Ruby on Rails 78XSS 12 23 3X X X Hapi (Nodejs) 1 Gain Information

OWASP Secure Web App

Framework Manifesto

Injection Prevention

Input Validation

Authentication and Authorization

Session Management

Cryptography

Page 10: Framework Security · Security Advisory Bug Bounty Security Policy Django 48DoS 2 8 4X X X Zend 24DoS 1 3 0X Unknown X Ruby on Rails 78XSS 12 23 3X X X Hapi (Nodejs) 1 Gain Information

OWASP Secure Web App

Framework Manifesto

Injection Prevention

Input Validation

Authentication and Authorization

Session Management

Cryptography

Page 11: Framework Security · Security Advisory Bug Bounty Security Policy Django 48DoS 2 8 4X X X Zend 24DoS 1 3 0X Unknown X Ruby on Rails 78XSS 12 23 3X X X Hapi (Nodejs) 1 Gain Information

OWASP Secure Web App

Framework Manifesto

Injection Prevention

Input Validation

Authentication and Authorization

Session Management

Cryptography

Page 12: Framework Security · Security Advisory Bug Bounty Security Policy Django 48DoS 2 8 4X X X Zend 24DoS 1 3 0X Unknown X Ruby on Rails 78XSS 12 23 3X X X Hapi (Nodejs) 1 Gain Information

Let’s pivot and cover what

could go wrong?

Page 13: Framework Security · Security Advisory Bug Bounty Security Policy Django 48DoS 2 8 4X X X Zend 24DoS 1 3 0X Unknown X Ruby on Rails 78XSS 12 23 3X X X Hapi (Nodejs) 1 Gain Information

Foundation Problems

• Weak, bloated or multi-purpose underlying OS

• Weak perimeter controls/edge protection

• Lack of staging environment

• Inappropriate customization leading to obsolescence

• Exposed services (this shouldn’t happen any more)

• Lack of strong administrative authentication

• Inappropriate framework setup (weak DB setup, single

partition for all content, weak protection of high value

data, etc).

Page 14: Framework Security · Security Advisory Bug Bounty Security Policy Django 48DoS 2 8 4X X X Zend 24DoS 1 3 0X Unknown X Ruby on Rails 78XSS 12 23 3X X X Hapi (Nodejs) 1 Gain Information

Choose Wisely

Framework

# Vulnerabilities in CVE Database

Leading Vulnerability Type RCE XSS CSRF

Security Advisory Bug Bounty

Security Policy

Django 48DoS 2 8 4X X X

Zend 24DoS 1 3 0X Unknown XRuby on Rails 78XSS 12 23 3X X XHapi(Nodejs) 1

Gain Information 0 0 0

GithubIssues No

Built on NPM's

Page 15: Framework Security · Security Advisory Bug Bounty Security Policy Django 48DoS 2 8 4X X X Zend 24DoS 1 3 0X Unknown X Ruby on Rails 78XSS 12 23 3X X X Hapi (Nodejs) 1 Gain Information

Trusted Codebase?

• Npm – developer removal of packages left

behind vulnerabilities; now fixed

• Npm codebase and possible worm:

• http://www.infoworld.com/article/3048526/security/nodejs-alert-

google-engineer-finds-flaw-in-npm-scripts.html

Page 16: Framework Security · Security Advisory Bug Bounty Security Policy Django 48DoS 2 8 4X X X Zend 24DoS 1 3 0X Unknown X Ruby on Rails 78XSS 12 23 3X X X Hapi (Nodejs) 1 Gain Information

Lack of discipline

• Debug in production (Patreon anybody?)

• Secrets protection

• Not enabling features by default

• Lack of baseline

• Lack of throttling/rate limiting/monitoring/update cadence


Hapi User Manual - merging.com · Page 5 Hapi User Manual marked change in performance, or E. The product has been dropped, or the enclosure damaged

HITRAN Application Programming Interface (HAPI)hitran.org/static/hapi/hapi_manual.pdf · User Guide Roman V. Kochanov ... 3.2. DOWNLOADING AND DESCRIBING DATA ... one can perform

F-Secure email and Server Security · Security Feature Virus&spyware X X X X protection DeepGuard X X X X Webtrafficscanning X X X X Browsingprotection X X X X SoftwareUpdater X X

Let Us Pray - westburyumc.org · Archivo PDFand adults to Mizak, Haiti in partnership with HAPI (Haitian Artisans for Peace International). HAPI works to and broken family systems

HaPI: Health and Psychosocial Instruments · 2019. 1. 14. · HaPI: Health and Psychosocial Instruments HaPI is a database that you can use to find information about research instruments

Hapi User Manual - Merging Technologies … · the Hapi connectors. Product Regulatory Compliance The Merging Hapi Network Converter is designed and tested to meet the standards and

Hapi User Manual - Merging Technologies · Hapi User Manual Merging Technologies ... Installing a Hapi MADI Module ... UL 1950 – CSA 950 (US/Canada)

Neurotransmitters Presentation MS HAPI Practicum

[Final] hapi-presentation

Being HAPI! Reverse Proxying on Purpose

Water Quality, Health, and Place - Harvard Universityresearch.gsd.harvard.edu/hapi/files/2014/10/HAPI...At a small-scale, low impact development and green infrastructure can protect

x Ml Security

The HaPi Guide

HITRAN Application Programming Interface (HAPI) · Manual ver. 4.3, 14 April 2019 HITRAN Application Programming Interface (HAPI) User Guide Roman V. Kochanov [email protected]

HAPI Building Blocks - GitHub Pages · HAPI Building Blocks. Example Hapi Application Structure. ... • To change the configurations later just update the config. Hapi Building

HAPI HeAltH Assessment WorksHoP - Harvard …research.gsd.harvard.edu/hapi/files/2014/12/Tool-3...HAPI HeAltH Assessment WorksHoP HoW to GUIDe: HeAltH Assessment tool 3 The HEALTH

SECURITY SYMBOL LIST SECURITY SYMBOLS SECURITY … · 2016. 7. 21. · CCTV PS PP UPS PS J2 X-Y-XX X-Y-XX X X X X X X X A # SECURITY DEVICE DESIGNATIONS X = FLOOR NUMBER Y = DEVICE

BASE DE DATOS HAPI ONLINE€¦  · Web viewBASE DE DATOS HAPI ONLINE (Hispanic American Periodical Index) Esta base pertenece a la . UCLA”s International Institute. (Instituto

Hapi, Ancient Egyptian God of the Nile

Urs glovebox hapi product milling,micronizing

A ReseARcH BRief VeRsion 1 - Harvard Universityresearch.gsd.harvard.edu/hapi/files/2015/11/HAPI_ResearchBrief... · A ReseARcH BRief VeRsion 1.1 The HEALTH AND PLACE INITIATIVE (HAPI)

Implementing Hospital-Acquired Pressure Injury (HAPI

A RESEARCH BRIEF VERSION 1research.gsd.harvard.edu/hapi/files/2014/10/HAPI...2014/07/21  · Place Issues In the larger built and urban environments, universal design principles should

A RESEARCH BRIEF VERSION 1research.gsd.harvard.edu/hapi/files/2015/11/HAPI... · 2017-11-09 · November 2015 Housing, Health, and Place A RESEARCH BRIEF VERSION 1.2 The HEALTH AND

OS X Security

WINDOW TO THE SOUL “HAPI” QUILT - Amy Butler … · WINDOW TO THE SOUL “HAPI” QUILT PAGE 4 All designs, photos, images 213 Amy Butler Ltd – not for resale. Reproduction

hapi fhir java beginner and advanced for dev days

Andrew Martin Nicki Kapp Paul Monger Brett Hapi … · Vocals/Guitar/Saxophone Lisa Mio Female Vocals Brett Hapi Bass/Vocals Shaun Gardener Guitar/Vocals Nicki Kapp Paul Monger Female

A RESEARCH BRIEF VERSION 1research.gsd.harvard.edu/hapi/files/2014/10/HAPI... · 2017. 11. 9. · • Accessibility to community resources can be characterized through the density

Hapi User Manual - merging.com · Installing a Hapi MADI Module (MADM or MADS are optional) .....44 Assembling the rack mount ears

Learning HL7 FHIR Using the HAPI FHIR Server and Its Use

Using hapi plugins to version your API (hapiDays 2014)

Hapi: fast and scalable cluster scheduling using flow networksms705/projects/... · Proforma Name: Adam Gleave College: St John’s College Project Title: Hapi: fast and scalable

Tutorial HAPI: Configuracion de estudio HAPI

HAPI workflow and user guide - goPayroll · HAPI Dashboard The HAPI dashboard indicates if transactions are available and provides access to all other processes in HAPI via the ToolBar