Tuenti: Web Application Security

  • Published on
    10-May-2015

  • View
    8.747

  • Download
    0

Embed Size (px)

DESCRIPTION

Tuenti is an always growing web application, constantly adding services and applications, with two or more releases per week, a lot of branches per release, 100+ engineers hacking code and keeping hundreds of servers running. Dealing with security in such an environment is a tough challenge from different perspectives. On this talk we will explain how we keep security levels high, the most common attacks and good practices that might help you make your web applications safer. Also, some insight in how security is understood across the whole company (legal, user support, engineering) will be given, as it is crucial for us to have top knotch incident response.

Transcript

  • 1.Web Application SecurityGuillermo Prezbisho@tuenti.comBE arch & Security Lead Eng. bcndevcon 2011

2. Things to deal with... in web app security 3. Web App security Anonymous attackers Worldwide access Shared environment for all users Easy distribution, profitable On top of all other components security: Network security OS security Server software security Social Engineering Even more! browsers, plugins, virus, user computer security, shared computers, open wifis... 4. How to achieve it? 5. Web App securityHumans (developers) are the bigger risk Give tools, frameworks & policies so nodeveloper has to ever think how to secure upthings. Should be clear and the easiest path.But there is no perfect security... 6. Top risks? 7. Top 10 security issues in webappsFrom OWASP (risks != frequency)1. Injection2. XSS3. Broken auth, session management4. Insecure direct object references5. CSRF6. Security misconfiguration7. Failure to restrict URL access8. Unvalidated redirects9. Insecure crypto storage 10. Insufficient transport layer protection 8. Top 10 security issues in webapps 1. Injection 2. XSS 3. Broken auth, session management 4. Insecure direct object references 5. CSRF 6. Security misconfiguration 7. Failure to restrict URL access 8. Unvalidated redirects 9. Insecure crypto storage10. Insufficient transport layer protection 9. 1. Injection flawsTrick services to execute unintendedcommands to gain control or accessunauthorized data. Several types: SQL OS execution LDAP XPath NoSQL uploads 10. 1. Injection flaws Explotability: EASY Prevalence: COMMON Detectability: AVERAGE Impact: SEVERE Prevention: Keep untrusted data separate from commands How: Use safe, parametrized apis vs writting code to beexecuted by interpreter. Escape special chars depending on interpreter. Data cast, whitelist input validation. 11. 1. Injection flaws: SQL http://example.com/?id= or 1=1 Explicit cast, escaping IN-PLACE mysqli_escape_string() ... Use prepared statements Provides data separation Client-side implementations (PDO) SELECT * FROM table where id=? Use safe apis for query generation $mysqlService->select($table, $pk, $fields,$where...) Safe ORM framework $storage->read($keys); 12. 1. Injection flaws: OS Dont use OS execution :) Escape escapeshellarg 13. 1. Injection flaws: uploads Dont put them on public folder Dont use user-provided data for names Whitelist extensions Validate content Store separately from app (DB, separateservers) Ensure write permissions are the minimumpossible 14. Top 10 security issues in webapps 1. Injection 2. XSS 3. Broken auth, session management 4. Insecure direct object references 5. CSRF 6. Security misconfiguration 7. Failure to restrict URL access 8. Unvalidated redirects 9. Insecure crypto storage10. Insufficient transport layer protection 15. 2. XSSTrick services to return browser-executablecode to user/s. Several classifications: Breaking context vs sub-context Persistant vs non-persistent Traditional vs DOM 16. 2. XSS Explotability: AVERAGE Prevalence: WIDESPREAD Detectability: EASY Impact: MODERATE Prevention: Escape untrusted data depending on context HTTP-Only Cookie mitigation is useless How: Escape everything (even safe vars) Escape in TEMPLATES (context aware) Other (URL params) in specialized safe apis Unit test 17. 2. XSS: Classification by context Breaking context: "