Developing Secure Web Apps

Transcript

  1. 25/11/2014, Developing Secure Web Apps, Mark Garratt
  2. Introduction
     • Was: UH Student - Graduated 2012
     • Now: Full Stack Developer at Cyber-Duck
     • Things I do:
       Programmer: PHP, MySQL, Node.js (JavaScript), MongoDB, HTML/CSS etc.
       System Administrator: Linux server management
       Security Tester: Reviewing and testing web apps
     • Things I use:
       TDD / BDD
       Continuous Integration (Jenkins/Travis)
       Vagrant + Docker
     (19/03/2015, Copyright 2014 - Cyber-Duck Ltd.)
  3. Knowledge Transfer Partnerships
     A relationship formed between a company and an academic institution ('Knowledge Base' partner), which facilitates the transfer of knowledge, technology and skills to which the company partner currently has no access. Each partnership employs one or more recently qualified people (known as an Associate) to work in a company on a project of strategic importance to the business, whilst also being supervised by the Knowledge Base Partner. Projects vary in length between 12 and 36 months. The Associates are either postgraduate researchers, university graduates, or individuals qualified to at least NVQ (Level 4) or equivalent.
     WHEN YOU GRADUATE APPLY FOR THESE
  4. This talk
     • A bit about Cyber-Duck
     • The development process
     • Server security
     • Application security
     • Testing
  5. About Cyber-Duck
  6. Our Clients
  7. The process
     • Research: determine all security considerations for the project
     • User Experience: follow best practices
     • Art Direction
     • Development: design production environment, secure coding, continuous testing
     • Marketing
     • Support: bug reports, more testing
  8. Server Security
     • Type of server: cloud, dedicated, shared, in-house
     • Server stack: operating system, language / technology, database / caching, scaling options
     • Protection: anti-virus & anti-malware, firewalls & IPS, backups, others
  9. Server Management
     • Most servers have similar configurations
     • More clients = more traffic = more servers
     • Need a way to keep all of them up to date
     • We use Configuration Management software
     • Several available: Ansible, Chef, Puppet, etc.
  10. We use Puppet
      • Master server holds the config for all servers
      • Agent servers read their config every half an hour
      • Patch once, everything updates
      • Can be used with Vagrant for development
  11. Application Security
      • Starts in the research phase of a project: evaluate possible points of attack
      • UX: design the application with secure methods
      • Security is most relevant during Development: be aware of vulnerabilities, follow safe practices, test for missed vulnerabilities
      • Post-launch: continue testing; bugs may reveal vulnerabilities, and bug-fixes may create vulnerabilities
  12. Staying aware of vulnerabilities
      • Official lists and statistics: OWASP Top 10, CSA, etc.
      • Mailing lists
      • Industry news
      • Blogs
      • Social media, especially Twitter
      • Common Vulnerability Scoring System (CVSS)
      • https://web.nvd.nist.gov/ - 3,365 vulnerabilities in the last 3 months
  13. OWASP Top 10
      A1 Injection
      A2 Broken Authentication and Session Management
      A3 Cross-Site Scripting (XSS)
      A4 Insecure Direct Object References
      A5 Security Misconfiguration
      A6 Sensitive Data Exposure
      A7 Missing Function Level Access Control
      A8 Cross-Site Request Forgery (CSRF)
      A9 Using Components with Known Vulnerabilities
      A10 Unvalidated Redirects and Forwards
  14. Injection
      • Most common is SQL injection
      • Applications are vulnerable when user input is not validated
      • Example:
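The slide's example does not survive in this transcript. The following is an added illustration, not code from the talk or from Cyber-Duck: it builds a constructed in-memory SQLite table (the talk's stack is PHP/MySQL and Node.js; Python's standard-library `sqlite3` is used here only so it runs offline) and shows the same lookup written both ways, concatenating unvalidated input into the query and passing it as a bound parameter, plus an allowlist check of the kind the slide means by "validated". Names such as `find_user_vulnerable` and the table contents are invented for the example.

```python
import re
import sqlite3

# Constructed sample data: two users, nothing sensitive beyond a placeholder hash.
SAMPLE_USERS = [("alice", "hash-a"), ("bob", "hash-b")]

# Allowlist for usernames: only lowercase letters, digits and underscore, 1-32 chars.
USERNAME_RE = re.compile(r"^[a-z0-9_]{1,32}$")


def make_db():
    """Create an in-memory database with the constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password_hash) VALUES (?, ?)", SAMPLE_USERS
    )
    return conn


def find_user_vulnerable(conn, username):
    """The pattern the slide warns about: user input pasted into the SQL string.

    The quote characters in the input become part of the query text, so the
    database parses whatever the caller typed as SQL.
    """
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def find_user_safe(conn, username):
    """Parameterised version: the value is bound separately and never parsed as SQL."""
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


def is_valid_username(value):
    """Input validation: reject anything outside the allowlist before it reaches a query."""
    return bool(USERNAME_RE.match(value))


def lookup(conn, username):
    """Validate first, then query with a bound parameter; None means the input was rejected."""
    if not is_valid_username(username):
        return None
    return find_user_safe(conn, username)


if __name__ == "__main__":
    db = make_db()
    # The classic always-true tautology; with concatenation it returns every user.
    tainted = "x' OR '1'='1"
    print("concatenated :", find_user_vulnerable(db, tainted))
    print("parameterised:", find_user_safe(db, tainted))
    print("validated    :", lookup(db, tainted))
    print("normal lookup:", lookup(db, "alice"))
```

Both defences matter: the parameterised query stops the input from changing the query's structure, and the allowlist rejects the input before it reaches the database at all, which also keeps unexpected values out of log lines and error messages. Validation alone is not a substitute for parameterisation, because every allowlist eventually has a field (a free-text comment, a display name) that cannot be restricted this tightly.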