2017/04/06: LocoMoco Security Conference: Day 2

by Gene Kim on

#LocoMocoSec

  • @LocoMocoSec: And day 2 is off to a start with @emschec #locomocosec 🤙 https://t.co/tJuasgQ4CW
  • @RealGeneKim: #locomocosec Up: Emily Schechter, Prod Manager for Chrome Browser Security, Google; @emschec https://t.co/FpbhKcZwhZ

  • locomocosec @emschec

  • Oops. Used wrong hashtag yesterday: to get my slides, send email to “genek@sendyourslides.com”, subject line “devops”

  • locomocosec @emschec points out problem of Chrome omnibar search (where you type in URL): it’s read and write: lots of complexity

  • @RealGeneKim: RT @BrakemanPro: Kicking off the second and final day of #LocoMocoSec with @emschec! https://t.co/HnrhbFnX7Z

  • @MlleLicious: @emschec is amazing, explaining issues and presenting solutions and insight. This is a fantastic talk about a super… https://t.co/vKRs6ohspC

  • locomocosec @emschec showing mockups/experiments they’re doing to reduce phishing: so far, no sig differences: “people trust Google”

  • locomocosec @emschec “Long term goal is to get rid of ‘Secure’ icon in Omnibar; instead, want to warn with ‘Not Secure’, show nothing for HTTPS

  • locomocosec @emschec “Google SafeBrowsing: detect phishing and deceptive websites; API freely available”

  • @KseniaDmitrieva: .@emschec discussing how URL do not solve phishing and other problems @LocoMocoSec https://t.co/T97hoR89S2

  • PS: I tweeted yesterday on wrong hashtag: #locomoco: all my notes/tweets are posted here: http://scribes.tweetscriber.com/realgenekim/627

Up: Beyond Bearer Tokens: token binding as the merging specs for secure web: Brian Campbell, Ping Identity, @_bc

  • @_bc: “Bearer token: a security token w/property that any party w/possession can use token to access resources; no other proof necessary” (OAuth)
  • @BrakemanPro: Time for @_bc talking about token binding at #LocoMocoSec! https://t.co/SW8TajfqVZ
  • @_bc: “Bearer tokens: cookies: httponly (prevent exfiltration via XSS), secure flag (can’t be sent in clear text)
  • @_bc: “Last year, there was a subdomain takeover at Uber; able to harvest cookies site-wide and replay them
  • @_bc: “Don’t save sessions in local storage; can be exfiltrated/stolen
  • @_bc: “Token binding: 3 years ago: IETF: long lived binding of cookies/security tokens to a client generated public-private cookies”
  • @_bc: “that was OpenIDConnect; now token binding for OAuth 2.0”
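Added example (mine, not from the talk or from Ping Identity): a small audit of `Set-Cookie` headers for the two bearer-cookie protections @_bc lists, HttpOnly and Secure, plus a check for the `Domain` attribute, which is what makes a cookie visible to every subdomain and ties in with the subdomain-takeover anecdote above. The header strings are constructed for illustration.

```python
# Added example (not from the talk or from Ping Identity): audit Set-Cookie
# headers for HttpOnly, Secure and host-only scope. Sample headers are constructed.
from dataclasses import dataclass, field
from typing import Dict, List, Tuple, Union

Attr = Union[str, bool]


def parse_set_cookie(header: str) -> Tuple[str, Dict[str, Attr]]:
    """Split a Set-Cookie value into the cookie name and its attributes.

    Attribute names are lower-cased; flag attributes (HttpOnly, Secure) map to True.
    """
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0].strip()
    attrs: Dict[str, Attr] = {}
    for part in parts[1:]:
        if "=" in part:
            key, value = part.split("=", 1)
            attrs[key.strip().lower()] = value.strip()
        else:
            attrs[part.lower()] = True
    return name, attrs


@dataclass
class CookieFinding:
    name: str
    missing: List[str] = field(default_factory=list)


def audit_cookie(header: str) -> CookieFinding:
    """Report which protections a single Set-Cookie header lacks."""
    name, attrs = parse_set_cookie(header)
    finding = CookieFinding(name)
    if "httponly" not in attrs:
        # Without HttpOnly, script running in the page (e.g. via XSS) can read the cookie.
        finding.missing.append("HttpOnly")
    if "secure" not in attrs:
        # Without Secure, the browser also sends the cookie over plain HTTP.
        finding.missing.append("Secure")
    if "domain" in attrs:
        # A Domain attribute makes the cookie visible to every subdomain, which is
        # how one taken-over subdomain can harvest session cookies site-wide.
        finding.missing.append("host-only scope (Domain attribute present)")
    return finding


def audit_headers(headers: List[str]) -> Dict[str, List[str]]:
    """Audit several Set-Cookie headers; returns only the cookies with findings."""
    results: Dict[str, List[str]] = {}
    for header in headers:
        finding = audit_cookie(header)
        if finding.missing:
            results[finding.name] = finding.missing
    return results


# Constructed sample headers, as a server might emit them.
SAMPLE_HEADERS = [
    "sessionid=abc123; Path=/; HttpOnly; Secure",
    "legacy_session=abc123; Path=/; Domain=example.com",
    "pref=dark; Path=/; Secure",
]

if __name__ == "__main__":
    for cookie, missing in audit_headers(SAMPLE_HEADERS).items():
        print(f"{cookie}: missing {', '.join(missing)}")
```

Run it against a captured response and the only cookie that comes back clean is the first one; the `legacy_session` cookie is the pattern the Uber anecdote describes (no flags, shared across subdomains).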

Up: The (Application) Patching Manifesto: Jeremy Long: of OWASP dependency-check fame

  • @ctxt: “as founder of dependency-check project, I’m a huge fan of static analysis and SaaS; spend lots of time in Java ecosystem
  • @ctxt: “In most enterprise, most patching programs focus on infrastructure (os, middleware, firewalls), overlooking application layer patches, where real risks are
  • @manicode: When introducing @ctxt as a “S.O.B” I state that with ❤️. Jeremy took a chunk out of the dependency management tool… https://t.co/PXFjXhmlat
  • @ctxt: “most devastating vulns: remote code execution: when people can run arbitrary code on your server
  • @ctxt: “Good example: CVE-2017-8046: Spring-Data-Rest Remote code execution
  • @oleggryb: What your apps are made of #locomocosec https://t.co/hWLidl4phq
  • @ctxt: “Known CVE vs unreported: 25% of orgs don’t report vulns to users: they’ll put into release notes; 10% actually report CVEs
  • @ctxt: “PrimeFaces CVE-2017-1000486: published 1/3/2018; vuln unreported as CVE; was fixed in 2/2016; cryptominers started using it
  • @ctxt: “Good dev teams treat out of date libs considered a code quality issue; time built into sched to upgrade
  • @ctxt: “Most (not as good) teams: occasionally sweep thru deps & upgrade; most afraid to break build” (yep!)
  • @ctxt: “Snyk 2017 State of Open Source Security Report:
  • @RealGeneKim: #locomocosec: @ctxt Snyk 2017 State of Open Source Security Report highlights https://t.co/fICoAOg425
  • @ctxt: “security debt is a subset of tech debt; left unchecked, debt collectors grab your stuff & sell to highest bidder
  • @ctxt: “Emergency patching: what’s difficult: patches generally not backported to previous major/minor releases; Spring rare exception
  • @ctxt: “Emergency patching: security debt must be repaid immediately, even if there are breaking API changes”
  • @ctxt: “Big risk: UAT environments that are exposed to live Internet, often totally missed in patching program
  • @ctxt: “Future state: Upgrades must be planned as part of SDLC; old or dead libraries as severe as other defects
  • @ctxt: “Making upgrades less painful must become habit; applying emergency patches becomes routine vs. not used to upgrading
  • @ctxt: “maven-versions-plugin will actually update your maven dependencies automatically, instead of just reporting
  • @RealGeneKim: #locomocosec: @ctxt “Upgrading/continuous patching becoming much easier: automatic pull requests upon new library v… https://t.co/v3CJM1cCIc
  • @ctxt: “Transitive dependencies: patching is difficult: shows that FOSS is not actually free”
  • @RealGeneKim: #locomocosec - @ctxt: “Transitive dependencies: patching is difficult: shows that FOSS is not actually free” “50… https://t.co/HouOKbT3Xt
  • @ctxt: “people using open source: help your projects keep all their dependencies up to date, all the way down the dependency tree”
  • @ctxt: “WAFs can help.
  • @RealGeneKim: #locomocosec @ctxt: “WAFs can help. Here are other alternatives” https://t.co/rR0MW1LKzP
  • @ctxt: “Single purpose RASP: notsoserial: covers core Java deserialization: Jackson, XStream, Kryo; blocking ProcessBuilder
  • @ctxt: “maven-shade-plugin: built to resolve JAR version conflicts; Infosec benefit: changes package space for attacker
  • @ctxt: “Contrast Security study: 70% of library code never called; maven-shade-plugin will remove class from JAR” (!!)
  • @ctxt showing demo of Jenkins instance w/CVE vuln; launching deserialization attack; maven-shaded version not vuln (class deleted)
  • @RealGeneKim: #locomocosec @ctxt https://t.co/11eWYlnLLk
  • @ctxt: “Stop looking for new vulns: instead, keep your libraries up to date; and contribute to keep OSS project deps up to date, too”
  • @ctxt: “So many vulns are unreported; so instead of focusing on security patches, more important to update all patches/updates
  • @ctxt: “Nearly ideal: GitHub automatically generating pull request: still must check that licensing hasn’t changed
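Added example (mine, not from the talk and not the OWASP dependency-check tool): a minimal "dependency currency" gate in the spirit of @ctxt's point that out-of-date libraries are a code-quality defect and that unreported vulns make "update everything" more useful than "patch only what has a CVE". It parses a Maven `pom.xml` and flags any dependency that is behind a known-good version or falls inside an advisory's affected range. The pom, the `LATEST` catalog and the `ADVISORIES` list are all constructed placeholders; a real pipeline would feed the catalog from the versions plugin's update report or a registry query.

```python
# Added example (not from the talk, not the dependency-check tool): gate a build
# on declared Maven dependencies being current and outside advisory ranges.
# SAMPLE_POM, LATEST and ADVISORIES are constructed for illustration.
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

POM_NS = {"m": "http://maven.apache.org/POM/4.0.0"}

SAMPLE_POM = """<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <dependencies>
    <dependency>
      <groupId>com.example</groupId><artifactId>web-core</artifactId><version>1.4.2</version>
    </dependency>
    <dependency>
      <groupId>com.example</groupId><artifactId>json-mapper</artifactId><version>2.8.0</version>
    </dependency>
    <dependency>
      <groupId>com.example</groupId><artifactId>util</artifactId><version>3.0.1</version>
    </dependency>
  </dependencies>
</project>
"""

# Constructed "latest release" catalog keyed by groupId:artifactId.
LATEST: Dict[str, str] = {
    "com.example:web-core": "1.4.2",
    "com.example:json-mapper": "2.9.5",
    "com.example:util": "3.0.1",
}

# Constructed advisories: (coordinate, first affected version, first fixed version, id).
ADVISORIES: List[Tuple[str, str, str, str]] = [
    ("com.example:json-mapper", "2.0.0", "2.9.0", "ADVISORY-PLACEHOLDER-1"),
]


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '2.9.5' into (2, 9, 5). Non-numeric segments count as 0; Maven's
    real ComparableVersion ordering (qualifiers like RC1) is richer than this."""
    return tuple(int(p) if p.isdigit() else 0 for p in version.split("."))


def declared_dependencies(pom_xml: str) -> Dict[str, str]:
    """Return {groupId:artifactId: version} for every <dependency> with an
    explicit <version>. Versions managed via properties or dependencyManagement
    are not resolved here."""
    root = ET.fromstring(pom_xml)
    deps: Dict[str, str] = {}
    for dep in root.findall("m:dependencies/m:dependency", POM_NS):
        group = dep.findtext("m:groupId", namespaces=POM_NS)
        artifact = dep.findtext("m:artifactId", namespaces=POM_NS)
        version = dep.findtext("m:version", namespaces=POM_NS)
        if group and artifact and version:
            deps[f"{group.strip()}:{artifact.strip()}"] = version.strip()
    return deps


def evaluate(pom_xml: str) -> List[Tuple[str, str, str]]:
    """Findings as (coordinate, kind, detail); kind is 'outdated' or 'advisory'."""
    findings: List[Tuple[str, str, str]] = []
    for coord, version in declared_dependencies(pom_xml).items():
        current = parse_version(version)
        latest = LATEST.get(coord)
        if latest and current < parse_version(latest):
            findings.append((coord, "outdated", f"{version} -> {latest}"))
        for adv_coord, first_bad, first_fixed, adv_id in ADVISORIES:
            if adv_coord == coord and parse_version(first_bad) <= current < parse_version(first_fixed):
                findings.append((coord, "advisory", f"{adv_id} affects [{first_bad}, {first_fixed})"))
    return findings


def passes(pom_xml: str) -> bool:
    """Build gate: true only when nothing is outdated or inside an advisory range."""
    return not evaluate(pom_xml)


if __name__ == "__main__":
    for coord, kind, detail in evaluate(SAMPLE_POM):
        print(f"{kind:9} {coord}: {detail}")
    print("PASS" if passes(SAMPLE_POM) else "FAIL")
```

The gate fails on "outdated" as well as "advisory", which is the talk's point: a library that is merely behind is treated as a defect, not only one with a published CVE. Transitive dependencies are out of scope for this parser; the talk's recommendation there is to push fixes upstream so the whole tree moves.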

Up: Alex Smolen, “Identity and Access Management: Judgement Day”, Engr Manager, Clever @alsmola

  • @alsmola: “1st use of passwords: CTSS”
  • @ctxt: “2011-2016: we worked on the IAM stack at Twitter; president Obama guessable password; at Clever for 2 years
  • @alsmola: “5-7yo take a long time to type in password; now they use badges w/QR codes; we threat modeled, watched how they manage credentials
  • @alsmola: “distributed passwords by popsicle sticks
  • @alsmola: “3 tough IAM problems: authenticating people; least privilege for code; auditing access (cloud trail)
  • @alsmola: “Helping them manage private keys; Twitter: SMS and private key on phone (doesn’t exist: don’t build your system on assumption that millions of users can effectively manage a private key)
  • @alsmola: “IAM sudo; secrets in env vars or config files”
  • @alsmola: “AWS-vault: Store secrets IAM user”