"Certified" apps, are they really secure? Break them or fix them, your choice!

joseluisquinones, 28 slides, Nov 01, 2015

About This Presentation

In today's world of regulations and compliance, IT has to manage and carry the burden of compliance. Most vendors claim their applications are secure and are "whatever regulation" certified. Learn what tools we have available to achieve real security in an operational scenario with ...


Slide Content

“Certified” apps: Are they really secure? Jose L. Quiñones, BS MCSA, RHCSA, CEH, CPEH, CM2I, GCIH, GPEN

About me
UPR School of Medicine – IT Director
Technical Instructor – CompTIA, Micro$oft, EC-Council, Mile2
Obsidis Consortia, Inc. – President
Security BSides Puerto Rico – Organizer
Init6 InfoSecurity User Group – Founder & Mentor

What is OC, Inc.? Obsidis Consortia, Inc. [OC, Inc.] is a non-profit organization that promotes security awareness in the community and supports the professional development of security professionals, students and enthusiasts in Puerto Rico. OC, Inc. has developed and supports initiatives like the Init6 Security User Group, Professional Training & Workshops, Network and Security Systems Simulation Scenarios, the Community Outreach Program and the Security BSides Puerto Rico Conference.

Security BSides Puerto Rico, October 6th, 2016, PR Convention Center, San Juan, PR. http://bsidespr.org/2016/ #BsidesPR @bsidespr

Disclaimer: I am NOT a developer, I only dabble in scripting and my point of view is biased toward IT operations. I am NOT an auditor, nor do I care much about compliance for the sake of it. I am NOT an expert in regulations but, like many, I have no choice in the matter. I DO care about information security, privacy and making systems secure. My experience with IT is mainly in the Healthcare, Education and SMB industries. I am not an “expert” nor pretend to be one. This presentation is based on my own personal experience with developers, deployments and the implementation of such systems. #nightmares

Dataloss http://breachlevelindex.com/

These are not the hackers you are looking for!

Today’s price is the Data

What’s the surface area of an application?
Client (FrontEnd): UX/UI, Web, Mobile, OS binaries
Application/Business Logic: DB Engine, API Calls, Tasks
Data/Infrastructure: Caching, DB, File System

Application Vulnerabilities: they affect home-brew, customized and packaged applications all the same. Vulnerabilities are usually the result of poor coding, QA, deployment and administration. All apps are NOT created equal: each application provides its own unique methods to attack it.

Common Errors
Buffer overflows
Weak authentication and/or crypto
Poor data validation
Written errors or poor error checking
Bad configurations

What can go wrong?

File Permissions: many (poorly written) applications will break ACL inheritance when saving files. On NTFS, Modify contains every right that Full Control does, except for Change Permissions and Take Ownership, so a Modify grant is enough to rewrite or delete the application's files. Granting excessive permissions gives ordinary users access they should never have.
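A practical check for the point above, written as an added example for this page rather than taken from the slides: walk an application's folder tree and report every object whose DACL inheritance was broken and which explicitly grants Modify (or Full Control, which includes Modify) to a broad group. The root path and the list of broad principals are assumptions; change them for the deployment under review.

```powershell
# Added example, not from the slide deck. Requires Windows PowerShell 5.1 or PowerShell 7
# on Windows (Get-Acl against NTFS). $Root is an assumed path; adjust to your deployment.
$Root = 'C:\Apps\ExampleApp'
$BroadPrincipals = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users')

function Get-RiskyAcl {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string[]]$Principals
    )

    # Modify = everything Full Control has except ChangePermissions and TakeOwnership,
    # so any mask that contains all of Modify's bits can rewrite or delete the files.
    $modify = [int][System.Security.AccessControl.FileSystemRights]::Modify

    Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue | ForEach-Object {
        $item = $_
        $acl  = Get-Acl -LiteralPath $item.FullName -ErrorAction SilentlyContinue
        if (-not $acl) { return }

        # True when the object carries its own DACL instead of inheriting the parent's
        $protected = $acl.AreAccessRulesProtected

        foreach ($ace in $acl.Access) {
            # Inherited ACEs come from the parent folder; only explicit Allow entries
            # were written by the application or its installer.
            if ($ace.IsInherited -or $ace.AccessControlType -ne 'Allow') { continue }

            $mask = [int]$ace.FileSystemRights
            $grantsModify = ($mask -band $modify) -eq $modify

            if ($grantsModify -and ($Principals -contains $ace.IdentityReference.Value)) {
                [pscustomobject]@{
                    Path              = $item.FullName
                    Principal         = $ace.IdentityReference.Value
                    Rights            = $ace.FileSystemRights
                    InheritanceBroken = $protected
                }
            }
        }
    }
}

Get-RiskyAcl -Path $Root -Principals $BroadPrincipals | Format-Table -AutoSize
```

Objects that come back with InheritanceBroken = True and a broad principal are the ones the installer or the application "fixed" for itself. Remediation is the reverse operation: re-enable inheritance with `$acl.SetAccessRuleProtection($false, $false)` followed by `Set-Acl`, then re-add only the narrow grant the service account actually needs, and re-run the check after the next application update, because the same code path will usually break inheritance again.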

Network Access. Case: Dr. Alice & Patient Bob. No special hardware was used, only a stock iPhone. No special tools were used, only App Store applications. Because of a bad access configuration, Bob had direct access to Alice’s DB files.

Temp Files: temp files from editing, configuration and installation tools can leave interesting information behind. Even if deleted, these files can be recovered.

Config Files

Powershell

PII/PHI exposed !

Password hashes exposed!

Encryption

GPU cryptanalysis

What about web/ mobile Apps? https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project

What can we do?
Enforce a strong password policy
Use strong encryption with up-to-date encryption standards
Use strong, salted hashing algorithms
Secure messaging (encrypt & tunnel)
Secure data at rest (whole-disk encryption, file encryption and obfuscation)
Stored procedures and parameterized queries for DB access
Input validation; use fuzzers and automatic code review tools
Use restrictions, triggers and alerts on your DB
Enable audit trails and log everything (success / failure)
Use monitoring tools (Sysmon, Regmon, Windows ADK, ZAP) to learn how the application works
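The "Password hashes exposed!" and "GPU cryptanalysis" slides are why the third item above matters: an unsalted, single-round hash of a password list is cracked on commodity GPUs in minutes. The following is an added example for this page (not code from the slides) of what "strong, salted hashing" looks like in PowerShell using only .NET classes: PBKDF2-HMAC-SHA256 with a random per-user salt and a high iteration count, a self-describing stored format, and a fixed-time comparison on verification. The iteration count, salt and hash sizes are assumed starting values.

```powershell
# Added example, not from the slide deck. Works in Windows PowerShell 5.1 (.NET 4.7.2+)
# and PowerShell 7. Stored format: "<iterations>$<base64 salt>$<base64 hash>".

function New-PasswordHash {
    param(
        [Parameter(Mandatory)][string]$Password,
        [int]$Iterations = 600000,   # assumed starting value; raise it as hardware allows
        [int]$SaltBytes  = 16,
        [int]$HashBytes  = 32
    )

    # Unique random salt per password so identical passwords never share a hash
    # and precomputed (rainbow) tables are useless.
    $salt = New-Object byte[] $SaltBytes
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($salt)

    $pbkdf2 = [System.Security.Cryptography.Rfc2898DeriveBytes]::new(
        $Password, $salt, $Iterations, [System.Security.Cryptography.HashAlgorithmName]::SHA256)
    try     { $hash = $pbkdf2.GetBytes($HashBytes) }
    finally { $pbkdf2.Dispose() }

    # Iteration count travels with the record, so it can be raised later without
    # breaking verification of older hashes.
    @($Iterations, [Convert]::ToBase64String($salt), [Convert]::ToBase64String($hash)) -join '$'
}

function Test-PasswordHash {
    param(
        [Parameter(Mandatory)][string]$Password,
        [Parameter(Mandatory)][string]$Stored
    )

    $iterations, $saltB64, $hashB64 = $Stored -split '\$', 3
    $salt     = [Convert]::FromBase64String($saltB64)
    $expected = [Convert]::FromBase64String($hashB64)

    $pbkdf2 = [System.Security.Cryptography.Rfc2898DeriveBytes]::new(
        $Password, $salt, [int]$iterations, [System.Security.Cryptography.HashAlgorithmName]::SHA256)
    try     { $actual = $pbkdf2.GetBytes($expected.Length) }
    finally { $pbkdf2.Dispose() }

    # Fixed-time comparison: OR together the XOR of every byte instead of returning
    # on the first mismatch, so timing does not leak how much of the hash matched.
    if ($actual.Length -ne $expected.Length) { return $false }
    $diff = 0
    for ($i = 0; $i -lt $actual.Length; $i++) {
        $diff = $diff -bor ($actual[$i] -bxor $expected[$i])
    }
    return ($diff -eq 0)
}

# Usage: store the string New-PasswordHash returns; never store the password itself.
$stored = New-PasswordHash -Password 'correct horse battery staple'
Test-PasswordHash -Password 'correct horse battery staple' -Stored $stored
Test-PasswordHash -Password 'Password1' -Stored $stored
```

The work factor is the whole point against the GPU slide: each guess costs the attacker the same 600,000 HMAC rounds it costs the server, and because the salt is per record, the attacker cannot amortize that cost across the dump. If the platform offers a memory-hard function (bcrypt, scrypt or Argon2), prefer it; PBKDF2 is shown here because it needs nothing beyond the .NET base library.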

What else? DevOps! Integrate IT operations into the development cycle.

THE PHOENIX PROJECT: A NOVEL ABOUT IT, DEVOPS, AND HELPING YOUR BUSINESS WIN http://itrevolution.com/books/phoenix-project-devops-book/

Thanks! https://codefidelio.org [email protected] @josequinones