What Not to Document and Why_ (North Bay Python 2024)
MargaretFero
44 views
28 slides
Jun 30, 2024
Slide 1 of 28
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
About This Presentation
We’re hopefully all on board with writing documentation for our projects. However, especially with the rise of supply-chain attacks, there are some aspects of our projects that we really shouldn’t document, and should instead remediate as vulnerabilities. If we do document these aspects of a pro...
Slide Content
What Not to Document and Why?
Don’t Help Hackers by Highlighting Risks
Margaret Fero
@MaggieFero(@hachyderm.io)
For North Bay Python 2024
Don’t Help Hackers by Highlighting Risks
Margaret Fero
@MaggieFero(@hachyderm.io)
For North Bay Python 2024
Overview
Case Study: The 0Day Docs Caused
Overview of Some Common Vulnerabilities in Docs
What to Watch Out For
What if it’s in somebody else’s docs?
Review
Case Study: The 0Day Docs Caused
Overview of Some Common Vulnerabilities in Docs
What to Watch Out For
What if it’s in somebody else’s docs?
Review
Case Study
The 0day Docs Caused
The 0day Docs Caused
Quick Terminology Overview
A person trying to
use your system to
cause harm, real
or simulated
Attacker Vulnerability
A way that an
attacker could
cause harm
0day /
Zero Day
A vulnerability
publicized or
exploited without
prior warning to
the development
team, named for
the 0 days of
advance notice
A person trying to
use your system to
cause harm, real
or simulated
Attacker Vulnerability
A way that an
attacker could
cause harm
0day /
Zero Day
A vulnerability
publicized or
exploited without
prior warning to
the development
team, named for
the 0 days of
advance notice
In late 2019, a
Security Researcher
Got Stuck
●SwiftOnSecurity got
stuck
●They read the docs!
●Very normal, good
job adhering to best
practices
https://twitter.com/SwiftOnSecurity/status/1202034106495832067
Security Researcher
Got Stuck
●SwiftOnSecurity got
stuck
●They read the docs!
●Very normal, good
job adhering to best
practices
https://twitter.com/SwiftOnSecurity/status/1202034106495832067
Within an hour...
Another researcher
responded!
Another researcher
responded!
This ended up CVE-2019-15006.
Oops.
Oops.
CVE-2019-15006
●Affected: Everyone who used the Confluence Previews plugin in
Confluence Server or Confluence Data Center
●Potential Impact: An attacker could see files that were edited, edit files, and
possibly access user information
●Time to patch this before public disclosure: 0 days
●Affected: Everyone who used the Confluence Previews plugin in
Confluence Server or Confluence Data Center
●Potential Impact: An attacker could see files that were edited, edit files, and
possibly access user information
●Time to patch this before public disclosure: 0 days
What went wrong here?
●Almost no security issue has one single root cause
●Software
●Documentation
●Researchers
●Almost no security issue has one single root cause
●Software
●Documentation
●Researchers
Common Vulnerabilities in Docs
Authentication, Authorization, and Disclosure! Oh my!
Authentication, Authorization, and Disclosure! Oh my!
URLs Used in Authorization
Users Get
●A URL to Allowlist
●A better understanding
of how you handle
Authorization
Attackers Get
●A high-value target
point
Users Get
●A URL to Allowlist
●A better understanding
of how you handle
Authorization
Attackers Get
●A high-value target
point
Common Examples
●Secret Admin Console
●Alternate versions of pages
Example: old.reddit.com
●Unpublished pages (like testing or dev)
●Secret Admin Console
●Alternate versions of pages
Example: old.reddit.com
●Unpublished pages (like testing or dev)
Default Passwords/Keys
Users Get
●The key they need to
set up, and change it if
desired
Attackers Get
●The key that
almost-every user is
definitely still using
Users Get
●The key they need to
set up, and change it if
desired
Attackers Get
●The key that
almost-every user is
definitely still using
Common Examples
●IoT devices, especially cameras and networked printers
●Routers and other equipment
●SaaS products given as employee benefits
●IoT devices, especially cameras and networked printers
●Routers and other equipment
●SaaS products given as employee benefits
Password Requirements
Users Get
●A clear outline of what
criteria your password
must meet
Attackers Get
●Exact regex criteria for
faster, easier
bruteforcing and other
password attacks
●A way to reduce the
solution space
●Often, information
about your tech stack
Users Get
●A clear outline of what
criteria your password
must meet
Attackers Get
●Exact regex criteria for
faster, easier
bruteforcing and other
password attacks
●A way to reduce the
solution space
●Often, information
about your tech stack
Common Examples
Any Setting You Don’t Recommend
Users Get
●Curious about what it
does
●A desire to try it out
and see if it’s really as
bad as you made it
sound
Attackers Get
●A strong hint that you
can get unexpected
behavior by playing
with this now-shiny
new toy
Users Get
●Curious about what it
does
●A desire to try it out
and see if it’s really as
bad as you made it
sound
Attackers Get
●A strong hint that you
can get unexpected
behavior by playing
with this now-shiny
new toy
Common Examples
●Configurable page limits over a certain value
●Anything that “may cause a crash”
●Anything you’re thinking about putting a security warning on
●Configurable page limits over a certain value
●Anything that “may cause a crash”
●Anything you’re thinking about putting a security warning on
How Will I Know?
Signs and signals that you might have a problem
Signs and signals that you might have a problem
“Not Recommended”
Insider Information
Concepts You Don’t Fully
Understand
Understand
What if it’s in somebody else’s docs?
You can still try to help!
You can still try to help!
security.md
Information about how
the repository owner
would like to receive
security reports
Information about how
the repository owner
would like to receive
security reports
●Try not to exaggerate or downplay the severity
●Mention who’s affected
●Be polite and kind
●Include any information you have about the fix; if it’s easy, providing a patch
in the email upfront is often very much appreciated
How To Approach That Email
●Mention who’s affected
●Be polite and kind
●Include any information you have about the fix; if it’s easy, providing a patch
in the email upfront is often very much appreciated
How To Approach That Email
In Conclusion
Here’s a review of what we covered!
Here’s a review of what we covered!
When In Doubt, Call It Out
●Some things that turn up in your docs are signs of a security vulnerability
●If something feels fishy in a document, ask a teammate, the maintainer, or if
you’re a solo maintainer, a trusted peer
●Security is always a team effort
●Note that none of these vulnerabilities are fixed by just not documenting!
●Some things that turn up in your docs are signs of a security vulnerability
●If something feels fishy in a document, ask a teammate, the maintainer, or if
you’re a solo maintainer, a trusted peer
●Security is always a team effort
●Note that none of these vulnerabilities are fixed by just not documenting!
Thank you!
https://linktr.ee/MaggieFero
https://linktr.ee/MaggieFero
Download
Download Slideshow Get the original presentation fileQuick Actions
Statistics
- Views 44
- Slides 28
- Age 521 days
Related Slideshows
11
8-top-ai-courses-for-customer-support-representatives-in-2025.pptx
JeroenErne2
46 views
10
7-essential-ai-courses-for-call-center-supervisors-in-2025.pptx
JeroenErne2
46 views
13
25-essential-ai-courses-for-user-support-specialists-in-2025.pptx
JeroenErne2
37 views
11
8-essential-ai-courses-for-insurance-customer-service-representatives-in-2025.pptx
JeroenErne2
34 views
21
Know for Certain
DaveSinNM
21 views
17
PPT OPD LES 3ertt4t4tqqqe23e3e3rq2qq232.pptx
novasedanayoga46
26 views