Hacktivity 2013 : "The only thing that is constant is change"

60 engineers, 200 releases every month, 25 million Prezi users. How can a single "it sec guy" achieve results in such a changing environment? During an attack, information gathering and careful planning is always a key task and can form the basis of th

by Mihaly Zagon on 5 May 2014


Transcript of Hacktivity 2013 : "The only thing that is constant is change"

"The only thing that is constant is change" (Heraclitus)
Integrate, but how?
share ideas, knowledge
generic examples are boring
tech breakfast, brownbag talks
security 101 during bootcamp
goal: have security in devs mind
Automate whatever we can
code review (repoguard / phabricator)
basic XSS scanning (phantomscanner)
Torch in the darkness
we believe in monitoring & data visualization
EOF
some of these:
are environment specific
are "agile" specific
are very simple ideas
we will change / replace

but we believe that security and development can be friends :)
Security can be part of agile dev
agile dev
continuous integration
heterogeneous environment
devops mentality
"surprisingly" huge infra
infrastructure / architecture
heading to SOA with lots of microservices (>200 private repos)
we have ~400 instances at amazon
some more at other providers
Chef to automate infrastructure
Security?
+ monitoring
+ Chef
+ CI (we can fix quickly)
- CI (hard to follow)
Mihály Zágon
much easier to spot the important things
we love our monitoring
response codes, response time anomalies, increased error rates, ... ~ attack signs

continuous integration
goal: automate what we can, integrate security into dev
we don't want to block
"SecOps" ?
growing team
lots of ideas
Phantomscanner / concept
inspired by Etsy's attack-driven testing idea
Phabricator
"An early release of Facebook's development tools."
opensource
we use it for code review*
Herald can do the same as repoguard
Phantomscanner / why
+ good enough solution until there are full scans in Jenkins
+ test case in json - dev friendly
+ clean up plugins, csrf handling
Repoguard
lots of django projects
python / django security analyzer?
best effort: regex patterns on known issues
grab possible XSS attacks
resend the request
inject JS to the response & see if payload is triggered
define test case
send fuzzed requests
inject JS to the response & see if payload is triggered
- far from a 100% solution

- why write extra test cases
- solve the main issue, instead of reinventing the wheel
+ learning is always good
+ PhantomJS is powerful
+ we can use it later (auto-evaluate xss attacks?)
cronjob starts to run
(e.g. every 11 minutes)
(refresh repo list through github API)
&
git pull on every* repository
run through every new git commit & search for regex patterns
send notification mail if patterns matched
manual code review / pentest
searching for:
plain text secrets
django specific stuff
|safe / autoescape off
.raw( / query= / cursor.execute(
HttpResponse(simplejson
SHA1 / MD5 ...
os.system / subprocess.call ...
new endpoints (request.GET)

could be used for anything else...
patterns for known issue types
+ high false positive rate
notifications about wtf is happening
new ideas what to test
more issues
more patterns
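The repoguard loop described above (pull, walk the new commits, grep the added lines for the listed patterns, mail the hits for manual review), as an added Python example that is not Prezi's code; the rule names, the exact regexes and the sample commit are my own constructions:

```python
import re
# Regex rules of the kind the talk lists for repoguard; names and expressions are mine, not Prezi's.
PATTERNS = {
    "plaintext-secret": re.compile(r"(?i)\b(password|secret|api_key)\s*=\s*['\"][^'\"]+['\"]"),
    "django-autoescape-off": re.compile(r"\|\s*safe\b|{%\s*autoescape\s+off\s*%}"),
    "raw-sql": re.compile(r"\.raw\(|cursor\.execute\(|\bquery\s*="),
    "json-response": re.compile(r"HttpResponse\(\s*simplejson"),
    "weak-hash": re.compile(r"\b(sha1|md5)\b", re.IGNORECASE),
    "shell-exec": re.compile(r"os\.system\(|subprocess\.call\("),
    "new-endpoint": re.compile(r"request\.GET"),
}

def scan_diff(diff_text):
    """Scan only the added lines of a unified diff (e.g. `git show -p <rev>`); return (path, new_line, rule, text) per hit."""
    findings, path, line_no = [], None, 0
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):                # new-file header: remember the path
            path = raw[4:].split("\t")[0]
            path = path[2:] if path.startswith("b/") else path
        elif raw.startswith("--- ") or raw.startswith("\\"):
            continue                              # old-file header / "no newline" marker
        elif raw.startswith("@@"):                # hunk header: reset the new-file line counter
            m = re.search(r"\+(\d+)", raw)
            line_no = int(m.group(1)) if m else 1
        elif raw.startswith("+"):                 # added line: the only kind we flag
            text = raw[1:]
            for rule, pattern in PATTERNS.items():
                if pattern.search(text):
                    findings.append((path, line_no, rule, text.strip()))
            line_no += 1
        elif not raw.startswith("-"):             # context line: advances the counter, removed line does not
            line_no += 1
    return findings

def format_report(repo, findings):
    """Body of the notification mail: one line per hit, for a human to review (high false-positive rate expected)."""
    return "\n".join(f"{repo}:{p}:{n}: [{rule}] {text}" for p, n, rule, text in findings)

# Constructed sample commit: a Django view showing several of the smells listed above.
SAMPLE_DIFF = """\
diff --git a/app/views.py b/app/views.py
--- a/app/views.py
+++ b/app/views.py
@@ -10,1 +10,5 @@ def index(request):
     return render(request, "index.html")
+def search(request):
+    term = request.GET.get("q", "")
+    rows = Item.objects.raw("SELECT * FROM item WHERE name = '%s'" % term)
+    return HttpResponse(simplejson.dumps([r.name for r in rows]))
"""
```

`format_report("example-service", scan_diff(SAMPLE_DIFF))` gives the three-line mail body the cronjob would send; hooking it to `git pull` and `git rev-list` per repository is the part left to the scheduler.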
let's visualize security alerts
suricata vs. cloud
suricata is a great NIDS
nice ruleset, easy to extend
ec2 - no span port
running on app servers (not 100%)
centralized logging
smartrouter / concept
Content Security Policy
just started to implement it
visible in kibana
what JS can run on site
microservices: cool
"frontend": can't set it usefully
report-only mode (be careful)
how we improve?
OSSIM (vs cloud)
debian based SIEM "appliance"
AWS marketplace - buggy version
upgrade messed up the install
lots of open-source stuff wired together
we have mostly ubuntu cookbooks
suricata
OSSIM
OSSEC
elasticsearch
logstash
kibana
CSP
suricata
barnyard
rsyslog
OSSIM
users
smartrouter
backends
log server
log!
monitor!
track!
>4-5k req/sec
~SOA
elasticsearch + kibana
visualize!
real time monitoring
huge event / sec rate
building secure systems is hard
Challenge #1
logstash agent
log1
logstash "server"
elasticsearch cluster
not amazon
amazon
+stunnel
kibana
we
AUTH?
AUTH?
HTTPS?
>4-5k event / sec
Challenge #1.1
elasticsearch cluster
kibana
we
+apache (godauth)
+apache
(godauth)
req1, with prezi cookies
req2, XHR preflight request (OPTIONS)
OPTIONS never sends credentials
added withCredentials:true
auth will fail
Challenge #1.2
elasticsearch cluster
kibana
we
+apache (godauth)
+apache (godauth)
req1, with prezi cookies
req2, XHR preflight request (OPTIONS)
added withCredentials:true
+nginx
method!='OPTIONS'
localhost - elasticsearch
method=='OPTIONS'
answer preflight request
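The preflight problem from Challenges #1.1 and #1.2, modelled in Python as an added example (not Prezi's apache/nginx configuration): the Kibana origin, the cookie name and the session store are my assumptions, and `naive_gateway` reproduces the failing setup beside `gateway`, which does what the nginx split does.

```python
from http import HTTPStatus
from http.cookies import SimpleCookie

# Assumptions (mine, not Prezi's config): Kibana is served from ALLOWED_ORIGINS, the
# auth layer (godauth in the talk) keys on a cookie named "session", and VALID_SESSIONS
# stands in for its real session check.
ALLOWED_ORIGINS = {"https://kibana.example.internal"}
SESSION_COOKIE = "session"
VALID_SESSIONS = {"constructed-session-token"}

def has_valid_session(headers):
    """The part godauth does: is there a cookie for a live session?"""
    jar = SimpleCookie()
    jar.load(headers.get("cookie", ""))
    return SESSION_COOKIE in jar and jar[SESSION_COOKIE].value in VALID_SESSIONS

def cors_headers(origin):
    """CORS headers for a credentialed XHR: echo one concrete origin, never '*'."""
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
        "Access-Control-Allow-Methods": "GET, POST, OPTIONS",
        "Access-Control-Allow-Headers": "Content-Type",
        "Vary": "Origin",
    }

def naive_gateway(method, headers):
    """Challenge #1.1: auth in front of everything. The browser's OPTIONS preflight
    never carries cookies, so it gets 401 and the real request is never sent."""
    if not has_valid_session(headers):
        return HTTPStatus.UNAUTHORIZED, {}
    return HTTPStatus.OK, cors_headers(headers.get("origin", ""))

def gateway(method, headers):
    """Challenge #1.2: the nginx split. A preflight from an allowed origin is answered
    here without auth (it discloses nothing but CORS headers); everything else must
    pass the cookie check before it is proxied on to elasticsearch."""
    origin = headers.get("origin")
    if origin is not None and origin not in ALLOWED_ORIGINS:
        return HTTPStatus.FORBIDDEN, {}
    if method == "OPTIONS" and origin is not None:   # CORS preflight, cookieless by design
        return HTTPStatus.NO_CONTENT, cors_headers(origin)
    if not has_valid_session(headers):
        return HTTPStatus.UNAUTHORIZED, {}
    return HTTPStatus.OK, (cors_headers(origin) if origin else {})  # proxy to localhost:9200 here
```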
let's check it
suricata
"access log"
track log
~0.0033% outage
"sandbox"
hack as threat agent n
(find issues?)
"how could I detect this attack?"
improve monitoring, alerting
n=rand(10)
code review
https://prezi.com/bugbounty/
test & monitor & fix
security is yet another feature
commit - test - deploy - monitor
Prezi Security Bug Bounty Program
Oct 14 Monday evening (CET)
Etsy
Facebook
Twitter
mihaly.zagon@prezi.com
@woff_itsec