Security and “Modern” Software Deployment - OWASP Edition


Rory McCune

on 29 November 2015


Transcript of Security and “Modern” Software Deployment - OWASP Edition

Security and “Modern” Software Development
About Me
'X' years in IT/Infosec
'X-5' years in security testing
Managing Consultant at NCC Group

curl -s http://mysite.com/install.sh |sudo sh
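The safer counterpart to the `curl ... | sudo sh` pattern on this slide is to stage the script, check it against a digest recorded when it was reviewed, and only then let anyone run it. This is an added illustration, not code from the talk; the `fetch` callable, the `mysite.com` URL and the two sample scripts are constructed stand-ins so it runs offline.

```python
"""Staged alternative to piping a downloaded installer straight into a shell:
fetch to a private file, verify a pinned SHA-256, then hand back the path.
Added example; the fetch callable, URL and sample scripts are assumptions."""
import hashlib
import hmac
import os
import tempfile
from typing import Callable, Optional


class DigestMismatch(Exception):
    """Raised when the fetched script does not match the pinned digest."""


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def fetch_and_verify(fetch: Callable[[str], bytes], url: str, expected_sha256: str,
                     dest_dir: Optional[str] = None) -> str:
    """Download `url` via `fetch`, verify its digest, and write it to an owner-only file.

    Returns the path of the verified script. Nothing is executed here: the point is
    that the check happens before a shell ever sees the bytes.
    """
    data = fetch(url)
    actual = sha256_hex(data)
    # constant-time comparison, so the check does not leak how much of the digest matched
    if not hmac.compare_digest(actual, expected_sha256.lower()):
        raise DigestMismatch(f"{url}: expected {expected_sha256}, got {actual}")
    fd, path = tempfile.mkstemp(prefix="install-", suffix=".sh", dir=dest_dir)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    os.chmod(path, 0o700)  # owner-only; mkstemp already created it with a private mode
    return path


def is_verified(fetch: Callable[[str], bytes], url: str, expected_sha256: str) -> bool:
    """Boolean wrapper: True if the fetched content matches the pinned digest."""
    try:
        fetch_and_verify(fetch, url, expected_sha256)
        return True
    except DigestMismatch:
        return False


# Constructed samples: the installer as reviewed, and a copy with an extra line appended.
REVIEWED_SCRIPT = b"#!/bin/sh\necho 'installing mysite tool'\n"
TAMPERED_SCRIPT = REVIEWED_SCRIPT + b"echo 'one more line nobody reviewed'\n"
PINNED_SHA256 = sha256_hex(REVIEWED_SCRIPT)  # what you record after reviewing the script


def fake_fetch(payload: bytes) -> Callable[[str], bytes]:
    """Offline stand-in for an HTTP client (assumption), so the example needs no network."""
    return lambda _url: payload


if __name__ == "__main__":
    url = "http://mysite.com/install.sh"
    print("verified copy at:", fetch_and_verify(fake_fetch(REVIEWED_SCRIPT), url, PINNED_SHA256))
    print("tampered copy accepted?", is_verified(fake_fetch(TAMPERED_SCRIPT), url, PINNED_SHA256))
```

The digest only helps if it was recorded out of band from the download (from a reviewed copy, a signed release note, or a package lock), which is the same gap the later slides on digital signatures and The Update Framework address.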
The Attacks
The Short Con
The Long Con
Rory's >2014 Rule of Security
"If I can think of a threat scenario
Someone else has already done it"
Modify a Library
Push a new version
People Download Your Code
Fixing This
Start an Open Source Library
Modify specific versions as needed to gain unauthorised access
Fixing This????
Modify the lib to execute my code
Wait for library to be used?
Post-install hooks to the rescue!
Code Run At Install Time As Installing User
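Because these hooks run with the installing user's privileges, a defender's first question about a dependency is "does anything run at install time at all?". The scanner below is an added example, not from the talk: it pulls install-time hooks out of an npm `package.json`, a setuptools `setup.py` and a RubyGems gemspec. The hook names and file conventions come from each ecosystem's packaging documentation; the three sample manifests are constructed.

```python
"""Flag code that runs at package install time. Added example, not from the talk;
the sample manifests below are constructed."""
import json
import re
from typing import Dict, List

# npm lifecycle scripts that run during `npm install`.
NPM_INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare", "prepublish")


def npm_install_hooks(package_json: str) -> Dict[str, str]:
    """Return the install-time lifecycle scripts declared in a package.json string."""
    scripts = json.loads(package_json).get("scripts") or {}
    return {k: v for k, v in scripts.items() if k in NPM_INSTALL_HOOKS}


# setuptools lets setup.py replace standard commands with custom classes via cmdclass;
# an overridden `install` or `develop` is the usual way arbitrary Python runs under pip.
_CMDCLASS_RE = re.compile(r"cmdclass\s*=\s*\{([^}]*)\}", re.S)
_OVERRIDDEN_RE = re.compile(r"['\"](install|develop|egg_info|build_py|bdist_wheel)['\"]")


def setup_py_overrides(setup_py: str) -> List[str]:
    """Return the setuptools commands a setup.py overrides through cmdclass."""
    m = _CMDCLASS_RE.search(setup_py)
    if not m:
        return []
    return sorted(set(_OVERRIDDEN_RE.findall(m.group(1))))


# RubyGems runs declared extension build scripts (extconf.rb) when the gem is installed.
_EXT_RE = re.compile(r"\.extensions\s*(?:=|<<)\s*(\[.*?\]|['\"][^'\"]+['\"])", re.S)


def gemspec_extensions(gemspec: str) -> List[str]:
    """Return the extension build scripts a gemspec declares."""
    m = _EXT_RE.search(gemspec)
    if not m:
        return []
    return re.findall(r"['\"]([^'\"]+)['\"]", m.group(1))


def findings(package_json: str = "", setup_py: str = "", gemspec: str = "") -> List[str]:
    """Human-readable summary of everything that would run at install time."""
    out = []
    if package_json:
        for hook, cmd in npm_install_hooks(package_json).items():
            out.append(f"npm {hook}: {cmd}")
    if setup_py:
        for cmd in setup_py_overrides(setup_py):
            out.append(f"setup.py overrides '{cmd}' command")
    if gemspec:
        for ext in gemspec_extensions(gemspec):
            out.append(f"gem extension build: {ext}")
    return out


# Constructed sample manifests (not real packages).
SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "example-lib", "version": "1.2.3",
    "scripts": {"test": "mocha", "postinstall": "node scripts/setup.js"},
})
SAMPLE_SETUP_PY = '''
from setuptools import setup
from setuptools.command.install import install

class CustomInstall(install):
    def run(self):
        install.run(self)

setup(name="example-lib", version="1.2.3", cmdclass={"install": CustomInstall})
'''
SAMPLE_GEMSPEC = '''
Gem::Specification.new do |s|
  s.name = "example-lib"
  s.extensions = ["ext/example/extconf.rb"]
end
'''

if __name__ == "__main__":
    for line in findings(SAMPLE_PACKAGE_JSON, SAMPLE_SETUP_PY, SAMPLE_GEMSPEC):
        print(line)
```

Two real mitigations pair with this: `npm install --ignore-scripts` skips the lifecycle hooks entirely, and installing Python packages from wheels only (`pip install --only-binary=:all:`) avoids executing `setup.py` on the installing machine.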
How is access Controlled?
(lack of) curation
Python - PyPI - Static username/password (can be stored in .pypirc)
Ruby - Rubygems - Static username/password (API key stored in .gem/credentials)
JavaScript - npm - Static username/password (stored in .npmrc, base64 encoded)
PHP - packagist - Static username/password (auto-updates from repository)
.NET - NuGet - Static username/password or API Key.
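Since every repository on this list accepts a long-lived credential kept in a dotfile, the practical control on the developer's side is to make sure those files are only readable by their owner. The audit below is an added example, not from the talk; it covers the three paths the slides name (`.pypirc`, `.gem/credentials`, `.npmrc`) and builds a throwaway home directory with constructed contents so it runs without touching real credentials.

```python
"""Audit package-manager credential files for group/other access. Added example,
not from the talk; the demo home directory and its contents are constructed."""
import os
import stat
import tempfile
from typing import List, Tuple

# Paths named on the slide, relative to the user's home directory.
CREDENTIAL_FILES = (".pypirc", os.path.join(".gem", "credentials"), ".npmrc")


def loose_credential_files(home: str) -> List[Tuple[str, str]]:
    """Return (path, octal mode) for credential files readable or writable by group/other."""
    found = []
    for rel in CREDENTIAL_FILES:
        path = os.path.join(home, rel)
        try:
            st = os.stat(path)
        except FileNotFoundError:
            continue
        mode = stat.S_IMODE(st.st_mode)
        if mode & (stat.S_IRWXG | stat.S_IRWXO):
            found.append((path, oct(mode)))
    return found


def harden(home: str) -> int:
    """chmod 600 every credential file that exists and is not already 600; returns count changed."""
    changed = 0
    for rel in CREDENTIAL_FILES:
        path = os.path.join(home, rel)
        if not os.path.exists(path):
            continue
        if stat.S_IMODE(os.stat(path).st_mode) != 0o600:
            os.chmod(path, 0o600)
            changed += 1
    return changed


def make_demo_home() -> str:
    """Constructed home directory: one world-readable .pypirc, two correctly locked files."""
    home = tempfile.mkdtemp(prefix="demo-home-")
    os.makedirs(os.path.join(home, ".gem"))
    samples = {
        ".pypirc": ("[pypi]\nusername = demo\npassword = not-a-real-secret\n", 0o644),
        os.path.join(".gem", "credentials"): ("---\n:rubygems_api_key: not-a-real-key\n", 0o600),
        ".npmrc": ("_auth=ZGVtbzpub3QtYS1yZWFsLXNlY3JldA==\n", 0o600),  # base64 of demo:not-a-real-secret
    }
    for rel, (text, mode) in samples.items():
        path = os.path.join(home, rel)
        with open(path, "w") as fh:
            fh.write(text)
        os.chmod(path, mode)
    return home


if __name__ == "__main__":
    home = make_demo_home()
    print("loose before:", loose_credential_files(home))
    print("files hardened:", harden(home))
    print("loose after:", loose_credential_files(home))
```

Note that the `.npmrc` sample is base64 rather than encrypted, exactly as the slide says: anyone who can read the file can recover the credential, so file permissions are the whole control, and rotating the token beats relying on encoding.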
You get the picture
Or Start a package Repository!
How Big a Problem is this REALLY?
(Lack of) Digital Signing
NPM - No Digital Signing Available
Rubygems - Signing available but not widely used
PyPI - Signing available but not widely used
You get the picture
Audit All The Code!
Trusted Repository
The Update Framework
Better Repo Security
Digital Signatures
Operational Security Improvements
twitter : @raesene
mail : rory.mccune@nccgroup.trust
Get the code
Image credit - Moyan Brenn - https://flic.kr/p/dB7F8e
Image credit - Karunakar Rayker - https://flic.kr/p/4ed3D9
An Aside - Docker
Tower of Trust
Application Developer
Dependency Developer
Repository Provider
Cloud Providers
DNS Providers
Infrastructure Providers
"How is this any worse than other installation methods we could use?"
An Aside - Choosing a target
Dependencies are installed too!

So choose something with a lot of dependent libraries
Understand your trust model
Consider restricting your use of repositories
If this is important to you - Contribute!
Contributor at Security.Stackexchange
Docker Content Trust
Implementation of The Update Framework
Takes the repository out of the trust equation
Interesting to see how take-up goes...
Real World - Trusted Repositories