Security and “Modern” Software Deployment - OWASP Edition
'X' years in IT/Infosec
'X-5' years in security testing
Managing Consultant at NCC Group
curl -s http://mysite.com/install.sh | sudo sh
The Short Con
The Long Con
Rory's >2014 Rule of Security
"If I can think of a threat scenario
Someone else has already done it"
Modify a Library
Push a new version
People Download Your Code
Start an Open Source Library
Modify specific versions as needed to gain unauthorised access
Modify the lib to execute my code
Wait for library to be used?
Post-install hooks to the rescue!
Code Run At Install Time As Installing User
How is access Controlled?
(lack of) curation
Python - PyPI - Static username/password (can be stored in .pypirc)
Ruby - Rubygems - Static username/password (API key stored in .gem/credentials)
PHP - packagist - Static username/password (auto-updates from repository)
.NET - NuGet - Static username/password or API Key.
You get the picture
Or Start a package Repository!
How Big a Problem is this REALLY?
(Lack of) Digital Signing
NPM - No Digital Signing Available
Rubygems - Signing available but not widely used
PyPI - Signing available but not widely used
You get the picture
Audit All The Code!
The Update Framework
Better Repo Security
Operational Security Improvements
twitter : @raesene
mail : firstname.lastname@example.org
Get the code
Image credit - Moyan Brenn - https://flic.kr/p/dB7F8e
Image credit - Karunakar Rayker - https://flic.kr/p/4ed3D9
An Aside - Docker
Tower of Trust
"How is this any worse than other installation methods we could use?"
An Aside - Choosing a target
Dependencies are installed too!
So choose something with a lot of dependent libraries
Understand your trust model
Consider restricting your use of repositories
If this is important to you - Contribute!
Contributor at Security.Stackexchange
Docker Content Trust
Implementation of The Update Framework
Takes the repository out of the trust equation
Interesting to see how take-up goes...
Real World - Trusted Repositories