Tuesday, October 13, 2015

#jnuc - Software Security and Vulnerability

#jnuc - Software Security and Vulnerability

Why I chose this:
I am always looking for different perspectives of support and this one stuck out as something I really don't often take into consideration. I'm hoping to learn a thing or two.


What we covered:

Testing

  • Understand App
    • Traffic interception
    • Source code review
  • Send unexpected input
    • manual or automated
    • unusual or unexpected actions
  • Look for unusual results
Authentication/Authorization
  • Authentication identifies a user
  • Authorization grants permissions
Injection Flaws
  • User input generally not trustable
  • Injected in HTML
  • Inject in SQL
  • Others
Cryptographic flaws
  • randomization
  • keys
  • identifying servers/clients
  • don't do it yourself
Dependency Flaws
  • Open source
  • 3rd party components
  • Different dev styles
  • Different release cycles/security fixes
  • Different validations
Overview of Select Findings
  • Script download privilege escalation - script executed as root, could execute script, lock it, and run new script. Was fixed by changing location/permissions.
  • Insufficient Authorization Controls - JSS was able to execute as incorrect user privs
  • XML external entity vulnerability - could read file(password) and pass as plain text, cause DOS, etc. Fixed by changing XML parsing to prevent DTDs
  • DES-ECB mode for password - flaw = DES small key size, ECB is weak cipher, Prone to attacks. Fix = select stronger algorithm; more sophisticated cipher mode (AES-CBC); migrate old passwords to new scheme
Out of date software
  • System dependencies that have known, patched issues that you have not updated. Fix = sub to 3rd party release notices; incorporate dep updates
Secure Config Recommendations
  • Message verification = enable message signing using host key/cert
  • Software Install = various protocols could be used. fix = use securable protocols https/smb3
  • Filevault recovery key handling = filevault 2 keys can be intercepted. fix = use institutional recovery key instead of individual key
Q&A

No comments:

Post a Comment