Think Like a Hacker @Brunty

@Brunty: Developer, Mentor & mentee, Tinkerer

Who are hackers?

- Black hat: hacker doing evil
- White hat: hacker doing good
- Grey hat: hacker hacking
- Top hat: hacker doing fancy stuff
(@beerbikesbacon, https://twitter.com/beerbikesbacon/status/1186783818272952327)

Clever, creative, curious

Why do they do it?

- Financial gain
- Reputation
- Corporate reasons
- Ideological reasons
- Stumbled upon something

What makes you a target?

- Popularity
- Politics & perspective
- People
- Pot-luck

What can you do to start reducing risk?

No magic solution

Embed security considerations into the whole project workflow

Clinton Ingrams (https://twitter.com/cfing99): “No-one has the time or money for securing their systems until it’s too late”

It is every developer’s responsibility

The people problem

https://xkcd.com/538/

Principle of least privilege

Limit who has access to what

Do all your devs really need 24/7 access to your production DB?

David McKay (https://twitter.com/rawkode/status/1182213985661308928): “No developer should ever have a permanent login, or access to any credentials”

David McKay (https://twitter.com/rawkode/status/1182213789686620160): “That’s not to say that a ‘Break Glass’ button in the admin interface can’t generate a prod database login that’s valid for an hour; but it needs to log who requested it and take a reason; and notify Slack, et al.”

Where is your data stored?

https://www.bankinfosecurity.com/mongodb-database-exposed-188-million-records-researchers-a-12769

Who are the third parties you trust with your data?

Who are the third parties you trust with your customer data?

You

Shodan: https://www.shodan.io

You can’t lose what you don’t have

Encrypt data in transit and at rest

HTTPS all the things

Check your repos for secrets

zricethezav/gitleaks: https://github.com/zricethezav/gitleaks

Check your public sites for secrets

Google dork queries

Curiosity: “what if…”

Don’t trust user input

“I’d like to be removed from the mailing list please”

Use prepared statements: https://en.wikipedia.org/wiki/Prepared_statement

Don’t trust data: https://news.ycombinator.com/item?id=8336025

Don’t just validate client-side

Observe 👀: Client → Payload → Back-end → Validation

Broken access control

Do you trust this?

123457? https://en.wikipedia.org/wiki/Attribute-based_access_control

Don’t trust users’ input

Broken authentication: https://www.troyhunt.com/controlling-vehicle-features-of-nissan/

Hash passwords properly

Don’t re-use passwords: https://blog.lastpass.com/2018/05/psychology-of-passwords-neglect-is-helping-hackers-win.html/

haveibeenpwned.com (@TroyHunt)

Don’t allow your users to re-use passwords

5f4dcc3b5aa765d61d8327deb882cf99 (unsalted MD5) → password

Pwned Passwords API: https://www.troyhunt.com/pwned-passwords-version-5/
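An added example, not from the talk, tying together the MD5 slide, “Hash passwords properly” and the Pwned Passwords API: it shows that the slide’s digest is just unsalted MD5 of “password”, stores a password with a salted slow KDF instead, and performs the API’s k-anonymity lookup (only a 5-character SHA-1 prefix leaves the host) against a constructed range response. The sample range body, its counts, the `offline_fetch` stand-in and the scrypt parameters are assumptions; the range endpoint URL is the real one.

```python
import hashlib
import hmac
import os

# The hash on the slide: unsalted MD5 of the literal string "password".
SLIDE_MD5 = "5f4dcc3b5aa765d61d8327deb882cf99"

# Constructed stand-in for the body the Pwned Passwords range API returns for
# SHA-1 prefix "5BAA6" (real responses hold hundreds of SUFFIX:COUNT lines).
SAMPLE_RANGE_5BAA6 = """\
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
1E4C9B93F3F0682250B6CF8331B7EE68FD9:2
FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF:1
"""

def unsalted_md5(password: str) -> str:
    """'Hashing' as on the slide: fast and unsalted, so a lookup table
    turns the digest straight back into the password."""
    return hashlib.md5(password.encode()).hexdigest()

def hash_password(password: str, salt: bytes = b"") -> str:
    """Per-user random salt plus a deliberately slow KDF (stdlib scrypt).
    Stored as scrypt$<salt hex>$<digest hex>; parameters are illustrative."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1)
    return f"scrypt${salt.hex()}${digest.hex()}"

def verify_password(password: str, stored: str) -> bool:
    _, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                            n=2**14, r=8, p=1)
    return hmac.compare_digest(digest.hex(), digest_hex)  # constant-time compare

def pwned_count(password: str, fetch_range) -> int:
    """k-anonymity lookup: only the first 5 hex chars of the SHA-1 leave the
    host (GET https://api.pwnedpasswords.com/range/<prefix>); the full suffix
    is matched locally against the returned range."""
    sha1 = hashlib.sha1(password.encode()).hexdigest().upper()
    prefix, suffix = sha1[:5], sha1[5:]
    for line in fetch_range(prefix).splitlines():
        candidate, _, count = line.partition(":")
        if candidate == suffix:
            return int(count)
    return 0

def offline_fetch(prefix: str) -> str:
    # Constructed: stands in for the HTTP GET so the example runs offline.
    return SAMPLE_RANGE_5BAA6 if prefix == "5BAA6" else ""
```

A non-zero count from `pwned_count` is the signal to reject the password at registration or reset time, which is what the “Don’t allow your users to re-use passwords” slide asks for.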

Use multi-factor authentication

But not SMS

What packages do you trust in your application? https://help.github.com/en/articles/listing-the-packages-that-a-repository-depends-on#supported-languages

More packages than you think

- Front-end
- Mobile app(s)
- Back-end
- Platform / OS
- Infrastructure

Keep them up-to-date

You have more surface area than you might think

No magic solution

Mistakes will happen

Mostly, it’s not like the movies. (Sorry)

- Evaluate who you trust with data
- Security at all stages of the project
- Principle of least privilege
- Encrypt data in transit and at rest
- Check for public secrets
- Don’t trust users & input
- Hash passwords properly
- Ensure your components aren’t vulnerable
OWASP Top Ten

Always be curious

Thanks!