Think Like a Hacker

A presentation at GOTO Berlin 2019 in October 2019 in Berlin, Germany by Matt Brunt

Slide 1

Think Like a Hacker @Brunty

Slide 2

@Brunty

Slide 3

@Brunty
Developer
Mentor & mentee
Tinkerer

Slide 4

Who are hackers?

Slide 5

Black hat: hacker doing evil
White hat: hacker doing good
Grey hat: hacker hacking
Top hat: hacker doing fancy stuff
@beerbikesbacon https://twitter.com/beerbikesbacon/status/1186783818272952327

Slide 6

Clever
Creative
Curious

Slide 7

Why do they do it?

Slide 8

Financial gain
Reputation
Corporate reasons
Ideological reasons
Stumbled upon something

Slide 9

What makes you a target?

Slide 10

Popularity
Politics & perspective
People
Pot-luck

Slide 11

What can you do to start reducing risk?

Slide 12

No magic solution

Slide 13

Embed security considerations into the whole project workflow

Slide 14

“No-one has the time or money for securing their systems until it’s too late”
Clinton Ingrams https://twitter.com/cfing99

Slide 15

It is every developer’s responsibility

Slide 16

The people problem

Slide 17

https://xkcd.com/538/

Slide 18

Principle of least privilege

Slide 19

Limit who has access to what

Slide 20

Do all your devs really need 24/7 access to your production DB?

Slide 21

“No developer should ever have a permanent login, or access to any credentials”
David McKay https://twitter.com/rawkode/status/1182213985661308928

Slide 22

“That’s not to say that a “Break Glass” button in the admin interface can’t generate a prod database login that’s valid for an hour; but it needs to log who requested it and take a reason; and notify slack, et al”
David McKay https://twitter.com/rawkode/status/1182213789686620160

Slide 23

Where is your data stored?

Slide 24

https://www.bankinfosecurity.com/mongodb-database-exposed-188-million-records-researchers-a-12769

Slide 25

Who are the third parties you trust with your data?

Slide 26

Who are the third parties you trust with your customer data?

Slide 27

You

Slide 28

Shodan https://www.shodan.io

Slide 29

You can’t lose what you don’t have

Slide 30

Encrypt data in transit and at rest

Slide 31

HTTPS all the things

Slide 32

Check your repos for secrets

Slide 33

zricethezav/gitleaks https://github.com/zricethezav/gitleaks

Slide 34

Check your public sites for secrets

Slide 35

Google dork queries

Slide 36

Curiosity “what if…”

Slide 37

Don’t trust user input

Slide 38

“I’d like to be removed from the mailing list please”

Slide 39

“I’d like to be removed from the mailing list please”

Slide 40

Use prepared statements https://en.wikipedia.org/wiki/Prepared_statement
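An added example (not from the talk) of the point the last three slides make: the same unsubscribe request handled by pasting the text into the SQL and by a prepared statement, using Python's sqlite3 against a constructed in-memory mailing-list table.

```python
import sqlite3

# Constructed sample data for this example; not from the talk.
SUBSCRIBERS = [("alice@example.com", "Alice"),
               ("bob@example.com", "Bob"),
               ("carol@example.com", "Carol")]


def make_db():
    """Fresh in-memory mailing list so every call starts from the same state."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE subscribers (email TEXT PRIMARY KEY, name TEXT)")
    con.executemany("INSERT INTO subscribers VALUES (?, ?)", SUBSCRIBERS)
    return con


def remaining(con):
    return [row[0] for row in con.execute("SELECT email FROM subscribers ORDER BY email")]


def unsubscribe_unsafe(con, email):
    """The request text is pasted into the SQL, so quotes in it are parsed as SQL."""
    con.execute("DELETE FROM subscribers WHERE email = '" + email + "'")
    con.commit()
    return remaining(con)


def unsubscribe_safe(con, email):
    """Prepared statement: the value travels separately from the SQL text and is
    only ever compared as data, whatever characters it contains."""
    con.execute("DELETE FROM subscribers WHERE email = ?", (email,))
    con.commit()
    return remaining(con)


def unsafe_rejects(email):
    """True when the concatenated query fails to parse, a sign that the
    address was treated as SQL rather than as a value."""
    try:
        unsubscribe_unsafe(make_db(), email)
        return False
    except sqlite3.OperationalError:
        return True
```

A perfectly legitimate address containing an apostrophe already breaks the concatenated version, which is the tell that the input has become code.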

Slide 41

Don’t trust data https://news.ycombinator.com/item?id=8336025

Slide 42

Don’t just validate client-side

Slide 43

Observe 👀
Client → Payload → Back-end → Validation

Slide 44

Broken access control

Slide 45

Do you trust this?

Slide 46

123457 ? https://en.wikipedia.org/wiki/Attribute-based_access_control
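An added example, not from the talk, of the broken access control the last three slides point at: an endpoint that trusts the record id in the request beside one that applies an attribute-based policy to the record it actually loaded. The User and Invoice records, tenant names and ids are constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    id: int
    tenant: str
    role: str  # "customer" or "support"


@dataclass(frozen=True)
class Invoice:
    id: int
    owner_id: int
    tenant: str
    total: float


# Constructed sample records; ids, owners and tenant names are made up.
INVOICES = {
    123456: Invoice(123456, owner_id=42, tenant="acme", total=99.0),
    123457: Invoice(123457, owner_id=77, tenant="acme", total=250.0),
    123458: Invoice(123458, owner_id=42, tenant="globex", total=10.0),
}


def get_invoice_unsafe(user, invoice_id):
    """Broken access control: being logged in is the only check, so changing
    123456 to 123457 in the request returns someone else's invoice."""
    return INVOICES[invoice_id]


def may_view(user, invoice):
    """ABAC policy: decided from attributes of the subject and of the resource,
    never from anything the client sent."""
    if user.tenant != invoice.tenant:
        return False
    if user.role == "support":
        return True
    return user.id == invoice.owner_id


def get_invoice(user, invoice_id):
    """Load the record, then authorise against the record's own attributes.
    Missing and denied both answer None, so the response does not reveal which ids exist."""
    invoice = INVOICES.get(invoice_id)
    if invoice is None or not may_view(user, invoice):
        return None
    return invoice
```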

Slide 47

Don’t trust users’ input

Slide 48

Broken authentication https://www.troyhunt.com/controlling-vehicle-features-of-nissan/

Slide 49

Hash passwords properly

Slide 50

Don’t re-use passwords https://blog.lastpass.com/2018/05/psychology-of-passwords-neglect-is-helping-hackers-win.html/

Slide 51

haveibeenpwned.com @TroyHunt

Slide 52

Don’t allow your users to re-use passwords

Slide 53

5f4dcc3b5aa765d61d8327deb882cf99 (unsalted MD5 of “password”)

Slide 54

pwned passwords API https://www.troyhunt.com/pwned-passwords-version-5/
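An added example (not from the talk) tying slides 49, 53 and 54 together: the slide's MD5 value, a salted slow hash using PBKDF2-HMAC-SHA256 from the standard library so it runs offline (argon2 or bcrypt is the better choice where a library is available), and the k-anonymity range lookup the Pwned Passwords API uses, run against a constructed range response instead of a live request.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor; raise it as hardware allows


def md5_hex(password):
    """The slide's hash: unsalted, fast, and identical for every user who picked it."""
    return hashlib.md5(password.encode()).hexdigest()


def hash_password(password, salt=None):
    """Per-user random salt plus a slow key-derivation function. Stored as
    'pbkdf2_sha256$iterations$salt$digest' so the parameters can change later."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (ITERATIONS, salt.hex(), digest.hex())


def verify_password(password, stored):
    _, iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)  # constant-time compare


# Range query: only the first five hex chars of the SHA-1 leave the client; the
# server answers with every suffix under that prefix and its breach count.
# Constructed response for prefix 5BAA6 (real ones run to hundreds of lines).
SAMPLE_RANGES = {
    "5BAA6": "\n".join([
        "0031C14D7FE74E3B1DCE72E1A5F7B2A0C47:2",
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493",
        "21C7A5EAB5A3E52C51ABA3E1E3D5A6C9A0F:1",
    ]),
}


def sample_fetch(prefix):
    """Stand-in for GET https://api.pwnedpasswords.com/range/<prefix>."""
    return SAMPLE_RANGES.get(prefix, "")


def pwned_count(password, fetch_range=sample_fetch):
    """How often the password appears in the corpus; 0 if it was never seen."""
    sha1 = hashlib.sha1(password.encode()).hexdigest().upper()
    prefix, suffix = sha1[:5], sha1[5:]
    for line in fetch_range(prefix).splitlines():
        candidate, _, count = line.partition(":")
        if candidate == suffix:
            return int(count)
    return 0
```

The full SHA-1 never leaves the client, which is what makes it safe to check a password a user is about to choose against the corpus.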

Slide 55

Use Multi-Factor Authentication

Slide 56

But not SMS

Slide 57

What packages do you trust in your application? https://help.github.com/en/articles/listing-the-packages-that-a-repository-depends-on#supported-languages

Slide 58

More packages than you think

Slide 59

Front-end
Mobile App(s)
Back-end
Platform / OS
Infrastructure

Slide 60

Keep them up-to-date

Slide 61

You have more surface area than you might think

Slide 62

No magic solution

Slide 63

Mistakes will happen

Slide 64

Mostly, it’s not like the movies. (Sorry)

Slide 65

Evaluate who you trust with data
Security at all stages of the project
Principle of least privilege
Encrypt data in transit and at rest
Check for public secrets
Don’t trust users & input
Hash passwords properly
Ensure your components aren’t vulnerable
OWASP Top Ten

Slide 66

Always be curious

Slide 67

@Brunty

Slide 68

Thanks!