Think Like a Hacker @Brunty
A presentation at Bulgaria PHP in November 2019 in Sofia, Bulgaria by Matt Brunt
Think Like a Hacker @Brunty
This is not a talk about in-depth, detailed exploit techniques @Brunty
@Brunty Developer Mentor & mentee Tinkerer @Brunty
Who are hackers? @Brunty
Black hat: hacker doing evil White hat: hacker doing good Grey hat: hacker hacking Top hat: hacker doing fancy stuff @beerbikesbacon https://twitter.com/beerbikesbacon/status/1186783818272952327 @Brunty
Clever Creative Curious @Brunty
Why do they do it? @Brunty
Financial gain Reputation Corporate reasons Ideological reasons Stumbled upon something @Brunty
What makes you a target? @Brunty
Popularity Politics & perspective People Pot-luck @Brunty
Quick wins @Brunty
What can you do to start reducing risk? @Brunty
No magic solution @Brunty
Embed security considerations into the whole project workflow @Brunty
No-one has the time or money for securing their systems until it’s too late Clinton Ingrams https://twitter.com/cfing99 @Brunty
@Brunty
It is every developer’s responsibility @Brunty
The people problem @Brunty
https://xkcd.com/538/ @Brunty
Principle of least privilege @Brunty
Limit who has access to what @Brunty
Do all your devs really need 24/7 access to your production DB? @Brunty
No developer should ever have a permanent login, or access to any credentials David McKay https://twitter.com/rawkode/status/1182213985661308928 @Brunty
That’s not to say that a “Break Glass” button in the admin interface can’t generate a prod database login that’s valid for an hour; but it needs to log who requested it and take a reason; and notify slack, et al David McKay https://twitter.com/rawkode/status/1182213789686620160 @Brunty
Where is your data stored? @Brunty
https://www.bankinfosecurity.com/mongodb-database-exposed-188-million-records-researchers-a-12769 @Brunty
Who are the third parties you trust with your data? @Brunty
Who are the third parties you trust with your customer data? @Brunty
Shodan https://www.shodan.io @Brunty
Check your repos for secrets @Brunty
zricethezav/gitleaks https://github.com/zricethezav/gitleaks @Brunty
Check your public sites for secrets @Brunty
Google dorking @Brunty
DB_PASSWORD filetype:env @Brunty
OSINT https://osintframework.com @Brunty
Curiosity “what if…” @Brunty
Don’t trust user input @Brunty
“I’d like to be removed from the mailing list please” @Brunty
“I’d like to be removed from the mailing list please” @Brunty
Use prepared statements https://en.wikipedia.org/wiki/Prepared_statement @Brunty
It’s 2019, but injection is still #1 in OWASP Top 10 https://www.owasp.org/index.php/Top_10-2017_A1-Injection @Brunty
Don’t trust data https://news.ycombinator.com/item?id=8336025 @Brunty
Don’t just validate client-side @Brunty
@Brunty
Observe 👀 Client Payload Back-end Validation @Brunty
Broken access control @Brunty
Do you trust this? @Brunty
123457 ? https://en.wikipedia.org/wiki/Attribute-based_access_control @Brunty
Don’t trust users input @Brunty
Broken authentication https://www.troyhunt.com/controlling-vehicle-features-of-nissan/ @Brunty
Hash passwords properly @Brunty
Don’t use default passwords https://www.forbes.com/sites/kateoflahertyuk/2019/10/20/equifax-lawsuit-reveals-terrible-security-practices-attime-of-2017-breach/ @Brunty
Don’t re-use passwords https://blog.lastpass.com/2018/05/psychology-of-passwords-neglect-is-helping-hackers-win.html/ @Brunty
haveibeenpwned.com @TroyHunt @Brunty
Don’t allow your users to re-use passwords @Brunty
5f4dcc3b5aa765d61d8327deb882cf99 password @Brunty
pwned passwords API https://www.troyhunt.com/pwned-passwords-version-5/ @Brunty
Use Multi Factor Authentication @Brunty
But not SMS @Brunty
What packages do you trust in your application? https://help.github.com/en/articles/listing-the-packages-that-a-repository-depends-on#supported-languages @Brunty
roave/security-advisories https://github.com/Roave/SecurityAdvisories @Brunty
https://github.com/sensiolabs/security-checker @Brunty
More packages than you think @Brunty
Front-end Mobile App(s) Back-end Platform / OS Infrastructure @Brunty
Keep them up-to-date @Brunty
Death by a thousand paper-cuts @Brunty
Mistakes will happen @Brunty
Make sure you don’t miss the simple stuff @Brunty
Mostly, it’s not like the movies. (Sorry) @Brunty
Expectation: Reality: @Brunty
Evaluate who you trust with data Security at all stages of the project Principle of least privilege Encrypt data in transit and at rest Check for public secrets Don’t trust users & input Hash passwords properly Ensure your components aren’t vulnerable OWASP Top Ten @Brunty
Always be curious @Brunty
Thanks! @Brunty
