
Security 101 for devs (a presentation)

A quick intro to security for developers, a talk I gave; slides with commentary ↓


I work in finance, and my Hindi is atrocious. yes, I'm laughing at myself .-.
levels of security for your house. A door, probably a lock
...and if you're THAT worried about security, maybe you can even guard underground!
in reality, most attackers are like the guys from Home Alone, goofy, trying the easy stuff. 
Very few are Tom Cruise trying to carry out a complex heist on your house.
So what level of security is 'worth it' for you?
it's similar in software; there are common attacks everyone tries and then complex attacks very few try.
so what level of security is 'worth it' for your software?
a few common security terms
so don't just think in terms of solutions: 'should we add a door?' 'should we add a fence?'
but think of problems: attacks you want to protect against
start by protecting ourselves from goofy attacks first
what are the Tom Cruise heist level complex attacks in tech and who exactly is Tom Cruise?
keep code simple, limit bug possibilities

Defence in depth:
We try to restrict possible bugs at each step even though any of these might not seem like a big deal.
But attackers are smart and will combine multiple small bugs to do high impact attacks (vulnerability chaining), which is why this is important.

remind everyone that the access they have is NOT an indicator of how important they are!
Giving people only the access they need (least privilege) is an easy way to decrease the severity of an attack when an account does get compromised.

Using guessable IDs like in the image (result-103) without checking who owns the record is IDOR (insecure direct object reference); attackers will try 104, 105 and so on
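The IDOR slide above, as an added example that is not part of the talk: the guessable ID is not the bug by itself, the bug is serving result-104 to anyone who asks for it. The record store, the user names and the `get_result_*` functions are all constructed for illustration.

```python
# Added example (not from the talk): object-level authorization for an
# endpoint that serves "result-<n>" records.
from dataclasses import dataclass


@dataclass(frozen=True)
class Result:
    id: str
    owner: str
    body: str


# Constructed sample store: sequential IDs, records owned by different users.
RESULTS = {
    "result-103": Result("result-103", "alice", "alice's report"),
    "result-104": Result("result-104", "bob", "bob's report"),
}


def get_result_vulnerable(current_user: str, result_id: str) -> tuple[int, str]:
    """Looks the record up by ID only: any logged-in user can walk 104, 105, ..."""
    r = RESULTS.get(result_id)
    if r is None:
        return 404, ""
    return 200, r.body


def get_result_fixed(current_user: str, result_id: str) -> tuple[int, str]:
    """Looks the record up by ID *and* checks it belongs to the caller.

    'Missing' and 'not yours' both return 404 so the response does not tell
    the caller which IDs exist.
    """
    r = RESULTS.get(result_id)
    if r is None or r.owner != current_user:
        return 404, ""
    return 200, r.body


def count_visible(handler, current_user: str, ids: list[str]) -> int:
    """Authorization regression test helper: how many of `ids` does the
    handler return for this user? For the fixed handler it must equal the
    number of records the user actually owns."""
    return sum(1 for i in ids if handler(current_user, i)[0] == 200)


if __name__ == "__main__":
    ids = [f"result-{n}" for n in range(100, 110)]
    print("vulnerable:", count_visible(get_result_vulnerable, "alice", ids))  # 2
    print("fixed:     ", count_visible(get_result_fixed, "alice", ids))       # 1
```

Random, unguessable IDs make enumeration harder but are not a substitute for the ownership check: the fixed handler is correct regardless of how IDs are generated.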
Careful about using any user inputs in SQL queries - it will be considered part of the query. Use prepared statements
Careful about using any user inputs in JS. In anything, actually.
Modern UI frameworks escape output by default though; the raw-HTML escape hatches they offer are where it still goes wrong.
Careful about using any user inputs in...you get it by now right?
solution to injection: restrict which characters you accept (validate against an allowlist) or encode them for the context they end up in
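The two fixes named on this slide (restrict characters, or encode them), as an added example that is not part of the talk. It also covers the JS/HTML slide above: the comment-rendering functions, the username rule and the sample input are constructed for illustration.

```python
# Added example (not from the talk): output encoding for HTML, plus an
# allowlist for a field whose shape is known.
import html
import re


def render_comment_vulnerable(user_text: str) -> str:
    # The user's text is dropped straight into the markup, so any tags in it
    # are parsed by the browser as part of the page.
    return f'<p class="comment">{user_text}</p>'


def render_comment_fixed(user_text: str) -> str:
    # Encode for the HTML text context: < > & " ' become entities, so the
    # browser *displays* those characters instead of interpreting them.
    return f'<p class="comment">{html.escape(user_text, quote=True)}</p>'


# Allowlist for usernames: 3 to 32 letters, digits or underscores.
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{3,32}")


def validate_username(name: str) -> bool:
    # Reject anything outside the allowed shape rather than trying to list
    # every "dangerous" character; a denylist is always missing one.
    return USERNAME_RE.fullmatch(name) is not None


if __name__ == "__main__":
    sample = "<script>alert(1)</script>"  # constructed test input
    print(render_comment_vulnerable(sample))  # the tag survives intact
    print(render_comment_fixed(sample))       # &lt;script&gt;alert(1)&lt;/script&gt;
    print(validate_username("alice_01"), validate_username("alice<b>"))  # True False
```

One caveat: `html.escape` is correct for HTML text and quoted attribute values, not for data placed inside a `<script>` block, a URL or a SQL query. Each of those contexts has its own encoding, which is why the slide says "in anything, actually".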
Careful about using user-supplied file names to read/store files.
e.g. if a user uploads a file named '../config.json', the filesystem resolves '..' to the parent directory and the file is written outside your upload folder (path traversal)
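The path traversal slide, as an added example that is not part of the talk: resolve the full path first, then confirm it is still inside the upload directory. The `/srv/uploads` root and the file names are constructed for illustration.

```python
# Added example (not from the talk): safe handling of a user-supplied file
# name. The check is done on the *resolved* path, not by searching the
# string for "..": encoded variants and symlinks get past string checks.
from pathlib import Path

UPLOAD_ROOT = Path("/srv/uploads")  # constructed; pick your own upload directory


def resolve_upload_path(root: Path, user_filename: str) -> Path:
    """Return the absolute path to store `user_filename` under `root`, or
    raise ValueError if the name would land anywhere else."""
    if not user_filename:
        raise ValueError("empty filename")
    base = root.resolve()
    # Note: joining an absolute user path (e.g. "/etc/hosts") replaces `base`
    # entirely, which is exactly why the containment check below is needed.
    candidate = (base / user_filename).resolve()
    if candidate == base or base not in candidate.parents:
        raise ValueError(f"{user_filename!r} escapes the upload directory")
    return candidate


def is_safe_upload_name(root: Path, user_filename: str) -> bool:
    """Boolean wrapper, handy for request validation and for tests."""
    try:
        resolve_upload_path(root, user_filename)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for name in ["report.pdf", "sub/../report.pdf", "../config.json", "/etc/hosts", "."]:
        print(f"{name!r:22} -> {is_safe_upload_name(UPLOAD_ROOT, name)}")
```

Simpler still, if you do not need the user's name at all: store the upload under a name you generate (a random ID) and keep the original name only as metadata in the database.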
security needs to be a part of development, not something we do after development
need to set up alerts and logs for observability and analysis
one of the most common reasons for breaches. Keep libraries/software updated!
aand lots more
immediate things to do to get to 80% security
there are two sides to this coin though. Security isn't everything!
mic drop
scratch that, mic gently placed