
Most Vulnerable Product: Easy to implement security solutions and strategies for the modern web application stack

BSides CT · 2019 · 15:48 · 88 views · Published 2019-11 · Watch on YouTube
Category: Technical
Style: Talk
About this talk
Thanks to the BSides CT organizers, volunteers, sponsors, and attendees. Thank you Irongeek for coming out to film, and his video crew volunteers Greg Jurman, Spencer Smalley, Steven Swabby and Daniel Robels. http://www.irongeek.com/ https://www.bsidesct.org/

This talk intends to show security professionals and developers that there is a middle ground between speed and security by demonstrating web application development with a focus on secure techniques. What makes this talk different is that we'll be looking at this from the perspective of a developer. Using common web application security tactics, we've developed a hardened development process that can be implemented easily in most languages. This talk will appeal to developers as well as anyone involved in web application penetration testing or development operations. Nothing presented will be considered a breakthrough; what will be presented is a practical, easy to replicate process illustrating secure web application development from idea to invention.

Jason Portnoy is a software developer with 7+ years of professional experience in developing full stack MVP applications to production ready applications.
Transcript (en)

all right, wants to see it, you push it to a server, and bam, their client tells you they don't like it. So the next step is the application structure. So this is commonly, like, a web front end, API layer (this can be, you know, REST endpoints, XML, God forbid), or it can be a database as the last layer. So there's three layers, keep that in mind, I know it's a lot to remember: we have front end, API and database. So the main thing I want to talk about today is application structure, where these mistakes can happen, or just, like... make sure I'm not gonna hit space on this thing, just blow everything apart.

All right, so Git. Git is the first topic of discussion. This is like the start of everyone's project and it typically ends so wrong for people. So first things first, what is Git? Git is a utility software that tracks changes in files. This is a really great utility for what it does, and it's also really great if you want to expose your public secrets to the Internet. So everybody has heard of it recently, I don't know where we should get anyway, so shhgit, it's been in the news. What it does is it parses the GitHub API stream for valuable assets like usernames, passwords, config settings, just general things of mayhem, and then displays it in front of people. So if you want to know what that is, it's shhgit. So that's a really cool utility, check it out if you want to just find some creds on the Internet. It's not illegal, I don't think.

All right, so your two main issues with Git are gonna be secret exposure and supply chain attacks. What is secret exposure? Secret exposure is when you, say, submit a public, like, a config file to a public repository, people read it, they grab your, say, Amazon keys and they charge up like a million dollars spinning up cryptojackers, right? The next one, supply chain attack. What that is, is if somebody gets access to your codebase they can change your code, and then you may not even know this, but it will be then, you know, shipped off to all of your clients or remote locations or other things. This is the foe on supply chain attacks. There was a really famous supply chain attack, like a long, long time ago, where, like, the government poisoned the alcohol supply during Prohibition, killed a whole bunch of people. That's probably one of the earliest Burton supply chain attacks; it actually calls for the end of Prohibition. So if you are here, you're gonna drink at the after party, thank the US government for killing people. So, huh, well, we just talked about... with, yeah, why, anyway, that's not why I'm here today, it's not why I'm here today, guys. Yes, oh, did I stop there? CCleaner, also

another example. I want to thank David Freitag from Rent Rio for telling me to speak about that, and that's as far as I'm gonna go on that one. So, start of it: it didn't kill anybody.

All right, so you want to start every project off right: use a .gitignore file that's publicly available, right? When you create your first project, GitLab does this thing where it kind of gives you these commands for Git and it's like, yeah, just `git init` and then `git add .`, and the problem is with `git add .`, if you didn't have a .gitignore file you're gonna add all your favorite stuff. My favorite stuff, I mean API keys, secrets, log files, nudes. So, so, all right, so I have actually a lot more to say about this. So .gitignore: use a standard one, you can grab them from GitHub, they come completely available. So not only, it's like, if you don't know what you're doing with the programming language, check out .gitignore, it has, like, file paths for the application technology you're using. So, like, let's just say you don't know where config files go: in the .gitignore file there will be a path for configs. So I mean, just use that as a way to structure your code base, so other developers who are potentially going to work on your code will know where to also put things, because you put things in the right structure. Not why I'm here, so next thing.

Oh yeah, so another thing is that these can be used as treasure maps, these .gitignore files. So if you are doing a pen test on a web application and you come across technology you can recognize or fingerprint, what you do is you look up the .gitignore file for it and then enumerate those directories for secrets. Just simply typing in, I got the Qt one, I notice that it has an object script of .release, do a quick filetype for .release, bang, bang, Bob's your uncle, we got passwords. So why is this better than just searching 'connection string'? It's because you're actually looking for the .release file, so the release files are production files versus a debug file. If you were to type just 'connection string equals' you're gonna end up with a lot of, like, code examples and templates and stuff for, like, tutorials, but if you look for the right type of file type, you know when you got a hit. So I didn't... you can't... there actually isn't a username and password here, I did kind of block it out, but if you, I mean, don't look at this one. So let's continue before anyone takes a picture.

Already, front end. All right, so your main front end risk, again, why secret exposure keeps happening. Hey, [Applause] better late than never. So anyway, so front end, your main

issues are going to be secret exposure and cross-site scripting. Secret exposure, again: people seeing files that they shouldn't be seeing, or in the case of a front end, people saving properties or values to storage that shouldn't be there. So very frequently people think that maybe, like, local storage is secure, or even secure cookies are secure, but I always assume that everything can be read by the client, so therefore do not put anything there. A very easy way to do this is just use your front end as a presentation layer; that way there's no reason for secrets to be there, let your API handle all the, like, the dirty business.

So next we have XSS: use a modern framework for these things. A lot of the modern frameworks' templating engines have a lot of built-in XSS protection. It is not a silver bullet, it will not protect you from really fringe cases, but we develop products quick, and, like, really, we're not looking for fringe cases, we're probably going to get, me, if you like, the most of like 50 to 100 users on this thing even in its prime run. So we don't really focus on fringe cases when we do development for, you know, quick deployments. All right, so use modern tooling, use things that are fully supported, things that are still being worked on. The really famous ones today are like React and Vue and maybe, like, Angular 2. Yes, thank you, thank you.

All right, simple, just presentation, I spoke to this. You want your front end to just be a presentation layer; you do not want to put business logic on your front end; you do not want to have anything that your back end may or may not rely on. Just presentation. If you only display stuff, it means less code, at least meant less bugs, less maintenance, less money, less time; less code, the better. Way soon... it's... so he's saying that he runs two developers and they can't seem to segregate the layers of business. It's really simple: if you just know your front end is just able to display stuff, poorly, you are good. No secrets on the back end, we just... front end, rather. Nothing in local storage, no, nothing in JavaScript files, nothing in comments, please don't make everything easy.

All right, so this is an honorable mention: use HTTPS. If you're going to, pretty much the only secret you should have being tossed around on your front application is when the client inputs data and sends it somewhere; it should not be held on the front end. Use HTTPS just in case people are going to get nosy about what's going on. That's an honorable mention, it's not one of the biggest risks, I would say, when you're doing smaller development.

API layer. So your biggest issues are going to be enumeration and unsafe data, and I believe

my enumeration is, if, say, you have an endpoint that ends in a database ID, what can happen is somebody can then enumerate through all your database IDs and then get all of your information from the database. So you're gonna want to protect against this. The next thing is unsafe data: do not trust data from anyone, barely trust it from yourself, trust no one, do not... don't even trust yourself on this, don't trust your own database.

All right, use UUIDs for everything. This is how you're going to protect yourself from enumeration: using UUIDs for everything, file names, database IDs, your dog's name, cat's name, mom's name, UUIDs. Just, if I have a kid it will be a UUID.

Talk to me later, I would like to see that. John, you're listening? This thing is lagging. All right, don't trust client data, again, don't trust yourself, don't trust anybody, especially do not trust serialized objects. Let's talk about, let's say this again: do not trust serialized objects. I do not mean JSON, I mean, like, bytecode, pickles, whatever .NET uses. I just don't trust it, don't deserialize it and then run it. Don't... oh, did I skip a slide? I don't know how to go back.

All right, databases, we're almost done, guys. How am I, how am I on time right now? 2:48, 12 minutes, that's all I need for everything. Databases: injection and unintended access. Anyway, databases

injection, you're gonna be worried about SQL injection. I know, like, it's 2020, it's not something that really gets talked about anymore. So databases, so to protect against injection use an ORM, I'm gonna have more slides about this. Unintended access: this is not necessarily somebody getting your database credentials, this is also, like, say, a junior developer having root access and maybe or maybe not leaving a table or exporting secret content; it takes more than that.

All right, use an ORM. What are ORMs and why are they valuable? An ORM is an object relational mapper. What this does is it translates code into SQL. Why is this good? Because if you were to put regular SQL in your application it would only work for that specific type of database. Replace it with an ORM, you can work on MS SQL and your buddy over there could use MariaDB. What this does is abstract the code from the database, therefore making it platform independent, so there is no lag, it will only take, like, a configuration setting to allow somebody to either use MS SQL or MySQL. Use an ORM. They do protect against a lot of the baseline SQL injections. This is not a silver bullet, again, it just happened, we just had Sequelize get hit and that was a crazy SQL injection. Luckily most people had heard about my policy of don't put secrets on the front end, right? Says I'm sure there's no sequelize.js vulnerabilities on the Internet anywhere, I'm sure, sure of it.

All right, no application should use the root account. Say it again: no application should use the root account. Every account that uses your database should be specific for that application. That means that if your application does not have a need to write to, say, the users table, do not allow them to write to the users table, allow them only read access. Did you know that you can actually lock down specific columns of a table to a specific user? So if you had, say, regular access for an application, you could prevent that application from reading, say, a really sensitive field like the password hash. So keep that in mind.

Next slide, definitely about no users using the root password. No developer should have this account. If no developer has this account they could not export data, they cannot allow it to be stolen, and they could not break things. No developers should use the root account, ever, ever, ever, ever. Only one person should have it, in case they die, that's it.

Use standard encryption for passwords. This does not mean roll your own, again, don't roll your own. What does this mean? Use bcrypt, use something standard. You have a question? Of course, what? All right, I'm not gonna discuss that,

that's an interview question if you're taking interviews later. So, um, oh, so you're actually right, it should be hashing, right, use standard hashing for it, because bcrypt is not reversible, right? I don't know, it doesn't matter, because you should use a standard one. Use it, they got it, I don't need to know about it, that's the whole point of this: you don't need to know about it to use it, just use it. Develop, right, time for this.

Nothing executable in the database. Do not store SQL in the database, do not store HTML in the database, do not store Java, do not store Python, do not store Ruby. Why? Because if somebody gets access to your database they may only have access to your database, but if they find a nice sweet Ruby script in there they could change those values and then, hopefully, at some point it will be executed by your application. That is how you go from having a low-level access violation, like a database, to a higher-level one, like remote code execution on a server. Do not put executable stuff in the database. Especially don't put, like, even, like, display properties in the database; like, if you want something to be red on the front end, don't put the property 'red' in and then pass it in as a, you know, method to the CSS. Don't do that, it's not necessary. Also it's really weird later when you have, like, a million records that are supposed to be green and they're all red, and then you have to update, like, a really large table just to change a display property. Otherwise what you can do is put in the code 'if red equals green', and then everyone's confused later, so I don't know why the alert's supposed to be red.

Deployment. I actually left a lot of this stuff out because there's a guy here who did a DevOps talk earlier that I'm sure had way better content than this. The only thing I want to stress is: nothing manual, nothing on your local machine. If you want to do something, like have a script that builds it somewhere else, that is the ideal thing to do. Nothing manual, do not build it on your own machine, especially, and ship it out elsewhere. Everyone's heard the expression "works on my machine", right? Well, that's because your machine has an environment that's specifically catered to get it running in your local environment, because you're the developer and you made it run. Now you build it on your local machine, ship it off somewhere, and it doesn't run and you don't know why. What will happen is, if you do this somewhere else, on an isolated machine, with a script or, like, a platform like Jenkins or CircleCI or any of the other ones, it will give you a quicker identification that something's wrong, and it also, like, kind of creates a more clandestine or, like, you know, sanitized environment for developments, for deploying and building releases.

So that is my talk. I did not put a thank you slide in because I am a heathen and don't care about anyone, so I wanted to say thank you to the organizers here, thank you for coming here, listening to me and spending your time with me. Thank you John for showing up, he just... round of applause, applause, my boss, he's awesome. Ah yeah, so thank you guys, thank you grandma if you're watching, how did this get on TV? I love you guys. Special thanks to everybody.
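The API and database rules in the talk (UUIDs against enumeration, never trust client data, parameterized queries rather than string-built SQL, a standard password hash, no root account) are easy to state and easy to get wrong in code. The following is an added example written for this page, not code from the talk or from the speaker: a small user store on Python's bundled sqlite3 module that keys rows by a version 4 UUID, places a vulnerable string-built lookup beside its parameterized form so the same injection payload can be run against both, and stores passwords with PBKDF2-HMAC-SHA256 from the standard library (the talk names bcrypt; PBKDF2 is used here only because it needs no third-party package, and the iteration count is an assumption to tune for your hardware). Table layout, column names and the sample users are constructed for the example.

```python
"""Added example (not from the talk): UUID keys, parameterized queries and a
standard password hash on a sqlite3 users table."""
import hashlib
import hmac
import os
import sqlite3
import uuid

PBKDF2_ITERATIONS = 200_000  # assumption: raise until a hash costs ~100 ms on your hardware


def open_db():
    """In-memory database; the primary key is a UUID string, not an autoincrement."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users ("
        "  id TEXT PRIMARY KEY,"
        "  email TEXT UNIQUE NOT NULL,"
        "  salt BLOB NOT NULL,"
        "  pw_hash BLOB NOT NULL)"
    )
    return conn


def hash_password(password, salt=None):
    """Standard KDF: per-user random salt, fixed work factor. Never a bare SHA-256."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def create_user(conn, email, password):
    # uuid4 carries 122 random bits: knowing one user's id tells you nothing about the next,
    # so an endpoint like /users/<id> cannot be walked the way /users/1, /users/2 can.
    user_id = str(uuid.uuid4())
    salt, digest = hash_password(password)
    conn.execute(
        "INSERT INTO users (id, email, salt, pw_hash) VALUES (?, ?, ?, ?)",
        (user_id, email, salt, digest),
    )
    return user_id


def get_email_vulnerable(conn, user_id):
    """What NOT to do: the client-supplied id becomes part of the SQL text."""
    row = conn.execute(f"SELECT email FROM users WHERE id = '{user_id}'").fetchone()
    return row[0] if row else None


def get_email(conn, user_id):
    """Parameterized: the id is bound as a value, so quotes in it are just characters."""
    row = conn.execute("SELECT email FROM users WHERE id = ?", (user_id,)).fetchone()
    return row[0] if row else None


def verify_password(conn, email, password):
    """Recompute the hash with the stored salt and compare in constant time."""
    row = conn.execute("SELECT salt, pw_hash FROM users WHERE email = ?", (email,)).fetchone()
    if row is None:
        return False
    _, digest = hash_password(password, row[0])
    return hmac.compare_digest(digest, row[1])


def demo():
    """Run the injection payload against both lookups and check a login round trip."""
    conn = open_db()
    alice = create_user(conn, "alice@example.com", "correct horse")  # constructed sample data
    create_user(conn, "bob@example.com", "battery staple")
    payload = "' OR '1'='1"  # classic tautology: matches every row when spliced into the SQL
    return {
        "uuid_ok": uuid.UUID(alice).version == 4,
        "vuln_leaks": get_email_vulnerable(conn, payload) is not None,  # True: leaks a row
        "safe_blocks": get_email(conn, payload) is None,                # True: no such id
        "safe_lookup": get_email(conn, alice),
        "login_ok": verify_password(conn, "alice@example.com", "correct horse"),
        "login_bad": verify_password(conn, "alice@example.com", "wrong"),
    }


if __name__ == "__main__":
    print(demo())
```

Two things the example cannot show with sqlite3: the per-application, per-column database account the talk describes, and the ORM that would generate these statements for you. On MySQL/MariaDB and PostgreSQL the column restriction is a plain grant, e.g. `GRANT SELECT (id, email) ON users TO app_user`, which keeps `pw_hash` unreadable by the web tier even if a query is injected; and an ORM only protects you when its query builder is used with bound values, so the `get_email_vulnerable` pattern is just as dangerous inside a raw-SQL escape hatch.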