Why I chose this:
I am always looking for different perspectives of support and this one stuck out as something I really don't often take into consideration. I'm hoping to learn a thing or two.
What we covered:
Testing
- Understand App
- Traffic interception
- Source code review
- Send unexpected input
- manual or automated
- unusual or unexpected actions
- Look for unusual results
Authentication/Authorization
- Authentication identifies a user
- Authorization grants permissions
Injection Flaws
- User input generally not trustable
- Injected in HTML
- Inject in SQL
- Others
Cryptographic flaws
- randomization
- keys
- identifying servers/clients
- don't do it yourself
Dependency Flaws
- Open source
- 3rd party components
- Different dev styles
- Different release cycles/security fixes
- Different validations
Overview of Select Findings
- Script download privilege escalation - the downloaded script was executed as root; a user could trigger the script, lock it, and run a new script in its place. Fixed by changing the script's location and permissions.
- Insufficient authorization controls - the JSS could execute actions with the wrong user's privileges.
- XML external entity (XXE) vulnerability - an external entity could read a file (e.g. one holding a password) and return it as plain text, cause a DoS, etc. Fixed by configuring the XML parser to disallow DTDs.
- DES-ECB mode for passwords - flaw = DES has a small key size and ECB is a weak mode, so the scheme is prone to attacks. Fix = select a stronger algorithm and a more sophisticated cipher mode (AES-CBC); migrate old passwords to the new scheme.
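The XXE finding comes down to the parser honouring a DTD that the document itself supplies. As an added example (mine, not code from the talk or the JSS), here is Python's stdlib expat parser in its default form next to a hardened form that refuses any DOCTYPE, which is the "prevent DTDs" fix in practice. The two XML documents are constructed; the DTD one declares a single harmless entity just to show that document-supplied entities are expanded into content.

```python
import xml.parsers.expat


class DoctypeRejected(ValueError):
    """Raised when untrusted XML carries a DOCTYPE (and therefore a DTD)."""


def _collect_text(parser_factory, data: bytes) -> str:
    """Parse `data` with a parser from `parser_factory` and return the
    document's concatenated character data."""
    chunks = []
    parser = parser_factory()
    parser.CharacterDataHandler = chunks.append
    parser.Parse(data, True)
    return "".join(chunks)


def parse_permissive(data: bytes) -> str:
    """Baseline: a default expat parser. It processes the DTD, so entities
    declared there are expanded into the document content."""
    return _collect_text(xml.parsers.expat.ParserCreate, data)


def parse_hardened(data: bytes) -> str:
    """Hardened: reject any document that declares a DOCTYPE. With no DTD
    there are no document-defined entities and no external references."""

    def factory():
        parser = xml.parsers.expat.ParserCreate()

        def reject_doctype(name, sysid, pubid, has_internal_subset):
            raise DoctypeRejected(f"DOCTYPE {name!r} not allowed in untrusted input")

        parser.StartDoctypeDeclHandler = reject_doctype
        return parser

    return _collect_text(factory, data)


# Constructed sample documents.
WITH_DTD = b"""<?xml version="1.0"?>
<!DOCTYPE note [ <!ENTITY who "from-dtd"> ]>
<note>&who;</note>"""
CLEAN = b"<note>plain</note>"


if __name__ == "__main__":
    print("permissive:", parse_permissive(WITH_DTD))
    print("hardened:  ", parse_hardened(CLEAN))
    try:
        parse_hardened(WITH_DTD)
    except DoctypeRejected as exc:
        print("hardened rejected:", exc)
```

Rejecting the DOCTYPE outright is simpler to audit than trying to disable each entity feature individually, and it costs nothing for the JSS-style API payloads this finding concerns, which never legitimately carry a DTD.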
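The DES-ECB finding and the "Cryptographic flaws" points (keys, randomization) both turn on the cipher mode. This added example, which is mine and not the talk's or the JSS's code, shows why ECB leaks structure and what the CBC migration looks like. Because the Python stdlib has no DES or AES, an 8-byte Feistel toy cipher built from HMAC stands in for the block cipher (an assumption of this example, not something to deploy; it shows the mode change, not the DES-to-AES key-size change). The key and password values are constructed.

```python
import hashlib
import hmac
import os
from typing import Optional

BLOCK = 8  # 8-byte blocks, as DES uses, so the mode behaviour matches the legacy scheme


def _round(key: bytes, rnd: int, half: bytes) -> bytes:
    """Keyed round function for the toy cipher: HMAC-SHA256 truncated to a half block."""
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[: BLOCK // 2]


def toy_block_encrypt(key: bytes, block: bytes) -> bytes:
    """Toy 8-byte block cipher: a 4-round Feistel network (assumed stand-in for DES/AES)."""
    left, right = block[:4], block[4:]
    for rnd in range(4):
        left, right = right, bytes(a ^ b for a, b in zip(left, _round(key, rnd, right)))
    return right + left


def toy_block_decrypt(key: bytes, block: bytes) -> bytes:
    right, left = block[:4], block[4:]
    for rnd in reversed(range(4)):
        left, right = bytes(a ^ b for a, b in zip(right, _round(key, rnd, left))), left
    return left + right


def _pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def _unpad(data: bytes) -> bytes:
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _blocks(data: bytes):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """ECB, the legacy mode: every block is encrypted independently, so equal
    plaintext blocks give equal ciphertext blocks."""
    return b"".join(toy_block_encrypt(key, b) for b in _blocks(_pad(plaintext)))


def ecb_decrypt(key: bytes, ciphertext: bytes) -> bytes:
    return _unpad(b"".join(toy_block_decrypt(key, b) for b in _blocks(ciphertext)))


def cbc_encrypt(key: bytes, plaintext: bytes, iv: Optional[bytes] = None) -> bytes:
    """CBC, the recommended mode: each block is XORed with the previous
    ciphertext block before encryption; a fresh random IV is prepended."""
    prev = os.urandom(BLOCK) if iv is None else iv
    out = [prev]
    for block in _blocks(_pad(plaintext)):
        prev = toy_block_encrypt(key, _xor(block, prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key: bytes, ciphertext: bytes) -> bytes:
    prev, out = ciphertext[:BLOCK], []
    for block in _blocks(ciphertext[BLOCK:]):
        out.append(_xor(toy_block_decrypt(key, block), prev))
        prev = block
    return _unpad(b"".join(out))


def repeated_blocks(ciphertext: bytes) -> int:
    """Number of duplicate ciphertext blocks: the structure that ECB leaks."""
    blocks = _blocks(ciphertext)
    return len(blocks) - len(set(blocks))


def migrate_record(old_key: bytes, new_key: bytes, legacy_ct: bytes) -> bytes:
    """One-time migration of a stored record: decrypt under the legacy ECB
    scheme, re-encrypt under CBC with a fresh IV and a separate key."""
    return cbc_encrypt(new_key, ecb_decrypt(old_key, legacy_ct))


if __name__ == "__main__":
    old_key, new_key = b"legacy-key-bytes", b"new-key-bytes---"   # constructed
    password = b"AAAAAAAA" * 3                                    # constructed, 3 equal blocks
    legacy = ecb_encrypt(old_key, password)
    print("ECB duplicate blocks:", repeated_blocks(legacy))
    print("CBC duplicate blocks:", repeated_blocks(migrate_record(old_key, new_key, legacy)[BLOCK:]))
```

The repeat count is the practical check: the ECB record reveals that the password is made of equal chunks without the key ever being touched, while the CBC record does not. The migration runs once over stored records and needs the legacy key only for that pass, after which it can be retired.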
Out of date software
- System dependencies that have known, patched issues you have not picked up yet. Fix = subscribe to 3rd party release notices; incorporate dependency updates.
Secure Config Recommendations
- Message verification = enable message signing using the host key/cert.
- Software install = various protocols could be used. Fix = use securable protocols (HTTPS, SMB3).
- FileVault recovery key handling = FileVault 2 keys can be intercepted. Fix = use an institutional recovery key instead of individual keys.
Q&A