linux security for developers
play

Linux Security for Developers Insights for building a (more) secure - PowerPoint PPT Presentation

Dec 21, 2023 •269 likes •1.14k views

Linux Security for Developers Insights for building a (more) secure world Michael Boelen michael.boelen@cisofy.com 14 January 2016 We Love Construction 2 Image source unknown And Magic! Turning data into: - Useful output - Stable

  1. Linux Security for Developers Insights for building a (more) secure world Michael Boelen michael.boelen@cisofy.com 14 January 2016

  2. We Love Construction 2 Image source unknown

  3. And Magic! Turning data into: - Useful output - Stable software - Nice services 3 Image source: renoairport.com

  5. Why Invest in Security Now? ● Spying ● Internet of Things ● Law ○ 2016 Dutch Data Protection Act ○ 2017-2018 European data protection law 5

  6. Agenda ● What can go wrong? ● What can we do? ● Strategies and Tools 6

  7. Michael Boelen ● Open Source Security ○ Rootkit Hunter (malware scan) ○ Lynis (security scan) ● 150+ blog posts at Linux-Audit.com ● Founder of CISOfy 7

  8. What can go wrong?

  9. Passwords Image source unknown 9

  10. Case: Phone House http://sijmen.ruwhof. net/weblog/608-personal-data-of- dutch-telecom-providers- extremely-poorly-protected-how-i- could-access-12-million-records

  11. Creative Users Image source unknown 11

  13. What can we do?

  14. Solution “Developers should become auditors of their creative work, and that of others.” Michael Boelen, 14 January 2016 14

  15. What can we do? Improve in steps ● Level 1: Basics ● Level 2: Take ownership ● Level 3: Perform auditing 15

  16. Level 1: The Basics

  17. Input Validation Validate! ● Trust nothing ● Double check - Client = for active user - Server = for all users 17

  18. Input Validation Why Validate? Prevent data injection (SQL, RDF, OWL, SPARQL, SeRQL, RDQL, XML, JSON, etc.) Where? Input forms, data imports 18

  19. Data Protection Encryption: ● Good Encryption solves a lot ● Bad Knowledge required ● Ugly Easy to implement incorrectly 19

  20. Secure Programming Using universally unique identifier? UUID1 = Host (MAC) + sequence + time UUID4 = Random 20

  21. Two-factor Authentication Use ● GitHub Implement ● Your apps? 21

  22. Level 2: Take Ownership

  23. Ownership What? ● The code ● Development systems ● Deployment ● Production 23

  24. Hardening ● Add new defenses ● Improve existing defenses ● Reduce weaknesses Photo Credits: http://commons.wikimedia.org/wiki/User:Wilson44691 24

  25. Hardening What to harden? ● Operating System ● Software + Configuration ● Access controls 25

  26. OS Hardening Operating System: ● Services ● Users ● Permissions 26

  27. Software Hardening Software: ● Minimal installation ● Configuration ● Tuning 27

  28. Access Hardening Users and Access Controls: ● Who can access what ● Password policies ● Accountability 28

  29. Data Hardening Focus on data streams ● Network (data in transit) ● Storage (data at rest) ● Access 29

  30. Network Hardening Traffic flows ● Is all incoming traffic needed? ● What about outgoing? ● IPv6? 30

  31. HTTP Hardening Header X-Frame-Options SAMEORIGIN Allow only iframe targets from our own domain X-Frame-Options DENY Do not allow rendering in iframe 31

  32. HTTP Hardening Header X-XSS-Protection 1; mode=block Block reflective XSS, avoid returning previous input (e.g. form) 32

  33. HTTP Hardening Header X-Content-Type-Options nosniff Don't peek into server responses, consider text/html by default 33

  34. HTTP Hardening 34

  35. Hardening Myth: After hardening I’m done 35

  36. Hardening ● Security should be an ongoing process ● Which means it is never finished ● New attacks = more hardening ○ POODLE ○ Hearthbleed 36

  37. Level 3: Perform Auditing

  38. Myth Auditing = ● A lot of work! ● Booooooring! ● And.. prone to errors... 38

  39. Fact Well, it can be. 39

  40. Common Strategy 1. Audit 2. Get a lot of findings 3. Start hardening 4. ……. 5. Quit 40

  41. Strategy (New) 1. Focus 2. Audit 3. Focus 4. Harden 5. Repeat! 41

  42. 1. Focus ● Determine what to scan ● Limit scope of systems / applications 42

  43. 2. Audit ● Start small ● Collect data 43

  44. 3. Focus Determine hardening focus ● Impact ● Number ● Area (e.g. crypto) 44

  45. 4. Harden ● Create implementation plan ● Perform lock down ● Document ○ What, Why, How ○ Exceptions 45

  46. 5. Repeat ● Keep measuring your actions ● Again: ○ Ongoing process ○ Never finishes ○ New attacks 46

  47. Questions?

  48. Tools Options: 1. Guides 2. Utilities 48

  49. Benchmarks / Guides ● Center for Internet Security (CIS) ● NIST / NSA ● OWASP ● Vendors 49

  50. Benchmarks / Guides Pros Cons Free to use Time intensive Detailed Usually no tooling You are in control Limited distributions Delayed releases 50

  51. OWASP Open Web Application Security Project 51

  52. OWASP Security Knowledge Framework 52

  53. OWASP Link 53

  54. OWASP 54

  55. Tools

  56. Tools Tools make life easier, right? Not always... 56

  57. Tools Problem 1: There aren’t many 57

  58. Tools Problem 2: Usually outdated 58

  59. Tools Problem 3: Limited support 59

  60. Tools Problem 4: Hard to use 60

  61. Introducing Lynis

  62. Lynis Free Open source Shell Simple Flexible Portable 62

  63. Lynis Background ● Since 2007 ● GPLv3 ● Requirements ○ Flexible ○ Portable 63

  64. Lynis Goals ● Perform a quick security scan ● Collect data ● Define next hardening steps 64

  65. Lynis Simple ● No installation needed ● Run with just one parameter ● No configuration needed 65

  66. Lynis Flexibility ● No dependencies* ● Option to extend easily ● Custom tests * Besides common tools like awk, grep, ps 66

  67. How it works 1. Initialise 2. OS detection 3. Detect binaries 4. Run helpers/plugins/tests 5. Show report 67

  68. Bonus: Integration ● Deployment cycle ● Create your own tests: include/tests_custom 68

  69. Running 1. lynis 2. lynis audit system 3. lynis audit system --quick 4. lynis audit system --quick --quiet 69

  70. Auditing Code

  71. Code Validation Quick wins ● Python: Pylint ● Ruby: ruby-lint ● Shell: shlint 71

  72. Code Validation Professional services ● Pentesting ● Code reviews 72

  73. Auditing Repositories

  74. Sensitive Data ● Secret keys ● Passwords ● Unique IDs ● Customers http://blog.arvidandersson.se/2013/06/10/credentials-in-git-repos http://blog.nortal.com/mining-passwords-github-repositories/ 74

  75. Sensitive Data Search your GitHub repos: extension:conf password extension:pem private filename:.bashrc filename:.ssh language:ruby secret language:python password 75

  76. Hardening Harden: ● Your systems ● Your code ● Your sensitive data 76

  77. Latest Developments

  78. Developments ● Data protection laws ● OWASP ● New Rails security HTTP headers ● Internet of Things ● DevOps→SecDevOps / DevOpsSec 78

  79. Conclusions

  80. Lesson 1: Continuous Auditing Many small efforts = Big impact! 80

  81. Lesson 2: Implement Lynis #include lynis.sh 81

  82. Lesson 3: Leverage Security Security ● Less: Crisis and Leaks ● More: Development Time 82

  83. Success ! You Finished This Presentation

  84. Want More? Follow Me ● Twitter: @mboelen ● Personal website: michaelboelen.com ● Blog: linux-audit.com 84

  85. 85

Recommend

1 Theres a kernel security researcher named Dan Rosenberg whose done a lot of linux kernel

1 Theres a kernel security researcher named Dan Rosenberg whose done a lot of linux kernel

1 Theres a kernel security researcher named Dan Rosenberg whose done a lot of linux kernel vulnerability research Thats unavoidable, but the linux kernel developers dont do very much to make the situation any better. -- Basically, the

625 views • 36 slides
Linux System Security Tunables Linux System Security Tunables Linux System Security Tunables

Linux System Security Tunables Linux System Security Tunables Linux System Security Tunables

Linux System Security Tunables Linux System Security Tunables Linux System Security Tunables http://outflux.net/slides/2013/drupal/tunables.pdf R0Ng DrupalCon Portland 2013 Kees Cook <keescook@google.com> (pronounced Case) Who is

474 views • 33 slides
Tizen, Security and The Internet of Things Casey Schaufler 1 Casey Schaufler Security

Tizen, Security and The Internet of Things Casey Schaufler 1 Casey Schaufler Security

Tizen, Security and The Internet of Things Casey Schaufler 1 Casey Schaufler Security Dinosaur Smack Linux Security Module Manager Tizen and Linux Kernel Security 2 Tizen Linux based operating system Project of the Linux

486 views • 23 slides
TOMOYO Linux A Lightweight and Manageable Security System for PC and Embedded Linux

TOMOYO Linux A Lightweight and Manageable Security System for PC and Embedded Linux

CE Linux Forum Worldwide Embedded Linux Conference 2007 April 17-19, 2007 TOMOYO Linux A Lightweight and Manageable Security System for PC and Embedded Linux http://tomoyo.sourceforge.jp/ Toshiharu Harada Tetsuo Handa NTT DATA

654 views • 47 slides
Network Security Fundamentals Security Training Course Dr. Charles J. Antonelli The University

Network Security Fundamentals Security Training Course Dr. Charles J. Antonelli The University

Network Security Fundamentals Security Training Course Dr. Charles J. Antonelli The University of Michigan 2013 Network Security Fundamentals Module 9 Linux Security & Logging Linux Security Real-World Linux Security RHEL

739 views • 41 slides
Basic Linux Original slides from GTFO Security outline Linux What it is? Commands

Basic Linux Original slides from GTFO Security outline Linux What it is? Commands

Basic Linux Original slides from GTFO Security outline Linux What it is? Commands Filesystem / Shell Package Management Services run on Linux mail dns web central authentication router

1.55k views • 23 slides
TOMOYO Linux News! A Lightweight and Manageable Security System for PC and Embedded Linux

TOMOYO Linux News! A Lightweight and Manageable Security System for PC and Embedded Linux

TOMOYO Linux News! A Lightweight and Manageable Security System for PC and Embedded Linux PDF version of ELC2007 slide is available: CE Linux Forum Wiki TomoyoLinux http://tree.celinuxforum.org/CelfPubWiki/TomoyoLinux (bookmark and

890 views • 48 slides
Linux, PCs and Energy Efficiency Implications for Linux Developers, OEMs, and IHVs Tom Bolioli,

Linux, PCs and Energy Efficiency Implications for Linux Developers, OEMs, and IHVs Tom Bolioli,

Linux, PCs and Energy Efficiency Implications for Linux Developers, OEMs, and IHVs Tom Bolioli, Terra Novum, LLC Agenda Agenda Demand for Energy- -Efficient Electronics Efficient Electronics Demand for Energy ENERGY STAR Program

593 views • 31 slides
Introduction to Linux Justin W. Flory CC-BY-SA 4.0 UNIX 101 To understand Linux, you need to

Introduction to Linux Justin W. Flory CC-BY-SA 4.0 UNIX 101 To understand Linux, you need to

Introduction to Linux Justin W. Flory CC-BY-SA 4.0 UNIX 101 To understand Linux, you need to understand what UNIX is, 30 years ago 1969 : Team of Bell Labs developers begin working on solution to address software problems with

500 views • 17 slides
Linux Kernel Self Protection Project Linux Security Summit, Los Angeles September 14, 2017 Kees

Linux Kernel Self Protection Project Linux Security Summit, Los Angeles September 14, 2017 Kees

Linux Kernel Self Protection Project Linux Security Summit, Los Angeles September 14, 2017 Kees (Case) Cook keescook@chromium.org https://outflux.net/slides/2017/lss/kspp.pdf Agenda Background Security in the context of

652 views • 52 slides
Linux Security State of Linux Security in 2016 Michael Boelen michael.boelen@cisofy.com DBLUG,

Linux Security State of Linux Security in 2016 Michael Boelen michael.boelen@cisofy.com DBLUG,

Linux Security State of Linux Security in 2016 Michael Boelen michael.boelen@cisofy.com DBLUG, 7 December 2016 Michael Boelen Open Source Lynis, Rootkit Hunter Business and Community Founder of CISOfy Board member and

454 views • 18 slides
Linux Overview Amir Hossein Payberah payberah@gmail.com 1 Agenda Linux Overview Linux

Linux Overview Amir Hossein Payberah payberah@gmail.com 1 Agenda Linux Overview Linux

Linux Overview Amir Hossein Payberah payberah@gmail.com 1 Agenda Linux Overview Linux Distributions Linux vs Windows Linux Architecture Linux Security 2 What is Linux? Similar Operating System To Microsoft Windows, Sun

1.11k views • 55 slides
Linux Hardening Locking Down Linux To Increase Security Michael Boelen michael.boelen@cisofy.com

Linux Hardening Locking Down Linux To Increase Security Michael Boelen michael.boelen@cisofy.com

Linux Hardening Locking Down Linux To Increase Security Michael Boelen michael.boelen@cisofy.com s-Hertogenbosch, 1 March 2016 Meetup: Den Bosch Linux User Group Goals 1. Learn what to protect 2. Know some strategies 3. Learn tooling Focus

912 views • 60 slides
Advanced Systems Security: Security-Enhanced Linux Trent Jaeger Systems and Internet

Advanced Systems Security: Security-Enhanced Linux Trent Jaeger Systems and Internet

Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA Advanced Systems Security: Security-Enhanced Linux Trent

474 views • 26 slides
Advanced Systems Security: Linux Security Modules Trent Jaeger Systems and Internet

Advanced Systems Security: Linux Security Modules Trent Jaeger Systems and Internet

Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA Advanced Systems Security: Linux Security Modules Trent

872 views • 30 slides
Secure Enhanced Linux Julian Richen SELinux? Started as a research project from the National

Secure Enhanced Linux Julian Richen SELinux? Started as a research project from the National

Secure Enhanced Linux Julian Richen SELinux? Started as a research project from the National Security Agency (NSA) A set of patches using the Linux Security Modules (LSM) Hardening GNU/Linux systems with extra security policies and

349 views • 15 slides
Linux Kernel Security & Hardening Thomas Lamprecht January 17, 2019 Introduction The Linux

Linux Kernel Security & Hardening Thomas Lamprecht January 17, 2019 Introduction The Linux

Linux Kernel Security & Hardening Thomas Lamprecht January 17, 2019 Introduction The Linux Kernel Widespread Deployed on: powerful (high performance compute clusters) sensitive (bank, gov. systems, ..) safety critical

995 views • 29 slides
Security threats and mi0ga0ons for iOS developers Emil

Security threats and mi0ga0ons for iOS developers Emil

Security threats and mi0ga0ons for iOS developers Emil Kvarnhammar www.truesecdev.com Twi=er: @emilkvarnhammar Isnt iOS secure? Q1 2014 : goto fail; Q4

440 views • 32 slides
M eeting Critical Security Objectives with Security-Enhanced Linux Peter A. Loscocco

M eeting Critical Security Objectives with Security-Enhanced Linux Peter A. Loscocco

M eeting Critical Security Objectives with Security-Enhanced Linux Peter A. Loscocco Information Assurance Research G roup National Security Agency Co-author: Stephen D. Smalley, NAI Labs 1 roup Inform ation A ssurance R esearch G

476 views • 43 slides
Linux Kung Fu Introduction What is Linux? Why Linux? What is the difference between a client

Linux Kung Fu Introduction What is Linux? Why Linux? What is the difference between a client

Linux Kung Fu Introduction What is Linux? Why Linux? What is the difference between a client and a server? What is Linux? Linux generally refers to a group of Unix-like free and open-source operating system distributions that use the Linux

562 views • 53 slides
Linux system hardening thanks to systemd Timothe Ravier French Network and Information Security

Linux system hardening thanks to systemd Timothe Ravier French Network and Information Security

Linux system hardening thanks to systemd Timothe Ravier French Network and Information Security Agency (ANSSI) RMLL 2017 Goal of this talk Goal of this talk Increase the security of standard Linux distributions Use security features

382 views • 37 slides
Agenda Linux security 1. System hardening 2. Technical audits 3. Automation 2 Michael Boelen

Agenda Linux security 1. System hardening 2. Technical audits 3. Automation 2 Michael Boelen

Agenda Linux security 1. System hardening 2. Technical audits 3. Automation 2 Michael Boelen 3 Linux security Areas Core Resources Services Environment System Hardening Boot Process Accounting Database Forensics Containers

821 views • 34 slides
Linux Security Scanning Learn your weaknesses with Lynis Michael Boelen

Linux Security Scanning Learn your weaknesses with Lynis Michael Boelen

Linux Security Scanning Learn your weaknesses with Lynis Michael Boelen michael.boelen@cisofy.com Nijmegen, 2016-05-10 Meetup: Linux Usergroup Nijmegen Goals 1. Perform a security audit 2. Learn what to protect 3. Determine why 2 Agenda

558 views • 52 slides
Threat modelling for developers Arne Padmos xkcd Safety vs Security William Warby Warner

Threat modelling for developers Arne Padmos xkcd Safety vs Security William Warby Warner

Threat modelling for developers Arne Padmos xkcd Safety vs Security William Warby Warner Bros Are we doomed? Building security in Security by design Shifting security left Microsoft Microsoft If we ... could do

1.1k views • 72 slides

More recommend