Security in the Stack

00:00

All right, listen. 2.3 security in the stack

00:04

and we're gonna be taken. Look at each one of the components that make up a Web application all the way down to the application Web server and everything in between just to kind of understand what we're trying to protect.

00:17

So the addictive is we want to list the components of the Web app, stack, identify vulnerabilities in each of the components and distinguish some of the attack vectors on those components.

00:29

So for just starting off kind of low level, where the data is the

00:33

and the reason we're listing all days is just kind of make you think about. Here's all the parts we have to think about. Here is everything we need to protect. So,

00:41

for example, the database there's there could be my sequel sequel server, post grass. Then you have sequel. Lied on the mobile side. You have peel SQL on Oracle, the stored procedures, all these type of our pieces need to protect it.

00:57

Then, on top of that, you have the web application server. So when you're running Apache Tomcat,

01:02

I asked node

01:03

all these You you need some knowledge to understand each how the security impacts for each one of these Web application servers.

01:14

And then, maybe on top of that, you might be running ah, content management system like word path, WordPress drew people Djamila al fresco any thes,

01:22

they all require constant updates, specific Kerry, their running, different types of languages where there's PHP, Java and they all have their own configuration settings that that need to be done correctly,

01:34

and then even the communication between your APP and the

01:41

the client there. There's a lot of different verbs that there's get post cross origin. There's cross site request forgery, whether depending on the type of data, whether it's Jason XML

01:53

with your doing out of band Web sockets, that there's a lot of ideas you have to understand and have to protect because the bad guys understand all these.

02:01

And so you needed to match those skills.

02:06

And, of course, there's a cloud. Now there's Cloud Trail Cloudwatch Lambda. There's the metadata to take care of, and you have docker kubernetes there. There's so many pieces

02:17

and of course you have to own the you I side. You have to

02:22

predict the JavaScript html five. There's, of course, you can't protect the client side because you can't control it. But you have to put controls in place to understand what's going on there and not

02:34

trust, uh, anything that that's being sent by the claim

02:38

so you can drill down a little bit here. So in the databases, there's obviously is there's different types of different versions.

02:46

This the types of sequel injection are dependent on the database and can actually be dependent on the operating system as well.

02:53

And I mentioned before store procedures have their own security,

02:58

uh, issues that you have to deal with.

03:00

Whether you have a relational database where they have no sequel,

03:05

there's a again that there's a completely different databases to protect, and we've all seen the stories about the no sequel databases out there on the Internet. That air just plugged in and running with no authentication. And of course, there's

03:17

they're secure configurations that that that are available out there with their steak or C. I s for protecting the way they're set up in the rights on them.

03:29

So the Web application server, same thing vendor and version have different exploits

03:34

again, depending on the operating system and the programming language that they're they're sequel dependencies on them.

03:40

And and again there's there's there's good security secure configuration guides out there for the settings. What modules that add on their, which was she should be turning off. So if you just set a default Apache

03:53

Web server out there, it's gonna have a lot of modules on that you really don't need

04:00

content management systems probably seen all these exploits out there as well. Again, there's they're dependent on the version. Sometimes the operating system again. There's plenty of best practices out there for

04:12

thus the settings access rights, how to securely configure it

04:16

and which modules to use. Which themes? Keeping them up to date. Because that's what a lot of the exploits have been. Have focused. Honest is these modules Because a lot of times people just say I need this functionality. Let me find a module. Cool. Let me deploy. All right. I never have to look at it again, Which is, of course not. Correct.

04:34

Okay,

04:35

so here's a question for you.

04:39

Why do we need to understand all the components of the weapons? It's back.

04:45

Does his?

04:46

Hopefully you're paid attention. You should understand that the reason we're looking at this is so we understand the complexity, and by understanding that we can, we can then look at when we're setting up our def sec up pipeline and we're sitting up our controls, the tools we need. We need to understand what their threats are, what did what

05:03

risk are specific to these components of the of the stack,

05:08

and so that when we go to select tools, we know that they're covering what we think are the risks or the threats to our organization, and you don't have to cover it all with one tool of one process. You can have some overlap until he's good to have a little bit overlap so that you can make sure because not all tools or processes air perfect. So it's always good to have a little bit of overlap.

05:30

Step back in this I mentioned before. There's Web protocols when you'd understand, get post the lead,

05:35

depending which one you use. It has some you can have some impact on and seen this before, where the person developing the application on Lee thought about, say, I get her post or didn't even think about that and didn't implement any of these other verbs. And when it gets an unknown verb,

05:54

you have no idea, really what, it? What's going to happen?

05:58

Um, there's other ones I've seen where the developers

06:01

wanna pull in thes third party libraries from other way from from other sources than the application sitting on there. And then this cross origin

06:12

gets in the way. So they relax it just so it works. And then you cause vulnerabilities that way when people can start injecting Java script or other

06:19

code into the application.

06:23

And there's other issues D. C realization of, like XML and Jason that

06:29

that that are big issues as well.

06:30

And then you have to understand there's Web socket with which runs out of band

06:35

of of the regular requests. And I've seen vulnerabilities with this as well, with specific way back with the spring framework had an issue with Web sockets there. It was a vulnerability, but only if you had Web sockets, he unencrypted. I was testing application, exact what they had and it with a critical vulnerability.

06:58

Of course, everybody knows about cloud security. Thes s three buckets left out there,

07:03

uh, with no encryption on them, hoping nobody finds them at the lot of the controls or the um in between the VP seas are set up to by default, denying it it's hard to get it working. So I've seen this before to just say, Let me do any any,

07:23

get it working and then they forget they leave it out there like that,

07:27

and we've seen recently these these servers tried request forgery where you trick thesis Web server into believing that you that's a call from the inside and getting extracting, meditate or other sense of data that shouldn't be descend out there

07:42

and course of these

07:44

vulnerabilities will not be what will not become apparent until it's actually out production. So you do a lot of these testing, and they may have set up the production environment you heard mention a couple of times. Is this environment drift?

07:57

So one of the ways that fixes his infrastructures or code where uses have this repeatable process, but it takes a lot of expertise to do that well as where as well

08:07

and again dependent. You might have an expert in AWS, but they might not be an expert in azure so understanding. Getting getting the right expertise is difficult until you know you have toe test for these type of specific vulnerabilities as well.

08:24

Again, there is the you I component, so html has injections. Dom attacks

08:30

across like scripting with Java script. There's a team L five and cascading style sheets now,

08:35

um, malicious ads, which which may not become apparent again again, especially in the developed environment in the production. So these are all kind of different areas we need to think about as well.

08:48

And again there's. We focus on the really technical side. But there's a and there's these miscellaneous wanted. We forget about just two standard configuration errors of the software auditing. Is it not done correctly?

09:00

The exposure of sensitive information like passwords, keys anytime in the documentation. Sometimes he gets published.

09:09

The last one's a little difficult to automate, but some checks you should be going out there, uh, times developers run into an issue, and then they go out and post on stack flow or some other place and say, Hey, I need help and they may post, you know, sensitive information out there that

09:24

that could be then used to attack your application.

09:30

That's another quiz here.

09:31

Seiko injection exploits can depend on the database type or programming languages is true or false.

09:39

This is true eso there's the issue with called Stacked Query. Exploit where you can if you can get a semi cooling in there, you can then terminate the the Sequin Gestion and add your own Arab at many on after, which is one of the worst sequel exploits. So I got this table from Nets. Barker blogged that that showing

09:58

the cross reference of the database is across the top in the programming languages and everywhere it says yes is. If you have that specific database and that programming language you can, you are susceptible to stack. Query explodes.

10:11

So in this model, we just talked about Security House needed for each one of the layers and understanding why we need that.