
All right, so for those who care to pay attention: I'm David Zenzian. I'm one of the guys who helped get BSides started here a couple of years ago. I always get involved in things I probably shouldn't; I guess that kind of defines all of us and where we're at. Who here is on the operations side? Okay. Security team? Okay, so it's mostly security. How about developers? How about business? So I'm going to try to tie all of these together, and we'll see where it goes from there. I originally started off with a nice long title, trying to bring it all together as "holistic security," but I narrowed it down to the basic idea of what happens when you have a security architect who builds an application. So we'll see what happened and go from there.

I'm going to go through a couple of things. I want to start off the way a lot of talks on operational security start off: with a bit of history of how we got here, where we're at, and where we're going. Then I'll go into what inspired the application I built, what kind of application it is, how I learned to build it, how I learned to secure it, and how I made some fun stuff out of it at the same time. I have a little bit of code we'll go through, and hopefully y'all can follow it.
I should grab my laser pointer so I can show you. For those who don't know me, I've been in IT and security for over 25 years. I went to the College of Charleston; I was supposedly going to graduate around '92, but I stretched it out for a while and then stopped going. It was a lot of fun, and I was doing a lot of fun things at the time. I started the first ISP here in town, if anyone remembers AWOD. Yes, it sucked, but I had fun starting it. I didn't choose the name; it wasn't my choice of name. I also started a wireless ISP many years ago, back when all my customers were asking why you would want wireless internet. I had many lawyers' offices tell me, "Why do we need internet, and why do we need it wirelessly?" At that point I decided it was time to go to California. So I left Charleston, went to California, and had lots of fun working at banking, healthcare, and other financial services sites. I did my stints as a PA-QSA and QSA, so I did audits and assessments for lots of fun places, from the Marine Corps to Williams-Sonoma and Disney. I've seen a lot of fun things, and all of that led me to where I am primarily now, which is Easy Servers, a managed services and security company my brother and I built to solve the problems I saw everywhere I did audits. We try to bring real security operations into people's day-to-day operations and make it affordable. The last thing here is what we're going to talk about today: the random idea that a friend of mine came up with that I decided to try to build. We'll go through the history of where that went, what it is, and why a security person is writing applications, which I'm not sure was a good thing or not, but I had a lot of fun.
So, operational security. With any sort of security, nothing really happens unless you have something worth taking. As the old saying goes, why do they rob banks? That's where the money is. If you have nothing of any importance, no one's really going to come look at your stuff; but if you have stuff that's important, they're going to come look at it. There's no way around that one. So who's looking at it? As Georgetown might have said, and whether you like him or not, he's got something right there. How many researchers are in this room? There are people here; this is what we do. We look at things. We're curious. We're not the only ones; we're trying to be on the good side of it, but anyone out there has the ability to research, and that's what we're here advocating for: for that research to happen. So you have a target, and people are looking at it. There's a big problem, though. How many times have people heard this: attackers only need one exploit to get into your environment. We all know that. What I'm going to go through in the beginning is pretty much a recursion of all the security talks we always hear, which I want to spend a few minutes on to pay tribute to that part of the industry.

The biggest problem we have is that no one talks together. There are really wonderful people here, people who do business but mainly security people, but we aren't reaching out to the community in general. We have an entire computer science department here, and all of them are like, "Oh, I don't work in security, so why would I go to a Security BSides conference?" There's a big disconnect. We're having a problem in technology now, and I don't want to say information security, because it is technology: the technology problem we have is that no one talks to each other. They're all in their own little silos, and it's up to us to help bridge that. A lot of talks recently, if you go to ShmooCon or DerbyCon, a lot of people are talking about the fact that we need to bridge the gaps, understand the business, really know what the problems are, bring real solutions to them, and work with them on solving their problems. So out of all these controls, basically operational security and regular security came out of this, and from here we have the basic ideas. Again, there are lots of things people build around the CIA triad and other things; this is just the basic steps of what happens when people try to secure things.
I'll go into a bit more detail to fill in the whole thing before we start going into what happened when I actually went to make an application. We start off with the basics: critical information. As we said at the beginning, unless you have something important to steal, no one's going to steal it. So what is important to you? We as security people typically don't know what's important to the business. We're there watching for attackers, watching for signatures, watching for things that are happening, but do you really know what's important to your business, or whoever you're working for? They really need to drive that, but at the same time they're not the ones who think outside the box, they're not the ones you have to follow up with on that, they're not the ones who will be paranoid enough to really think about the controls they need to put in place around it. This scoping, this classification of critical information, needs to include everything. When people look at things they typically say, "Oh, here's our financial system, that's our SOX data. Here's our online credit card system, that's our PCI data. Here's whatever you want to name it, we're doing government contracts that involve this one thing. Here's our health records, that's HIPAA." And they go off and make these little silos of different areas, controls, and policies that manage all of those things. I'll just stand up right now and say to all of y'all: I think that's a bad approach. One policy is much easier to live by than twelve, especially once you get into a bigger organization. So standardize and make it easier for people to live with, but also don't forget the dependent parts. While the business might be concerned about their SOX compliance or their PCI compliance and look at those systems, what supports them? You have the domain controllers, you have all the different things around them, the logging servers, all the other components, jump points, VPNs. Any of those components are part of the supporting environment that you, as the technology people, need to bring back to the business, because they're looking at the critical things that make the business function and make money, and you're looking at what keeps them online and alive. You have to blend the two and find that match.

Once you identify your critical information, you have to look at threats, and this is what we all love to do, right? We have to go out and figure out what the threats are. We go to conferences, we listen to podcasts, we go to different training things.
I only list a couple of them here, but one of my favorite resources on the internet is just IRC. Who still uses IRC? Not that many of you. Twitter has replaced a lot of it, and there's a lot of information on Twitter, but IRC is a great, great tool. There are a bunch of underground sites and a bunch of above-ground sites where you can actually go and find really good, up-to-date information. Outside the security realm, if you're working on programming or working with different tools, it's a great resource for talking to a live community of people around the world. So I suggest really going back to IRC, because it is still a vibrant community.

Once you've actually identified those, you need to analyze the vulnerabilities in your environment. We're all pretty comfortable with this; we use these tools all the time. We're used to running vulnerability scans, doing code reviews, and penetration testing. I list some of our favorite tools here; NT OBJECTives is one of my favorites in the industry. I think they have a great spidering tool, and if you haven't played with it, I think you should give it a chance. Again, these are the favorite things that we as security people like: we like to go to conferences and learn, we like to go talk to our peers,
we like to do pen testing. But now, our favorite topic of all: who always fills in the paperwork? Oh, come on, someone's got to. Are there no government people here? So, risk assessments. I did this for about eight years as a PCI assessor, but also outside of that, doing regular security risk assessments for companies. This is where you tie those things together: you have the vulnerabilities you've identified, you have the risks that are out there, and you put them into a reusable document. There are a lot of different ways of doing it; we could have a whole talk just on the different ways of documenting and analyzing your risk and putting it together. But it's one of the more important things you can really do: understand all these things put together, and make something that's usable by management all the way down to the tech teams, something useful for those people out there.

And then, finally, what everyone thinks they're talking about these days when they talk about OPSEC: what do you do with all the data? How do you respond? Do you block them? We had a nice talk earlier about honeypots and the different things you can do around that. Do you attack or scan them back? There actually was an hour-long discussion at ShmooCon on the idea of whether we legally have the right to hack people back. I don't get into debates about that, but it's useless if you don't really know why you're doing it, what you're doing, and the risks involved with it. It's just reactionary; it's like someone hitting you in the knee and it jumping. It doesn't do any good for you. So these are great tools and great countermeasures. In fact, some of the things in the application I put together actually tie some of these together into automatic responses, though nothing directly attacking somebody; it's more of a defensive role, keeping things moving forward.

So out of all these tools and things we've all put together, what are some of the problems we have with them?
The biggest problem is that they are realm-specific. People tend to segment their things out and say, "Oh, here's my PCI data, here's my HIPAA, here's my employee records for my HR stuff," and they do them in different areas, and no one really talks to each other. We all admit that's one of our biggest problems: we don't talk very well together. Once we do have solutions, we're also very bad at communicating them back to people. We come up and say, "You need to write this fix to your code," but we don't actually work with the developers; we give them the report, say "go fix it," and come back and scan them later. It's a back and forth where no one's really working together. One of the things I went through in the program I'll show you is that I was doing both sides: I was small, I wrote all the code myself, so I was doing the design work, which my security background helped me put together, but I also had to do the programming, so I had to make sure it integrated together. So it's time to give that communication a chance, and hopefully as you go back to your businesses you can bring back some really good dialogue and make it work going forward. Also try to keep in mind that technology solutions aren't everything. A lot of times people come and say, "Oh, this vendor has this box that will solve this," or "We can put in that firewall here and it does this." Don't depend just on technology. You really need to understand the logic of what the programs in your environment are doing, bring that out-of-the-box thinking back to the different people, and help them think outside the box themselves.

So all of this builds up. We're now all in the same space on operational security, so let's talk about what the heck a security guy is doing making a program.
I just moved back from the Bay Area to South Carolina, and a buddy of mine came up and said, "Hey, I've got a fun idea. Let's make a program. It's an online marketplace that makes money and gives people money and has raffles and fun things." Honestly, I could talk for hours about the details of the actual application, because I wrote 20,000 lines of code for it, but it's just a silly idea where I said, "Why not? Let's go ahead and figure it out and have some fun making it." So I spent about three years of part-time coding and put it together. But this is actually what I mentioned earlier: do you have a target? What's your target? I have financial data. It's actually a live site that has a feeling of, I'll say the word "gambling," but a feeling of gambling. Anything like that, anything like banking, is going to be a target, and it actually is a fairly active target considering it's really not known yet. I released it about three months ago, so it really isn't even out there publicly, and it's been an interesting couple of months watching how people respond to it.

A quick little view: it's just a simple little site. It's a place you can go shopping; when you buy things you get cash back, which you can then use to raffle off anything else on there. Again, it's a silly application, something you really wouldn't expect a security architect to be working on, but sometimes you've got to take silly projects to have fun and learn more. I started off like a lot of startups: I tried to find developers to do it for me. Again, I'm a security architect, I'm not a coder; I just code when I have to, for the fun of it. So I made the joyful mistake of hiring people onshore and offshore and going through the trials and tribulations of realizing that
they don't really know what I'm trying to get done. Communication is the biggest issue, even with English speakers. Trying to offshore to Estonia worked even worse: it cost us money and we didn't get anything out of it. I'm sure you've all dealt with it before; I can see a couple of heads nodding when I talk about offshoring. It's nothing fun. The biggest problem I ran into was that developers see a life cycle like this: "Give me some requirements, I'll make the design, I'll write some code, we'll test it." And that's the biggest misnomer, especially when you start dealing with PCI and asking questions about code reviews: the testing people do is functionality testing, not security testing. So I was getting really upset and frustrated that they were making code I was able to exploit, and it was just demo code, so it was very, very upsetting to me. What I really wanted was a secure process for developing code, with the risk assessment at the beginning of it. This is something I would like to see in more software houses, or anywhere you're developing software: when you're making the functional spec and the business case for the application, you need to have, and I'm sure you all advocate this all the time, security people involved in that step, so you can provide that pragmatic voice and say, "Here are the risks we have with this; make sure we keep that as part of the design." Then on the back side, when you're coming off the application, you can actually test against the risks you identified in the beginning, and have it as part of the iterative loop: as more things are developed, you tie them in, identify risk, and make that part of the testing.

So since I couldn't outsource it and
make it happen, I did what every other hacker would do: I decided to learn Rails myself and make it happen. Rails was a fun challenge and a really interesting thing. I heard a couple of people earlier, I think it was at the training last night, talking about Ruby and Rails and the joy of learning it. If you haven't learned it, I'd suggest you do; there are some really cool things you can do with it. As I mention here, from an operational security side you have Metasploit. It's all written in Ruby and has wonderful tools, and once you've learned how to write Ruby you can actually write your own Metasploit code snippets to make it useful to you and what you're actually working on. On the operations side, Puppet and Chef are all written in Ruby and tie into Rails for various things they do; it's a very helpful language for doing configuration management for your environment. On the development side, Redmine: has anyone ever heard of Redmine before? One person. How about GitHub? Picture GitHub, but for a private environment: it ties your CVS, your Git, your trouble tracking, your wiki, all of that, into one server tool for an internal environment. It's an open-source Rails application for doing all your DevOps inside it. So there are some really great tools, and really good reasons. I wanted to do more with Metasploit, so I had to learn more about Rails, so I figured, why not write an application so I can figure out Rails? That's the best way of figuring it out, and that's how I started in code anyway: just get the code and figure it out.

I'm going to go through a couple of things here on how I learned Rails, what I learned from it, and basically how I got into the security side of it. Any of you who want to get into this can follow some of these things yourselves and give learning Ruby and Rails a chance. One of the best places I went to is
TryRuby, a wonderful place. What they have is an interactive web application: you go to it and it gives you code snippets you can type into the web page. It lets you write Ruby code, and it'll debug it, work with you, and help you in an interactive web environment. It's a great environment for writing the tools, and I expect to see a lot more online training using this approach. It was a lot of fun, but not as much fun as learning Rails, because who doesn't want to write a program for zombies, right? I originally went through this when it was on version 3 of Rails; now it's on version 4, and I'm sure it's changed a little bit, because I've not gone through the classes since. But in the version 3 course, what you actually did was write a Twitter application for zombies. Pretty useful, right? It was a fully interactive environment: they go through a training video, and the same way the TryRuby site did, you type the Rails code into the page, go through the examples, and actually make a functioning Twitter application in the web page. Through all the different courses, in about two hours you're writing Rails code and writing a full-on Rails application with database integration and basic tools. It doesn't get you everything you need to know, but it's a great starting point and has lots of fun things in it.

If you're like me, you're a bit of a hacker-coder, so the best way I learned after this, to really get into the mix of what can be done, is a wonderful site called RailsCasts. I wish they had these for every development language out there. This guy was a prolific webcast developer; he made hundreds, I think three or four hundred different webcasts. Most of them are six to ten minutes, so they're very short, but very detailed on how to do specific things. Say you want to focus on migrating from Rails 3 to Rails 4: he has one webcast on which variables and functions you have to change and how you actually do it, and you can follow it step by step or even just copy and paste code from his website. Wonderful environment. In fact, you can see model caching on the list; I just deployed that last week. When we started getting more activity, I decided to put memcached behind it and start doing some caching in the back end. I watched a six-minute video and went, "Oh, that's all I have to do?" and then spent two hours adding cache code to all my different models.

For those who don't understand Rails,
I want to give you a little walkthrough of the various parts of how Rails works. At the very base level you have a model, which is actually a database definition. Inside the model you're going to say things like the different fields a record has: it might have an ID, a name, a password, various fields describing the structure of the database. But you can also add some really cool things, like saying that this record relates to another record. So you can have a user and a store, and the store is owned by the user; that relational model is just English inside the model definition, so it can tie things together. If you have a store that belongs to user one, I can say, "Don't delete the store record if it has a user model attached to it," and it actually does all the error checking around that. I'm going to get a little further down into some of the more security-related things you can do, but it has some really great built-in stuff on the model side for doing validation. If you're entering data, you can say this field is only supposed to be a number, this field has to match this regular expression, this field has to be present or not present. So you have some really great definitions, or you can even write custom code to validate parts of the data being input before it even gets to the database. It's a very strong validation model built into it.

The next step up from the model is the controller, and that's where all the logic happens in the application. That's where you say, "Something came in from the user, I need to do some sort of logic function, talk to the model, and produce something back to the application," which is what's called the view layer. The view layer is the web page: the actual HTML markup page that gets rendered as the output. Inside Rails there are different ways of doing it. I tend to just use regular ERB templates, which is like HTML with code snippets put into it, the way PHP code would be. There are also other languages; I think Sass is one, where you do a syntax-based language: you write an "h1" and it's a syntax like Python in a way, which is one reason why I hate Python. I hate syntax where a wrong space screws me up. But anyway, from that basic structure I want to go into a couple of the other controls we had to put in to make the application. So naturally,
being a security person, I had to walk through and say, "What can I do with security and Rails?" I can't just say "deploy an application," because every website you follow, every webcast, says "deploy the application," and basically you can make a Twitter application in Rails in about 12 minutes. It doesn't take very long at all; you run about 15 commands and boom, you have a running Twitter emulation. Nothing fancy, but it works. But it doesn't have all the various things that are needed. Rails provides a bunch of really good information, fully integrated. Cross-site request forgery protection is built into it, so it automatically makes all your data variables post with a token on each page, and when you're posting data, if it doesn't match on the back end, you know it's a forged request. It has a bunch of other details showing the ways you can help address privilege escalation, SQL injection and unsafe queries, how to tie together your validations, and some basic, minimalistic structures of what you do for security. It didn't really get into everything I wanted, so I have my own list of things I keep that aren't in the basic documents, things you'd kind of expect: our business logic, or how we actually prevent mass assignment. When I say mass assignment, what that means is you're submitting a form on a web page and it's got a first name, a last name, an address, a phone number, a comment; that's multiple fields being mass-inserted into the database, a mass record update. I'll show you some of the controls Rails has for those features nowadays, which I wish other languages had. I'm not the best in some languages, but I know PHP doesn't have it and ASPX doesn't have it, and if it does, I'd like to learn how to do it, because it's good to know. So we'll get into a couple of these in a bit more detail
so we can get an understanding of how I put these controls together. I think the slides are all going to be out there, so if you want to take pictures, they're going to be posted along with the videos. On the business side, again, this is one of those things where you rarely have the developer, the business, and security communicating and working together. Since I'm the developer and the business side of the application, I integrated security into my life cycle. With some of the tools you're going to see here, I would iteratively do code reviews, do application reviews, put in security controls, release it, and do my own QA. That's why it took me three years: I have a full-time job, and it's a lot of work to follow all those processes. Inside your business, the biggest thing you can do is make sure you have security as part of that life cycle. I'm sure everyone here would fully agree with that; there's nothing new and fancy about it.

Awareness and training: again, I know everybody here has awareness and training, but are you really training your developers? This is one of my biggest arguments, even here at the College of Charleston: we're training developers, and then we're saying, "Oh well, now you've had your Python class, let's go take a class on Python security." You're not actually having security as part of what you're doing. So this is a plea to everyone here: if you are making a security training program, if you're helping build the programs in your organization to do security training, try to do it in such a way that it brings people together to have that discussion and dialogue. Have your developers work to a set of standards they actually have to program with, with the security built into the methodology they use. Have your marketing and QA folks have a process for including security in their discussions. If you have a salesperson making a sale and they're not bringing up the risks involved with using different parts of your tools with customers, there are plenty of opportunities for cross-sells and upsells to have that discussion with customers, because everyone is worried about security these days. It's good to have. But I think the biggest thing that can really help is a security bug bounty program. I was always a big fan of it, and once Google and everyone else started coming out with them, I thought it was something I wanted to have. So I made Bid a Dollar.
I actually have a section in there that's a full security bug bounty, and it really paid off hugely for me. When I first released the site, within three or four days, and no one even knows about it, in fact there are more people in this room who've heard about Bid a Dollar today than probably know about it at all, it's such a new application, and I don't have millions to market it, we're not funded. So what happened is, when I first released it and it first got indexed by Google, I got some really new friends from India. There's actually a team of teenagers, actually I think there are about 15 of them, from 15 to 25, and all they do every day is go visit bug bounty programs, find exploits, and make money. And they're making a lot of money; we're talking 15-year-olds making $100,000 a year in India finding bugs in Google and Yahoo. They're good hackers, and they actually helped inspire a couple of the ideas I'm going to show you the code for. They weren't actually able to find exploits, but they found ways of harassing the site, and I was able to mitigate those to make sure I can handle the load of an attacker hitting it. So don't underestimate having a bug bounty.

Bug bounties have really grown; there are actually two different commercial bug bounty programs right here. If you can get buy-in from your company, you can be part of a program where security investigators and researchers go to the crowd: Crowdcurity and HackerOne. Terrible names, but then Bid a Dollar is not a good name either. With these sites, people post their applications or websites, whatever it might be, and hackers or security researchers, in fact, if someone here wants to do some valid security research, if you're trying to find projects and don't want to get in trouble for scanning people's websites, go to these sites. Hundreds of companies list their sites and say, "Please hack us." If you find hacks, you can either get props for it, which is what I do, since I have no money: the guys who found stuff on my site get a page that says "thank you for helping us"; but there's actually real cash too. In fact, if you look right here, this one for HackerOne says they've had $1.5 million in bounties awarded, and they've only been online for maybe a year, a year and a half if that. So they've awarded over a million dollars in bounties in that short amount of time. It's a great thing; please take advantage of it. It'll help you learn more and help the industry get better overall.

So now to jump into some of the... oh, I think my presentation died. Sorry about that.
And here we are. That's what I get for working on the presentation all morning and leaving it up on my desktop all day. Now I just want to take a little time and go through some of the actual coding examples. One of the things I always found frustrating about going to security conferences is the lack of actual real examples. It's always been annoying to me that you go somewhere and people talk about "Oh, you need to have a security policy, you need to have code review," but they don't really get into the details. So if you can't read this, I apologize; the slides will be available afterwards, and I'll be available for any discussions. But these are actual things that are either part of Rails, or things I have integrated from third-party tools or my own tools, to make the application respond to its environment and have some controls around it.

I mentioned mass assignment earlier. If you have a form that's being submitted with multiple fields, one of the biggest problems out there is that people don't, one, validate it, and two, check whether the user is authorized to input data in the fields they want to. As you can see in this example, I've got three different functions here. This is actually updating an item. Say something gets sold on Bid a Dollar, or somebody creates a new item, say the administrator of a store creates an item to list, or an administrator like me modifies a record. There are different types of people who might do these functions. If I bought something, I can leave a comment back to the seller on the site, I can rate the seller, and do different things around it. So you want to have interaction for the different people, but what you don't want is someone who bought an item being able to change the price, change the pictures, or change other details of the record that they shouldn't have access to. I'm going to show you more details of how this works on the next slide, but you can see, over on the right side, after update_attributes it actually has what looks like a variable with a function call: one if it's updating a sold item, one if it's the admin, and one if it's just an update from the owner of the store. And the way this works... and that just totally came out bad, sorry, y'all.
so i'll just make this it won't be perfect but it'll work right now
come on
Okay, so it's hard to see it again, I apologize. This is within the Rails code. Rails is object-oriented; I did some private functions, and inside the private functions, each one of the prior calls here, update sold item, admin update, or update item, there's a function that goes with it, and inside each of those functions I'm able to define which elements within the database table that function is able to update. So I can say, administrators, if you look at the top one, the administrator one, that has access to all the records in the database, so on the item record it can update pictures, it can update prices, it can update anything. The update item one is actually a smaller subset because in our environment, once you've created a listing, you can't change the price, because if it's involved in a bidding environment our prices are all fixed. So you don't want to have somebody changing prices and affecting people's ratio to what they've actually got access to. So even if you own the store and you own the item, you can't change the price. As you can see on the update item parameter here, there's no pricing here; they can change the quality, they can change the description, they can change it to renew it, and they can change pictures, but that's all that they can change. And then if it's one of the buyers, the buyer can basically only update the attributes that deal with the update of the delivery of the item. These controls are called strong parameters in Rails, and I really wish... if there are any developers in other languages here, let me know if other languages have this feature. It's one of the few things that I really, really came to love Rails for: the idea that I can really granularly assign an individual user, an individual function, rights to what they can and can't access for changing database records. A wonderful set of tools, and it's all built into the system.

On top of that you can actually extend it. So like in Perl you have different Perl modules; Rails has gems, which provide various things so you don't have to rewrite things yourself. Now you're welcome to go off and write your own authentication library, but Devise has some really great integration. It has full, you know, password changes, reset URLs, all this stuff already built for you. You basically stick one line in one file, run a command, and then you have full authentication tied into your data, your system. It makes it pretty much seamless. One of my favorite extensions to that is called the Devise security extension, and that allows us to have all the controls that we want to have over accounts: password expiration, password length, and, I forgot to grab it in here, but I believe the maximum password Devise can handle is 127 characters, which I set in Bitter Dollar. So if you decide you want a 100-character password in Bitter Dollar, you're welcome to do it and it will actually work fully well for you. And then session timeouts and locking. It's important to have timeouts, and outside of banking, does anyone really know any websites that really have timeouts on them and log them out? I can't think of many that do. Yeah, outside of banking sometimes, yeah, but not really that many, realistically. In PCI you're supposed to have session timeouts, so they're supposed to have it; in a lot of places they don't.

Another fun thing is CanCan. I am not actually actively using CanCan, but what CanCan does is role-based access, so you can define users and roles having access to various functions. We're very simple: we have an administrator or not administrator, so we don't have many roles, I didn't have to use it, but it's a great tool for doing multiple-layered role models. And again we're taking security and applying it to the application and trying to make it have the controls that we as security professionals would like to have in applications, and these are some of the tools you can build from. OmniAuth is a wonderful set of libraries. You can go to Bitter Dollar, you can use Twitter, you can use Facebook, you can use Google, you can log in with those, you can control your access controls through those. So you can actually use Google's two-factor authentication if you want to make sure you have a strong secure login to go, you know, buy a car from me; you're welcome to. And CAPTCHA, while we know CAPTCHA is easy to bypass, it's a great tool to have if someone's going to have to change a password or do things that are in a semi-unauthenticated environment. It's a great tool to help limit the number of bots hitting you, just doing password... sending reset passwords out there, to help limit that. And another really cool tool is Alpaca, and I'll show you in a little bit that I didn't actually use it, but what Alpaca does is you can create a file that contains whitelists and blacklists, and at various parts within the application say, you know, this one web page can only be accessed from these IP addresses. So it's an easy way of saying your administrators can only log in from one IP to this, that's part of the function, and control those pieces. I use the other layers to actually do role-based access in the environment, and I'm doing another method I'll get into in a few minutes on actually doing blacklists. I don't do any whitelists, but you'll see the cool way I tie into security and the blacklist in just a few minutes here.

Code review: anyone here do code review? How many languages do you know? I'm actually fairly proficient in Rails these days, but I still use the tools available. So let me go through this one, and Codesake Dawn in just a second. Brakeman is a wonderful tool. It takes about 30 seconds to go through my code, maybe about a minute at most, and again I have about 15, 16,000 lines of code, and it goes through and is able to pull... it's actually a report I ran in my development tree this morning, and I didn't include all security warnings, but some security warnings are some of the joins I do; some things are so complex in the way I do joins, it thinks that there's possibly a SQL injection on there, but there are no variables going into it, so it's not an injection. But this is a great tool to quickly go through the code and produce a report of what could be an issue. There are two versions of this: there's Brakeman and Codesake Dawn. Both of them provide similar sorts of things; they're based on the same sort of ideas as they go through the structure of the models, the validations, the overloading you do, the different ways you write the code, and it tries to tie together a good code review. You can buy commercial tools, but these work really well for the basics of what you're going to go after if you're really worried about security.

One of the biggest problems I've seen with most applications built on Ruby or Python or Perl or PHP is you end up having third-party libraries. On here I've already listed half a dozen gems, from Devise to the security extensions, and each one of these gems comes from a Git code repository. When an exploit hits, they make a post on their site, they release new code, but have you gone out and actually updated all the libraries your application depends upon? Have you QA'd all that? And I'm sure you all have seen it before; I can't count the number of times I was on an assessment where they had not upgraded their web application because they think it's going to break one function, so they don't touch it for years. It's one of the biggest problems we have trying to talk to developers, the idea that they have to do that work; they have to take that step forward and do the code reviews and do the fixes on their code and move forward. Gemcanary is a great tool, and I'd love to see more of these for other languages too. The one thing they don't have yet is... it only works if your code's in GitHub. What it actually does is scan your code, look at your Gemfile, you know, the gems you've added, look at the code you've actually written, and it goes out and has listings on all the gem sites on GitHub and all the various other places that make gems, and looks at their security release lists. So if you have your application that they've looked at in their environment and a new exploit comes out for Devise, you'll get an email saying hey, this application has this Devise module, you know, X, Y and Z came out, upgrade it now. So it actually does all the watching of your gems for you, which was one of the biggest problems I ever had in development. Not that I was a big developer by any means, but even just rolling things out when we used to build Apache from source code, anything you used to do on a code-based release where you're tying into things that you have to manually update has been a big problem. So Gemcanary I think is a great idea. I personally am concerned about giving my code entirely over to another company; that's just me being paranoid, but I might do it one day, we'll see how it goes. I think it's definitely a great idea, and I love the idea that you can get email alerts when you have to do upgrades. It makes it easier and there are fewer things you have to watch on the entire environment. Inside Bitter Dollar I think I have about 35 gems, and if I had to go out there every week or every day scanning 35 websites looking for new releases, I just wouldn't have any time to do anything else, and I have kids and I like to have fun too. So now we step back and go back to the regular traditional operational security side.
So inside regular operational security, we have people who deploy web servers, they have applications they deploy, and they would come to someone like... maybe I'm not just a security person, but I also do a lot of operations work. They come to someone like me and say, okay, we're deploying nginx, we're deploying Apache, let's secure it, let's make it good, let's not forget to change our TLS and SSL headers so we can't get hit by POODLE. Here are a couple of things I went into on top of that, that were there before POODLE, to kind of go into some things that most websites should have but realistically don't have. This one right here goes into simple things like SSL stripping, making sure that it forces and enforces SSL. The X-Frame-Options: one of the biggest problems in attacking people is clickjacking, where you have a hidden frame come above somebody, and where they click on something, a hidden frame above it, and the clickjack can take over it. So between the hidden frame and some of the other features that go into the next page here in a second, you can actually tell the browser's controls to now say, oh, I can't display that page because it's not supposed to be in a frame over on this site. So it has some of the controls for doing framing. I gave a couple of links in here on where some of the details come from, and if you want to talk more in detail on how it works or what it does, I'd be happy to get into that; I just don't want to get too in-depth into some of the specifics right this second. And this is actually another one for cross-site scripting. It's another header you can put in there, and these are all headers that come out before the HTML, so you're talking to the web server itself; it produces the headers and the information that defines what the connection can have. And this is another one for cross-site scripting; it ties into some of the browser controls that are out there.

But what I found is one of the best controls you can do, which I have really not found many sites that can really do a good job with, is Content Security Policy. Anyone here play with Content Security Policy before? Okay, so I've got a fun gift for you guys to do. I got one hand back there, so one person here has felt the pain of Content Security Policy. What's the basic idea behind Content Security Policy? Again, this is the messed-up formatting because there's a lot of data in there; on behalf, I'll get this back to you. But it defines the basic things of what sites you can load the web page from, what sites you can load JavaScript from, what sites you can load CSS from, what sites you can load... let's see what else we have, connect source. So it defines, when the browser connects to a website, you have various elements that are being loaded. Like if you hit Bitter Dollar, you're going to have the links for Google, the links for Facebook, the links for Twitter; you can have the site itself, my JavaScript, my CSS. But if you look at the way that we have our Content Security Policy, you can't load CSS information or frame information or JavaScript from a third-party site, because I haven't listed it here. So the controls are in modern browsers: IE and Chrome and Firefox all look at the Content Security Policy. So if you load the web page, and this is very cumbersome to debug, it's not the easiest thing in the world: you can pull up a web page and it just won't display, and you'll get a little error in the console of the browser developer console that says unauthorized by Content Security Policy. So I had to actually go through, and this does not do it justice, but it's a humongous amount of code. Just loading up the Google icons, they have icons in JavaScript and CSS they pull from three different locations, so you basically have to list everywhere a browser has to connect to for every function it might do to go to your website. And that's why most people don't really do it; it's a humongous amount of effort. Most people don't even understand all the different things they're loading in their web pages or web applications they've written, so it tends to cause a big heartache and break things left and right. So because it breaks things, people don't do it. I've done it just because I built it from the ground up, and every time I added... when I added Facebook, I added all the pieces for Facebook. There are a few pieces: Google does have a bit of JavaScript they put inline, so I have to change one thing that allows inline JavaScript. But other than that, you can't insert code into our application; it just doesn't allow it. The browser will say it's not allowed by policy. I'm sure this is something people have done before; again we're dealing with just the traditional operational security rules here of what we'd all expect to be seeing out there.

This is throttling. So I've basically set up a zone of 10 meg and looking for a certain rate limit on that, so if we get somebody who's really slamming the site, nginx will actually throttle the connections. It'll prevent the site from being taken down by either a denial of service or possibly even a distributed denial of service, if it can... if they hit it the same way, it can actually throttle the connections and make sure the server is still responsive. So those are the traditional things that go into the basic configurations. I want to throw this slide up here just to really go into some of the additional controls that people put out there, application firewalls, and specifically I wanted to talk to you about Naxsi. I'm not even trying to say these names, I don't know who comes up with them, but Naxsi, that sounds good. Naxsi is a very cool idea in application firewalls. What it does is, instead of being a signature-based rule like mod_security would be, where in mod_security you define your signatures looking for certain types of activities happening, what Naxsi does is it defines certain types of activities that are known to be invalid web-based activities. An example it has right here: you shouldn't have certain characters or functions happen within the stream of data going to a website. I've already done things inside Bitter Dollar to prevent certain types of characters for inserting HTML and those sorts of things. One thing that it actually does is it looks if someone's submitting embedded HTML inside a form coming in; unless you're actually supposed to do that, it'll actually block that. So it doesn't look for signatures, it's looking for invalid types of attacks, which is a very nice new idea. And the stats that they have on their website, they actually compare it going against the open vulnerable websites you can do your tests on, and it actually blocks and finds like 90 or 95 percent of the attacks from a rule set that's like 20 lines long, so it's very robust. But like any sort of application firewall... unlike things that are signature-based, where you have known signatures and you can kind of generally be okay, because this ties directly into the type of content going through the web server, you have to actually get down in detail and do tuning with that one. So it's going to take direct involvement from the developers and the people actually running the site to make sure it runs fine, and it will make it, like Content Security Policy, a lot more work to actually tie into it. But it's a great tool to have and something you should have.

And then to round out the actual server side of operational security, I looked at my favorite open source and pseudo-open-source tools. Splunk is not really open source, but they do have a free version for 500 meg a day. But these are the sorts of tools that I've also built into what I've done in my commercial endeavors, and also what I've done inside of Bitter Dollar. fail2ban is a wonderful set of scripts. It's very extensible, and I'll show you in a few minutes some of the tools I've done with it to actually make it a really useful tool for watching activities on the system. OSSEC: great for looking at logs, doing file integrity monitoring. Again, I tie all that back into one tool; it does my blocking and alerting just to make it easier. And who can't live without syslog and the tools that go with it? So I listed a few tools here that you can use to output this data, to visualize it. The picture here is with Splunk tied into the OSSEC monitor, and I keep these dashboards on my desk all day long. It's a great tool to see spikes and trends. We visually see things better than computers can process them; I think it was mentioned earlier, you can't really have a lot of programmable things you look for for trends in data, because our minds and our eyes can pick up trends in data much better than a program can. It's much harder for it to see the things we see visually. I want to also give you Logstash and Graylog; if you can't afford Splunk, they're great tools for getting a visualization that are also open source.

And then to finish up our traditional operational security, we have our networking side. So I'm sure everyone here has used or played with Snort. Anyone play with Suricata yet? Yeah, I see you. Snort is a good tool, so again signature-based. I didn't throw it in here because I'm not doing it at Bitter Dollar, but has anyone here played with Moloch yet? Ah, well, next time we'll do a talk on Moloch for you. Moloch is a wonderful open source tool. Anyone who uses an NFR or a tool to do full network capture of your environment: it's a full network capture device that will capture all of your network data. I've got one in one of my data centers in DC; I store six days' worth of network data and it's about two terabytes of data I keep in the system. What it allows me to do is I can actually go back and say, three days ago, give me the network traffic going from this IP address, and I go from every connection it has. It's a full network capture, so I have the entire data stream I can go through. It's basically Splunk for pcap data, and you can do distributed nodes and sensors; it ties it all into a nice Elasticsearch database. I don't have a slide on it, but go look at Moloch if you have any questions about it. My best friend's one of the authors of it and I use it extensively; it's a really great tool, ties it all together. And I know I ran over, so I'm going to go kind of quick over some of these last few things here, because I want to end on time for the next person. Yeah, so I have a bunch of slides.
So I did some additional coding because I wanted the application to do more than that. I wanted to share this code with the links I found, various things out there on the web, to help make things better. Again, this is just code in Ruby and partially Rails, but the idea is you can take this and extend your own application and do this sort of thing inside of Rails. You can't really see it again, it formatted my little thing a little funky here, but inside the model definition (I mentioned earlier the models of Rails, where you define the different parts of what's inside the database table that the model associates with) you can actually have validation. So you can see parts of it here: you can have a field where it says, is the ID a number? If they enter a character for it, it's going to kick it out and say it isn't a valid field. If it's a name, you can see on the name I said the length can only be 4 to 35 characters, and it gives an error message for that. It gives you a regular expression of what characters I allow. So it allows a simple, single place to define, for every field in a table, what type of data it is and what's allowed for it.

So what I did is I extended that part itself and I put inside a special function. What this does right here is it actually takes the validation within the Rails models, from this validation code, and if it gets a validation error, typically what the application will do is display on the screen a little box that says you entered an invalid code, or please try again, or whatever it would be. What this part does here is it actually takes and outputs to the Rails logger a message saying this event happened for a validation error, because typically Rails will not log validation errors to the log file, and from my point of view on the operational security side I can't act on that log unless I know something's happening, so it does me no good. So I had to extend it to get this out of there, and you'll see two messages here on the bottom: one actually has an IP address and one doesn't, because I have to keep in mind some people might not actually be logged in, or they might be coming from a local source like myself doing testing, so I mentioned support for connections that are not remote. So it actually creates a message like this, where it has inside the log file the IP address of where it happened, the full message of what came on the screen. You can see the store, and it's a new insert function; they didn't check the purchase button, the state doesn't match the zip code. So all the validations I have built out there I now have hitting the log file, of things that are happening. So if someone's doing something to the application... say, yes, you're looking for invalid logins, but are you actually looking for invalid data being entered into your application and acting upon it? And that's what I've done here: I've made the application log what's happening inside of it. So if someone enters wrong data or they don't do things they're supposed to do, it logs it, and making that work was just a matter of going to each one of my models; you can see in the top part there I put include ValidationLogger. Each model I put that in, instantly any validation it does now logs to the file. And also, if you're going to do some Rails code, by default Rails in production mode only logs high and critical events, so I had to change the method in the model so it actually would log that data out there. I want to share that with you if you decide to go look at that yourself.

One other function: there's another gem out there called public_activity. It's used a lot by people who are doing Facebook-type social media apps; you can say this person did this or this person did that. What I've used it for is every function within the site. You can see this is actually one of my controllers here, so there are various activities I create. So whenever we're doing anything, if you're updating a record, you're visiting a site, you're browsing an entry, you're making a purchase, you're actually using the shopping cart, I have all these entries that come out, and now I have a web page inside the website where, as admin inside the website, I can actually go and browse anonymous and logged-in users and see what they're doing. So if an administrator changes the password, I would see it in here; I'd see that password change. So any function, from the public side to the regular customer side to the user side, I'm logging all the activity. I can do some nice visualizations with it, get nice reports; if we ever do have investors they can look at nice pretty graphs and make it all work. So that's something that really is a useful thing: making sure, if you're going to log anything out there, make sure you're logging what people are doing with the application. It makes it really useful.

So now that I've got all these pieces built, I've got your traditional network security from your Snort, I've got the application security, I've got some development stuff happening, I've got some business logic; how do I tie this all together? So I'm going to try to wrap this up real quick here because I know we're almost running out of time. I mentioned earlier fail2ban, and I don't want to really go into the details of these; I include the details in here of what I put in here just so I can share it with the community, so you can kind of learn from what I built. Most of this stuff is kind of taken from examples out there and I kind of built it to be tied together, but I've created some fail2ban filters for the authentication stuff, for the model, which is the validation (then we saw the validation errors), and then I created another one for the throttling. So if I see throttling messages, which means I'm getting a large amount of activity, if I see validation entering wrong code, or if I see authentication errors, each one of those I have defined different sets of how I'm going to respond. So if someone's just entering a wrong username I don't want to block them out, but if they enter a wrong username 10 times in five minutes, that's a bit much, you know, I want to act on that, and I can tune these as I need to. For validation, again, it needs to be ten times of invalid data entry; you know, one or two times is okay, three times okay, we get to ten times, I get a bit nervous, I'm like why are you doing that? So I've created inside here the filters that search the right regex of the log entries for the authentication, the throttling and the validation one. Again, I apologize for it not looking pretty, but I just want to have some code samples in there so you can actually take this back to your office, wherever you work, and play with it yourself and get an idea of what kind of code it takes to make that happen. From that there's actually an action that happens, and what it does is it adds or removes the IP address in question to a ban file. So earlier I mentioned there's a gem that was available to do whitelisting; I didn't want to do that, I wanted to have my application respond based upon activities that happened. So this actually would create lists out there, and then inside my application controller I have... there's a thing called a pre-filter, so anything that happens before things happen. You can do pre-filter, post-filter, you know, pre-changes; it has all these wonderful controls for controlling when activities can happen. So in a pre-filter, before it does anything in the application, it's going to read the banned file and see if the current user's IP address is in that list. If it is, it's going to send them to the error page 599; it's just one error page I've made up there. So any time the IP address that the person has is in the list, they get this, and it says sorry, but your IP address has been blocked. So the application just responds based upon the activities that are going on around it, and then it'll block them based upon the time frame of what I defined for authentication or throttling or filtering. And again, those are just a few examples of the ones I've built into it, and you can kind of go crazy: as you have more access to the developers and the function you're doing, you can really build from that to things that you as a paranoid security person are looking for, to have it respond and act for you, so you can make it better for everyone out there. And even with my break in the beginning we ended good on time. So there's my contact stuff; if you just Google DMZ you can kind of find me sometimes too. But I don't know what time we have, I kind of ran through that real quick.
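As an added illustration, and not the speaker's own code, here is a small Ruby model of the fail2ban pipeline the talk describes: regex filters over the application's log lines, a per-IP count inside a time window (the "10 bad logins in five minutes" rule), a ban list, and the pre-filter check the application runs before any action. The log format, the filter regexes, the thresholds and the sample lines are constructed assumptions; real fail2ban uses its own filter and jail files rather than this code.

```ruby
require 'time'

# Added example, not the speaker's code. Models the fail2ban pipeline from
# the talk in plain Ruby: regex filters over log lines, a per-IP count
# inside a time window, and a ban list the application's pre-filter checks.
# Assumed (constructed) log format: "<ISO8601 time> <client IP> <message>".

# One filter per event class with its own threshold and window, mirroring
# the "10 bad logins in five minutes" rule. Regexes, thresholds and ban times
# are assumptions for this example, not the speaker's configuration.
FILTERS = {
  auth:       { regex: /Invalid email or password/i, maxretry: 10, findtime: 300, bantime: 900 },
  validation: { regex: /Validation failed:/i,        maxretry: 10, findtime: 300, bantime: 900 },
  throttle:   { regex: /limiting requests, excess/i, maxretry: 3,  findtime: 60,  bantime: 3600 },
}.freeze

LINE_RE = /\A(?<time>\S+) (?<ip>\d{1,3}(?:\.\d{1,3}){3}) (?<msg>.*)\z/

# Parse one line. Returns nil for lines without a remote IP, which covers the
# local/test entries the talk says are logged without an address.
def parse_line(line)
  m = LINE_RE.match(line)
  return nil unless m
  { time: Time.iso8601(m[:time]), ip: m[:ip], msg: m[:msg] }
end

# Name of the first filter whose regex matches the message, or nil.
def classify(entry)
  FILTERS.each { |name, f| return name if f[:regex].match?(entry[:msg]) }
  nil
end

# Walk the log in order and decide bans. Returns {ip => {filter:, until:}}.
# Only hits inside findtime count, so occasional mistakes never add up.
def compute_bans(lines)
  hits = Hash.new { |h, k| h[k] = [] } # [ip, filter] => timestamps in window
  bans = {}
  lines.each do |line|
    entry = parse_line(line) or next
    kind = classify(entry) or next
    f = FILTERS[kind]
    key = [entry[:ip], kind]
    hits[key] << entry[:time]
    hits[key].reject! { |t| entry[:time] - t > f[:findtime] }
    next if hits[key].size < f[:maxretry]
    # First filter to trip wins; an IP that is already banned keeps that ban.
    bans[entry[:ip]] ||= { filter: kind, until: entry[:time] + f[:bantime] }
  end
  bans
end

# The application side: the pre-filter check before any action runs.
# Returns true while the ban is still in force at time `now`.
def banned?(bans, ip, now)
  b = bans[ip]
  !b.nil? && now < b[:until]
end

# Constructed sample log: ten failed logins from one IP inside five minutes,
# two validation errors from another, and one local entry with no IP.
BASE = Time.utc(2015, 10, 2, 14, 0, 0)
SAMPLE_LOG = [
  *(0...10).map { |i| "#{(BASE + i * 30).iso8601} 203.0.113.7 Invalid email or password." },
  "#{(BASE + 60).iso8601} 198.51.100.9 Validation failed: State doesn't match the zip code",
  "#{(BASE + 65).iso8601} 198.51.100.9 Validation failed: Name is too short (minimum is 4 characters)",
  "#{(BASE + 90).iso8601} local Validation failed: Name is too short",
].freeze

if __FILE__ == $PROGRAM_NAME
  bans = compute_bans(SAMPLE_LOG)
  bans.each { |ip, b| puts "#{ip} banned by #{b[:filter]} filter until #{b[:until].iso8601}" }
  puts "203.0.113.7 blocked ten minutes in? #{banned?(bans, '203.0.113.7', BASE + 600)}"
end
```

In the sample the tenth bad login lands at 14:04:30, so only 203.0.113.7 is banned, for the auth filter's 900 seconds; the two validation errors stay well under their threshold.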