AXDC – Keith Brown, Web Services Security Tips
Keith Brown will talk about security in a web services context.
“Admins were right not to trust us; we wrote a bunch of really shitty code.” Audience member notes that we need to take pride in what we do. Amen!
Its a matter of getting in to the right mindset so that you can recognize (and repair) potential vulnerabilities.
- Less is more – less parts, less code, less privilege, less security code to have to write (as in more should be in the platform).
- Newer is often not better – In cryptography, new things are not trusted for a long time. Bruce Schneier’s Crypto-Gram newsletter was cited; I just suscribed.
- Trust no input – not from the user, not from a web service request, not from a web application request, not in a cookie. SQL injection, printf strings. Look at code and think “how could comebody break in?” Anytime you take input from the outside world, you absolutely need to think about this. Filter the data, accept only things that are in accord with rules and expectations. Attackers give you “finely crafted garbage.”
- You cannot authenticate remote software – It must have a secret, which can always be stolen or reverse engineered. It cannot be solved, so don’t try to!
- What your program knows, an attacker can discover. References Schneier’s book, Secrets and Lies : Digital Security in a Networked World. Detection countermeasures are very worthwhile.
- Understand trust – Federation, linking up companies.
- Wetware is unreliable. Kevin Mitnick’s book – The Art of Deception: Controlling the Human Element of Security. WS-Security and tokens; cleartext passwords and IPasswordProvider. One-way hash is one solution.
- You probably need a longer key – Creating an RSA key pair with a 4K key length takes a long time. 2K is the mininum. “Selecting Cryptographic Key Sizes” (Link to PDF), Lenstra & Verheul. To get 128 bits of security you need more than 128 bits of key, due to the birthday paradox. Record enough packets encrypted with the same key, and you can start to ascertain patterns. Keys get weaker, the longer you use them.
- Availability is the third pillar –
- Find the weakest link – Use threat modeling. New book from Microsoft press: Threat Modeling (Microsoft Professional)
Books referenced in this talk: