# Web Application Security

Feedback Form: https://forms.gle/j5AGrL54NTxRYmFF7



## State of the MiniTwits

* Scaling: How is it going? 
  - which part of your system can you scale horizontally?
  - which part do you have to scale vertically?
  - how do you scale? 


* Logging: How is it going? 
  - do you see access logs? is anybody trying to hack your system?
  - can you see anything unusual in the logs for last night?
  
  


# What does it mean to be a professional?

My uncle asking: 

> "Why are there so many people working at Google? That webpage is so simple!"


My friend some years ago: 

> "We know Rails. We can reimplement Facebook now".


Another friend working at Google: 

> "I was upgraded from engineer to SRE. It is one of the most important roles in our company."



## SRE - Before DevOps was popular

> The SRE role of today combines the skills of the developer responsible for writing applications and the skills that operations engineers use to deploy those applications. The SRE moves an application from proof of concept, to quality control, and then to deployment – **automating that entire process** and giving it consistency.

> A primary function of an SRE is to work on automation to improve the system. By **continuing to run security experiments**, we can evaluate and improve such vulnerabilities proactively in the ecosystem before they become crisis situations.


Read More:

- What is an SRE?
  - https://opensource.com/article/18/10/what-site-reliability-engineer
  - https://www.csoonline.com/article/3244925/on-cybersecurity-and-it-teams-of-the-future-we-will-all-be-sres.html
- SRE as an approach to DevOps:
  - https://en.wikipedia.org/wiki/Site_Reliability_Engineering
  - Post-mortems




## Being A Professional = Building Dependable Systems


<img src="images/dependable.png" alt="Drawing" style="width: 200px;"/>

Sommerville defines **dependability** as: 
- **availability**  -- probability that a system is operational at a given time
- **reliability** -- delivering correct outputs up to some given time *t*
- **safety** -- ability to operate without catastrophic failure
- -> **security** <- today's focus 







# "Information... wants to be free...

    ...Information also wants to be expensive. 
    That tension will not go away" 
    
            (Stewart Brand, The Media Lab: Inventing the Future at MIT)


<img src="https://images-na.ssl-images-amazon.com/images/I/51FbpAQFVPL.jpg" alt="Drawing" style="width: 200px;"/>


- history of early days in computing, excitement about basics (reminder not to take things for granted)
- one other interesting question: "can you map the flow of information"?

More Stewart Brand: http://longnow.org/

# Security: Preventing Information from Getting in the Wrong Hands


> ( Computer | cyber | IT ) security is ...

>  ... the protection of computer systems and networks from the theft of or damage to their hardware, software, or  data, as well as from the disruption or misdirection of the services they provide. [1]


[1] https://commons.erau.edu/cgi/viewcontent.cgi?article=1476&context=jdfsl 


# State of the Security

- The most common way to discover security failures is when a security incident happens 

- Average time until people found out they were hacked: half a year! [1]

- By this time, it is often too late, and damage has been done. 


#### ==> We need a proactive and systematic approach

*Story*: Russian vs. Brazilian hackers.


[1] 2017 Cost of Data Breach Study by IBM -  https://www.ibm.com/downloads/cas/ZYKLN2E3



# Attacker Types

* Black Hat - bad guys in the western movies

* White Hat - ethical hackers, working with orgs to strengthen security

* Grey Hat - not malicious, usually notify you that they hacked you

* Script Kiddies - they have time on their hands



What differentiates them: **intent** & **capability**...


## Threat = Triplet

### 1 Intent (we can guess)

### 2 Capability (we can't change)

### 3 Opportunity <-- (this is our focus!)


## Case Study: Migrating from GCE to DO 

# Learning from the "Intelligence Field"

1. Collect (**What are your assets**? What is worth protecting?)
1. Analyse the adversary and opportunities
1. Process (**What are the *risks*? Which should be addressed?**)
1. Disseminate (Implement mitigations)

# How do we assess risk? 

### e.g. Risk Matrices

- Severity: Insignificant, Negligible, Marginal, Critical, Catastrophic
- Likelihood: Certain, Likely, Possible, Unlikely, Rare

## Risk = f(Likelihood, Severity)

<img src="images/matrix.png" alt="Drawing" style="width: 700px;"/>

- https://sectara.com/news/risk-assessment-matrix/
- https://31000risk.wordpress.com/article/what-s-right-with-risk-matrices-3dksezemjiq54-4/#_Ref125355130




# e.g. A More Detailed Matrix

<img src="images/risk-rating-matrix.png" />


## Pen testing (Penetration Testing)

> "blue teams always need **red teams** to test them against each other"

- testing of security
- simulate attacks on your system
- **requires you to know potential vulnerabilities**



## Potential Vulnerabilities List: OWASP

Open Web Application Security Project

**OWASP Top 10** Include:
- Injection
- Broken Authentication
- Broken Access Control
- Cross-Site Scripting (i.e. JS injection)
- Insufficient Logging & Monitoring (<- how are you doing?)


Full list is online: https://owasp.org/www-project-top-ten/

Related Concept:
- Post-mortems


See also: 
- Same Origin Policy (long but good video) https://www.youtube.com/watch?v=zul8TtVS-64
- XSS explained nicely: https://portswigger.net/web-security/cross-site-scripting

## OWASP Top #10: Insufficient Logging and Monitoring

> This issue is included in the Top 10 based on an industry survey. One strategy for determining if you have sufficient monitoring is to **examine the logs following penetration testing**. The testers’ actions should be recorded sufficiently to understand what damages they may have inflicted.

Part of your assignment! 


## Insufficient Logging and Monitoring: When...

- Auditable events are not logged
  - e.g. logins, failed logins, and high-value transactions
- Warnings and errors generate no log messages
  - (or inadequate, or unclear)
- You're not looking at the logs!
- The application is unable to detect, escalate, or alert for active attacks in real time or near real time.

Source: [OWASP Top 10: Insufficient Logging and Monitoring](https://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A10-Insufficient_Logging%252526Monitoring)

Logging Cheatsheet from OWASP: https://cheatsheetseries.owasp.org/cheatsheets/Logging_Cheat_Sheet.html
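
A small check for the "are you looking at the logs?" point above, as an added example (not part of the original slides): it parses access-log lines and flags clients with repeated failed logins or many distinct 404 paths. The log lines are constructed, and the `/login` path, the 401/403 status for a failed login and both thresholds are assumptions to adapt to your own MiniTwit.

```python
import re
from collections import defaultdict

# Constructed sample in nginx/Apache "combined" format (documentation IPs, not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2021:02:14:01 +0000] "POST /login HTTP/1.1" 401 512 "-" "python-requests/2.25"
203.0.113.7 - - [12/Mar/2021:02:14:02 +0000] "POST /login HTTP/1.1" 401 512 "-" "python-requests/2.25"
203.0.113.7 - - [12/Mar/2021:02:14:03 +0000] "POST /login HTTP/1.1" 401 512 "-" "python-requests/2.25"
198.51.100.23 - - [12/Mar/2021:03:40:10 +0000] "GET /wp-login.php HTTP/1.1" 404 153 "-" "Mozilla/5.0"
198.51.100.23 - - [12/Mar/2021:03:40:11 +0000] "GET /.env HTTP/1.1" 404 153 "-" "Mozilla/5.0"
198.51.100.23 - - [12/Mar/2021:03:40:12 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 153 "-" "Mozilla/5.0"
192.0.2.10 - - [12/Mar/2021:08:00:05 +0000] "POST /login HTTP/1.1" 401 512 "-" "Mozilla/5.0"
192.0.2.10 - - [12/Mar/2021:08:00:09 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
this line is malformed and must not crash the parser
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
                     r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')

def find_suspects(log_text, login_path="/login", max_failed=3, max_probes=3):
    """Return {ip: [reasons]} for clients that reach either threshold."""
    failed = defaultdict(int)    # failed login attempts per client IP
    probes = defaultdict(set)    # distinct paths answered with 404 per client IP
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue             # skip lines that are not in the expected format
        ip, status = m["ip"], int(m["status"])
        # Assumption: the app answers a failed login with 401 or 403.
        if m["method"] == "POST" and m["path"] == login_path and status in (401, 403):
            failed[ip] += 1
        elif status == 404:
            probes[ip].add(m["path"])
    suspects = defaultdict(list)
    for ip, count in failed.items():
        if count >= max_failed:
            suspects[ip].append(f"{count} failed logins")
    for ip, paths in probes.items():
        if len(paths) >= max_probes:
            suspects[ip].append(f"{len(paths)} distinct 404 paths")
    return dict(suspects)

if __name__ == "__main__":
    for ip, reasons in find_suspects(SAMPLE_LOG).items():
        print(ip, "->", "; ".join(reasons))
```

A single mistyped password (the `192.0.2.10` client) stays below the threshold, which is the "baseline for normal" idea in miniature.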

## Pen Testing Toolbox

Kali Linux
- security focused distro
- contains a very large set of tools (https://tools.kali.org/tools-listing)
- can be installed in meta-packages (https://www.kali.org/news/kali-linux-metapackages/)

## Trying Out Kali Linux in Docker

Give it a try: 

```
~$ docker pull kalilinux/kali
~$ docker run -t -i kalilinux/kali /bin/bash
root@a218cf999462:/# apt-get update 

```

Then you can install meta-packages: 

    root@a218cf999462:/# apt-get install kali-linux-web

(ten minutes on a 2017 Mac)

Or install an individual tool on Kali:

    root@a218cf999462:/# apt-get install metasploit-framework
    
(several minutes later...)



## Tool: Metasploit

- Ruby-based framework for vulnerability scanning
- very popular
- lots of plugins

Starting Metasploit:

    service postgresql start
    msfdb reinit # if this is the first time you are running metasploit
    msfconsole

More: https://github.com/rapid7/metasploit-framework

A lot: https://books.google.dk/books?id=EOlODwAAQBAJ

## Example: interaction with the wmap plugin [1]
    
    
    
    load wmap
    wmap_sites -a https://elysiumpro.in/
    wmap_sites -l
    wmap_targets -t 35.227.145.165:443
    wmap_run -t
    wmap_run -e
    vulns

Notes:
- The thing freezes for me (as of 2020) and the way to fix it was to remove some of the offending modules, e.g. 

  ```
  cd /usr/share/metasploit-framework/modules/auxiliary/scanner/http/
  rm brute_dirs.rb dir_webdav_unicode_bypass.rb
  ```
- In 2021 it works, but detects no more vulnerabilities; what you can do is go to https://www.random-website.com/ and try to find a few other candidates; 


[1] https://www.offensive-security.com/metasploit-unleashed/wmap-web-scanner/

More: https://github.com/rapid7/metasploit-framework

## More Pen-Testing Tools

Desktop Apps: 
- OWASP ZAP (https://www.zaproxy.org/getting-started/)
  - Documentation: https://www.zaproxy.org/docs/api/#introduction

Online Services: 
- Detectify (https://detectify.com/)
  - quite nice
  - requires an account
  - requires you to prove that you own the website
- Mozilla Observatory (https://observatory.mozilla.org/)



## Detection

- is hard

- warning signs that you might have an intruder
  - abnormal network traffic (important to monitor!)
  - unusual resource usage (ditto)
  - you can't access your server
  - your server IP has been blacklisted
 


## Detection - Approach

- Develop baseline for normal
- Stop intruders from taking information out 
  - firewall
  - traffic filtering
  - white/black listing
- Auditing, system hardening, compliance testing, e.g. Lynis

 


## Lynis - Output

```
[+] Boot and services
------------------------------------
  - Service Manager                                           [ systemd ]
  - Checking UEFI boot                                        [ DISABLED ]
  - Checking presence GRUB                                    [ OK ]
  - Checking presence GRUB2                                   [ FOUND ]
    - Checking for password protection                        [ NONE ]
  - Check running services (systemctl)                        [ DONE ]
        Result: found 27 running services
  - Check enabled services at boot (systemctl)                [ DONE ]
        Result: found 54 enabled services
  - Check startup files (permissions)                         [ OK ]

[+] Containers
------------------------------------
    - Docker
      - Docker daemon                                         [ RUNNING ]
        - Docker info output (warnings)                       [ 1 ]
      - Containers
        - Total containers                                    [ UNKNOWN ]
          - Running containers                                [ 4 ]
    - File permissions                                        [ OK ]

[+] Security frameworks
------------------------------------
  - Checking presence AppArmor                                [ FOUND ]
    - Checking AppArmor status                                [ ENABLED ]
  - Checking presence SELinux                                 [ NOT FOUND ]
  - Checking presence TOMOYO Linux                            [ NOT FOUND ]
  - Checking presence grsecurity                              [ NOT FOUND ]
  - Checking for implemented MAC framework                    [ OK ]

```
 


# Practical Steps to Improve Security when you DevOps


## 1. Evaluate Dependencies

- Keep dependencies up to date
- Code reuse is very valuable - but can make you vulnerable
- Scan dependencies for security breaches
  - source code and container images too
  - "If it's part of your app, it should be part of your security process"
  - add security checks as part of your CI

- [Postmortem for Malicious eslint Packages Published on July 12th, 2018](https://eslint.org/blog/2018/07/postmortem-for-malicious-package-publishes)









## 2. Never Trust User Input

- "All input is bad until proven otherwise"
- In the webpage or in the API
- Validate the input before using it
- Use parameterized DB queries

![](https://imgs.xkcd.com/comics/exploits_of_a_mom.png)
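
The difference between building a query from user input and using a parameterized query, as an added example (not from the original slides). The `user` table, the function names and the sample input are hypothetical, and the database is an in-memory SQLite instance.

```python
import sqlite3

def make_db():
    """In-memory table with two constructed users."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE user (user_id INTEGER PRIMARY KEY, username TEXT, pw_hash TEXT)")
    db.executemany("INSERT INTO user (username, pw_hash) VALUES (?, ?)",
                   [("alice", "hash-a"), ("bob", "hash-b")])
    return db

def lookup_vulnerable(db, username):
    # BAD: the input becomes part of the SQL text, so a quote character
    # in it changes the structure of the query.
    sql = "SELECT username FROM user WHERE username = '%s'" % username
    return [row[0] for row in db.execute(sql)]

def lookup_safe(db, username):
    # GOOD: the ? placeholder passes the value separately from the SQL text,
    # so it is only ever compared as data.
    sql = "SELECT username FROM user WHERE username = ?"
    return [row[0] for row in db.execute(sql, (username,))]

def validate_username(username, max_len=30):
    """Allow-list validation, applied before the value is used anywhere."""
    return (0 < len(username) <= max_len
            and all(c.isalnum() or c in "_-" for c in username))

if __name__ == "__main__":
    db = make_db()
    hostile = "nobody' OR '1'='1"              # constructed hostile input
    print(lookup_vulnerable(db, hostile))      # every user comes back
    print(lookup_safe(db, hostile))            # no user has that literal name
    print(validate_username(hostile))          # rejected by the allow-list
```

Validation and parameterization are complementary: the allow-list rejects junk early, while the placeholder keeps the query safe even for input the validator lets through.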


## 3. Protect your Servers

- Keep software on servers up to date
- e.g. [`apt-get install unattended-upgrades`](https://wiki.debian.org/UnattendedUpgrades)


## 4. Protect Secrets

- Don’t hardcode credentials and other secrets (like keys and certs) into files you commit to a repository
- Use 2FA for secret repositories
- Consider using dedicated tools and vaults for secrets
- [The Uber Breach](https://www.bloomberg.com/news/articles/2017-11-21/uber-concealed-cyberattack-that-exposed-57-million-people-s-data) - started with access to a private GitHub repo, where keys were found for an AWS account, etc.
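
One way to add a hardcoded-secret check to CI, as an added example (not from the original slides, and not a replacement for a dedicated scanner). The rule set is a small illustrative assumption, the file contents are constructed, and the key ID is the placeholder used in AWS documentation.

```python
import re
import sys

# Illustrative rules only; dedicated scanners ship much larger rule sets.
RULES = {
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private-key-block": re.compile(r"-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----"),
    # name = "literal of 8+ chars"; values read from the environment do not match
    "hardcoded-secret": re.compile(
        r"(?i)(?:password|passwd|secret|api_?key|token)\w*\s*[:=]\s*['\"][^'\"]{8,}['\"]"),
}

# Constructed repository contents (path -> text).
SAMPLE_FILES = {
    "config.py": 'import os\n'
                 'SECRET_KEY = "development key"\n'
                 'DB_PASSWORD = os.environ["DB_PASSWORD"]\n',
    "deploy.sh": "export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n",
    "README.md": "Set your token in the environment before starting.\n",
}

def scan_text(path, text):
    """Return (path, line number, rule name) for each line that matches a rule."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in RULES.items():
            if pattern.search(line):
                findings.append((path, lineno, rule))
    return findings

def scan_files(files):
    """files maps path -> content; the result is empty when nothing was found."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings

if __name__ == "__main__":
    found = scan_files(SAMPLE_FILES)
    for path, lineno, rule in found:
        print(f"{path}:{lineno}: {rule}")   # never print the matched value itself
    sys.exit(1 if found else 0)             # non-zero exit fails the CI job
```

A secret that has already been committed stays in the Git history, so a finding means rotating the credential, not just deleting the line.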




## 5. Go Hack Yourself

- create a red team to pen test
- stress the app infrastructure


## 6. Protect your CI/CD tools 

- CI pipeline is part of your infrastructure
- [Multiple US government agencies hacked due to misconfiguration of their TeamCity CI tool](https://cd.foundation/blog/2021/01/07/could-ci-cd-tool-teamcity-really-have-been-exploited-to-hack-the-us/)


## 7. Automatic Backups

- data is probably your most precious asset; don't lose it
- a backup is not useful unless you can actually restore from it

## 8. Log Everything 

- your key to being able to detect attacks 
- everything except customer secrets!


# References:

- [Five Easy Steps to Keep on Your Organization’s DevOps Security Checklist](https://www.tripwire.com/state-of-security/devops/devops-security-checklist/)
- [What Is A Risk Assessment Matrix?](https://sectara.com/news/risk-assessment-matrix/)
- [Guide To Conducting Cybersecurity Risk Assessment For Critical Information Infrastructure](https://www.csa.gov.sg/-/media/csa/documents/legislation_supplementary_references/guide_to_conducting_cybersecurity_risk_assessment_for_cii.pdf), Dec 2019
- The DevOps Security Checklist by Sqreen


Further Reading
- [Information Security Risk Analysis – A Matrix-based Approach ](https://www.albany.edu/~goel/publications/goelchen2005.pdf) -- an advanced approach to security risk analysis 
