Application Security

Summarized using AI

The State of Web Security

Mike Milner • May 04, 2016 • Kansas City, MO

In the presentation titled "The State of Web Security," Mike Milner delves into the evolving landscape of web security as of 2015, exploring both significant vulnerabilities and emerging protective technologies. The talk, held during RailsConf 2016, emphasizes the immense challenges developers face in keeping their applications secure amidst a variety of attack vectors.

Key Points of Discussion:
- Introduction to the Speaker and Context: Mike Milner begins by establishing his role as the CTO at Immuno, highlighting the importance of RailsConf to his company's origins and mission.
- Vulnerabilities in Web Applications: The focus shifts to three significant types of vulnerable code which can exist within applications: 1) application code, 2) view logic, and 3) Ruby code in controllers. Developers are reminded of their responsibility for both their own code and third-party libraries, underscoring the interconnectedness of code.
- Common Threats: Milner elaborates on SQL injection, detailing its persistence as a vulnerability despite its long-standing recognition, citing recent data breaches like the VTech incident, which compromised millions of personal records. Notably, he shares a case about Weatherspoon’s pub in the UK, where attackers exploited SQL injection to access customer data and even beer vouchers.
- Emerging Vulnerabilities in Rails: He touches on a newly discovered information leak vulnerability in Rails that can arise from unsafe render functions, urging developers to implement secure coding practices to prevent exposure.
- Ransomware and Credential Stuffing: The speaker transitions to discussing ransomware as a growing concern targeting web applications and identifies credential stuffing, linking it to poor password practices among users.
- Preventive Measures: Suggested strategies for mitigating risks include rate limiting, educating users on strong password creation, and implementing defensive tools such as web application firewalls (WAFs) and Runtime Application Self-Protection (RASP).
- Continuous Education and Monitoring: The importance of staying current with security trends and conducting regular threat assessments is emphasized. Milner recommends utilizing resources like OWASP for ongoing developer education.

Conclusions and Takeaways:
Milner concludes by reminding attendees that web application security is a continuous journey requiring diligence, education, and effective strategies to safeguard user data and maintain system integrity. He stresses that as long as applications are built and users engage with them, vigilance against vulnerabilities must be a priority.

The State of Web Security
Mike Milner • May 04, 2016 • Kansas City, MO

Join me for a wild ride through the dizzying highs and terrifying lows of web security in 2015. Take a look at some major breaches of the year, from Top Secret clearances, to medical records, all the way to free beer. We’ll look at how attack trends have changed over the past year and new ways websites are being compromised. We’ve pulled together data from all the sites we protect to show you insights on types and patterns of attacks, and sophistication and origin of the attackers. After the bad, we’ll look at the good - new technologies like U2F and RASP that are helping secure the web.

RailsConf 2016

00:00:09.679 Hello everyone, my name is Mike Milner, and I'm the CTO over at Immuno. I wanted to welcome you all to Kansas City. I hope everyone is having a good time here on the third day of the conference. I'll try to keep the references to 'We're not in Kansas anymore' and 'The Wizard of Oz' to a minimum, since you've probably heard them all.
00:00:27.269 RailsConf has always been a great place for us. If you remember us from last year, we had a booth in the expo hall. In fact, we launched our company here at RailsConf, and our first supported platform was Rails. We really appreciate the support!
00:00:40.020 Speaking of launches, I want to start by asking. Did anyone stay up late last night to watch the keynote? Those guys did an amazing job, let's give them a round of applause! This is not just about REST APIs; I love to watch teamwork and collaboration.
00:01:06.479 Now, how many of you did different tasks today? How many of you did all of them? I want to take a moment to emphasize that there's a lot of content to cover today. Last time I did this presentation, I sped through several topics and finished in six to seven hours, which is probably not what you want.
00:01:36.930 So, a quick background on me: the reason I'm doing this workshop is that we work with APIs, and some of you may be familiar with what that entails. How many of you are aware of that? It's crucial for my talk today. I want everyone to understand the significance of it because it can greatly impact your work.
00:02:04.259 Let’s be honest; security is tough. It's hard to stay on top of everything and ensure that your code is protected. Everyone wants to stay secure, but achieving that is challenging. It takes a lot of time and effort, especially when you’re focused on making sure your site works and delivers cool features for users.
00:02:23.640 Despite these challenges, I hope some of you are interested in the fascinating aspects of security. Today, I will focus on three types of vulnerable code that might exist in your applications. This includes the code you write for your application itself, the view logic that you handle, and the Ruby code that constitutes the overall controller.
00:03:00.120 You’re also responsible for code written by others. Rails runs on Ruby, and you likely utilize a host of third-party gems to add functionality to your app. The security of this external code is also something you must be aware of. Additionally, there might be gaps in your code, such as functionalities you haven’t written yet to protect against attackers.
00:03:11.340 Let's start with one attack type that you may be familiar with: SQL injection. This common vulnerability occurs when user input modifies your SQL queries. For instance, if you construct a query by piecing together user-entered strings and a hacker attempts to input manipulated characters, it can result in unintended queries being executed against your database.
00:04:06.240 As many of you may know, SQL injection has been a well-understood vulnerability since its public discussion in 1998. So by now, one would think that every app on the internet has resolved this issue. Unfortunately, that's not the case. Just last year, 157,000 customer details were stolen from a UK ISP, demonstrating that SQL injection is still a prevalent threat.
00:04:50.220 VTech, a company producing kid-friendly technology, also faced a breach, losing information on 200,000 children as well as almost 5 million parents—including their names, emails, and passwords. This is a stark reminder that data breaches still occur regularly.
00:05:11.770 The reality is that SQL injection is not only a legacy issue; it's still impacting organizations. For instance, Weatherspoon’s pub in the UK experienced a data breach affecting around 650,000 customers, including their phone numbers and emails. The hackers even gained access to beer vouchers, which significantly depleted the pub's revenue.
00:05:38.350 If you're a Rails developer, you might think that you are insulated from these vulnerabilities due to Active Record. However, it’s crucial to dig deeper and scrutinize how Active Record handles queries. You may find instances where it's possible to inadvertently introduce SQL injection vulnerabilities.
00:05:55.420 In 2016, a new information leak vulnerability was uncovered in Rails. If you're using certain render functions without clear parameter expectations, it can lead to revealing sensitive information. The nature of these vulnerabilities could allow attackers to exploit user input to access sensitive files.
00:06:06.340 It's vital to understand the implications of this vulnerability and take steps to mitigate your exposure. Many developers still utilize functions like render params without understanding the risks associated with arbitrary file disclosure. If this vulnerability is present, an attacker could read any file that the web server has access to.
00:06:56.950 By safeguarding the data your applications handle and implementing secure coding practices, you can significantly reduce the risk posed by these vulnerabilities. One misstep could lead to catastrophic data exposure. The ghost of Christmas past may remind you of the necessity of diligence in web application security.
00:07:31.830 Moreover, string concatenation with user input can lead to vulnerabilities like command injection, exposing your application to severe threats. This risk amplifies when user-submitted data is mishandled, allowing attackers to manipulate your commands at runtime.
00:08:22.480 Understanding these vulnerabilities fosters greater awareness about common attack methodologies, equipping you to better handle potential security challenges. By analyzing these vulnerabilities, we begin to devise effective defensive strategies. It’s incumbent upon us, as developers, to ensure that our applications remain secure.
00:09:04.060 I want to talk about ransomware as well; it has permeated application security. Security threats have evolved to the point where ransomware is actively targeting websites, locking users out and demanding a ransom for access. This trend started ramping up in late 2015, with actors zeroing in on various applications, exploiting vulnerabilities to execute malicious scripts.
00:09:56.170 Healthcare providers and agencies have faced ransomware attacks with potentially devastating consequences for their operations. Ransomware not only jeopardizes sensitive data but could also jeopardize the livelihood of employees, as customer networks may ultimately be affected.
00:10:41.450 Credential stuffing is another widespread practice in which attackers take username and password combinations from a breach on one site, and use them to try and gain access to other accounts elsewhere. Statistically, many users reuse passwords across different platforms, making this threat a reality. The responsibility for this spans both developers and users, emphasizing the need for strong password policies and multi-factor authentication.
00:12:29.640 When working on protecting against these attacks, consider implementing rate limiting to restrict failed login attempts, while allowing genuine users the opportunity to recover their access as necessary. It’s vital to train your users on creating strong passwords and using unique combinations across various sites.
00:13:49.820 Another dimension of this involves warranty fraud. For instance, Fitbit's issues related to warranty fraud in 2015 emphasize the financial threat which accompanies unregulated user accounts. Hackers exploited stolen credentials to change user details and fraudulently request padlocks for Fitbits that had never been broken.
00:15:06.220 To effectively combat vulnerabilities, it’s essential to implement active defenses and remain engaged in continuous monitoring and threat assessment. Tools like web application firewalls (WAFs) can provide a layer of protection, but they also require proper configuration and regular updates to remain effective against current vulnerabilities.
00:15:49.470 Modern approaches, such as Runtime Application Self-Protection (RASP), help applications defend themselves in real-time against exploits. It shifts the security logic to the internal application level, providing visibility on potential threats and attacks. Though this may represent a significant evolution in app security, awareness and vigilance remain paramount.
00:17:12.300 The importance of education cannot be overstated; developers must stay informed about the latest trends in security vulnerabilities, ensuring their applications are equipped to handle threats as they emerge. Resources like OWASP provide valuable insights into vulnerabilities, enabling developers to remedy code effectively.
00:17:51.220 In summary, protecting web applications involves an intricate understanding of potential vulnerabilities within both custom code and third-party dependencies. Through rigorous testing, continuous education, and effective defensive strategies, we can mitigate risks and safeguard both user data and system integrity.
00:18:36.390 The journey never ends. As long as we continue to build applications and users interact with them, we must remain cognizant of these vulnerabilities and evolve our security practices accordingly. Thank you all for your time. Let’s ensure we’re engaged, informed, and diligent in making the web a safe space for all.
Explore all talks recorded at RailsConf 2016
+102