Securing your Dancer app

keeping out the bad guys

Peter Mottram (SysPete) <peter@sysnix.com>

Perl::Dancer Conference 2014, Hancock NY, 8th October 2014

About me

  • Currently living in Malta
  • 24 years UNIX & Linux
  • Network security, Perl, e-commerce
  • Interchange6 development team member

"slightly less than twice the size of Washington, DC"

© CIA World Fact Book

The Attackers are Winning


On the internet right now, the attacker has the advantage and will for the foreseeable future.

Bruce Schneier, AppSec USA, 18th September 2014

Three Important Trends in Information Security

  • We are losing control of our infrastructure
  • Attacks are getting more sophisticated
  • Increasing government involvement in cyberspace


Bruce Schneier, AppSec USA, 18th September 2014

Source: LWN.net

Security

Finding the right balance

  • Security requirements
  • Cost versus budget
  • Impact on users
  • Motivations of attacker

Attackers

  • Disgruntled staff or developers
  • "Drive by" attacks: viruses, worms, trojans
  • Motivated criminal attackers: organised crime
  • Criminal attackers without motive against you
  • Script kiddies

OWASP CLASP Security Principles

  • Ethics in Secure Software Development
  • Insider Threats as the Weak Link
  • Assume the Network is Compromised
  • Minimize Attack Surface
  • Secure by Default
  • Defense in Depth
  • Principles for Reducing Exposure
  • The Insecure Bootstrapping Principle
  • Input Validation

Network security

(where did it all go wrong?)

Don't trust the network!

  • Eavesdropping
  • Tampering
  • Spoofing
  • Hijacking
  • Observing
  • Brute force

Reducing Exposure

  • Compartmentalisation
  • Least privilege
  • Minimise windows of vulnerability
  • Minimise windows of privilege
  • Privilege separation

Ten Most Critical Web Application Security Risks

  1. Injection
  2. Broken Authentication and Session Management
  3. Cross-Site Scripting (XSS)
  4. Insecure Direct Object References
  5. Security Misconfiguration
  6. Sensitive Data Exposure
  7. Missing Function Level Access Control
  8. Cross-Site Request Forgery (CSRF)
  9. Using Known Vulnerable Components
  10. Unvalidated Redirects and Forwards

Source: OWASP

HTTP Headers

Strict-Transport-Security: max-age=16070400; includeSubDomains
    Enforces secure (HTTP over SSL/TLS) connections to the server.
X-Frame-Options: deny
    Provides clickjacking protection. May need tuning if frames/iframes are in use.
X-XSS-Protection: 1; mode=block
    Enables the XSS filter in most modern browsers.

HTTP Headers

X-Content-Type-Options: nosniff
    Reduces exposure to drive-by download attacks on IE & Chrome.
Content-Security-Policy: default-src 'self'
    Helps protect against XSS and content injection. Needs very careful tuning.
Content-Security-Policy-Report-Only: default-src 'self'; report-uri http://loghost.example.com/reports.jsp
    Like Content-Security-Policy, but only reports violations instead of blocking.

Adding HTTP headers

nginx


add_header Strict-Transport-Security "max-age=16070400; includeSubDomains";

Apache


Header add Strict-Transport-Security "max-age=16070400;includeSubDomains"

Plack::Middleware::Headers


plack_middlewares:
  -
    - Headers
    - set
    - 
      - Strict-Transport-Security
      - "max-age=16070400;includeSubDomains"
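As an added example, not from the slides: the same headers set from inside a Dancer 1 app with an after hook (so every route response carries them even when no middleware is configured), followed by a Plack::Test check that they actually reach the client. Assumes the Dancer 1 API (hook after, set apphandler, dance) plus Plack::Test, HTTP::Request::Common and Test::More from CPAN.

```perl
#!/usr/bin/env perl
use strict;
use warnings;
use Dancer ':syntax';     # Dancer 1, as used on these slides
use Plack::Test;
use HTTP::Request::Common;
use Test::More;

# Header values taken from the slides above.
my %security_headers = (
    'Strict-Transport-Security' => 'max-age=16070400; includeSubDomains',
    'X-Frame-Options'           => 'deny',
    'X-XSS-Protection'          => '1; mode=block',
    'X-Content-Type-Options'    => 'nosniff',
    'Content-Security-Policy'   => "default-src 'self'",
);

# Runs after every route handler, so no individual route can forget
# to add the headers.
hook after => sub {
    my $response = shift;
    $response->header( $_ => $security_headers{$_} )
        for keys %security_headers;
};

get '/' => sub { 'hello' };

# Run the app in-process as a PSGI application and verify the headers.
set apphandler => 'PSGI';
my $app = dance;

test_psgi $app, sub {
    my $cb  = shift;
    my $res = $cb->( GET '/' );
    is $res->code, 200, 'route answered';
    for my $name ( sort keys %security_headers ) {
        is $res->header($name), $security_headers{$name}, "$name is set";
    }
};
done_testing;
```

Running this as a normal prove/perl test file gives one failing check per header that goes missing, which makes it a cheap regression test to keep alongside the web-server configuration.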

CSRF / XSRF

Plack::Middleware::XSRFBlock


plack_middlewares:
  -
    - XSRFBlock
    - cookie_name
    - MY-XSRF-Token
    - cookie_options
    -
      httponly: 1

See also Plack::Middleware::CSRFBlock

Injection

(xkcd comic, © xkcd)

Injection

  • SQL & LDAP
  • mod_security
  • DBIx::Class

Escape HTML

  • protect against XSS
  • Dancer::Plugin::EscapeHTML

plugins:
  EscapeHTML:
    automatic_escaping: 1
    exclude_pattern: '_html$'

Hide server tokens

nginx


server_tokens off;
more_set_headers 'Server: Teapot v12.16.1773';

Apache


ServerSignature Off
ServerTokens Prod

Dancer


session_name: session

Input Validation

  • Use
  • Unit boundaries
  • Trust boundaries
  • Protocol parsing
  • Application entry points
  • Network

Other things

  • Testing!!!
  • Password security
  • Server security
  • POST request limits
  • Path traversal
  • Logging and notification
  • Side channel timing attacks
  • App::Cerberus
  • ...

Questions?

Peter Mottram (SysPete) <peter@sysnix.com>