Security Hardening and Drown Attack Prevention for Mobile Backend Developers
6.6.2016 Jiří Danihelka
2
IT Security
The high-level objectives of any IT security activity are Confidentiality, Integrity and Availability.
3
Customer requirements
Customers expect a high degree of IT security; it is a basic requirement.
IT security breaches can severely damage a customer's reputation.
More and more customers will expect you to have formal IT processes for development, operations and security.
4
IT Security approach
Objective: to meet the top-level IT security objectives appropriate to the customer's needs with a reasonable, optimal effort.
A well-defined, lightweight IT security process, applied consistently over time.
Everybody is involved: top-down through clear policy and instructions, bottom-up through contributions.
5
Key chapters of the IT Security Policy
Generic sysadmin good practice: passwords, access rights, starters and leavers, physical and remote access
Backup, recovery, and disaster recovery / business continuity
Risk management
Security incident management
Security in the software development lifecycle: segregation of environments, data and duties; secure coding; quality assurance and vulnerability testing; source code management (CI/CD)
6
Security Hardening
7
Security Layers
There is no such thing as 100% security, so we need security in multiple layers: when one control fails, the next one still holds.
8
Security layers
Automatic deployment accounts run with permissions restricted to the installation directories (they cannot change the operating system)
Stricter firewall rules: critical internal servers are not reachable from outside
Servers are hosted in a highly secure environment, and databases are encrypted
Use cloud services
9
DROWN SSL Vulnerability
10
DROWN is a server-side, cross-protocol attack: the attacker misuses the deprecated SSLv2 protocol, still enabled on a server, to gain information about the RSA key (the SSLv2 server acts as a decryption oracle).
The information obtained is then used to break connections made with the modern TLS protocol that use the same RSA key. The TLS endpoint itself need not speak SSLv2: any other server or port sharing the key (for example a mail server with the same certificate) is enough.
11
DROWN ATTACK possible scenarios
12
More reasons to disable SSL protocols
Traffic over the insecure protocols can be decrypted by an attacker who merely sniffs it
13
More reasons to disable SSL protocols
An attacker in the middle can disable the secure protocols, forcing a downgrade to the weak one, as long as the server still offers it
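The check a practitioner wants after these slides is whether any endpoint still answers an SSLv2 handshake. The following is an added example, not code from the talk: a POSIX shell script that probes a host with `openssl s_client`, classifies the result, and applies the DROWN rule that any endpoint sharing the RSA key (other ports, other hosts with the same certificate) counts. It assumes `openssl` is on the PATH; the `-ssl2` option only exists in OpenSSL builds that still include SSLv2, so the classifier reports that case separately rather than mistaking a client limitation for a hardened server. The host name, ports and output samples used are constructed for illustration.

```shell
#!/bin/sh
# Added example (not part of the talk): probe a TLS endpoint for leftover
# SSLv2/SSLv3 support with `openssl s_client` and apply the DROWN exposure rule.
# Assumption: openssl on PATH. Modern OpenSSL builds lack -ssl2 entirely; that
# case is reported as client-cannot-probe, not as a secure server.

# Classify the raw output of one `openssl s_client -<proto>` run.
# Prints: supported | not-supported | client-cannot-probe | no-connection | unknown
classify_handshake() {
  out="$1"
  if printf '%s\n' "$out" | grep -qiE 'unknown option|unrecognized option'; then
    echo client-cannot-probe   # local OpenSSL was built without this protocol
  elif printf '%s\n' "$out" | grep -qiE 'connect:errno|Connection refused|getaddrinfo|gethostbyname'; then
    echo no-connection         # never reached the server
  elif printf '%s\n' "$out" | grep -q 'Cipher is (NONE)'; then
    echo not-supported         # server refused the version: no cipher was agreed
  elif printf '%s\n' "$out" | grep -qE '^ *Protocol *: *(SSLv2|SSLv3|TLSv1)'; then
    echo supported             # handshake completed with the requested version
  else
    echo unknown
  fi
}

# Run one probe. Usage: probe_protocol host port -ssl2|-ssl3|-tls1|-tls1_2
probe_protocol() {
  host="$1"; port="$2"; flag="$3"
  # s_client exits once stdin (/dev/null) is closed; errors land in the same output.
  res=$(openssl s_client -connect "$host:$port" "$flag" </dev/null 2>&1) || true
  classify_handshake "$res"
}

# DROWN exposure rule: the TLS service is exposed if ANY endpoint that shares
# its RSA key accepts SSLv2. Usage: drown_exposed <result> [<result> ...]
# Exit status 0 means exposed.
drown_exposed() {
  for r in "$@"; do
    [ "$r" = supported ] && return 0
  done
  return 1
}

# Report for one host: HTTPS on 443 plus any extra ports that share the
# certificate (e.g. 465 993). Usage: ./sslv2-probe.sh example.com [extra-port ...]
if [ $# -ge 1 ]; then
  host="$1"; shift
  results=""
  for port in 443 "$@"; do
    r=$(probe_protocol "$host" "$port" -ssl2)
    echo "$host:$port SSLv2 -> $r"
    results="$results $r"
  done
  echo "$host:443 SSLv3 -> $(probe_protocol "$host" 443 -ssl3)"
  if drown_exposed $results; then
    echo "DROWN: EXPOSED (an endpoint sharing the key still speaks SSLv2)"
  else
    echo "DROWN: no SSLv2 endpoint among the probed ports (also check other hosts using this RSA key)"
  fi
fi
```

A `client-cannot-probe` result is not a clean bill of health; re-run from a machine whose OpenSSL still has SSLv2, or use a scanner with its own SSLv2 implementation. After turning the old protocols off in the server configuration (for example `SSLProtocol all -SSLv2 -SSLv3` in Apache, or `ssl_protocols TLSv1.2 TLSv1.3;` in nginx), probe every port and host that uses the same certificate, not just 443.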
14
Results of disabling SSLv2
HTTPS will no longer work with some old browsers. Except for Internet Explorer, all browsers update automatically. Internet Explorer supports the TLS protocol from version 7.
Windows Vista and newer have no problem. Windows XP users can update IE6 to version 8. Users of Windows 98 can no longer use HTTPS in IE.