We’ll get started at 1[68]:05

DevSecOps

6[84]43 week9

Final exam

  • Saturday, 27th April
  • 3 hours (1pm - 4pm)
  • worth 50%

what's in it

  • everything is assessable™
  • not just stuff from the wargames
  • submit a short write-up explanation
  • there's also a shortish DevSecOps question

how2hack

  • my biggest tip is try not to stress out
  • + practice, practice, practice
  • start with recon before you write payloads

My Experience

How’d you find the course

  • What’d you like
  • What’d you dislike
  • What can be improved

https://myexperience.unsw.edu.au

CVEs

Common Vulnerabilities and Exposures

It’s really important that the security community works together

where to find them

  • the CVE list itself: https://www.cve.org (mirrored at https://cve.mitre.org)
  • NVD: https://nvd.nist.gov (same IDs, plus CVSS scores, affected-version data and references)
  • the vendor's own advisory, which is usually where the patch and the real detail live

Application Security Testing

SAST vs DAST tools

  • SAST (static): analyses the source code without running it, so it needs full access to the code (white box)
  • DAST (dynamic): probes the running application from the outside, no source needed (black box)
  • IAST (interactive): an agent inside the running application watches what the code does while tests or a DAST scan exercise it, so findings come with the code path that produced them (grey box)

I accidentally pushed some secrets here

can you find them?

old commits (deleting the file in a later commit doesn't delete it from history: git log -p still has it)

wayback machine

GitHub's events feed (the commit is still there, even after the branch has been rewritten)

who’d be dumb enough to…

me lol (it’s not a pub-key…)

top 10 images taken moments before disaster

maybe check your old projects to see if you’ve made similar dumb mistakes?

What makes a good app

The fundamentals

  • Availability 💰
  • Reliability 💰
  • Scalability 💰
  • Security 🙈 🙉 🙊

At a high level


not doing this

Supply chain attacks

dependency stuffs

Trusting code we didn’t write ourselves

  • npm
  • pip/pypi
  • pacman/aur
  • cargo

Vulnerabilities

Malicious developers

Dependency confusion

  • npm install xyz
  • how does npm resolve xyz when a private registry and the public one both have a package called xyz?
  • many setups ask both and take whichever has the higher version number
  • so the attacker publishes a public xyz with a higher version than the internal one, and wins
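The resolution rule above, as an added example (not code from the slides): a toy resolver that holds two constructed package indexes, one "private" and one "public", and shows both the vulnerable "highest version anywhere wins" lookup and the fix, binding each internal name to exactly one registry and never falling through. Package names, versions and the registry labels are made up for illustration.

```python
from __future__ import annotations

from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

Version = Tuple[int, int, int]


@dataclass(frozen=True)
class Candidate:
    name: str
    version: Version
    registry: str  # which index this came from


# Constructed indexes (not real registries). The company publishes xyz
# 1.4.0 and internal-auth 2.0.1 on its private registry only. An attacker
# who learns the name "xyz" (a leaked package.json, a 404 on the public
# registry) uploads xyz 99.0.0 publicly.
PRIVATE_INDEX: Dict[str, Set[Version]] = {
    "xyz": {(1, 3, 0), (1, 4, 0)},
    "internal-auth": {(2, 0, 1)},
}
PUBLIC_INDEX: Dict[str, Set[Version]] = {
    "xyz": {(99, 0, 0)},
    "lodash": {(4, 17, 20), (4, 17, 21)},
}
REGISTRIES = {"private": PRIVATE_INDEX, "public": PUBLIC_INDEX}


def resolve_naive(name: str) -> Optional[Candidate]:
    """Vulnerable resolution: ask every configured registry and take the
    highest version seen anywhere. "Private registry with fallback to the
    public one" amounts to exactly this, and the attacker's 99.0.0 wins."""
    candidates = [
        Candidate(name, v, reg)
        for reg, index in REGISTRIES.items()
        for v in index.get(name, set())
    ]
    return max(candidates, key=lambda c: c.version, default=None)


def resolve_pinned(name: str, registry_for: Dict[str, str]) -> Optional[Candidate]:
    """Hardened resolution: each internal name is bound to one registry up
    front (an npm scope -> registry mapping, or a pip index that only
    serves the names it owns) and is never looked up anywhere else, so a
    public package with the same name is simply never consulted."""
    registry = registry_for.get(name, "public")
    versions = REGISTRIES[registry].get(name)
    if not versions:
        return None  # fail closed: do NOT fall through to another registry
    return Candidate(name, max(versions), registry)


if __name__ == "__main__":
    print("naive :", resolve_naive("xyz"))                      # public 99.0.0
    print("pinned:", resolve_pinned("xyz", {"xyz": "private"}))  # private 1.4.0
```

The `registry_for` map is what an `.npmrc` line like `@myorg:registry=https://…` does for a whole scope: everything under `@myorg/` goes to one registry and nowhere else. For pip the equivalent is a single `--index-url` that only proxies the names you own, plus `--require-hashes` so that a substituted artifact fails the hash check even if name resolution is ever wrong.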


Typosquatting

  • pip install falsk
  • if an attacker has registered a package named falsk, that typo installs their code instead of Flask


Vulnerability in the package manager

I don’t have an example 🤷

CI/CD

keeping it secure

what to keep secure

  • tokens
  • keys
  • .env
  • .git

basically just ~secrets~
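For both the "I accidentally pushed some secrets" slides and this list, here is an added example (not the lecturer's code) of the check you would run before, and over, your git history: a small scanner that looks for a few well-known credential shapes and for `KEY=value` lines whose value is long and high-entropy. The token patterns are the published formats of those credential types; the entropy threshold, minimum value length and the `SAMPLE` text are constructed for this example.

```python
import math
import re
import sys
from collections import Counter
from typing import List, Tuple

# Fixed, well-known credential shapes.
PATTERNS = [
    ("aws-access-key-id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("private-key-block", re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----")),
    ("github-token", re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36}\b")),
    ("slack-token", re.compile(r"\bxox[abpr]-[0-9A-Za-z-]{10,}\b")),
]

# Generic catch-all: a .env / shell style KEY=value whose value is long and
# looks random. Catches secrets with no fixed prefix (AWS secret keys,
# database passwords, random API keys).
ASSIGNMENT = re.compile(
    r"^[ \t]*(?:export[ \t]+)?([A-Z][A-Z0-9_]*)[ \t]*=[ \t]*['\"]?([A-Za-z0-9+/=_\-]{20,})['\"]?[ \t]*$",
    re.MULTILINE,
)
ENTROPY_THRESHOLD = 4.0  # bits per character; an assumption, tune per repo


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for 'aaaa', 1.0 for 'ab')."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def _line_of(text: str, pos: int) -> int:
    return text.count("\n", 0, pos) + 1


def redact(value: str) -> str:
    """Keep just enough to locate the secret, never the whole thing."""
    return value[:6] + "…" + value[-2:] if len(value) > 10 else "…"


def find_secrets(text: str) -> List[Tuple[str, int, str]]:
    """Return (label, line_number, redacted_match) for every finding."""
    hits = []
    flagged_lines = set()
    for label, pat in PATTERNS:
        for m in pat.finditer(text):
            line = _line_of(text, m.start())
            flagged_lines.add(line)
            hits.append((label, line, redact(m.group(0))))
    for m in ASSIGNMENT.finditer(text):
        line = _line_of(text, m.start())
        if line in flagged_lines:
            continue  # already reported by a specific pattern
        key, value = m.group(1), m.group(2)
        if shannon_entropy(value) >= ENTROPY_THRESHOLD:
            hits.append(("high-entropy-assignment", line, f"{key}={redact(value)}"))
    return sorted(hits, key=lambda h: h[1])


# Constructed sample: what an accidentally committed .env / deploy file
# might look like. The AWS values are the placeholders from AWS's own docs.
# Line 6 is a public key and should NOT be reported.
SAMPLE = """\
# deploy settings
DB_HOST=localhost
DEBUG=true
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC deploy@build
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
-----END OPENSSH PRIVATE KEY-----
"""

if __name__ == "__main__":
    # e.g.  git log -p --all | python scan_secrets.py   (scans all history)
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    for label, line, snippet in find_secrets(data):
        print(f"line {line}: {label}: {snippet}")
```

Pipe `git log -p --all` (every branch, every commit, deleted files included) through it before a repo goes public, and run it as a pre-commit hook so the next `.env` never gets in. A hit only means the blob is in history; the fix is still to rotate the credential, because a force-push doesn't unsee what's already been fetched or indexed.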

dumb projects idk

VPNs

Consumer "browsing" VPNs (all your traffic exits from the provider) vs site-to-site VPNs (joining two networks together)

Privacy

“providers who claim not to keep any logs of their users’ online activities recently left 1.2 terabytes of private user data exposed” 🤔

Privilege escalation

what to do once you have RCE

  • we can execute arbitrary commands, but only as a low-privilege user (e.g. www-data or nobody)
  • we want our commands to execute as root/admin/superuser

How to privesc

  • world-writable /etc/passwd (yes, it is useful: the second field is still honoured as a password hash, so you can append a UID-0 user with a hash you generated yourself)
  • cron job running as root that executes a script or binary we can write to
  • setuid binaries (anything setuid-root that spawns a shell or reads/writes arbitrary files)
  • commands we're allowed to run via sudo without a password (check with sudo -l)
  • vulnerabilities in the kernel itself (e.g. Dirty COW, CVE-2016-5195)
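The checklist above as a script, added here as an example (not code from the slides): each check takes explicit paths so it can be run against the live box or against a throwaway test tree. It assumes only POSIX sh plus a `find` that understands `-maxdepth`; the `PRIVESC_LIVE` switch and the function names are this example's own.

```sh
#!/bin/sh
# Privesc enumeration for the vectors listed above.

# Is FILE writable by everyone (mode has the "other write" bit, 0002)?
world_writable() {
    [ -n "$(find "$1" -maxdepth 0 -perm -0002 2>/dev/null)" ]
}

# /etc/passwd check: if it's world-writable we can append a UID-0 user
# whose second field is a hash we generated ourselves.
passwd_writable() {
    world_writable "${1:-/etc/passwd}"
}

# Setuid files under DIR. A setuid-root binary that spawns a shell or
# reads/writes arbitrary files is a direct route to root.
find_setuid() {
    find "${1:-/}" -xdev -type f -perm -4000 2>/dev/null
}

# Rules in sudoers file(s) that allow running something without a password.
# On a live box `sudo -l` asks sudo directly and is the better first step.
nopasswd_rules() {
    grep -hE '^[^#]*NOPASSWD' "$@" 2>/dev/null
}

# System-crontab entries (m h dom mon dow USER command) that root runs
# and whose command is a file we can overwrite.
writable_cron_scripts() {
    while read -r f1 f2 f3 f4 f5 f6 f7 _; do
        case "$f1" in
            ''|'#'*) continue ;;            # blank line or comment
            '@'*)    user=$f2; cmd=$f3 ;;   # @reboot, @daily, ...
            *)       user=$f6; cmd=$f7 ;;
        esac
        if [ "$user" != root ]; then
            continue
        fi
        if world_writable "$cmd"; then
            printf '%s\n' "$cmd"
        fi
    done < "$1"
    return 0
}

# Run everything against the live system only when asked to.
if [ "${PRIVESC_LIVE:-0}" = 1 ]; then
    if passwd_writable; then echo '[!] /etc/passwd is world-writable'; fi
    echo '[*] setuid binaries:'
    find_setuid /
    echo '[*] NOPASSWD sudo rules:'
    nopasswd_rules /etc/sudoers /etc/sudoers.d/*
    echo '[*] root cron jobs whose command we can overwrite:'
    for f in /etc/crontab /etc/cron.d/*; do
        if [ -f "$f" ]; then writable_cron_scripts "$f"; fi
    done
fi
```

Run it with `PRIVESC_LIVE=1 sh privesc.sh` on the box you have a shell on. The sudoers and cron checks only work if you can read those files; when you can't, `sudo -l` and looking for world-writable paths referenced from `ps`/`crontab -l` output are the fallbacks.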

Docker escape

Useful resources

what makes a secure web app

technology

  • NGINX, Let's Encrypt (TLS), Docker
  • don't trust user input, or any other component by default (zero trust)
  • good access control

Challenges/Walkthrough