Application Security and Hardening

Geekwise Academy


Week 12 - Secure Development and Testing


Instructors:

Corey Shuman


Slack Channel:

#application-security

Github Repo:

https://github.com/coreyshuman/GeekwiseApplicationSecurity

Lecture Notes:

http://coreyshuman.github.io/GeekwiseApplicationSecurity/LectureNotes



Table of Contents:



    Secure Practices in Development

    [OWASP Developer Guide](https://github.com/OWASP/DevGuide)

    Using 3rd Party Libraries and Packages

    [52% of All JavaScript npm Packages Could Have Been Hacked via Weak Credentials](https://www.bleepingcomputer.com/news/security/52-percent-of-all-javascript-npm-packages-could-have-been-hacked-via-weak-credentials/)

    [I’m harvesting credit card numbers and passwords from your site. Here’s how.](https://hackernoon.com/im-harvesting-credit-card-numbers-and-passwords-from-your-site-here-s-how-9a8cb347c5b5)

    [Part 2: How to stop me harvesting credit card numbers and passwords from your site](https://hackernoon.com/part-2-how-to-stop-me-harvesting-credit-card-numbers-and-passwords-from-your-site-844f739659b9)

    [How to Reduce Risk and Improve Security Around npm](http://nodesource.com/blog/how-to-reduce-risk-and-improve-security-around-npm/)

    Node Security Platform

    The Node Security Platform maintains a record of NodeJS plugins with known security issues. It can be installed and run using the following lines:

    Security Fundamentals (The CIA triad)

    [Security Fundamentals](https://github.com/OWASP/DevGuide/blob/master/01-Foundations/01-Security%20Fundamentals.md)

    Secure Development Lifecycle

    [Secure Development Lifecycle](https://github.com/OWASP/DevGuide/blob/master/01-Foundations/04-Secure%20Development%20Lifecycle.md)

    Secure Design Principles

    [Secure Design Principles](https://github.com/OWASP/DevGuide/blob/master/02-Design/01-Principles%20of%20Security%20Engineering.md)

    Testing

    [OWASP Testing Project](https://www.owasp.org/index.php/OWASP_Testing_Project)

    [OWASP Testing Guide v4](https://www.owasp.org/images/1/19/OTGv4.pdf)

    Web Application Security Testing Topics:

    • Configuration and Deployment Management Testing
    • Identity Management Testing
    • Authentication Testing
    • Authorization Testing
    • Session Management Testing
    • Input Validation Testing
    • Testing for Error Handling
    • Testing for Weak Cryptography
    • Business Logic Testing
    • Client Side Testing

    Areas we will cover in class:

    • Principles of Testing
    • Testing Techniques Explained

    Read in class:

    • 3 - The OWASP Testing Framework

    Google's XSS Game

    [XSS Game](https://xss-game.appspot.com/)

    Handling Vulnerabilities

    An important and often overlooked part of the maintenance process is having a system in place to report, manage, and fix vulnerabilities. This includes handling vulnerabilities reported by third parties.

    How not to do it

    First let's look at how not to do it. These are some examples of terrible vulnerability disclosure and management by companies you know.

    [Panera Bread Leaves Users' Data Vulnerable for 8 Months](https://medium.com/@djhoulihan/no-panera-bread-doesnt-take-security-seriously-bf078027f815)

    [Uber Concealed Massive Hack](https://www.theguardian.com/technology/2017/nov/21/uber-data-hack-cyber-attack)

    How to Handle Vulnerability Reporting

    The keys to properly managing vulnerability reports are the following:

    Have a Process

    If there is no process in place, it is easy for reported vulnerabilities to slip through the cracks and remain unfixed. Who do the reports go to? Who will verify the issue? Who is responsible for fixing the vulnerability? These are the questions your organization should have clear answers to.

    Have a Point of Contact

    Often the most challenging part of reporting a vulnerability, from the reporter's side, is finding an appropriate point of contact in the organization. It is important to have clear and obvious contact information for reporting vulnerabilities. Furthermore, it is important to follow up and acknowledge when a report has been received.

    Additionally, add a [security.txt](https://securitytxt.org/) file to your website.

    [Handling Security Reports](https://www.cio.com/article/3157698/security/how-to-handle-security-vulnerability-reports.html)

    Vulnerability Disclosure

    A responsible organization will disclose breaches to protect its users' data and interests. The following process will help you be ready in the event of a breach.

    [OWASP: Vulnerability Disclosure Cheat Sheet](https://www.owasp.org/index.php/Vulnerability_Disclosure_Cheat_Sheet)

    [Data Breach Disclosure 101](https://www.troyhunt.com/data-breach-disclosure-101-how-to-succeed-after-youve-failed/)

    Prepare

    Determine the scope of security in your organization, have a process, and have a point of contact.

    Have a [Disclosure Policy](https://www.hackerone.com/blog/Vulnerability-Disclosure-Policy-Basics-5-Critical-Components).

    Here is a disclosure [Example](https://responsibledisclosure.nl/en/).

    Identify

    Document every step in the process of identifying, exploiting, and fixing a vulnerability.

    [How to Write a Good Vulnerability Report](https://support.hackerone.com/hc/en-us/articles/211538803-Step-by-Step-How-to-write-a-good-vulnerability-report)

    Report

    • Alert the company and appropriate persons within the organization
    • Request a CVE Identification if appropriate
    • Alert a trusted 3rd party such as a national CERT, a data privacy regulator, or security professionals
    • Full/public disclosure

    Examples of Well-Handled Disclosure

    [Australian Red Cross](http://www.donateblood.com.au/media/news/blood-service-apologises-donor-data-leak)

    [Other Examples](https://blog.cyberint.com/our-favorite-examples-of-how-ceos-respond-to-cyber-breaches)

    Server Hacking

    To wrap up our time together, let's dig a little deeper into web server hacking. In particular, we will practice acquiring shell access to a target machine.

    [How I Hacked 40 Websites in 7 Minutes](https://hackernoon.com/how-i-hacked-40-websites-in-7-minutes-5b4c28bc8824)

    Reverse Shell

    via [Infosec Institute](http://resources.infosecinstitute.com/icmp-reverse-shell/): A reverse shell is a type of shell in which the target machine communicates back to the attacking machine. The attacking machine has a listener port on which it receives the connection, allowing code or command execution to be achieved.

    [Reverse Shell Cheatsheet](http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet)

    [Simple Reverse Shells](https://blog.ropnop.com/upgrading-simple-shells-to-fully-interactive-ttys/)

    Using Netcat to Create a Reverse Shell

    Here we will simulate creating and connecting to a Reverse Shell. In this case, we will be doing everything on the same machine. In a real-world scenario, you would be connecting to a victim machine's shell.

    Start a Kali Linux docker image.

    Make sure Netcat is installed.

    Open a second terminal and connect to the Kali Linux container.

    In one of the terminals, use Netcat to listen for connections on port `4444`. This represents your local machine.

    In the second terminal, establish a reverse shell connection to your local machine.

    **Challenge:** Try using one of the methods in the [Reverse Shell Cheatsheet](http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet) to establish your connection.

    In-Class: Use the shell vulnerability in the Damn Vulnerable Web App to create a reverse shell connection between it and your Kali Linux instance.
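The defender's view of the same exercise, as an added example that is not part of the course material: a reverse shell leaves behind a shell process whose standard streams are a network socket rather than a terminal, and this script lists such processes from /proc so you can see what the netcat connection you just built looks like on the host. The SHELLS set and the sample process records are assumptions.

```python
"""Defender-side counterpart to the netcat exercise: list shell processes whose
standard streams are network sockets, the footprint a reverse shell leaves on a
host. Added example, not from the course repo; SHELLS and the sample are assumed."""
import os
from typing import Dict, List, Tuple

SHELLS = {"sh", "bash", "dash", "zsh", "ash", "ksh"}
ProcRecord = Tuple[int, str, Dict[int, str]]  # (pid, comm, {fd: link target})

def suspicious_shells(procs: List[ProcRecord]) -> List[Tuple[int, str, List[int]]]:
    """Return (pid, comm, socket_fds) for shells whose fd 0, 1 or 2 is a socket.

    An interactive shell normally sits on a tty (/dev/pts/N); one that netcat
    or bash has attached to a TCP connection sits on socket:[inode]. Hosts that
    legitimately run sh on a socket (inetd-style handlers, CGI) also match, so
    treat hits as leads to triage rather than verdicts.
    """
    hits = []
    for pid, comm, fds in procs:
        if comm not in SHELLS:
            continue
        socket_fds = [fd for fd in (0, 1, 2) if fds.get(fd, "").startswith("socket:")]
        if socket_fds:
            hits.append((pid, comm, socket_fds))
    return hits

def collect_from_proc() -> List[ProcRecord]:
    """Read live records from /proc (Linux; fds of other users' processes need root)."""
    procs = []
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        try:
            with open(f"/proc/{entry}/comm") as f:
                comm = f.read().strip()
            fds = {fd: os.readlink(f"/proc/{entry}/fd/{fd}") for fd in (0, 1, 2)}
        except OSError:  # process exited, or not ours to inspect
            continue
        procs.append((int(entry), comm, fds))
    return procs

# Constructed sample: an ordinary shell on a pty beside a shell whose three
# standard streams all point at one TCP socket.
SAMPLE_PROCS: List[ProcRecord] = [
    (1001, "bash", {0: "/dev/pts/0", 1: "/dev/pts/0", 2: "/dev/pts/0"}),
    (4243, "sh", {0: "socket:[31337]", 1: "socket:[31337]", 2: "socket:[31337]"}),
]

if __name__ == "__main__":
    for pid, comm, fds in suspicious_shells(collect_from_proc()):
        print(f"pid {pid} ({comm}) has fds {fds} attached to a socket")
```

Run it as root inside the Kali container while your netcat session is open, then close the session and run it again to confirm the hit disappears.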

    White-hat Hacking

    **Most Important Rule:** Don't access or attack someone else's property without their express permission! It is illegal!

    Obviously, this makes reporting vulnerabilities a dubious proposition, especially if you've come across them by chance.

    [Penetration Testing by the Letter of the Law](https://www.securitymagazine.com/articles/88489-penetration-testing-by-letter-of-the-law)

    [Legal Issues in Penetration Testing](https://securitycurrent.com/legal-issues-in-penetration-testing/)

    Industry Experts

    [Troy Hunt](https://www.troyhunt.com/)

    [Have I Been Pwned](https://haveibeenpwned.com/)

    [Brian Krebs](https://krebsonsecurity.com/)

    [Top Security Blogs 2018](https://onlinedegrees.sandiego.edu/top-cyber-security-blogs-websites/)



    Resources