PagerDuty's Security Training for Engineers, The Dramatic Conclusion episode artwork

EPISODE · Jan 31, 2022 · 1H 39M

PagerDuty's Security Training for Engineers, The Dramatic Conclusion

from Coding Blocks · host Allen Underwood, Michael Outlaw, Joe Zack

We wrap up our discussion of PagerDuty's Security Training, while Joe declares this year is already a loss, Michael can't even, and Allen says doody, err, duty. The full show notes for this episode are available at https://www.codingblocks.net/episode177. Sponsors Datadog – Sign up today for a free 14 day trial and get a free Datadog t-shirt after creating your first dashboard. Linode – Sign up for $100 in free credit and simplify your infrastructure with Linode's Linux virtual machines. Shortcut – Project management has never been easier. Check out how Shortcut is project management without all the management. Survey Says How awesome was Game Ja-Ja-Ja-Jamuary?! Take the survey at: https://www.codingblocks.net/episode177. News Ja Ja Ja Jamuary is complete and there are 46 new games in the world. Go play! (itch.io) Session Management Session management is the ability to identify a user over multiple requests. HTTP is stateless, so there needs to be a way to maintain state. Cookies are commonly used to store information on the client to be sent back to the server on subsequent requests. They usually contains a session token of some sort, which should be a random unique string. Do NOT store sensitive information in the cookie, such as no usernames, passwords, etc. Besides tampering, it can be difficult to revoke the cookies. Session Hijacking Session hijacking is stealing a user's session, possibly by: Guessing or stealing the session identifiers, or Taking over cookies that weren't properly locked down. Session Fixation Session fixation is when a bad actor creates a session that you will unknowingly take over, thus giving the bad actor access to the data in the user's session. This used to be more of an issue when session tokens were passed around in the URL (remember CFID and CFTOKEN?!). Always treat cookies like any other user input, don't implicitly trust it, because it can be manipulated on the client. How to Secure / Verify Sessions Add extra pieces of data to the session you can verify when requests are made. Ensure you actually created the session. Make sure it hasn't expired and ensure you set expirations for sessions. All of this just catches the easy stuff. Session ID's should be unique and random. Ensure the following when sending cookies to the client: Secure flag is set, httpOnly flag is set, and The domain is set on the cookie so it can only be used by your application. To avoid the session fixation we mentioned earlier, ALWAYS make sure to send a new session ID when privileges are elevated, i.e. a login. Always keep information stored on the server side, not on the client. Make sure you have an expiration that is set on the server side session. This should be completely independent of the cookie because the cookie values can be manipulated. When a user logs out or the session expires, ensure you fully destroy all session information. NEVER TRUST USER INPUT! Permissions Try to avoid using sudo in any shell scripts if you can. If you can't avoid it, use it with care. The the principle of least privilege, i.e. more restrictive permissions, as in, can you live with read-only perms? Revoke permissions you don't need. Create separate users for separate needs. If you need to delete files from a storage bucket, have a service account or user set up with just that permission. Same for managing compute instances. Use the least permissive approach you can as it greatly reduces risks. Other Classic Vulnerabilities Buffer overflow: This is when a piece of data is stored somewhere it shouldn't be able to access. From Wikipedia, a buffer overflow _"is an anomaly where a program, while writing data to a buffer, overruns the buffer's boundary and overwrites adjacent memory locations."_ Typically these are used to execute malicious code by putting instructions in a piece of memory that is to be executed after a previous statement completes. One malicious use of a buffer overflow is using a NOP sled (no-operation sled) to fill up the buffer with a lot of NOPs with your malicious code at the end of the ride. Apparently you can use this method to easily get a root shell – article linked in the resources Metasploit (YouTube) Path Traversal: This is when you "break out" of the web server's directory and are able to access, or serve up, content from elsewhere on the server Remember, your dependencies may also have vulnerabilities such as this. You need to run scans on your apps, code, and infrastructure. Side Channel Attacks: This is when the attacker is using information that's not necessarily part of a process to get information about that process. Examples include: Timing attack: Understanding how long certain processes take can allow you to infer information about the process. For example, multiplication takes longer than addition so you might be able to determine that there's multiplication happening. Power analysis: This is when you can actually figure out what a processor is doing by analyzing the electrical power being consumed. An example of this process is called differential power analysis. Acoustic cryptanalysis: This is when the attacker is analyzing sounds to find out what's going on, such as using a microphone to listen to the sounds of typing a password. Data remanence: This is when an attacker gets sensitive data after it was thought to have been deleted. Resources we Like For Engineers – PagerDuty Security Training (sudo.PagerDuty.com) For Everyone – PagerDuty Security Training (sudo.PagerDuty.com) Session Management Cheat Sheet (OWASP.org) Channel-Bound Cookies (BrowserAuth.net) Origin Cookies (tools.ietf.org) Channel Bindings for TLS (tools.ietf.org) Firesheep (Wikipedia) Buffer overflow (Wikipedia) Smashing The Stack For Fun And Profit (phrack.org) The Visual Microphone: Passive Recovery of Sound from Video (YouTube) NSA's involvement in the design of the Data Encryption Standard (Wikipedia) The Data Encryption Standard (DES) and its strength against attacks by D. Coppersmith (simson.net) Differential cryptanalysis (Wikipedia) Power analysis (Wikipedia) American Cryptology during the Cold War, 1945-1989 (NSA) DirecTV attacks hacked smart cards (theregister.co.uk) Oh mother… | Family Feud (YouTube) Eagle Eye (IMDb) Tip of the Week Did you know you can use your phone as a pro level webcam? Thanks Simon Barker! (reincubate.com) From the tip hotline (cb.show/tips) – Mikerg sent us a great site for learning VSCode. Some are free, some require a $3 monthly subscription, but the ones Joe has done have been really good. Not just VSCode either! IntelliJ, Gmail, lots of other stuff! (keycombiner.com) How to use Visual Studio Code as the default editor for Git MergeTool (stackoverflow.com) Five Easy to Miss PostgreSQL Query Performance Bottlenecks (pawelurbanek.com)

Episode metadata supplied by the publisher feed · Published Jan 31, 2022

NOW PLAYING

PagerDuty's Security Training for Engineers, The Dramatic Conclusion

0:00 1:39:22

No transcript for this episode yet

We transcribe on demand. Request one and we'll notify you when it's ready — usually under 10 minutes.

API Intersection Stoplight Building a successful API requires more than just coding. It starts with collaborative design, focuses on creating a great developer experience, and ends with getting your company on board, maintaining consistency, and maximizing your API’s profitability.In the API Intersection, you’ll learn from experienced API practitioners who transformed their organizations, and get tangible advice to build quality APIs with collaborative API-first design.Jason Harmon brings over a decade of industry-recognized REST API experience to discuss topics around API design, governance, identity/auth versioning, and more.They’ll answer listener questions, and discuss best practices on API design (definition, modeling, grammar), Governance (multi-team design, reviewing new API’s), Platform Transformation (culture, internal education, versioning) and more.They’ll also chat with experienced API practitioners from a wide array of industries to draw out practical takeaways and insights you can use.H Unshamed & Unchained: Carving Space For Self-Healing & Habit Transformation Danny Poelman Welcome to "Unshamed & Unchained: Carving Space For Self-Healing & Habit Transformation", the podcast where we break the chains of shame and societal expectations to create a safe space for self-healing, habit transformation, and personal growth. Hosted by a seasoned life coach, Danny Poelman DDS, with years of hands-on experience, this podcast is your guide to reclaiming your voice, embracing your story, and living life on your terms.In each episode, we dive deep into the topics that matter most to you—whether it's:-breaking free from unwanted habits like pornography-excessive people-pleasing-healing from past trauma-recovering from narcissistic abuse or religious/relational trauma-anxiety/depression-money mindset blocks-overcoming limiting beliefsWe’re not afraid to talk about the things that are often considered taboo, because we believe that through honest, unfiltered conversations, real transformation happens.You’ll hear real Khanyisa Keke TV Khanyisa Keke On Khanyisa Keke TV, developers can learn and improve their Android for Kotlin Development skills. On this podcast, programmers can learn Android for Kotlin coding from scratch, improve their existing programming skills, get tips, be kept up to date with all the latest happenings and get access to free resources. Powered by Firstory Hosting The Triathlon Mental Performance Podcast Neil Edge This podcast is for you if you are a Triathlete that is interested in learning about tools and strategies to overcome challenges and to utilize the power of your mind to race faster.I'm an experienced Triathlon Mental Performance Coach working with both Age Groupers and Pros.Episodes will cover the following and more.How to improve your mental toughnessRemoving the possibility of panic attacks in open water Removing the fear of fast descents on your bike -Removing mental blocks to improve your race times Completely remove performance anxiety (you don't have to just cope with it)4 weeks to race day - Strategies to  arrive at your a-race feeling calm and confident, with race day mental strategiesI will also talk about specific tools that you can use to ensure that you race faster.<b

Frequently Asked Questions

How long is this episode of Coding Blocks?

This episode is 1 hour and 39 minutes long.

When was this Coding Blocks episode published?

This episode was published on January 31, 2022.

What is this episode about?

We wrap up our discussion of PagerDuty's Security Training, while Joe declares this year is already a loss, Michael can't even, and Allen says doody, err, duty. The full show notes for this episode are available...

Can I download this Coding Blocks episode?

Yes, you can download this episode by clicking the download button on the episode player, or subscribe to the podcast in your preferred podcast app for automatic downloads.
URL copied to clipboard!