WEBVTT

00:00:00.000 --> 00:00:03.773
So, if I followed that NIST framework we talked about earlier,

00:00:03.773 --> 00:00:05.645
we've identified what the problem is,

00:00:05.645 --> 00:00:08.468
we talked about how to protect in two different ways,

00:00:08.468 --> 00:00:11.442
protecting in the browser and protecting at the web server,

00:00:11.442 --> 00:00:14.934
but let's assume, you know, the thing happens,

00:00:14.935 --> 00:00:18.682
the website's been owned, that one line of JavaScript is there,

00:00:18.682 --> 00:00:20.751
how are we going to find it?

00:00:20.751 --> 00:00:23.108
How can we detect, and this is a really interesting problem,

00:00:23.108 --> 00:00:26.309
how do we detect that one line of script tag added to a

00:00:26.309 --> 00:00:28.190
page delivered to a consumer browser?

00:00:28.190 --> 00:00:28.516
So,

00:00:28.516 --> 00:00:31.782
are you going beyond detection insofar as you might have

00:00:31.782 --> 00:00:33.230
intrusion detection systems and things like this,

00:00:33.230 --> 00:00:36.114
so you're sort of saying, look, someone has gotten in and they've left something,

00:00:36.114 --> 00:00:39.582
how do we now discover that your web page has moved from a

00:00:39.582 --> 00:00:41.316
known good state into something else?

00:00:41.317 --> 00:00:41.600
Absolutely.

00:00:41.600 --> 00:00:43.019
How do we do that?

00:00:43.019 --> 00:00:49.805
And I think you showed us something with the CSP that would say,

00:00:49.805 --> 00:00:55.633
if the script ran in the consumer browser,

00:00:55.633 --> 00:00:58.161
it's going to say, hang on, that's not allowed to run,

00:00:58.162 --> 00:01:00.574
and you can report it somewhere.

00:01:00.575 --> 00:01:02.969
Yeah, in fact, there's sort of a nuance to the CSP,

00:01:02.969 --> 00:01:06.241
so the CSP will say this is what's allowed to run from where,

00:01:06.241 --> 00:01:09.070
if someone put a block of script, the CSP can also,

00:01:09.070 --> 00:01:12.213
in fact, by default the CSP doesn't let you have a block of script,

00:01:12.213 --> 00:01:14.604
you actually have to enable it and do certain things there,

00:01:14.604 --> 00:01:17.180
but I think you're also sort of talking about

00:01:17.181 --> 00:01:18.969
attacks where the web server is owned,

00:01:18.969 --> 00:01:21.786
and we just had the discussion about the fact that the web server is owned,

00:01:21.786 --> 00:01:23.786
then they can take out out the CSP or anything like that.

00:01:23.786 --> 00:01:24.595
They can take out the CSP.

00:01:24.595 --> 00:01:25.539
But we could detect that, couldn't we?

00:01:25.540 --> 00:01:28.165
If they took it, if we had a CSP, so say we've got,

00:01:28.165 --> 00:01:30.192
so, let's imagine we've done this.

00:01:30.192 --> 00:01:33.179
We've gone and done SRI for our resources,

00:01:33.179 --> 00:01:38.802
we've put a CSP in place, and then the bad guy comes along,

00:01:38.802 --> 00:01:42.667
he puts his JavaScript in there, he either edits the CSP to include his host,

00:01:42.667 --> 00:01:45.572
or he takes out the CSP altogether.

00:01:45.572 --> 00:01:48.198
That's one thing we could look for, isn't it?

00:01:48.198 --> 00:01:50.426
Possibly externally, not natively within the site,

00:01:50.426 --> 00:01:52.152
because if you're looking for that within the site,

00:01:52.152 --> 00:01:54.231
you'd take out the thing that was looking for it,

00:01:54.231 --> 00:01:56.686
it's very "Inception" now, but --- Yeah,

00:01:56.686 --> 00:01:57.181
I know what you mean.

00:01:57.181 --> 00:01:58.840
Because once your web server is owned, your web server is owned.

00:01:58.840 --> 00:02:00.531
So you've got to have something independent.

00:02:00.532 --> 00:02:00.781
Yeah.

00:02:00.781 --> 00:02:05.059
If we were just looking to see if the CSP had changed or had been removed,

00:02:05.059 --> 00:02:09.915
could we put something out on the internet that went to our website,

00:02:09.915 --> 00:02:15.328
browsed the pages if it was a user, and then looked for that CSP?

00:02:15.328 --> 00:02:15.971
You could,

00:02:15.971 --> 00:02:20.120
so that the external service would have to have like a known good state of CSP,

00:02:20.120 --> 00:02:21.375
and then it would have to identify a deviation,

00:02:21.375 --> 00:02:24.951
of course your challenge then is that something like a CSP has to change

00:02:24.951 --> 00:02:26.355
every time you pull in content from somewhere else,

00:02:26.355 --> 00:02:29.084
so then your check for that has to change,

00:02:29.084 --> 00:02:32.073
and we just had the discussion about the marketing department

00:02:32.073 --> 00:02:34.026
wanting to put arbitrary script in there,

00:02:34.026 --> 00:02:37.275
which means they-- stay with us here-- you have to put arbitrary script in,

00:02:37.275 --> 00:02:38.778
which means you've also got to change the CSP,

00:02:38.778 --> 00:02:40.469
which means you've also got to change your external detection,

00:02:40.470 --> 00:02:42.739
which looks for a deviation of the CSP.

00:02:42.739 --> 00:02:44.149
So, now I've got a process.

00:02:44.149 --> 00:02:47.449
Now we need a process that says if I want to add a new

00:02:47.449 --> 00:02:48.871
line of JavaScript to my website,

00:02:48.871 --> 00:02:52.061
I need to follow a process that says I need to change the CSP,

00:02:52.061 --> 00:02:56.315
and I need to change the thing externally that's checking for the CSP.

00:02:56.315 --> 00:02:59.901
Yes, and like I get that some people will then turn around and say,

00:02:59.901 --> 00:03:02.841
well, that's a lot of mucking around, but in fairness,

00:03:02.841 --> 00:03:04.930
that maybe that is the discussion you need to have,

00:03:04.930 --> 00:03:06.570
particularly if you're doing something like taking payment cards,

00:03:06.570 --> 00:03:09.161
which kind of brings us back to the original point of this course.

00:03:09.161 --> 00:03:09.371
Like,

00:03:09.371 --> 00:03:13.212
you're not going to get out of all of this for free in terms of human effort.

00:03:13.213 --> 00:03:15.578
But if we're seeing that 50% of criminal attacks are

00:03:15.578 --> 00:03:19.200
going to payment cards or this, then as soon as they get payment cards,

00:03:19.200 --> 00:03:22.630
it's going to be login credentials, it's going to be healthcare forms,

00:03:22.631 --> 00:03:26.499
it's going to be anything where users are typing into their browser,

00:03:26.499 --> 00:03:28.659
so it strikes me that you want to be able to check that.

00:03:28.660 --> 00:03:30.804
It strikes me that, you know the world moves on,

00:03:30.804 --> 00:03:33.274
you know, we didn't have firewalls, then we had firewalls,

00:03:33.274 --> 00:03:35.876
we didn't have the OWASP top 10, then we have it,

00:03:35.876 --> 00:03:39.003
I think this is maybe one of those the world has moved on,

00:03:39.003 --> 00:03:42.513
and we need to be able to check what we're serving to our consumers,

00:03:42.513 --> 00:03:44.541
and if the only way of doing that is by looking at

00:03:44.541 --> 00:03:46.510
it externally like a consumer, we have to do that.

00:03:46.510 --> 00:03:47.843
Yeah, fair call, fair call.

00:03:47.843 --> 00:03:49.427
And that would be what, like, you just write curl,

00:03:49.427 --> 00:03:52.065
you just do curl and then hash it or something?

00:03:52.065 --> 00:03:52.852
Possibly, but of course,

00:03:52.852 --> 00:03:55.503
it's a little bit more than that because you want the servers to run

00:03:55.503 --> 00:03:57.797
unattended and you want it to notify you when it changes,

00:03:57.797 --> 00:04:01.342
maybe someone out there has built a service for this,

00:04:01.342 --> 00:04:02.484
that's maybe not a bad idea!

00:04:02.484 --> 00:04:04.998
I haven't seen that, but --- Don't build a service if you've thought of this,

00:04:04.998 --> 00:04:06.326
because I might do it, it sounds cool.

00:04:06.327 --> 00:04:09.491
It sounds like a really good idea, doesn't it?

00:04:09.491 --> 00:04:10.709
I mean, there are services out there,

00:04:10.709 --> 00:04:12.313
there are vulnerability scanning services that would

00:04:12.313 --> 00:04:15.848
tell you if something's changed, so you could ask them to tell you that,

00:04:15.848 --> 00:04:17.653
so there's some commercial services like that,

00:04:17.653 --> 00:04:20.158
but nothing I've seen that's exactly focused on this.

00:04:20.159 --> 00:04:30.159
I think that would be quite a cool idea, actually.