Friday, September 13, 2019 • 10:30am - 11:15am • Lincoln 5
Keys Under Doormats: Problems and Solutions for Securely Storing Credentials in Web Applications

Encryption keys and passwords are truly "keys to the kingdom." Acquiring them allows attackers to open all kinds of doors, and yet developers are often careless about how they handle them. We often see passwords and keys hard coded in the application source, stored with minimal obfuscation in configuration files, and in plaintext in databases. As a result, they fall victim to reverse engineering and software vulnerabilities such as Path Traversal, XXE, Local File Inclusion, and others.

To help illustrate these risks, we review the most common methods of storing credentials in an application and discuss best practices for storing them, such as using keystores.

Once your secrets are properly secured, however, there is an important remaining issue: how do you secure the Master Key? The security of this "key that secures other keys" (often referred to as the Key Encrypting Key or KEK) is critical to the security of the system. Would it not be vulnerable to the same issues we just tried to solve for keys and passwords? In our presentation we discuss preferred ways of securely storing KEKs, from hardware to software, and their relative costs.

We propose several low cost ways for storing KEKs that any application can afford to implement, including what we believe is a novel approach that is resistant to remote attacks up to and including path traversal vulnerabilities where the attacker can obtain the contents of all relevant files. We then conclude by offering our open source library that helps to achieve that.
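The KEK layering described above, as an added illustration that is not the speakers' library or code: application secrets are encrypted under a random data-encryption key (DEK), the DEK is wrapped under the KEK, and only the wrapped DEK and ciphertexts are written to the configuration file. The `Protect` and `Reveal` functions, the `EncryptedConfig` type and the sample secret values are assumptions of this example. An attacker who reads the whole file (for instance via the path traversal or LFI bugs the abstract lists) gets nothing usable without the KEK, which is exactly why the KEK's own storage is the remaining problem the talk addresses.

```go
package main

// Added example: envelope encryption with a KEK wrapping a DEK (AES-256-GCM).
// This is illustrative code, not the speakers' open source library.

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// EncryptedConfig is the only thing written to disk. Every field is useless
// without the KEK, which must live elsewhere (HSM, OS keystore, KMS, ...).
type EncryptedConfig struct {
	WrappedDEK []byte            // DEK encrypted under the KEK
	Secrets    map[string][]byte // secret name -> ciphertext under the DEK
}

// NewKey returns 32 random bytes, suitable as an AES-256 KEK or DEK.
func NewKey() ([]byte, error) {
	k := make([]byte, 32)
	_, err := io.ReadFull(rand.Reader, k)
	return k, err
}

// sealGCM encrypts plaintext under key; the random nonce is prepended to the
// ciphertext so each blob is self-describing. aad binds the blob to a context.
func sealGCM(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// openGCM reverses sealGCM and fails on any tampering or wrong key/aad.
func openGCM(key, blob, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, aad)
}

// Protect generates a fresh DEK, encrypts each secret under it (with the
// secret's name as AAD so entries cannot be swapped), and wraps the DEK
// under the KEK. The plaintext DEK never leaves this function.
func Protect(kek []byte, secrets map[string]string) (*EncryptedConfig, error) {
	dek, err := NewKey()
	if err != nil {
		return nil, err
	}
	wrapped, err := sealGCM(kek, dek, []byte("dek"))
	if err != nil {
		return nil, fmt.Errorf("wrap DEK: %w", err)
	}
	cfg := &EncryptedConfig{WrappedDEK: wrapped, Secrets: map[string][]byte{}}
	for name, val := range secrets {
		ct, err := sealGCM(dek, []byte(val), []byte(name))
		if err != nil {
			return nil, err
		}
		cfg.Secrets[name] = ct
	}
	return cfg, nil
}

// Reveal unwraps the DEK with the KEK and decrypts one named secret.
func Reveal(kek []byte, cfg *EncryptedConfig, name string) (string, error) {
	dek, err := openGCM(kek, cfg.WrappedDEK, []byte("dek"))
	if err != nil {
		return "", fmt.Errorf("unwrap DEK: %w", err)
	}
	ct, ok := cfg.Secrets[name]
	if !ok {
		return "", errors.New("no such secret")
	}
	pt, err := openGCM(dek, ct, []byte(name))
	if err != nil {
		return "", fmt.Errorf("decrypt %q: %w", name, err)
	}
	return string(pt), nil
}

func main() {
	kek, _ := NewKey() // in practice: loaded from an HSM/keystore, never from this file
	// Constructed sample secrets.
	cfg, _ := Protect(kek, map[string]string{"db_password": "example-only"})
	pw, err := Reveal(kek, cfg, "db_password")
	fmt.Println(pw, err)
}
```

Rotating the KEK only requires re-wrapping the small `WrappedDEK` blob, not re-encrypting every secret, which is the practical payoff of the two-tier design; the example does not show where the KEK itself is kept, because that is the open question the talk sets out to answer.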

Dmitriy Beryoza

Senior Security Researcher, Vectra AI
Dmitriy is a Senior Security Researcher at Vectra AI. He spent over 25 years of his life building software before realizing that breaking it is much more fun. :) Dmitriy is passionate about all things security, with a particular interest in web and binary exploitation, reverse engineering...
Ron Craig

Program Manager for IBM Security's Secure Engineering and Incident Response, IBM
Ron works to help bridge the gap between security knowledge and practice. His passion is educating developers and business leaders in why secure engineering is important and how it affects all our lives. Ron has over 30 years of experience in development and engineering. His interests...
