About this Episode:
Has COVID-19 impacted your security testing efforts? In this episode, security expert Adhiran Thirmal shares his thoughts on security testing, Covid-19, OWASP, and more. Listen up and find out more about changes to OWASP for 2020 and beyond and how you can help.
TestGuild Security Testing Exclusive Sponsor
Micro Focus Fortify is the recognized market leader in application security and is the most comprehensive and scalable application security solution that works with your current development tools and processes. Try it today
About Adhiran Thirmal
AppSec Professional based out of Vancouver, BC, Canada
Connect with Adhiran Thirmal
- Company: Micro Focus
- Website: www.fortify.com
- LinkedIn: adhiran
Full Transcript Adhiran Thirmal
Joe [00:01:30] Hey, Adhiran! Welcome to the show.
Adhiran [00:01:33] Hey, Joe. How's it going? Great to be back with you here today.
Joe [00:01:36] Awesome. Awesome to have you back. So before we get into it, is there anything more you want to tell the Guild about yourself that I may have missed, what you've been up to since last time we spoke?
Adhiran [00:01:44] Yeah. The last time we spoke was when the whole Covid-19 was just kicking off. And yeah I have just been kind of stuck at home ever since. A few restaurant visits while that was open, but it looks like we're starting to hunker back down. So, yeah, I'm just getting ready for a long winter. I guess that's the way I want to describe it. How about you, Joe?
Joe [00:02:04] Yeah, yeah. I've been really busy, actually. It's funny how things changed along with the things that are going on. Not necessarily better, but different. So you just have to adapt, I guess. So speaking about adapting, you know, it's been like a few months now since Covid has been around, and looking back on maybe where we talked. We were saying before, we really got deep into Covid and how it impacted companies. Have you seen any impact on security since then that you thought, well, I didn't realize this would have a…this type of impact on this type of security of this type of company?
Adhiran [00:02:38] Yeah. No, definitely. The weirdest one, the most interesting thing that I've seen kind of crop up is insider threat. So it's really interesting because when we were all in the office, you would have a lot of eyes on you as you were doing things. So typically, you know, you'd have your manager just around the corner, you might have your manager's manager, you have coworkers. And ultimately there's a lot of eyes on what you're doing. But now that we're all working from home, there is no one that can really peek over your shoulder and see what you're up to. And it's been interesting because there's been a number of insider threat-related data breaches. Most recently, actually, Shopify had nearly 200 of its stores get attacked. And the way that they were attacked was ultimately two Shopify employees leaked the data from those stores out towards the public. And ironically or oddly enough, one of the stores was Kylie Jenner's makeup store. And she's got quite a big Instagram and Twitter following. So when you're thinking of the mean girls influencers, Kylie Jenner is definitely one of those. And so you don't really want her tweeting or Instagramming about the negative aspects of your organization. And I feel bad for Shopify for having to go through that. But they did a good job of handling it. They've reported it, told all the various merchants that were affected, brought in law enforcement as appropriate. But insider threat, that's a tough fight with Covid-19.
Joe [00:04:13] Yeah, I was going to say, I mean, even without Covid-19, it's almost like unavoidable, almost. I don't know. Are there controls you can put in place to completely eliminate it, or will there always be social engineering where people are going to be able to get insider type of information?
Adhiran [00:04:29] So ultimately, it's always defense in depth. So it's just kind of like your front door. You always have the opportunity to leave your front door completely open and anyone can kind of walk in. But even if you don't lock your door, even if you just close your door, it kind of deters people from coming in. And then if you take some of those next steps, you might put one lock, you might put 20 locks. It's all up to you there. But very similarly, when it comes to insider threat, you can have a number of different deterrents and a number of different mechanisms to help you prevent it. I think the biggest of them has got to be logging. So ultimately, looking at what sensitive items your employees are looking at, what sensitive items your employees are doing, and logging those. And then the big next step on top of that is reading those logs and then taking some more automated action on those logs. So if you have, you know, whether it be a script or whether it be a more comprehensive tool that will actually go in and trigger a specific sequence of events if something happens. So, you know, if you have an employee that goes into your sensitive accounting data and it happens to be one of your developers, I think you have to raise the alarm. Why is the developer there? And you might want to take some corrective actions and ideally just stop the developer from being in that spot. So kick off their connection. And I think that's a little bit easier to do now as we're all on VPN. It's just a matter of toasting that VPN connection and all of a sudden the employee can't do anything else; they don't have connectivity into that specific spot. So lots of different ways to approach it. But you've got to think back towards locking that door, so you can leave it wide open or you can put a bunch of locks on it. So it's all up to you.
Joe [00:06:14] Absolutely. And I guess there's a lot of things that are in your logs, but there's so much of them that it's hard to know when to parse them or what's a real issue. So any strategies for that? Are there new tools to just turn on, like Splunk, and then, you know, put in a dashboard? How do you monitor logs in general for security issues?
Adhiran [00:06:31] Yes. And so it's interesting, even with a tool like Splunk, ultimately, it's really geared towards helping you read those logs. It's really helping you kind of capture those logs. There are a number of different tools that are more in towards kind of this area called SOAR, and it's this idea of automated response. And ultimately there are…there's a huge variety of those. The easiest approach, though, is ultimately creating scripts. So being able to actually take decisive action based on activity that you're seeing. And there's a number of vendors that support this. And you can go even as low down as your firewalls, and a lot of firewall vendors do have capabilities and they have some mechanisms in place to allow you to be able to prevent attacks. So, you know, if you see someone going into a distinctly unique area of your network, your firewalls could take decisive action. And so you can obviously expand that up. And if you have some better tooling out there to capture better data, that's always awesome. So if you have more of those, like PSIPS devices, that's always perfect. But then on the automated response side of things, if you've got some better capabilities in there for you, you can tap into things like the buzz word of the day, machine learning, and artificial intelligence and be able to actually understand what an attacker looks like at that specific point in time, because as you and I both know, security changes by the second. And so what you knew when you might have deployed those firewalls might not necessarily be true today. So being able to have capabilities and tools that are constantly changing with the times, that's the way to go. But, yeah, there's a number of different approaches. And it's a really tough nut to crack. I think there's a whole lot of multi-million dollar companies and multi-million dollar products that are trying to do it. So any one of those, I'm sure, will definitely out.
Joe [00:08:26] Yes. So this show, I think, more gets towards beginners. So anytime I hear something about creating your own scripts. Is that a common thing? People creating their own homegrown type of solutions? And if so, is there a common language that usually lends itself to be easier to do this type of activity? Like I know I was kind of surprised to talk to another security expert and they're really up on PowerShell. Other people like C, other people like Python. Does it matter or is it just a preference?
Adhiran [00:08:54] It's interesting. I don't think you necessarily always get the choice to pick any language in the box. I think it's really dependent on your actual infrastructure. So for those PowerShell users, they're probably on either Microsoft Azure or they've got a number of different Windows text infrastructure. If you've got more of a Linux type of an environment and you've kind of got your own homegrown environment, you know, you might have the ability to use things like Python, Perl. But if you are using another cloud provider, you might be on the hook in terms of leveraging their own API. And so, for example, with Amazon and Google, there are a number of different APIs that exist within those environments. And then those APIs are only addressable through specific languages. You kind of are at the whim of those providers. But yeah, it's a little bit of choose your own adventure, a little bit more constrained than that.
Joe [00:09:52] Cool. And I know we've been talking about Covid-19 a lot. But you know, you brought up something. And once again, I've never worked on a security team. I always thought of security as being a lone wolf. So I mean, does Covid-19 really impact teams' ability to really create better secure software because they're not all together in the same room, or does it matter? Is it just like any other type of Agile type project?
Adhiran [00:10:15] It's a big challenge with Covid-19, with not having people right beside you. When it comes to security, one of the tough things is there's always this air of secrecy with a lot of what's going on, especially as you are being attacked. I know prior to Covid-19, you have the ability to round up the people that you need into a room. You can close off that room and no one else can really hear what's going on. Just in case the attacker can somehow get a hold of that information, you're able to really kind of lock things down versus now with Covid-19, we're all in unique environments and we can't bring ourselves in testing over it anymore. So you're at that whim again of different communication channels and being able to maintain their secrecy. But even beyond the secrecy, even if that wasn't there, I think security suffers from the same, you know, problems that Covid-19 has created for offices and organizations, you know, and all walks of life. Ultimately, you've got to deal with a brand new communication mechanism, right? Of being completely virtual. And it's something that we're all dealing with. We're not perfect at it by any means. I think now we're about seven months, eight months into the whole of Covid-19. Maybe a little bit longer for certain regions. And we're starting to get understanding and a good feel for what communication looks like in this new normal that we're in. But I think there's always new challenges and new things to kind of face with that. So I think Covid has been tough for security in communication.
Joe [00:11:49] Absolutely. So now I want to pivot a little more into OWASP Top 10. And I think you mentioned some of the OWASP Top 10 2020 and beyond. Now, does the top 10 ever change? I've been looking at like the top 10 for a while and it seems like these attacks are always the same. Unfortunately, it doesn't seem like we ever find solutions that people realize that they should be hardening their systems against it, like SQL injection. So a little thoughts for people that don't know, for us, what is OWASP? Then maybe we can dive into maybe OWASP Top 10 and maybe did it change at all with Covid, or is it the same, or are there new attacks because of Covid that you see happening more and more that people need to know about in the new year coming up?
Adhiran [00:12:30] For sure. Yes, so we're starting off with OWASP itself. So OWASP is an organization that's out there to provide more information about application security. So it is an open-source, centralized body that is supported by organizations around the world and individuals from around the world. And ultimately, it is a group of professionals, ultimately. And so you have the ability as an application security engineer, manager, practitioner, you have the ability to join OWASP to get more information. And OWASP itself does take great pride in publishing a lot of information just publicly. The OWASP Top 10 is probably the most famous of them all, and there are some unique variants for that OWASP Top 10. There are some mobile-specific top 10s and there are some more top 10s for other areas. But generally, we're always talking about the web application based OWASP Top 10. And it has gone through actually quite a number of different iterations. And so the latest one that exists currently was the one that was created in 2017. And by that I mean the data that's underneath the OWASP Top 10 2017 was captured in 2017 and prior to that. And actually, there were some changes in 2017 with the prior version, which was the OWASP Top 10 2013. And so the biggest change was primarily there is this insecure direct object references, which ultimately kind of got broken up. And it also merged with the missing function level access control. And so in the OWASP Top 10 2017, there is this idea of broken access control. So it's the fifth item in there. It's A5. And so that really combines the previous insecure direct object references and the missing function level access control, and both of the previous A4 and A7, they just disappeared out of the OWASP Top 10 and got merged obviously. The other big one, too, is cross-site request forgery. So that got completely knocked off of the OWASP Top 10. It's there kind of in theory.
So there is kind of this idea within cross-site scripting that ultimately you could use cross-site request forgery as your end mechanism that you want to get towards with cross-site scripting. So it's kind of there, but it's not in the top 10 at all. It's not directly called out. The other big one, too, is unvalidated redirects and forwards. So that has completely been eliminated off of the OWASP Top 10 in 2013. And in 2017, there are two brand new items, actually, sorry, I should say there are three brand new items that were introduced. The very first one is something called XML external entities, and this is…this XXE attack itself is related towards XML having extra pieces of data that you can go in and actually capture and go in and actually exploit. And so it goes back towards poorly configured XML and the X role, external references that exist within your XML. And so there are a number of attacks that can result from this, and primarily it could be remote code execution, denial of service, or even just more port scanning and just kind of identifying what you have in your environment. The insecure deserialization, A8, is a new one that also came out in 2017, and insecure deserialization is around remote code execution as well. And so ultimately, you have the ability to replay attacks, injection attacks, and escalation attacks through that deserialization. And the last one that came out, too, is insufficient logging and monitoring, and we touched on that a little bit earlier. In terms of…with Covid-19, if you don't have sufficient logging and monitoring, you ultimately are at the whim of attackers. So that's a little bit of a mouthful, but yeah. So that's kind of what changed with 2017 versus 2013. And definitely what I wanted to chat with you about is there is a call to action within OWASP Top 10 2020. And what that really is calling for is more data. Right now it is open and OWASP, as an organization, is looking for contributions.
Contributions will close on November 30th, 2020. But we, the OWASP organization, is looking for data from 2017 to the current time. And what they're going to do is sift through that data and be able to create a new OWASP Top 10 to figure out what are the things that have changed, what are the things that are still the same. And ultimately, refresh that for more of a modern day.
Joe [00:17:32] So I guess how does that work? Is it just people saying yeah I had this exploit? Well, a lot of people have this exploit. Is it more scientific than that? Is it…do you actually check all like government data and say, oh, this actually was a common attack since 2017 that we need to add to the list?
Adhiran [00:17:47] It's very, very scientific. And I'm not the greatest data analysis person. So I can't really go into the specifics. But it is very, very scientific. OWASP, being a very open organization, completely makes it transparent in terms of how they're calculating the top 10. And ultimately, it's not up to a specific organization just kind of calling out, hey, OWASP, make sure this is kind of on the list. They are going to be looking across organizations, across regions, across industries. And as you mentioned, the public sector versus the private sector, ensuring that vulnerabilities exist across the board there. And so there's a lot of different things to consider. The most primary of those, though, has got to be language when it comes towards development. So very similar towards what we chatted about there a little bit earlier in terms of how do you kind of automate your actual scripts. When it comes towards identifying security flaws, it's really different in Java versus JavaScript versus Golang, right? So it's really kind of dependent on language. And the OWASP Top 10 is across all languages in theory. So I think realistically, what that means, though, is if there is more data that's being submitted that's on Golang, on Ruby, on brand new languages that are emerging, then those are going to be captured more so than languages that were maybe potentially older. So I'm not sure exactly how many submissions we're gonna have in 2020 that are going to be on C. But I can definitely assure you there's a lot more in 2017. Way more in 2013 and even more in 2010. So I think that it does change over time and the data hopefully reflects that.
Joe [00:19:33] So what do you mean by submission of data? What kind of data are you all looking for that people could submit?
Adhiran [00:19:38] Yeah. And so primarily the OWASP organization is looking for metadata related towards vulnerabilities that were identified. So what was the testing mechanism that you might have done to be able to capture that specific finding? So did you use a specific tool? And, you know, at the top of the program we talked about Micro Focus's Fortify tool, and there are a number of other tools that are out there that could help you identify those vulnerabilities. But there might also be just in-house type testing that you have. So through that mechanism, what did you find? And then, you know, when was it found? What's the time period for it? How many applications did you test across your organization? And how many times did this specific vulnerability crop up? And then, you know, other things around what's the language that was used? What's the geographic region that actually captures that vulnerability? And what's your primary industry as an organization? Are you a software company? Are you a finance company? Are you a manufacturing organization? And OWASP actually just calls this out in their data structure section of the 2020 data analysis plan. So it's definitely there, wide open for people to go in and take a look at. But I would say, please, please, if you have vulnerability data, definitely consider contributing to the OWASP organization. Again, this is anonymized such that OWASP isn't going to go out and actually publish this data publicly. They are just looking for that metadata to be able to go in and create a brand new version of the OWASP Top 10.
Joe [00:21:13] Now, I know there's a lot of different OWASP Top 10. There's one for web application security. There's one for mobile. So is it for all top 10s that they're looking for or just web application security risk?
Adhiran [00:21:24] The primary focus of this collection is web applications. But from my understanding, if you do have mobile apps, if you do have other applications, definitely you can submit them into this mechanism. It's probably one of the bigger ones that OWASP does have. I think they will have some more targeted data capturing mechanisms that will be out there for specific OWASP Top 10s. But this is probably going to be their primary one. So if you do have unique environments, things like IoT might be a really interesting one. I'm kind of curious if people do have IoT-related vulnerability data, and this might be a spot in which you can submit it to try and poke OWASP to create that OWASP Top 10 for IoT environments. Then there might be some others out there as well. So definitely submit the data. But I think the focus is on web application.
Joe [00:22:16] I know you said it's very scientific. So this is probably not a good question. But is there anything that you think should be on the list? And I've been speaking to a few people. They keep bringing up AI data poisoning, which I didn't know is a thing, but apparently, it is. So anything you think should be added or, you know, especially in 2020, with AI machine learning growing or anything you think should be taken away? Or is it just, you know, not really up to you, you need to see the data?
Adhiran [00:22:40] Yeah. So definitely I can't really make the call until the data is there, but I've got a few speculations. And definitely, when it comes towards…your…the AI data itself, it's interesting because ultimately if you do go back towards data integrity, it's something that really was pertinent way back when, and I feel as though things are kind of cyclical. I feel like we will go back towards that data integrity aspect being really important. And you're going to see across many organizations around the world, there's going to be more security data lakes. And so if you flood those data lakes with invalid data, you're ultimately going to prevent your organization from being able to take appropriate actions, being able to understand what's actually going on. And it's interesting, though, because flooding that AI dataset, whether it be a data lake, whether it be a specific database system that's out there, you are typically going to use one of the other OWASP Top 10 type attacks to get that data there. But I think it is worth calling out data integrity for sure. The other one, though, that I think is going to be really applicable for the OWASP Top 10 is this idea of least privilege. It's one of those table stakes core tenets within security, and especially as we've come towards Covid-19, as we've all moved to working from home. This idea of least privilege is just becoming more and more prominent. One of the interesting things that I think has transpired within applications over the last five to 10 years is applications have gotten much smaller. You know, 2010, we had a lot more monoliths out there versus right now we've got some applications that might only need to run for five seconds, 10 seconds. And so they are much smaller, very thin slices of what needs to get done.
And I think that's a really good mechanism when it comes towards least privilege, because if you have to do something, you can actually do it in a little 10-second slice and then shut that entire application off for the rest of the time. If it's off, you know, an attacker can't go in and exploit it. It's not there to be flooded with denial of service attacks or be flooded with, like, false data with injection attacks or anything like that. I think least privilege is going to be huge. And there is this idea of broken access control with A5. And it does really talk to the idea of least privilege. But I feel as though least privilege is going to be a little bit more than that. It's going to get into towards how long your application is going to be running for, and then also your network design. I think over time, the OWASP Top 10 has moved really far away from this idea of like network segmentation and network focus and specialization, like where you keep the things that you need in a very specific, secure zone and you really control the access. So we go back to that Shopify attack. Was the data that those employees accessed really necessary for their day to day job? And I can only speculate because I haven't seen the data and I don't believe Shopify will ever release this. But I'm going to speculate that that data is probably not very useful for the day to day life and or for their day to day work. And they shouldn't have had access to that data anyways, right? So just removing that access completely is going to be huge, and just really thinking through, does an individual need that access? Does that individual need to be able to go to that specific network zone?
And I think you are going to see a little bit more of that, because when it comes to injection attacks, when it comes towards cross-site scripting, ultimately I feel as though if you do have some control mechanisms in place around least privilege, your injection attacks and your cross-site scripting attacks are going to be a little bit less fruitful from an attacker perspective.
Joe [00:26:27] Now I'm curious, you just mentioned there about Shopify, you don't think they would release it. So does that impact the results of the OWASP Top 10? I know you said it's anonymized. But are there a lot of companies actually like, I'm not even going to report it? So there may be a lot of things missing from OWASP Top 10 because people are just secretive about their security exploits, I guess, or security leaks or issues.
Adhiran [00:26:51] And that's a really good question. And I should clarify, ultimately, when it comes to organizations within Canada, within Europe, within a lot of countries around the world. California specifically as well has just created their CCPA. And so what a lot of those mechanisms are out there for is for organizations to report to law enforcement, to public bodies that an attack has actually occurred, and ultimately to inform the consumer who has been affected that their data has been leaked. A lot of times when we kind of think about it, a lot of organizations have been attacked. I was actually just listening to General David Petraeus this morning and he talked about this idea of there are only two types of organizations. There are organizations that have been hacked and then there are organizations who've been hacked and don't know it. And what ultimately a lot of these mechanisms, new laws, are out there to do is to go to those second groups and make them look through their data to see if they have been attacked, and if they have, to go and report it. And I think you've seen more and more of that, especially after the onset of GDPR. We've had some organizations come out and talk about breaches and talk about long term attacks that have resulted in data coming out. And so I hope that means that the organizations will report it, but they won't necessarily report it publicly for any consumer to understand what's going on. They ultimately don't want to necessarily…it gets glamorized, those specific attacks, glamorize the attackers themselves. So I think it's a tough balance. But you do not, you definitely don't want to necessarily bring those attackers into the limelight such that there'd be more attackers kind of encouraged to do that. When it comes to OWASP Top 10, definitely I do hope Shopify and other organizations around the world consider sending their vulnerability data over.
It's interesting because the OWASP Top 10 with this data collection, they're not necessarily looking for exploits that have actually been attacked. It's just vulnerability. So what are the weaknesses that are out there? It's great if you do have legitimate attacks that have occurred and especially if those have been cleaned up. I think that could definitely help with the data collection itself. But there's actually not even a mechanism within there, the OWASP data structure to determine whether or not a vulnerability has actually resulted in an attack or not like a successful attack or not. Definitely, something that you can maybe attach into the metadata and call out. And hopefully, that can be something that the OWASP organization and community can look towards for the next top 10 data collection.
Joe [00:29:37] I know we talked about OWASP for a while and I make, we make assumptions everyone knows what it is and how to use it. So if you work for an organization, if you're a security professional, how can you get the best of, the most out of using OWASP Top 10? As an organization how would you approach it?
Adhiran [00:29:51] Yeah, so the big thing with the OWASP Top 10 is it's a training mechanism. It's a training tool. So if you have a brand new developer that has just come out of college or if you have a brand new developer that's just come out of a development boot camp, security might have been a small topic of conversation, but it's not something that has been drilled home. And the OWASP Top 10 is a great mechanism to use as a brand new employee or even as a seasoned developer who wants to learn more about application security and security in general. It's a great mechanism that's there to talk about these are the common attacks that we've seen. These are common vulnerabilities that we've seen and this is how you go out and actually remediate and fix them. So within the OWASP Top 10, it is a very long document. But there is a lot of good data around how do you fix these vulnerabilities and how do you prevent them from occurring in general. And so it's a great training tool. So if you've got that brand new dev who's just joined your organization, you might want to set aside a day for them to go through the OWASP Top 10. There's a lot of great organizations that have made this content a lot more consumable. There's good YouTube videos out there and there's just great training material. So if you can consume that and get that towards your new hires, your entire organization will be safer for it.
Joe [00:31:10] Awesome. Okay, Adhiran, before we go, is there one piece of actionable advice you can give to someone to help them with their OWASP security testing efforts? And what's the best way to find and contact you?
Adhiran [00:31:20] For sure. And so the best way to contact me, let's tackle that one first, is either through Twitter or through LinkedIn. It's Adhiran Thirmal. If you look up my name I'm usually the only one. If there's more than one, it might be someone trying to steal my identity. So let me know. I'll take a look. But when it comes to the OWASP Top 10, one big thing that I want to talk about is to make it actionable. You don't want to necessarily boil the ocean by trying to tackle all 10 of the OWASP Top 10 items. You might really just want to pick one, maybe two, and hone in and focus in on those. So a lot of organizations that I've seen look at the OWASP Top 10 for the very first time, injection A1 or A7 cross-site scripting are typically the two big ones that I've seen where an organization just goes, we are really bad at this and we should create some new programs and new training, some new mechanisms to be able to go out and just squash those attacks. And so I would just pick one or two of these and really just focus in on that, because your program is going to get really good, really fast. And then you can start adding in more of the OWASP Top 10 items. And there is, you know, more attacks out there. These are just things to allow your organization to focus and it's not, you know, a one size fits all. Also, you know, maybe A10 insufficient logging and monitoring, although it seems like it's the last item, it might be the first one for your organization. So not a one size fits all. Just pick one or two and just tackle away from there. And yeah, definitely reach out to me if you have any questions with your journey, and definitely poke your security team if you do have one in-house, because I'm sure they've got a lot of good opinions and a lot of good advice for you when it comes towards OWASP Top 10.