Join us on our upcoming BYOP (Bring Your Own Pizza) "Application Security Meetup" to hear about the latest cyber security breaches, trends and technologies in modern application development.
Agenda:
17:00 - 17:10 - Opening words - by Lior Mazor (Organizer)
17:10 - 17:35 - 'Recent cyber security attacks in Israel' - by Lior Mazor (Organizer)
17:35 - 18:00 - 'How to deliver a secure product' - by Michael Furman (Tufin)
18:00 - 18:30 - 'Hacking serverless - Introduction to Serverless Application Security' - by Yossi Shenhav (Komodo)
18:30 - 19:00 - 'Post Apocalypse: Exploiting web messaging implementations' - by Chen Gour-Arie (Enso Security)
3. Agenda
• 'Shirbit' Israeli insurance company security incident
• Chain of events
• Points of failure – self evaluation
• 'SolarWinds' global incident
• Incident analysis
• Correlation – as a corporate and as a vendor
4. ABOUT MYSELF
Lior Mazor – CISSP, CISM, CDPSE
• Leading and managing the S-SDLC and information product security at Amdocs
• B.Sc. Math & Computer Science
• Over 18 years of cybersecurity experience
• Implementing and promoting information security & cyber awareness in various enterprise organizations across the world
• Building enterprise cyber defense methodologies and 'execution practices'
• Expertise in secure development, code review & application penetration testing
• Certified ISO 27001 Lead Auditor
6. Shirbit Insurance Company – Short Facts
• With regards to security, the company chose a "CISO as a service" approach – 2 days a week
• Established officially in 2000 and considered one of the small insurance groups in IL
• The company has ~220 employees based in Israel
• The company won a major IL insurance project, hence holding significant personal data (2005)
• The company holds a cyber security insurance policy by AON (no further details are known)
• The company utilized an external MDR service, not working on weekends, with monitoring abilities only
7. Chain Of Events
29/11 – Active Incident in Place
High-level understanding of the incident by the Shirbit company begins.
1. Social media accounts on Twitter and Telegram opened with the name "Black Shadow"
2. Darknet search for "technical writers"
…
30/11 – Regulation Update
Shirbit notifies the regulators about a potential breach.
1. Shirbit takes down (willingly or not) its website and all other internet-connected servers/applications
2. Examples of stolen data are leaked
…
31/11 – Media Notification
The leakage is reported by the media and published across different media channels.
1. Data examples continue to surface outside, stating the intention and seriousness of the hackers
…
1-2/12 – IR kick in
From operational to technological and other factors, the company actively begins its response.
1. First text message is sent to customers, stating a potential cyber breach
2. The company utilizes and hires external IR teams and aligns with Gov'
…
3-4…/12 – Official Ransom Demand
Black Shadow posts its ransom demand and actively threatens to publish more data.
1. Data continues to be published
2. Shirbit doesn't plan to pay the ransom
3. Data is offered for sale on the darknet
4. Shirbit posts an FAQ and additional SMS sent to customers
8. Partial Facts, Speculation and Assumptions
The details below are taken from OSINT data sources (CrowdStrike, ClearSky, general media channels).
The attack didn't happen overnight – in these types of scenarios, the hacker was able to establish a footprint over the past 2-4 months, then waited for a trigger or worked under the radar to achieve a significant footprint ("living off the land").
What about their security solutions? Very limited ESET AV with no advanced abilities; their DLP software was not configured well.
How were they hacked? From known vulnerabilities never patched on their VPN (Pulse) to security gaps on their OWA (Outlook Web Access) that allowed the injection of a backdoor, and from there – direct access to their backup servers.
Hacktivist, nation-planned attack or cyber criminal – all theories apply; some state that the group never existed before (no prior knowledge) and is an Iranian/pro-Palestinian retaliation.
Some state that during negotiation it seemed to be an IL-based attack (publication of the infosec policy and the origin of the Telegram group's opening).
9. Postmortem Analysis – Points of Failure Self Evaluation!
Phases: Prepare | Detect & Analyze | Contain, Eradicate & Recover | Post-incident activity
Dimensions: People | Process | Tech'
Yet to be seen…
1. No official government regulatory statements
2. 4 'class actions' were already filed
3. Company is already "back to business" and issuing new policies
1. Communication to customers and support is to be improved (minimal FAQ)
2. Ability to evaluate the magnitude of the breach (media based)
3. Major attempts to "pass the risk" that are not taken lightly by the public
1. The company is still under active incident
2. Some minor customer notification improvement
12. 'SolarWinds' – Supply Chain Type of Attack
A different type of attack, not the traditional data leakage or ransomware.
Different actors – this type of attack usually has the characteristics of what is defined as a "nation-based attack", not the traditional type of attack; it is a carefully planned attack involving aspects of espionage, with a completely different scale and impact.
How didn't they find it? It requires maturity around their code, understanding of insider threat and overall security controls to learn about the potential anomaly.
How is this happening? A backdoor in the code, disguised as a dedicated file or feature; it requires inside and internal access to the CI/CD ecosystem.
Look for the weakest link & major footprint – supply chain attacks are different; they focus on getting a major footprint via a weak point. Any type of company that can fall under this category can be targeted.
13. SolarWinds – Supply Chain Based Attack
• Sophisticated way of attack
• Almost impossible to detect (if at all)
• The attackers inserted malicious code into a DLL
• SolarWinds Orion Platform installed
• The backdoor activates randomly between 12 to 14 days after installation
• Attackers ping the backdoor
• Gathering and sending info
• The backdoor runs commands from attackers
14. What can prevent SolarWinds type of attacks?
• As a corporate:
  • Perform SDL (Security Development Lifecycle) and change management processes
  • Map the "supply chain" and most valuable assets
  • Remove default credentials from the vendor installation playbook
  • Ensure conditional access to valuable assets
  • Enable anomaly detection systems
  • Control and audit privileged accounts
• As a vendor:
  • Perform SDL (Security Development Lifecycle) and change management processes
  • Secure the development ecosystem (CI/CD)
  • Digitally sign artifacts (yes, still do it)
  • Peer internal review by R&D
  • Secure the overall corporate environment against rogue actors (corporate accountability)
16. How can you deliver a secure product?
Michael Furman, Security Architect
17. The Legend of SDL
● Steve Lipner – Senior Director of Security Engineering Strategy for Microsoft; key person for the Microsoft SDL
18. What will we cover today?
What is an SDL?
Why is an SDL important?
Sample: Tufin SDL
How can you deliver a secure product?
19. About Me
● >12 years in application security
● >8 years with Tufin – Lead Security Architect
● >20 years in software engineering
● www.linkedin.com/in/furmanmichael/
● ultimatesecpro@gmail.com
● Read my blog
https://ultimatesecurity.pro/tags/presentation/
● Follow me on twitter @ultimatesecpro
● I like to travel, read books and listen to music
20. About
● Market Leader in Security Policy Automation
● Tufin is used by >2000 enterprises
To segment networks and connect applications
On-prem networks, firewalls, cloud and K8S
● We are the Security Policy Company!
21. Journey to our SDL
● Resolving security issues? Easy for me!
● Creating a “security” process? Brand new for me!
● Soooo many things to manage ....
Vulnerabilities discovered by customers
CVEs
Upgrading 3rd-party software
Pen tests
... and all the other stuff I did not yet even know about
● Saved by the SDL!
● No need to reinvent the wheel
Picture is from the “Journey to the Center of the Earth” movie.
22. What is an SDL?
● SDL is the process for developing secure software
● Adds security controls in each development phase
SDL = Security Development Lifecycle
23. History of SDL
● E-mail from Bill Gates
From: Bill Gates
To: every full-time employee at Microsoft
Sent: Tuesday, January 15, 2002 5:22 PM
Subject: Trustworthy computing
● Microsoft shut down Windows development to handle the security issues
● Microsoft SDL
v 1.0 - 2004 (internal)
v 3.2 - 2008 (public)
v 5.2 - 2012 (recent)
…
Security: The data our software and services store on behalf of our customers
should be protected from harm and used or modified only in appropriate ways.
Security models should be easy for developers to understand and build into their applications.
Photo from yahoo.com
24. Why is an SDL important?
Why SDL?
• Helps developers build secure software
• Ensures security is enabled out of the box
• Defines how to respond to discovered vulnerabilities
29. Security Training
● Security awareness training for the development and QA teams
The latest security threats, mitigations, and technologies
OWASP Top 10 best practices
● Security Champions
30. Security Training
● Q: How can a Security Champion be successful?
● Tip: Identify and resolve specific security issues
● Examples of investigations:
Best way for us to handle Content Security Policy (CSP)?
Best way for us to prevent XML External Entity (XXE) attacks?
● Tufin success: OWASP meetup lecture
https://ultimatesecurity.pro/post/xxe-meetup/
32. Security Requirements
● Incorporated into the requirements stage of S/W development
● Why do we want to handle security early?
Allows us to design a feature and to write test plans which incorporate security requirements up front
Saves time for all of us – developer time, QA time, documentation time
33. Design
● Designs of new features are done jointly by both development and security teams
34. Security Requirements & Design
● Q: How can you ensure Dev & QA handle security?
● Tip: Make it easy – create a security checklist
● Examples
New API?
• Make sure the API has proper authentication
• Make sure the API has proper authorization
• Implement input validation
Confidential info not stored as plain text
• Use appropriate encryption or hash algorithms
Confidential info not stored on the client side
Confidential info not sent via the HTTP GET method
…
36. Static Application Security Testing (SAST)
● What is SAST?
● Q: Any benefit in scanning on each commit?
● Tip: Scan at least weekly; daily is the best option
● Your goal: Fix High issues immediately!
37. Software Updates
● All 3rd-party software is regularly updated
● Q: Can I ensure all 3rd-party software is kept up-to-date without a tool?
Open-source 3rd-party software
Commercial 3rd-party software
● Tip: check that recommended upgrades don't introduce new vulnerabilities
● Your goal: upgrade to a version without High or Critical issues!
38. Peer Reviews
● Mandatory for every code change
● Tip: ensure all code changes adhere to security requirements
Passwords are not stored in plain text
Passwords are not stored on the client side
…
40. Internal Security Scans
● What are Internal Security Scans?
● Q: Any benefit in scanning on each commit?
● Tip: Scan at least monthly; depends on your release cycle
● Your goal: Fix High issues immediately!
41. Internal Security Scans
● Qualys SSL Labs Report – free service
https://www.ssllabs.com/ssltest/
● Tip: Ensure you check the "Do not show the results on the boards" checkbox
43. Dynamic Application Security Testing (DAST)
● What is DAST?
● Q: Any benefit in scanning on each commit?
● Tip: Scan at least monthly; depends on your release cycle
● Your goal: Fix High issues immediately!
45. External Security Tests
● Why External Security Tests?
● Tips:
Scan at least annually
• Best with each major release
Ensure you create a valid test scope that covers all areas
• WebApp
• Infra
Ensure an External Test is added to the R&D calendar
● Your goal: fix High issues immediately!
Coordinate a retest after your fixes
47. Vulnerability Response Policy
CRITICAL – A patch will be made available as soon as possible
HIGH – A fix will be included in the upcoming release
MEDIUM – A fix will be included in a future release
LOW – A fix may be included in a future release
NOT VULNERABLE – Nothing to fix
48. Vulnerability Response Policy
● Define a vulnerability response policy and document it
● Tip: the policy should be approved at the corporate level
It affects sales, support and development
49. Rolling out an SDL
● First phase (minimal SDL)
Vulnerability Response Policy
Internal Security Scans
• Qualys SSL Labs Report
Software Updates
• Using a tool
● Second Phase
External Security Tests
● Third phase
SAST
● Fourth phase
DAST
50. Rolling out an SDL
● Ongoing
Security Requirements & Design
Security Training
Security Champions
Peer Reviews
● Further improvements
https://www.microsoft.com/en-us/securityengineering/sdl/practices
…
51. Selecting a tool for any SDL phase
● Perform a POC
Define requirements very well before the POC
● Tools can be commercial or open source
● Tools from the same provider are not essential
52. How can you deliver a secure product?
● Start to roll out an SDL in your organization
● Improve SDL on a regular basis
53. Takeaways
SDL – the framework that ensures secure software
Roll out an SDL
... and follow it!!!
You will deliver a secure product!
79. Conclusion
Application-level vulnerabilities are here to stay – write secure code
Misconfiguration of permissions in a serverless application may result in attackers taking over the entire cloud environment
Serverless architecture provides improved security over traditional web architecture
83. Enso.security
Application Security Virtual Meetup 2021 – Live in Tel Aviv, Israel
Chen Gour-Arie, Chief Architect, Enso Security
Have been breaking & building all sorts of applications since 2004
Exploiting cross-document messaging
86. Enso.security
Cross document messaging – Functional Flow
Any window in the document hierarchy can send a message to any other document. The "message" event will be triggered on the receiving window.
Diagram: Sender window → Sender document → Sender script → (cross-document message) → Receiver window → Receiver document → Receiver script
98. Enso.security
Conclusion
Cross document messaging weaknesses are:
● By default, windows can send data to each other.
● On the receiver script, there is no default authorization check.
● Sender scripts can publish data without restrictively choosing the recipient.
To avoid these, we must spot implementations and test them!
99. Enso.security
Conclusion
For engineers – safe use of cross document messaging
● Use XFO/Cross-Origin policies to avoid talking to unwanted origins.
● Send to explicit targets only, as in postMessage(message, [explicit target origin]).
● When handling messages, always check event.origin, but beware of regex bypass techniques.
To avoid these, we must spot implementations and test them!
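The receiver-side origin check and the explicit-target send from the two conclusion slides, and the "message" event flow described on the functional-flow slide, as an added example (not code from the talk or from Enso Security): a loosely anchored regex check that a look-alike origin slips past, beside an exact allowlist match, and a sender that pins its target origin. It runs under Node with constructed MessageEvent-like objects; the origin "https://app.example.com" and the function names are assumptions.

```javascript
// Added example: weak vs. strict event.origin checks for a postMessage
// receiver, plus a sender that names its target origin. In a browser the
// handler would be registered with window.addEventListener("message", ...).

// Loose regex of the kind the slide warns about: anchored only at the start,
// so any origin that merely begins with the trusted host is accepted.
// "app.example.com" is a constructed, hypothetical origin.
const WEAK_ORIGIN_RE = /^https:\/\/app\.example\.com/;

function isTrustedOriginWeak(origin) {
  return WEAK_ORIGIN_RE.test(origin);
}

// Strict check: exact string comparison against a fixed allowlist.
// No regex, no startsWith, no indexOf, no wildcard.
const TRUSTED_ORIGINS = new Set(["https://app.example.com"]);

function isTrustedOrigin(origin) {
  return TRUSTED_ORIGINS.has(origin);
}

// Receiver side. Returns the decision instead of acting on it so the logic
// can be exercised without a browser. Origin is checked first; the payload
// shape is validated even when the origin is trusted.
function handleMessage(event, checkOrigin = isTrustedOrigin) {
  if (!checkOrigin(event.origin)) {
    return { accepted: false, reason: "untrusted origin: " + event.origin };
  }
  if (!event.data || typeof event.data.action !== "string") {
    return { accepted: false, reason: "malformed message" };
  }
  return { accepted: true, action: event.data.action };
}

// Sender side: the second argument pins the recipient origin, so the browser
// drops the message if the target window has navigated elsewhere.
// targetWindow is any object exposing postMessage(message, targetOrigin).
function sendToApp(targetWindow, message) {
  targetWindow.postMessage(message, "https://app.example.com");
}

// Constructed sample events: the genuine partner and a look-alike origin.
const fromPartner = { origin: "https://app.example.com", data: { action: "refresh" } };
const fromLookalike = { origin: "https://app.example.com.evil.test", data: { action: "refresh" } };

console.log("weak check, look-alike accepted:", handleMessage(fromLookalike, isTrustedOriginWeak).accepted);
console.log("strict check, look-alike accepted:", handleMessage(fromLookalike).accepted);
console.log("strict check, partner accepted:", handleMessage(fromPartner).accepted);
```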