Finding Zero-Days Before The Attackers
A Fortune 500 Red Team Case Study
Shannon Leitz, DevSecOps Leader
Chetan Conikee, Founder/CTO
Visual Reasoning with Graphs
Planning your trips with Maps
How engineers reason about code
When code is deployed in production
How attackers use graphs
Your code as a graph!
Why are graphs interesting?
How can we represent source code as a graph?
What can we learn from a source code graph?
Data Modeling using graphs
Code Property Graph
A new representation built by combining three existing representations:
- the standard Abstract Syntax Tree (AST), specific to the grammar defined by the programming language,
- the Control Flow Graph (CFG), which represents the order in which statements are executed depending on conditions, and
- the Data Flow Graph, which tells us how variables are initialized, transformed and dispatched by statements.
Code Property Graph (CPG)
[Diagram: source code or byte code is translated into a Code Property Graph; a semantic tagging overlay then labels nodes as source, sink and transform data.]
- SQL Injection
- Data Leak
- and more complex models ...
Modeling vulnerabilities using CPG
IO_FLOW = SOURCE (HTTP) -> TRANSFORM (SQL_STATEMENT) -> SINK (DB)
IO_FLOW = SENSITIVE (VARIABLE) -> NO_TRANSFORM -> SINK (LOG) & SINK (HTTP)
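The two IO_FLOW lines above are path patterns over the tagged graph. As an added example (not code from the deck, ShiftLeft or Joern), the following Python builds a small stand-in for a CPG in which each statement node carries semantic tags and edges are data-flow edges, then matches the SQL-injection and data-leak patterns against every data-flow path. The graph contents, the tag vocabulary and the sample statements are constructed; NO_TRANSFORM is interpreted as "no TRANSFORM:* node anywhere on the path", which is why the masked copy of the SSN produces no finding.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Tuple

# Toy stand-in for a CPG: each node is one statement carrying semantic tags
# (the "semantic tagging overlay"); edges are data-flow edges between statements.
# Constructed for this example; not ShiftLeft's or Joern's data model.


@dataclass(frozen=True)
class Node:
    id: str
    code: str
    tags: FrozenSet[str]


@dataclass
class CPG:
    nodes: Dict[str, Node] = field(default_factory=dict)
    flows: Dict[str, List[str]] = field(default_factory=dict)

    def add(self, node_id: str, code: str, *tags: str) -> None:
        self.nodes[node_id] = Node(node_id, code, frozenset(tags))

    def flow(self, src: str, dst: str) -> None:
        self.flows.setdefault(src, []).append(dst)

    def paths_from(self, start: str) -> List[List[Node]]:
        """Every simple data-flow path of two or more nodes starting at `start`."""
        found: List[List[str]] = []

        def walk(path: List[str]) -> None:
            for nxt in self.flows.get(path[-1], []):
                if nxt in path:          # guard against cycles (loops in the code)
                    continue
                found.append(path + [nxt])
                walk(path + [nxt])

        walk([start])
        return [[self.nodes[i] for i in p] for p in found]


# Policies written like the IO_FLOW lines on the slide: a source tag, zero or
# more transform requirements, and a sink tag. NO_TRANSFORM means the data must
# reach the sink untouched (no TRANSFORM:* node anywhere on the path).
Policy = Tuple[str, List[str]]
POLICIES: List[Policy] = [
    ("SQL Injection", ["SOURCE:HTTP", "TRANSFORM:SQL_STATEMENT", "SINK:DB"]),
    ("Data Leak", ["SENSITIVE:VARIABLE", "NO_TRANSFORM", "SINK:LOG"]),
    ("Data Leak", ["SENSITIVE:VARIABLE", "NO_TRANSFORM", "SINK:HTTP"]),
]


def matches(path: List[Node], steps: List[str]) -> bool:
    source, *transforms, sink = steps
    if source not in path[0].tags or sink not in path[-1].tags:
        return False
    for step in transforms:
        if step == "NO_TRANSFORM":
            if any(t.startswith("TRANSFORM:") for n in path for t in n.tags):
                return False
        elif not any(step in n.tags for n in path[1:]):
            return False
    return True


def find_violations(cpg: CPG, policies: List[Policy]) -> List[Tuple[str, List[str]]]:
    findings = []
    for node_id in cpg.nodes:
        for path in cpg.paths_from(node_id):
            for name, steps in policies:
                if matches(path, steps):
                    findings.append((name, [n.id for n in path]))
    return findings


def build_sample_cpg() -> CPG:
    """Constructed graph for a small Java-like handler (code strings are illustrative)."""
    g = CPG()
    g.add("n1", 'String id = req.getParameter("id")', "SOURCE:HTTP")
    g.add("n2", 'String q = "SELECT * FROM users WHERE id=" + id', "TRANSFORM:SQL_STATEMENT")
    g.add("n3", "stmt.execute(q)", "SINK:DB")
    g.add("n4", "String ssn = user.getSsn()", "SENSITIVE:VARIABLE")
    g.add("n5", 'log.info("user " + ssn)', "SINK:LOG")
    g.add("n6", "String masked = mask(ssn)", "TRANSFORM:MASK")
    g.add("n7", "resp.getWriter().write(masked)", "SINK:HTTP")
    for src, dst in [("n1", "n2"), ("n2", "n3"), ("n4", "n5"), ("n4", "n6"), ("n6", "n7")]:
        g.flow(src, dst)
    return g


if __name__ == "__main__":
    for name, path in find_violations(build_sample_cpg(), POLICIES):
        print(f"{name}: {' -> '.join(path)}")
```

Running it reports the HTTP parameter reaching the database through a SQL statement and the raw SSN reaching the log; the SSN that passes through mask() before the HTTP response is not reported, which is the distinction a transform-aware policy buys over a plain source-to-sink reachability check.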
A Fortune 500 Fintech Company
● 4000+ Developers
● Specializing in Small Business and Tax Preparation Software
● Web, Desktop and Mobile products
Cloud Evolution
● Go to the Cloud! (2012)
● Lots to be desired in terms of security
● Increase speed of solving problems
● Evolution or Extinction?
SHIFT LEFT
Red Team =-(
● Not a well-known concept
● Lots of different approaches
● Tools are immature
● Outcomes vary
● Stay ahead of Adversaries (Cultural Impact)
Manual Testing and Research
● Easier barrier to entry
● Slow, time consuming
● Dependent on tester skill level
● Rare discoveries
Static Analysis Tools
● False Positives
● Requires significant tuning to be useful
● Infrastructure and maintenance required
● Poor experience between Security and Development
Red Team!
Focus on Exploitability
1. Implementation: Enumeration
2. Protocol: Protocol Analysis
3. Code: Code Analysis
Red Team Strategy
Started with Joern and quickly found 3 new vulnerabilities in open-source Linux dependencies. (Interns!)
Currently using Ocular to find and report new vulnerabilities in our products to our developers.
Results
Leveraging Ocular to perform automated scans of our 3rd party dependencies to find 0-days faster
Use Ocular to facilitate 0-Day exploit development for Red Team weaponization
Publish 3x more CVEs in both Java and C
Future?
Improve on shifting left by advancing graphing upstream.
Apply more of what we do to determine exploitable opportunities.
Continue to evolve with automation and intel
Demo
Data Leaks - Case File
Origins of data
Data originates in code. Let's examine various forms of sensitive data:
val user : User = new User("Mike", "SSN", "DOB", "Address")   // user-defined type
val awsKeys : String = "AKIA2E0A8F3B244C9986"                // hard-coded credential
val cldTk : String = System.getenv("AZURE_TOKEN")             // environment variable
Fix the problem, not the symptom
Data is created/updated in your application. What is the mitigation strategy to prevent data leaks?
● A method to identify all sensitive data elements defined in code
● A method to track all transformations applied to sensitive data
● A method to track all outbound paths of sensitive data flow - log file, network, filesystem, etc.
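The three methods listed above can be implemented directly over a syntax tree. The following is an added example (not code from the deck or from ShiftLeft's tooling) that uses Python's standard ast module on a straight-line Python program: it classifies assignments by the three origins shown on the "Origins of data" slide (user-defined type, hard-coded credential, environment variable), follows each sensitive variable through the calls applied to it, and records every log, file or network call the data reaches. The sample program, the User and mask names, the set of sensitive types and the list of sink call names are constructed assumptions.

```python
import ast
import re
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample program mirroring the three origins on the slide plus a few
# outbound calls. It is parsed only, never executed, so User() and mask() need
# not exist. The AKIA... literal is the sample key shown on the slide.
SAMPLE = '''
import os, logging
user = User("Mike", "123-45-6789", "1980-01-01", "1 Main St")
aws_keys = "AKIA2E0A8F3B244C9986"
cld_tk = os.getenv("AZURE_TOKEN")
logging.info("created %s", user)
masked = mask(aws_keys)
logging.info("key %s", masked)
open("/tmp/out.txt", "w").write(cld_tk)
'''

SENSITIVE_TYPES = {"User"}                         # constructors of sensitive records
CREDENTIAL_RE = re.compile(r"^AKIA[0-9A-Z]{16}$")  # AWS access key id shape
ENV_READS = {"os.getenv", "os.environ.get"}


def qualname(func: ast.expr) -> str:
    """Dotted name of a call target: logging.info, os.environ, open().write ..."""
    parts: List[str] = []
    while isinstance(func, ast.Attribute):
        parts.append(func.attr)
        func = func.value
    if isinstance(func, ast.Name):
        parts.append(func.id)
    elif isinstance(func, ast.Call):
        parts.append(qualname(func.func) + "()")
    return ".".join(reversed(parts))


def classify_origin(value: ast.expr) -> Optional[str]:
    if isinstance(value, ast.Call) and qualname(value.func) in SENSITIVE_TYPES:
        return "user-defined type"
    if isinstance(value, ast.Constant) and isinstance(value.value, str) \
            and CREDENTIAL_RE.match(value.value):
        return "hard-coded credential"
    if isinstance(value, ast.Call) and qualname(value.func) in ENV_READS:
        return "environment variable"
    if isinstance(value, ast.Subscript) and qualname(value.value) == "os.environ":
        return "environment variable"
    return None


def is_sink(callee: str) -> bool:
    # log file, network, filesystem: the outbound paths listed on the slide
    return (callee == "print"
            or callee.startswith(("logging.", "requests.", "socket."))
            or callee.endswith((".write", ".send", ".sendall")))


def names_in(node: ast.AST) -> Set[str]:
    return {n.id for n in ast.walk(node) if isinstance(n, ast.Name)}


def inventory(source: str) -> Dict[str, dict]:
    """Map each sensitive variable to its origin and every (sink, transforms) path."""
    tainted: Dict[str, Tuple[str, List[str]]] = {}   # var -> (root var, transforms so far)
    report: Dict[str, dict] = {}
    for stmt in ast.parse(source).body:
        if isinstance(stmt, ast.Assign) and len(stmt.targets) == 1 \
                and isinstance(stmt.targets[0], ast.Name):
            name = stmt.targets[0].id
            origin = classify_origin(stmt.value)
            if origin:
                tainted[name] = (name, [])
                report[name] = {"origin": origin, "outbound": []}
            elif isinstance(stmt.value, ast.Call):
                used = sorted(names_in(stmt.value) & set(tainted))
                if used:                              # a transform of tainted data
                    root, transforms = tainted[used[0]]
                    tainted[name] = (root, transforms + [qualname(stmt.value.func)])
        elif isinstance(stmt, ast.Expr) and isinstance(stmt.value, ast.Call):
            callee = qualname(stmt.value.func)
            if is_sink(callee):
                for var in sorted(names_in(stmt.value) & set(tainted)):
                    root, transforms = tainted[var]
                    report[root]["outbound"].append((callee, transforms))
    return report


def untransformed_leaks(report: Dict[str, dict]) -> List[Tuple[str, str]]:
    """Sensitive data that reaches a sink with no transformation applied."""
    return [(root, sink) for root, info in report.items()
            for sink, transforms in info["outbound"] if not transforms]


if __name__ == "__main__":
    rep = inventory(SAMPLE)
    for var, info in rep.items():
        print(var, info)
    print("untransformed:", untransformed_leaks(rep))
```

On the sample, the User object and the Azure token reach a log call and a file write with no transformation, while the AWS key reaches the log only after mask(); the report keeps the transform list per outbound path so a reviewer can decide whether mask() is an adequate control rather than only seeing "sensitive data reached a sink".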
Demo - Data Leaks
Business Logic Flaws
A business logic flaw is defined as a security weakness or bug in the functional or design aspect of the application
● It's a logic-based flaw, not a code-based flaw
● It's a legitimate business workflow used in a malicious way
● It's about bypassing conditions in a workflow using inputs
● Can be specific to an application and business domain
Business Logic Flaws - Case File
Discovery of business logic flaws
What are the common traits that led to data exposure in both of these vendors?
● Predictable sequence (database primary key) directly exposed in a URL embedded in email
● Upon clicking the link in the email, the user was directed to a page without authentication, thereby leading to cross-tenancy access
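The two traits above can be shown side by side in a few lines. This is an added example, not code from the deck or from either vendor: a tiny in-memory "document" store with sequential primary keys, the flawed workflow (key in the emailed link, page served without authentication) and a hardened one. The hardening choices, an unguessable single-use token in place of the key, a required session, and a tenant-ownership check on the session, are design decisions assumed for this example; the tenant names and record contents are constructed.

```python
import secrets
from typing import Dict, Optional

# Constructed tenant data: documents stored under a sequential primary key, as on the slide.
DOCUMENTS: Dict[int, Dict[str, str]] = {
    1: {"tenant": "acme", "body": "Acme tax return"},
    2: {"tenant": "globex", "body": "Globex tax return"},
}


class Forbidden(Exception):
    pass


# --- Flawed workflow from the slide: the emailed link embeds the primary key and
# --- the landing page serves the record to whoever clicks, with no authentication.
def build_link_flawed(doc_id: int) -> str:
    return f"https://app.example/doc?id={doc_id}"


def open_link_flawed(url: str) -> str:
    doc_id = int(url.rsplit("=", 1)[1])
    return DOCUMENTS[doc_id]["body"]     # no session check, no tenant check


# --- Hardened workflow (design choices assumed for this example): the link carries
# --- an unguessable token instead of the key, the page demands an authenticated
# --- session, and the session's tenant must own the document.
LINK_TOKENS: Dict[str, int] = {}        # token -> document id (single use)


def build_link_hardened(doc_id: int) -> str:
    token = secrets.token_urlsafe(32)   # 256 bits of randomness: not enumerable
    LINK_TOKENS[token] = doc_id
    return f"https://app.example/doc?t={token}"


def open_link_hardened(url: str, session: Optional[Dict[str, str]]) -> str:
    if session is None:
        raise Forbidden("authentication required")
    token = url.rsplit("=", 1)[1]
    doc_id = LINK_TOKENS.get(token)
    if doc_id is None:
        raise Forbidden("unknown or already-used link")
    doc = DOCUMENTS[doc_id]
    if doc["tenant"] != session["tenant"]:
        raise Forbidden("cross-tenant access")   # the exposure the slide describes
    del LINK_TOKENS[token]                       # consume the link only on success
    return doc["body"]


def attempt(url: str, session: Optional[Dict[str, str]]) -> str:
    """Outcome of opening a hardened link: the body, or the refusal reason."""
    try:
        return open_link_hardened(url, session)
    except Forbidden as exc:
        return f"forbidden: {exc}"


if __name__ == "__main__":
    # Flawed: the record is served without any login, and the id is guessable.
    print(open_link_flawed("https://app.example/doc?id=2"))
    link = build_link_hardened(1)
    print(attempt(link, None))
    print(attempt(link, {"user": "bob", "tenant": "globex"}))
    print(attempt(link, {"user": "alice", "tenant": "acme"}))
    print(attempt(link, {"user": "alice", "tenant": "acme"}))
```

The random token alone is not the fix: a leaked or forwarded email would still open the record. The tenant check against an authenticated session is what closes the cross-tenancy path, and the token only removes the enumerable key from the URL.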
Demo - Business Logic Flaws
Backdoors and RootKits
Can we determine the risk associated with a renegade software developer or consultant?
● Malicious code is not the same as a vulnerability
● Inadvertent vulnerabilities are introduced by developers who weren't trained in secure coding or didn't have access to secure APIs
● Malicious code is sabotage, with the intention to cause harm directly
● RootKit techniques are employed to make malicious code hard to find in applications
Backdoors and RootKits - Case File
Discovery of RootKits - Wabbit virus
:(){
:|:&
};:
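The snippet above is the classic shell fork bomb (the "Wabbit"): a function that pipes itself into itself and backgrounds the result, so every invocation starts two more. As an added example (not code from the deck), the following Python detector scans shell text for function definitions whose body re-invokes the function in a pipeline or in the background, which is the structural signature regardless of what the function is called. The regular expressions, the renamed variant and the benign bounded recursion used as a negative case are all constructed for this example.

```python
import re
from typing import Dict, List

# Shell function definition of the form  name() { body }  (the form on the slide).
FUNC_RE = re.compile(r"([^\s(){};|&]+)\s*\(\s*\)\s*\{(?P<body>[^}]*)\}")
# A lone '&' (not '&&', not the '>&' of a redirection) backgrounds a command.
BACKGROUND_RE = re.compile(r"(?<![&>])&(?!&)")


def scan_script(text: str) -> List[Dict[str, object]]:
    """Flag functions that re-invoke themselves in a pipeline or in the background:
    the unbounded process growth of a fork bomb such as the slide's ':(){ :|:& };:'."""
    findings = []
    for m in FUNC_RE.finditer(text):
        name, body = m.group(1), m.group("body")
        # first word of every simple command in the body
        commands = [c.split()[0] for c in re.split(r"[|;&\n]+", body) if c.strip()]
        self_calls = commands.count(name)
        backgrounded = BACKGROUND_RE.search(body) is not None
        if self_calls >= 2 or (self_calls == 1 and backgrounded):
            findings.append({"function": name, "self_calls": self_calls,
                             "backgrounded": backgrounded})
    return findings


# Constructed inputs: the Wabbit fork bomb from the slide, the same thing under a
# plain name, and a benign bounded recursion that must not be flagged.
WABBIT = ":(){ :|:& };:"
RENAMED = "spawn() { spawn | spawn & }; spawn"
BENIGN = 'countdown() { [ "$1" -gt 0 ] && countdown $(( $1 - 1 )); }; countdown 3'

if __name__ == "__main__":
    for label, script in [("wabbit", WABBIT), ("renamed", RENAMED), ("benign", BENIGN)]:
        print(label, scan_script(script))
```

Matching on the self-invocation pattern rather than on the literal ":" name is what makes the check survive trivial renaming. Static detection is only one layer: per-user process limits (the bash ulimit -u builtin, or a pids cgroup limit on a service) cap how far such a function can grow at runtime.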
Demo - RootKits
Software Composition Analysis
About 80% of companies run their operations on OSS and 96% of applications utilize OSS as software components
Software Composition Analysis - Case File
● Apache Commons Collections in the classpath
● Exposes an endpoint that takes binary data and creates objects without checking
● Lets untrustworthy parties access the endpoint without authorization
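The three bullets describe a deserialization endpoint that is exploitable only when all three conditions hold: a gadget library on the classpath, unchecked object creation from binary input, and no authorization on the endpoint. The following added example (not code from the deck; the slide's case is Java with Apache Commons Collections) shows the same two application-side controls in Python, using pickle as the analogue of Java serialization: an endpoint that deserializes anything it is sent beside one that authorizes the caller first and then restricts object creation to an explicit allowlist by overriding pickle.Unpickler.find_class. The allowlist contents, the session shape and the payloads (an allowed OrderedDict and a benign datetime.date standing in for "any class the sender names") are constructed.

```python
import collections
import datetime
import io
import pickle
from typing import Any, Dict, Optional, Set, Tuple

# Python's pickle plays the role of Java serialization here (added example; the
# slide's case is Java with Apache Commons Collections on the classpath).

ALLOWED_CLASSES: Set[Tuple[str, str]] = {("collections", "OrderedDict")}


class RestrictedUnpickler(pickle.Unpickler):
    """Only instantiates classes on an explicit allowlist; everything else is refused
    before any constructor or __reduce__ logic of that class can run."""

    def find_class(self, module: str, name: str) -> Any:
        if (module, name) in ALLOWED_CLASSES:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refusing to load {module}.{name}")


class Unauthorized(Exception):
    pass


# Endpoint as described on the slide: takes binary data, creates objects without
# checking, and is reachable without authorization.
def upload_flawed(data: bytes) -> Any:
    return pickle.loads(data)


# Hardened endpoint (design for this example): authorize first, then deserialize
# through the allowlist.
def upload_hardened(data: bytes, session: Optional[Dict[str, str]]) -> Any:
    if session is None or session.get("role") != "uploader":
        raise Unauthorized("upload requires an authorized session")
    return RestrictedUnpickler(io.BytesIO(data)).load()


def try_hardened(data: bytes, session: Optional[Dict[str, str]]) -> Tuple[str, Any]:
    """Outcome of the hardened endpoint as a (status, detail) pair."""
    try:
        return ("ok", upload_hardened(data, session))
    except Unauthorized as exc:
        return ("unauthorized", str(exc))
    except pickle.UnpicklingError as exc:
        return ("rejected", str(exc))


# Constructed payloads: an allowed record type and a benign stand-in for "any class
# the sender names" (a datetime.date, which is not on the allowlist).
def payload_allowed() -> bytes:
    return pickle.dumps(collections.OrderedDict([("invoice", 42), ("total", "10.00")]))


def payload_rejected() -> bytes:
    return pickle.dumps(datetime.date(2020, 1, 1))


if __name__ == "__main__":
    print(type(upload_flawed(payload_rejected())).__name__)       # date: anything goes
    print(try_hardened(payload_rejected(), {"role": "uploader"}))  # rejected
    print(try_hardened(payload_allowed(), None))                   # unauthorized
    print(try_hardened(payload_allowed(), {"role": "uploader"}))   # ok
```

The allowlist is the control that removes the gadget library from the equation: a class that cannot be named cannot be instantiated, whatever happens to be on the classpath. The authorization check in front of it is what the third bullet asks for, and both are needed for a contextual SCA finding on this endpoint to stop being exploitable.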
Demo - Contextual SCA
Thank you ...
● 14 Day FREE Ocular trial
○ Download: https://go.shiftleft.io/ocular-free-trial
○ Java Only
○ Does not include scripts, policies, security profile
● Ocular Proof of Concept
○ Email: sales@shiftleft.io
○ Supported Languages : C/C++ , C#, Java & Scala
○ Coming Soon : JavaScript, Node.JS, Go & Python
○ Support and Training
