Rishi Malik - How to write insecure software: It's easier then you think!

SEP 16-20, 2019
DenverStartupWeek.org
#DENStartupWeek
HOW TO WRITE INSECURE
SOFTWARE: IT'S EASIER
THEN YOU THINK!
Rishi Malik - backstop.it
@whoisthisogre

British Consulate
Charter / Spectrum
Checkr
The Commons on Champa
Cooley
CTRC
Ford Smart Mobility
Fremont Economic Development
General Assembly
Hilton Garden Inn
ImageSeller
Nanno
CoastalCloud
Formidable
Granicus
Hogan Lovells
Iterable
Name.com
Plante Moran
Slifer Frampton
Starry
Swiftpage
Syntropy Partners
Yoonit Wine
HEADLINE SPONSORS
PARTNER SPONSORS MEMBER SPONSORS
Nix Media
Officescapes
Procare
Quizlet Ridg
Segment
SimpleBooth
Slalom
Tendril / Uplight
Test Double
Two Parts / The Passport Program

DIVERSITY, EQUITY, INCLUSION & ACCESSIBILITY
At Denver Startup Week we strive to make all of our sessions a space where attendees can connect, learn, and
grow — regardless of gender identity, gender expression, race, ability, sexual orientation, and the combination of
those identities.
As you leave today and throughout the week, introduce yourself to someone who doesn’t look like you or who
may identify differently than you.
#DENStartupWeek

HOW TO WRITE INSECURE SOFTWARE:
IT'S EASIER THEN YOU THINK!
Rishi Malik - backstop.it
@whoisthisogre

@whoisthisogre - rishi@backstop.it
About Me
Software engineering background
Startup background
Specialize in companies too small
to have a dedicated security team
Backstop is education +
automation

Goals
Writing vulnerabilities is surprisingly easy
You’re not a bad engineer if you make
a mistake (especially under pressure)
Think differently
How can this be broken?
Security vocabulary
Audience is application engineers /
startups

You know someone affected
Equifax - 147 million people
Marriott - 500 million people
Yahoo - 3 billion people

Equifax
One of the big three credit reporting agencies
“As a user, I need to be able to dispute items on my credit report.”
Apache Struts
“Apache Struts is a free, open-source, MVC framework for creating
elegant, modern Java web applications. It favors convention over
conﬁguration, is extensible using a plugin architecture, and ships with
plugins to support REST, AJAX and JSON.”

Equifax
Batteries included (logging / OGNL)
Site goes live sometime before March 9th, 2017

Equifax

Vocabulary Break
Remote Code Execution
CVE / NVD
Severity

On March 9, Equifax disseminated the U.S. CERT notiﬁcation internally by
email requesting that applicable personnel responsible for an Apache Struts
installation upgrade their software.…Equifax security department required
that patching occur within a 48 hour time period.…

NARRATOR: They did not

“Based on the investigation to
date, it appears that the ﬁrst
date the attacker(s) accessed
sensitive information may have
been on May 13, 2017.”

Working backwards

Object-Graph Navigation Language
Textual representation of part of an object
Similar to jxpath/jsonpath
“OGNL stands for Object-Graph Navigation Language; it is an expression
language for getting and setting properties of Java objects, plus other
extras such as list projection and selection and lambda expressions. You
use the same expression for both getting and setting the value of a
property.”

“Most of what you can do in Java is possible in OGNL, plus other extras such as
list projection, selection and lambda expressions.”

Recap
We need a ﬁle upload to trigger the issue
Content type must have “multipart/form-data”
Remainder is OGNL that is evaluated
Let’s try it

How did we get here?
Struts Devs
Multiple people working on different parts of the code
Each piece makes sense individually, probably made good design
choices
Equifax Devs
Didn’t upgrade. No process? No ability?

What do we do about it?
Automate alerts, mostly automate patching
Know when vulnerabilities are announced
CI/CD
Think offensively
Code Smells

Code Smells
Eval Anything
Complexity
User input - “worry”

Dependency hell

event-stream
Stream processing library for Javascript
Downloaded 1.5 million times / week, 1701 dependents
Stable

ﬂatmap-stream

What happened?
Backdoor is added to ﬂatmap-
stream, not to GitHub
Miniﬁed code uploaded to NPM
Event-stream is revved

Still sneaky
./test/data is AES encrypted strings
Encryption key turns out to be a package name
Malicious code is executed if the dependency tree is right

What did we learn?

Read through the source of every dependency
For every change
Include tests
Use static tools?
Unreliable. Obfuscation works.
Don’t immediately upgrade packages until they’ve been audited /
established?
Except struts. And this baked for a few months.

Vocabulary Break
Threat model
Know what’s most relevant, what’s most damaging, how am I most
vulnerable
Fintech/Medical/Social/Blog

Let’s write some vulnerable code
Rails webapp
As a user, I need to be able to edit my proﬁle information

user[user_id] = 8
user = User.where("id = ‘#{params[:user][:id]}'")[0]
user[user_id] = 8’ OR admin=’t’) --
User.where("id = ?", params[:user][:user_id]).ﬁrst

What did we learn?
Not just small apps (Heartland, Sony, 50+)
Know the ﬁne grained details of framework functions
Know details of how your database works
Be extremely careful with raw SQL

Learn more
OWASP
Top 10
Sample apps / practice
Go offensive

What we didn’t talk about
Lateral Movement

Unsecured databases

Unpatched cloud instances / bare metal servers

Cloud security

Social engineering

Password spraying

Mobile security

Rishi Malik - How to write insecure software: It's easier then you think!

Recommended

Recommended

More Related Content

What's hot

What's hot (18)

Similar to Rishi Malik - How to write insecure software: It's easier then you think!

Similar to Rishi Malik - How to write insecure software: It's easier then you think! (20)

Recently uploaded

Recently uploaded (20)

Rishi Malik - How to write insecure software: It's easier then you think!