Creating Developer Security Awareness

CREATING DEVELOPER SECURITY AWARENESS: USING ATTACKS David Klassen


Would you like your software development staff to think longer and harder about the software they create? Create some awareness material for them that demonstrates how software can be attacked.

Transcript of Creating Developer Security Awareness

Page 1: Creating Developer Security Awareness

CREATING DEVELOPER SECURITY AWARENESS: USING ATTACKS
David Klassen

Page 2: Creating Developer Security Awareness

TL;DR

Page 3: Creating Developer Security Awareness

INTRODUCTION

• Evolving methods of communicating security problems to developers:

  • OWASP AppSec Tutorial Series: shock value, easily demonstrates risk/prevention

  • I have noticed that web developers really take to powerful/short introductions

• Michael Howard @ OWASP AppSecUSA in 2012:

  • won't work if it's too long or overloads the listeners (retention?)

  • best done in short presentations that can quickly explain (i.e. zest/punch)

  • have a whole website (book?) available for people looking for more clarification

• It is hard to find good information that couples vulns with attacks, and fixes

• You can tell them to fix, but if you don't W5 (who, what, when, where, why) the issues, things get dropped

• Somehow security groups need to model to others what is at risk in an attack

• Remind them why we want to prevent attacks, and cite reputation issues

Page 4: Creating Developer Security Awareness

ENCHILADA

Page 5: Creating Developer Security Awareness

FOG OF SECURITY RE-ENGINEERING

• Some bugs get fixed… but the pen-testers continually report issues that are not fixed and probably won’t get fixed.

• Flaw is buried in the most popular feature

• You’ve performed or reviewed the millionth assessment with bug X.

• You’ve had that 24th meeting…

• Burnout is here and even you need relief

• It's time to take an issue with Awareness, somehow blow them out of the water!

• Pick your darkest bug set and detail what exploitation might look like…

Page 6: Creating Developer Security Awareness

PILE IT HIGH

• After working in software security you might start thinking like a philosopher:

  • While an XSS might divulge a user's session cookie, and even that is a really, really critical issue to fix, certain individuals might rightly state: well, a login provided to such and such a feature has no access to anything important.

• So you see, what this XSS provides to an attacker doesn't really mean anything, because that webapp has no access to critical information assets???

• What such a response glosses over is that exposing a user's session cookie is only one issue among a plethora of other possible attack vectors (e.g. via RCE)

• Everyone knows that SecBug X is badass, however "they don't know how…"

• Actually you don't really know; let's start to build some kind of integrity here

• By debunking the arguments and rebuttals provided, we bring people closer

Page 7: Creating Developer Security Awareness

RAISE THE BOO-YAH

• Use attacks that have been used in reality, and discussed in the news.

• See if you can’t pair common bug X with this real attack payload, so they can later look up and learn about it.

• Don’t allow yourself to make a boring communication. Make it with pizazz!

• Get yourself excited about the problems, by taking the training.

• There are lots of security training groups out there (get up-to-date).

• Don’t cheap-out telling yourself I can learn this on my own (time == $$$).

Page 8: Creating Developer Security Awareness

FILTER THE BS

• YouTube is great and I have seen great videos there, but it's nothing you can usually show your company

• There is a certain way of being a cool cat that really isn't that cool. In a year or two it's not cool

• If you want the audience for your video to actually be people who develop software, you are going to need to adapt to meet their needs

• If we don't take developers all the way to s-hell, then we're not really taking them anywhere

• Is making it simple not your job? Then stay solo

• Look at the experts in communication do they skirt around the issues, or aim for the heart?

Page 9: Creating Developer Security Awareness

GET OVER THE AWARENESS BUSINESS

• The executives talked about raising awareness

• However when it came to meeting the expectations of your common developer…

• When I started making presentations and videos to summarize, everything just felt better.

• After creating this video I noticed the executives subscribed to an official set of security awareness material

• As I look at what was out there though, I realized I am a party of one, and really the only one with an incentive to learn more.

• There are many hats you can wear in this business, but which one will have an effect?

Page 10: Creating Developer Security Awareness

KEEP IT ORGANIC

• If you create a company-directed security promotional like this, you can post links to it everywhere:

  • Wiki
  • Bug pages
  • e-mails
  • chat
  • etc.

• There are more chances for people to run across it in their everyday work

• By piquing people's interest, we are exposing the worst of issues and trying to steer people towards real risks.

• Helping the company to build integrity.

Page 11: Creating Developer Security Awareness

GET THE FACTS

• I spent time, effort, and money to chase down exploitation beyond session cookies, because it seemed interesting to me, and I didn't remember seeing this anywhere:

  • Research the topic
  • Listen to podcasts/conference talks
  • Speak to others (hardest)
  • Take the training

• Can we find it in our own code anywhere? (Do it.)

• If we consider it APT-possible, what things can happen?

• By attempting to understand what is attackable, we have a better awareness of what is probable

• We will also learn about the protection others believe is there

Page 12: Creating Developer Security Awareness

DREAM BIG

• Focus on your attacks first. Your story.

• Everyone has heard about hacking

• We mix in legalities and $kirt the field

• I wanted to work in software development

• I didn’t want to be a QA any more

• I ended up finding quite a few vulns

• I knew the vulns were bad but not how

• As paid employee legally this info is?

• Enlighten on these scary predicaments

Page 13: Creating Developer Security Awareness

PERFECTING YOUR ATTACKS

• To be honest I hate the spy concept

• But considering our industry it works

• Ensure you exhaust all your resources

• When you find that last morsel: Boom!

• The Aurora video I found online did it

• If I didn't search long enough?

• After it starts rolling for you, perfect it

• Legitimate attack scenario is not easy

• Task of explaining to others is hard

Page 14: Creating Developer Security Awareness

PERFECTING THE EXPLANATION

• No exploitation, no explanation

• Tell the whole story and real risks

• Yes it is a bad subject, but it's also work

• Practiced attack gives you domain info

• Record your video as if for strangers

• Use all the VMs/tools, and cut it out later

• Explanations demand more video/story

• After you have perfected attack and explanations video, create a script

• Working back from this you will find introduction tie-ins and more.

Page 15: Creating Developer Security Awareness

DO THE POST-MORTEM

• Mastered attack -> easier explanations

• Tie it back to reality in the simple or hard

• Show the proof of what happened

• Relate to other attacks: clickjacking (CJ) of the FB login

• In some way all attacks are the same

• Good place for lead-ins to other vulns

• Emphasize the attack line if important

• Doing this well, leads to a good intro

• I wanted to jump into the fix, but it didn’t make sense quite yet to do that

• Make it as detailed as necessary

Page 16: Creating Developer Security Awareness

A STORY BUILDS IT UP

• A video that displays real compromise should be easy to create a story for

• It also might mix with real life (A/V)

• If you get better ideas just go for it

• Redos are common with a new script

• Video editing software is so buggy!

• New ideas will come, weigh the value

• It is best to at least cover these:

  1. Something everyone has heard/seen
  2. A full exploit that hits fast and deep
  3. A fast automated attack

• People should start to think differently

Page 17: Creating Developer Security Awareness

WHY DO WE CARE?

• They are not going to get it… So!

• Make a laughing stock of yourself

• Phishing intro: the first thing in my mind

• Later it felt sarcastic, and a good vice

• It made the problem more plain to see

• I was hoping someone would laugh, and then run smack into realization

• That’s just it! A real XSS exploit appears to be just like any other web page

• It is important to realize that a website can be made to do anything and developers are in charge of appearance

Page 18: Creating Developer Security Awareness

HOW DID WE FIND THE BUG?

• Are we ever asked to fix the bugs?

• Do Devs become security conscious because they know how to program?

• Show Devs how to consider STDD

• This might lead to something else, like the discovery of problematic ThirdParty code

• Let them know about SAST/DAST

• Detection knowledge leads to prevention

• Attempt to include your product or company in the video

• Bring up reputation and liability issues

Page 19: Creating Developer Security Awareness

REMEDIATE

• Go beyond insults to engineering

• No one is perfect. We need a common ground for discussion; make one.

• Some bugs might be simple to fix

• RCE bugs are anything but simple because the fault is in the genetics

• When dealing with RCEs go deep

• Try to use the best sources/definitions

• Provide them framework suggestions

• Map the entire issue lifecycle + fix

• RCE preventions and counter-measures

Page 20: Creating Developer Security Awareness

SOCIAL

Page 21: Creating Developer Security Awareness

EXPLAIN THE EQUIPMENT

• Are we fighting this battle bare-handed?

• Explaining prevention can be simple…

• For RCE it is hard, so go as far as required

• OWASP XSS Prevention was thorough, but I had to bow out and exit stage left (time)

• Don’t go so deep that no one is listening

• If they don’t watch it, they can’t mock

• Make it fun, but try not to waste time

• Aim to gain the respect of your groups

• Use a Dev-possible mindset for awareness

• Create wiki page detailing equipment

Page 22: Creating Developer Security Awareness

JU$TIFICATION

• Who? Me? If not you who else can/will?

• There is lots of philosophy in business, but try not to get caught up in the rat race

• Be prepared to justify your videos/cause

• Make your video respect worthy

• Put your own time into it, or just go home

• Having security training is good, but an in person explanation can be specific

• Be prepared to poke holes in the other strategies presented by management

• There is no fail in attempting to help…

• If you think you're failing, speak to others!

Page 23: Creating Developer Security Awareness

IDENTIFYING WITH MANAGEMENT

• Accountability is another word for this

• Luckily you are not alone. People have been selling security to other people, since before we had democracies…

• Look-up some of these people. Metricon

• Many reports out there to reference/facts

• Statistics not there? Use news headlines

• Make friends with the management team.

• If you’re an employee don’t shame us…

• The reason you start with report citations, is to make it a business issue; not personal

• Everyone should admit their shit, even you

Page 24: Creating Developer Security Awareness

THE GOLDEN BLUEBERRY

• Here is my magic word slide (Secret Sauce)

• Rethink the video so you sell it to the group

• Not management heavy? You're lucky!

• A report will help to bring it to the business

• Introduce the issue typical way (atypical?)

• Start where they are at, but carve the path

• I used vulnerability finding to put it in scope, something that DEV might have seen before

• Every “Seminar” has a magic sales slide

• You can do it, feel the magic, believe it

• Don’t forget everyone is special… in that they have a chance in this life (in some way)

Page 25: Creating Developer Security Awareness

GIVE IT A GOOD HOME

• Ask others where the best place to showcase it is. Find usual locations.

• Some place that has high visibility where people look all the time

• I recommend an internal location

• Don't post it on YouTube; if it is any good it will contain privileged info

• If awareness doesn’t make people question things, what is it doing?

• If your company is small or lean enough, perhaps other methods will work better. Are they listening?

• Perhaps a general video that describes key industry issues.

Page 26: Creating Developer Security Awareness

COMMUNICATE IT

• If you have created something new

• If you are really interested in it

• Make it a big deal

• Invite the dev teams you work with, and anyone else interested

• Send them an introduction e-mail with a good link to your video.

• Ask them to watch the video, and consider coming out to discuss it

• Ask everyone when they want to meet

• Plan Lunch and Learn for small groups

• If you have a large group have an open forum, and invite discussions…

Page 27: Creating Developer Security Awareness

IN PERSON DISCUSSIONS

• Book a good time for everyone, or plan to have multiple meetings

• Create a slide deck that covers all the issues they might need to know.

• We can answer questions, but if no one has any questions, have it ALL

• From recent issues to academic

• Ask the audience questions (reflect):

  • Attack – history, variations, and risk
  • Exploitation – how far does it go?
  • Detection – perform tests to check
  • Prevention – library features etc.
  • Monitoring – is it in the logs? OODA
  • Protection – policies/controls available

Page 28: Creating Developer Security Awareness

TALKING SHOP

• These slides can be a bit boring, but the topic isn’t boring, try to keep it exciting

• The talk is going to reflect your wiki and aim to completely cover the issue

• Engage with the audience

• Make sure they understand the depth of the problems. Ask for their opinion

• What did XSS allow us to do to the victim?

  • Steal their cookie jar?
  • Or insert a key logger?

• We want to highlight their knowledge

• If no one is answering questions, ask them why, learn to communicate
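The cookie-jar question above is the one developers most often argue away ("that cookie can't reach anything important"), and the deck's own answer is that the cookie is just one of many things an injected script can do. The following Node.js example is added here to make that concrete; it is not code from Klassen's slides. It renders the same greeting page unsafely and safely (output encoding per rule #1 of the OWASP XSS Prevention Cheat Sheet), checks whether a script the developer never wrote ended up in the page, and builds a hardened Set-Cookie header. The function names (escapeHtml, renderUnsafe, renderSafe, containsInjectedScript, sessionCookieHeader, demo) and the sample input are my own constructions.

```javascript
// Added example, not from the original deck. A "name" value arriving from
// the request is rendered two ways so the difference is visible in the markup.

// OWASP XSS Prevention Cheat Sheet rule #1: HTML-entity-encode untrusted
// data before placing it inside an HTML element body.
function escapeHtml(untrusted) {
  const map = {
    '&': '&amp;', '<': '&lt;', '>': '&gt;',
    '"': '&quot;', "'": '&#x27;', '/': '&#x2F;',
  };
  return String(untrusted).replace(/[&<>"'\/]/g, (ch) => map[ch]);
}

// Vulnerable: the untrusted value is concatenated straight into the page.
function renderUnsafe(name) {
  return `<p>Welcome back, ${name}!</p>`;
}

// Fixed: the same page, with the value encoded for the HTML body context.
function renderSafe(name) {
  return `<p>Welcome back, ${escapeHtml(name)}!</p>`;
}

// Detection helper for the discussion: does the rendered page contain a
// <script> element that the developer did not put there?
function containsInjectedScript(html) {
  return /<script\b/i.test(html);
}

// Defence in depth for the cookie jar. HttpOnly keeps the session id out of
// document.cookie, Secure and SameSite limit where it travels. None of this
// stops an injected script from logging keystrokes or acting as the user in
// the page, which is exactly the deck's point: encoding is the real fix.
function sessionCookieHeader(sessionId) {
  return `sid=${encodeURIComponent(sessionId)}; Path=/; HttpOnly; Secure; SameSite=Strict`;
}

// Constructed sample input (hypothetical): a name field carrying a script tag.
// The script body is a placeholder; the point is that it runs at all.
const sampleName = 'Alice<script>/* attacker-controlled code runs here */</script>';

// Runs both renderings over the sample and reports what each one lets through.
function demo(name = sampleName) {
  const unsafeHtml = renderUnsafe(name);
  const safeHtml = renderSafe(name);
  return {
    unsafeHtml,
    safeHtml,
    unsafeHasInjectedScript: containsInjectedScript(unsafeHtml),
    safeHasInjectedScript: containsInjectedScript(safeHtml),
    cookieHeader: sessionCookieHeader('constructed-session-id'),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demo());
}
```

Run it with `node xss-demo.js` (file name assumed). The unsafe rendering reports an injected script element while the encoded rendering shows the tag as harmless text, which is a handy two-line demonstration for the "it's just a cookie" debate on this slide.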

Page 29: Creating Developer Security Awareness

RESULTS

• From my experience, not sure if they are listening

• It's like you are working with silence, not people

• The important part is that they have been told

• If they understand this… watering hole, malverts?

• We are trying to get them to think about it

• Developers who get it are really rare

• However those who do can really help you out

• Reach horizontally and vertically in your corp.

• HR can help with spreading some messages

• Alter corporate processes and remove oversights

• The whole goal here is to help the team work well

Page 30: Creating Developer Security Awareness

HERE’S WHAT I THINK WORKS

• If you think you have covered it all, have you managed to cover:

  • Monitor
  • Attack
  • Prevention
  • Protection
  • Exploitation / Explanation
  • Detection

• In other words, is the issue MAPPED?

• We often spew vulns not explanations

• We need to gain engineering buy-in, where money is king, security has a cost

• There are so many experts who say this

Page 31: Creating Developer Security Awareness

GET THE PEOPLE LISTENING

• AS: Learn more about why developers don’t want to fix the problems, instead of debating probability of attack

• We need to be creative about how we get Development into the discussion

• JW: We need to remember Software Priorities According to Developers are:

1. Expected functions and features
2. Performance
3. Usability
4. Uptime
5. Maintainability
6. Security

• If we can do 1-5, then probably Security

Page 32: Creating Developer Security Awareness

ISSUE IMMERSION

• Ideally you have researched:

  • the exploitation topics
  • the corporate vulnerability history

• Stayed aware for your company:

  • full-disclosure, bugtraq etc.
  • or out there through other sources

• Participated in:

  • penetration tests on assets
  • leading the bug triaging process
  • assessment/reviews on your group

• Good sources for a starting point

Page 33: Creating Developer Security Awareness

MAD SKILLS

• If you have been at this for a while, you might be a bit bitter for who knows why

• I suggest you spread the venom in a creative way with much foresight

• You are the eyes and ears for your place of work, replaceable but +++

• If you can’t work with management to make it work, it probably won’t

• "You set the goals, it's your mission"

• Apply your own individual style

• If you're committed to this it might change your career (don't blame me)

Page 34: Creating Developer Security Awareness

SEE THE SLIDE NOTES FOR MORE !!!