
Whose Input Is It Anyways?

BSides Leeds · 2023 · 26:45 · 145 views · Published 2023-07
About this talk
A talk on input validation vulnerabilities and organizational culture around security. Using a reflected XSS incident as a case study, the speaker explores why developers write insecure code—not from malice but from competing pressures, context, and gaps in communication between engineering and security teams. Proposes practical approaches: security champions, blameless postmortems, and rotating security experts into engineering teams to build trust and knowledge.
Transcript [en]

So, first of all: this talk is called "Whose Input Is It Anyway?", so if you're in the wrong talk you can start leaving now. The story that named this talk: it came about because I was working as an application security specialist for a company, and what that meant was that in my office, I worked in Amsterdam, if an incident happened to anything that one of the teams in the Amsterdam office worked on, they would come to me and I would help coordinate that team's fixes. I would also make sure the whole teams were doing security training, or understanding security, trying to make sure that all of our engineers are secure.

So we received a report of an XSS on one of our customer support pages, and customer support was based in Amsterdam. I get sent the link: "Hey, can you verify this? Is it real? We don't know what the hell XSS is. Does it work? If it's a problem, coordinate a fix." I looked into it: it's a reflected XSS on a thank-you page. So customers send in a message, and we say "thanks for the message, we'll respond to you in a couple of days", let's say. So I've got to validate it and liaise with the engineering team.

And just for a stupid bit... oh, it's not going to show up on that screen, so I'm going to pull that across. Let's say that there's a web page here. I'm not going to code up the actual web page, but there's a web page here, I'm serving it on localhost, "thanks" with a language code on it. Language codes are fairly common when you've got multinational websites, because we present a bunch of languages: you say "hey, actually I need this language", let's say French, and then I'm going to call an API and it's going to get all the translations of the strings that should appear on that page, but the French versions of them.

So, well, I validated that the XSS works. It was the lang parameter. But when you're validating things like that, you always get given alerts, and those are really boring and I hate those. And I just realised this demo won't work because I'm not actually connected to the internet and I forgot to do it, but you'll have to trust me: if you are in the position where you have to show off to an exec that there is an XSS on one of your websites, look into a website called Cornify. Cornify provides you with a JavaScript API, and every time you call it, it will put another unicorn on the screen, and then another one. This script here basically just sets it to put a new unicorn on the screen every five seconds. It's very Hackers 1995, but execs get that; they understand that it's really bad if there are unicorns popping up all over their nice screen that they spent years or thousands in engineering costs on. So rather than just alert(1), get yourself a Cornify script and put that in your payloads where possible. This one was really easy because I could literally put in as much as I could. So at this point, I've confirmed that the XSS is a problem.

But my job is more than that. My job is not just saying "ah, there's a problem, blah blah blah"; it's: why did that problem come into place? What are the procedures that we were lacking as a company that led to this problem existing? Were there tools, or anything like that? Because we need to fix that too, to make sure it doesn't happen again. So I start digging around in the code base, because never trust an engineer, trust the code first. And I find something that looks like this in the code base, and this is classic PHP, unfortunately. There's some HTML above it, there's a script tag that gets opened, and then they put in a language parameter: they take whatever was in the GET parameter lang, slap it between quotes in the script tag, and go "fine", straight into your script tag. Hopefully you all realise why this is really problematic, and the stupid amount of problems there are with this. But hey, why did this happen? Why did someone think that this was acceptable?

So I go and find the person. Git blame is a thing. And I want to talk to them first, as opposed to their team, because maybe there's something really embarrassing that I have to talk them through first before I do a wider lesson. So I asked them: why was it coded like that? What is the thing that you were trying to achieve? And they say, "well, it's so that we can display the page in the user's language as they were navigating; we need to maintain English, French, Portuguese." Okay, yeah, but why were you putting the language parameter straight into a script tag? You weren't filtering it; you weren't DOM-sanitising anything? "No, no filtration, no checking." It's a country code; did you at least check it was two letters only? "Well, it's not user input, is it? We've set it during navigation. This is a 301 redirect: when you submit your post, we send a 301 redirect and we put the lang parameter in from whatever the customer's account is. It's not user data."

Well, so whose input is it anyway? And that's really what made me understand that, especially as security people, we have to recognise where our language is not effective for other people who have different understandings of what that language means. So always remember: language is communication, not code. The meaning of what you say is more important than how you say it. I don't care if you use incorrect grammar when you're saying something, as long as the meaning is put forward, and that's the real thing we need to care about.

So when I'm saying to someone, or when you're teaching people in engineering, "hey, remember to always validate and sanitise user input; OWASP Top 10 says injection is a bad thing, so you always sanitise and validate user input wherever possible", you're thinking to yourself: any user, any data that a user has influence on. And also, because you're a security person, you're not just thinking users: malicious users, attackers, some random script kiddie somewhere out there, anything someone external to your company can influence. Well, the dev just hears "anything that a user types in, that's user input. I don't see why anything else is." Again, the server set that URL when it was redirecting.

And then you've also got to understand that the devs don't necessarily understand what is vulnerable, and they will have a lot of pressures within their scope; they might not understand the full context of the attack that you've just told them. So this XSS was on the thank-you page, and the customer support person, the engineer who had coded that page for customer support, was saying, "well, what does it matter if someone gets an XSS on the support pages? They don't get access to the back-end database, and it's just a reflected XSS, it just presents to the user as something else. They can deface it, maybe they can throw some unicorns on it. Is that a business impact?" Well, it is, because then I had to explain to them: yeah, but I can rebuild our login page inside this page now, and it's being served from our domain. So I send someone a link to mycompany.com, it's on the mycompany.com domain, and it shows up with a login screen that looks exactly like the normal login screen, from the same domain; all of the browser things are the same. So they type in their credentials, and it ends up being an attack on some other part of our company, but through their issue. And the other thing they said was, "users don't see this page unless they've sent a message to us; it was the last page in a journey." Well, they couldn't comprehend the idea that someone would just take the URL as is and send it to someone, just as I'd sent it to them in Teams: this is the link, if you click on it you get to it. You don't have to go through the whole journey where you post the message first; you can just access that page.

But you know, you're telling devs what is vulnerable, and often we fall back on very easy things if we're in security. What are we going to tell people when it's "hey, we've got to do some security training"? Well, we're going to tell them: OWASP Top 10. Learn that, you're secure, right? This covers most of the attacks that happen all the time; these are the things that are really causing us issues. Learn that and devs will be secure. Well, there's a lot in there, especially when we look at how we've been folding more and more things into certain categories. What we just talked about, the XSS, was injection. Injection also has SQLi, which is a completely different style of attack to what the XSS is. Injection also has command injection. None of their work would have been impacted by SQLi or command injection, so if they're looking and they say "oh, I'm looking at injection attacks", there's a lot of content in injection attacks, learning about how to prevent them, that wasn't relevant to them. Maybe there was a sentence down at the bottom that said "oh, by the way, XSS", or, well, ideally there's more than that, but you've got to understand that out of the scope of just injection, they had a tiny bit that was actually relevant to them, and maybe they missed it.

And you might be saying to yourself, well, it's okay, we've got OWASP Top 10 training, and we have training that repeats every year, we have some product where when you join the company you have to have certified yourself in a self-study course. In my experience, self-study courses are rarely effective at fighting misconceptions. Someone comes in going "I know injection attacks, they're that thing where you hack into a database because you put in a wrong apostrophe, or you make it sleep for a while." They know what injection is, so they go "yeah, yeah, injection page, skip to the next bit of it, let's look on to the other bits that I don't know yet." You're not fighting those misconceptions if people can skip over things. And often I find instructor-led training is better for that, because people can ask questions. They can be like, "hey, does this also cause that?" or "is this also a problem? What about if they've got a different web browser?" They can ask these weird questions, but that really helps them understand the nuance of what you're telling them: it's not just user input, it's malicious users, anyone can be a malicious user, anything can be changed. And if you want to understand a bit more about bad mandatory training, I've done a talk previously, well, I've done a talk but the slides are available, called "Confessions of a Software Dev", where I talk about how, as a software dev, I have ignored training, or how I've got around requirements that have been set for me because it's just not worth my time, right? It's not just me; it's a collection of stories from a bunch of people.

Well, what are we going to do as security people? What I want you to take away is to be more aware of what it's like to be an engineer in a company, and not just a security person. Because when I moved into security, I found that a lot of people had some engineering background, maybe from a while ago, or maybe they never came in from that; maybe they came in from a completely different set of things, and they never worked in a corporate environment with the pressures and struggles of engineers.

Let's say. So let's go for a classic one that people like to laugh at, including myself: front-end devs. They are the shittiest of devs. I have been a front-end dev, so I can say that; I moved out of it as soon as possible. But a good front-end dev, and I will say not all of them look at all of this, but a good front-end dev cares about accessibility. They're checking every web page: does it have the right ARIA tags? Does it have the right alt texts on things? Have we got good contrast between elements? You're making sure things aren't flying in. How is this built so that screen readers can read it correctly? Right. Well, they also have to care about customer experience. Research shows that if a page takes more than a second and a half to load, you drop off a whole bunch of traffic, so you need to be presenting something for the user to engage with as fast as possible. And if you're typing into a search box and you type and then the letter appears later, you're going to be infuriated; you're going to think it's crashed. Again, we care a lot about input latencies. We have to care about browser automation testing; the previous person was talking about browser automation. If you're a front-end dev you have to make sure everything works, everything clicks, everything. You have to learn a completely separate method of testing the web page you just built, so that's another thing you have to learn about. If you've worked in a bank, you have to care about Internet Explorer 7, for some reason. But all the time there are browsers coming out with new APIs, new things that are happening; there's this new thing in CSS styling, so you now have to rebuild your web page because we don't use tables for layouts anymore (please don't use tables for layouts). You've got to make your design cohesive, responsive as you move around your screen; as the person clips it to the right side of their screen, the browser looks different, and the web page has got to still be accessible. Every single API that your front end calls has a way it fails, and they have to know about every single way in which it can fail, because if it fails and the website stops working, customer support calls come in and you get blamed for the fact that some other person's API started throwing 500s because they didn't scale up correctly. But you have to know that and account for that in your front-end building. And then you have to care about security. After all of that, you've also got this other part of your job that wasn't what you signed up to be a front-end dev for, telling you "hey, by the way, also there's this other thing". But also there's a whole bunch of other things there, and one of the ones I want to call out in particular is incidents from teams. As someone who's worked front end and then worked in authentication for the back-end APIs: if anything goes wrong on your website, you as the front-end team are the first people to be called out, and your job basically becomes "find out whose API failed" and actually say that team failed: "the subscriptions team is failing at the moment, it's not our fault." So a front-end dev actually has a lot of frustrations from just other teams' failures coming through them first, even though, again, it wasn't their job.

Recognise the proficiencies of different people. Even something that you take for granted, a lot of people will assume everyone else has knowledge like them. Recognise that your experiences are unique to you, and you are the only person who's ever had that chain of experiences in that particular order. There's a great XKCD comic that says there are 30,000 people every day who are discovering that new thing that everyone should know before they're 30. Right, knowing what to Google is a skill. Often, being in security, knowing what phrases are going to go into the search box to get you the information you need is the thing you need to do. And if you're a dev that doesn't really understand security, you're just like, "alert(1) is being popped up on my screen, how fix, what is that?" There's a security person; you go "oh yeah, reflected XSS, and they were using PHP, is there a DOM sanitisation API for PHP, something like that." And even experts get security wrong; we've seen Heartbleed and various other high-profile security products with issues. So don't blame anyone for getting security wrong. Right, only when you know questions do you know answers to things, and that's the first step that you have to get into engineers: having them be able to ask the right questions.

So I already mentioned that all of your experiences are unique, and if you're sitting in this room and your team isn't, then chances are you're the security person for your team. I don't care what job role you're in, but if you're the person that's here and your team isn't, you're probably the person that people go to for security questions. You're the person that people go to with "hey, something went weird" or "hey, I've got this idea for how we can make things better"; they might ask you first. Let's acknowledge that; let's take on that responsibility. And so I want to give you some ideas on what you can do, things that I found effective.

So one of the things I've absolutely loved doing, and one of the things I found really effective, is supporting people who are pretty good. So you're in this room and people come to you with an idea. Let's say, for example: I had an engineer in my previous company, and their team was being asked to implement something to protect media that was being streamed. They had been asked to put in some watermarking systems, but they thought it would be much more effective if we really solidified our player systems in the browser, and they wanted to push the business talk away from this watermarking system, which was just going to be an HTML overlay. They said, "that's not going to be effective; what we really need to do is something more like this." But they didn't feel like they had a voice to say that to the business people: "they're not going to trust me, I'm just an engineer, they think I'm trying to get rid of the boring work and do the fun work that I want to do." So he comes to me because I'm a security person, and he talks me through the concept of what he wants to do, and he's asking for acknowledgement. And I say, "yeah, that's actually a great idea; here are some extra things you can mention as to why what they're trying to do is problematic." And I said at the end of it, "let's go into a meeting with you, your team manager and whatever business owner we have. You lay out the plan, and all I will do is say yes. If anyone asks me a question, I will probably just repeat what you said, but I'm just going to say yes. I'm not going to present this idea; this isn't mine, this is your idea." And after that meeting, that person feels really confident: they came up with a security thing, they can do security, they didn't train for it, but they know it was validated. Everyone in the team knows that that person had good security ideas, so now no one has to come to me from that team; they can talk to that person who's already there, that they work with day to day. And just leveraging your position as the security person doesn't have to mean you step in and fix everything; it can just mean you support other people who already have good ideas, and ease your own load, right? I no longer have to care about that team for a while, because they can talk to that dude.

Maybe you're working in a bit more of a big corporate scenario, and you're looking for something that's written on a month-to-month basis, or something that happens regularly that we can write in our audit reports that we do. This is what I've typically found effective: security champions. Hopefully it's a system you've heard of. So the idea here is that every team has to either assign, designate or elect a person who is the security champion for their team. That person becomes the main channel of contact into and out of that team. If the team has concerns about something they want to implement, or they want to get some more expertise on something, that person is sitting in on every team meeting because they're part of the team, and channels that back to security: maybe "hey, can we get some budget for this?" or "we want to do this", "we've got some concerns about this". Equally, if an incident comes in on my end and it's for that team, I talk to that person first, because they know what's going on in that team, and I say "hey, this XSS came in and it was for this page; can you figure out when that happened, how long has that been active?" They resolve all of those situations. Now, if you're going to put out security champions, if that's going to be a thing you want to implement, make sure you're giving them value. So at the previous place I worked, our security champions would all have a monthly meeting where we'd get together and chat about what had been happening, either in the news or internally in the company. And then also every quarter we would actually go and do training, and we would usually ask them what they wanted to be trained in: so what topics have you found difficult, what things were you looking at, maybe WAFs, maybe you wanted to really improve container security, maybe you want to understand SAST a bit better. Whatever topics they came to us with, we would arrange training for, and it was only for the security champions, because hopefully they disseminate their knowledge to their teams. But that was their advantage, that was their additional benefit for being part of this monthly meeting of security champions.

Please do postmortems. It's something I push at every company I go into, because you'll be surprised: no one does them. Anything that happens, note it down. People like to not do this because they want to pretend it never happened, but you're losing so much of the knowledge and information resource if you fail to do postmortems; you're losing so much team camaraderie if you fail to acknowledge how we can fail and how we can pick ourselves back up after that. If everyone feels comfortable sharing their failures, then failures get fixed; people don't just let them slide under the rug. Now, a key component of that is being blameless. You can mention team names; you can never mention individual names, and if you're ever taking notes, you do not mention individuals, because it is never a personal problem. It's never a problem with a person; it was a problem with a procedure. Whether that be the person failed to follow procedure, well, what controls were there to make sure they were following procedure? So make them blameless, make them recorded, make them as open as possible. That's often a challenging point, and that's something I had to fight with, with various incidents we've had, where, okay, I agree that maybe only security champions, or at least security champions, should be able to see every incident, because they need to understand the security posture that they're working within, but I can agree that some of them can't go out further than that. Ideally, anyone on any team can go and view whatever postmortems have occurred.

And this is something that I really wanted to do, but I've yet to find a company to sign off on this. This is an idea I had, and I think it's got a lot of value in it, as someone who loves being an engineer more than I love managing people who aren't my reports, which is what security often does: tells people what to do without having the ability to force them to do it. Security teams need change too. So if you can get in people who can do the work, and you could rotate them through the engineering teams, well, what does that get you? You've got a three-month rotation, let's say; a security expert is going into that team, they're helping develop the security knowledge in their team, maybe they help implement changes in that team that need to happen, maybe the team's been putting off implementing a WAF because they're worried, and now they can go ahead and do that.

Or alternatively, the value you're getting is that you are hearing on the ground what is happening within that team. You can really understand the priorities of that team; you can understand "hey, this team seems to be falling behind in the security training we've been giving them", and you find out that team is being hammered by the C-levels because it's the latest market that they're trying to break into, or "we've suddenly got to implement five new mechanisms because of something", and the security team was unaware of the other pressures that team was under. So I think having security engineers rotate around and work part-time in security, so they're still developing for the wider company but also helping each individual team, is again communication: spreading knowledge, spreading great ideas.

So to finish, what I want you to do is to try and understand engineers a bit better. I want you to help engage people to become champions of security within their teams. Get security champions; they'll really help spread the load. It's not just you jumping into every team, and security should be embedded in teams, ideally. Ideally, I say, put people from security teams in and rotate them around, but security champions is a step towards that already: you've got security sitting in on every meeting, in a way, every prioritisation. And make sure to pass on everyone's input. Any questions?

We've got one at the back.

[Applause] Okay, I'm going to have to move away.

Okay, all right, so the question is: everything kind of piles up; when does becoming a security champion not become additional work? Unfortunately, it does, but that's why I say you've got to give additional benefits to those people. And ideally, what you're looking at is: as a front-end dev, I came into things looking for all of those issues, right? But when I join a new team, what I'm going to do is figure out who on this team cares more about this than me, so I don't have to care about it anymore. So once, I cared a lot about accessibility because it seemed like no one else knew what that was, so I became the accessibility person. But I joined another team once where there was a QA tester who was absolutely spot on with our stuff: every screen reader, he knew about it, he's like "we need to do this, this and this", and I didn't feel like I had to project that anymore, so I could step back from that, and that led me to have more space to be the security champion. So it is going to be more work to be a security champion; ideally you look at how we can spread loads within teams, and that becomes more of a team dynamics problem: how can the team take on this responsibility, or how can we address this as a team? But maybe individuals are taking responsibility. Hopefully that gives you some ideas. Anything else? Cool. [Applause]
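The bug the speaker walks through above, as an added example that is not code from the talk or from the speaker's company: a Python re-creation of the PHP pattern (the raw "lang" GET parameter dropped between quotes inside a script tag), beside a hardened version that treats the parameter as untrusted regardless of whether a 301 redirect set it, allow-lists the code against the languages the site actually serves, and encodes it for the JavaScript string context anyway. The supported-language set (en, fr, pt, taken from the languages the speaker names), the function names and the crafted test URL are assumptions constructed for this example.

```python
"""Constructed example: the 'thank you' page pattern from the talk, re-created
in Python rather than the original PHP. render_thanks_page_vulnerable() mirrors
the code the speaker found (raw GET parameter between quotes in a <script>
tag); render_thanks_page_hardened() treats ?lang= as untrusted no matter who
set it. Function names and the supported-language set are assumptions."""
import json
import re
from urllib.parse import parse_qs, urlsplit

# Assumption: the site supports the three languages the speaker mentions.
SUPPORTED_LANGS = frozenset({"en", "fr", "pt"})
DEFAULT_LANG = "en"

# Syntactic pre-check: exactly two lowercase ASCII letters, nothing else.
LANG_RE = re.compile(r"[a-z]{2}")


def lang_from_url(url: str) -> str:
    """Return the raw ?lang= value, percent-decoded, as PHP's $_GET['lang'] would be."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return query.get("lang", [""])[0]


def render_thanks_page_vulnerable(lang: str) -> str:
    """The pattern the speaker found: whatever arrived in ?lang= becomes part
    of the JavaScript source. A 301 redirect set by the server is still just a
    URL once it is in a user's browser or pasted into a chat message, so the
    value is attacker-controllable input."""
    return (
        "<html><body><h1>Thanks for your message</h1>\n"
        '<script>var lang = "' + lang + '";</script>\n'
        "</body></html>"
    )


def validate_lang(lang: str) -> str:
    """Allow-list validation. The answer to 'whose input is it?' is that the
    server cannot tell its own redirect from a crafted link, so every value is
    checked: two lowercase letters AND a code the site actually supports.
    Unknown or malformed input falls back to the default language rather than
    being 'cleaned up' and passed through."""
    if LANG_RE.fullmatch(lang) and lang in SUPPORTED_LANGS:
        return lang
    return DEFAULT_LANG


def js_string_literal(value: str) -> str:
    """Encode a Python string as a JavaScript string literal for an inline
    <script>. json.dumps escapes quotes, backslashes and control characters;
    '<' is additionally escaped so the literal can never contain '</script>',
    which would otherwise close the tag at the HTML-parsing stage."""
    return json.dumps(value, ensure_ascii=True).replace("<", "\\u003c")


def render_thanks_page_hardened(lang: str) -> str:
    """Validate first, then encode for the context anyway (defence in depth:
    if the allow-list is ever widened, the encoding still holds)."""
    safe = validate_lang(lang)
    return (
        "<html><body><h1>Thanks for your message</h1>\n"
        "<script>var lang = " + js_string_literal(safe) + ";</script>\n"
        "</body></html>"
    )


# Constructed test input: a link in the shape the speaker used to show the bug
# (alert(1) as the marker). Decodes to: en";alert(1);//
CRAFTED_URL = "http://localhost/thanks?lang=en%22%3Balert(1)%3B%2F%2F"


if __name__ == "__main__":
    raw = lang_from_url(CRAFTED_URL)
    print("vulnerable:\n" + render_thanks_page_vulnerable(raw))
    print("hardened:\n" + render_thanks_page_hardened(raw))
```

Running the module prints both renderings for the crafted URL: the vulnerable page carries the injected script verbatim, while the hardened page falls back to the default language and emits a plain "en" literal. The allow-list is deliberately strict rather than a sanitiser: a language code the site does not ship a translation for has no legitimate use, so rejecting it loses nothing, and there is no partial "cleaning" step for an attacker to reason about.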