
Hey, all right, so we're getting things set up here. We're just going to continue the broadcast for those of you hanging out with us. Awesome, thank you very, very much. We've got a little bit of technical work to get everything up and running here for Raf, and then I'll drop off the stream. Any questions as they come in, I will bring them over into the private chat if you want, or I can interrupt you; it's really up to you. How do you want it? I don't care, you can interrupt; it's better this way. All right, excellent, interactive is always better, man. All right, I will drop myself off the stream, though, so that they're not seeing my ugly mug and they can see you, and make sure that they can see your presentation once you get it all connected up here.

All right, so all that's good. I can hit the share button; got my slides uploaded. All right, so do the share and I will add it to the stream. All right, how do I switch slides? I'll just hit the forward/back button, I suppose, right? Yeah, I'm guessing. Yeah, look at that, that's easy. Amazing. All right, so we're actually right on the... we've got one more minute and then we're going to be able to get on there, so if you want to grab yourself a coffee, anyone who's sitting in the chat and needs a bio break, now's your time to go get it. We are going to try to start promptly, but give you a couple minutes here just to go and get yourself all set up. I think if I have any more coffee you'll see me physically vibrate. [Laughter]

I do one of these things where I'm scheduling episode 500 of the Down the Security Rabbithole podcast, and we're doing it live, so I've got Rob Hanson and I, and Snake and I, playing text tag back and forth, and he's like, hey, you haven't sent me the meeting invite for it yet. And I send it to him, and he goes, dude, you set it for 5 a.m. Like, sorry, time zone math; I'm scheduling it for East Coast, I'm on the West Coast, I don't even know what day it is. Well, that's where coffee helps a little bit; bourbon does the rest. That's right.

All right, here, so I'm just going to clear out some things on myself. Guys, recording this, right? Yeah, it's all recording. We're going to cut and chop this all up; it'll be a lot cleaner. This banter won't be on the stream, on the YouTube that we'll put it on later, but everyone who's here right now, they're seeing and hearing us, so don't say anything bad. My video, there you go. Your video is awesome, you're looking good, you're sounding good, your presentation looks good, so I think we're going to be all set to go here. I am watching on two different screens because I've got you here in the back end so I can chat with you and the stream, but I'm also on the front end live so I can see the people. We're a little delayed on the front end, so that way I can at least get questions and get them to you. But like I said, what I will be doing is I'll be dropping off once we're ready to rock here; I'm still here, but I'm just not... We had a little hiccup in the first one there where the broadcast died for just a moment. Yeah, I saw that. So I have no idea what happened, but I'm sure the gremlins in the wire will figure it all out. So, okay, with that in play, I think we're ready to rock and roll if you are. Yes, sir. I'm not even going to introduce you; people know who you are. If not, please don't introduce yourself, because hey, who doesn't know the White Rabbit, and who's not listening to the podcast? Come on. I don't know, wow, that's awesome. Thank you. Have fun, and I'm here if you need me, but otherwise I'm dropping off. All right, go for it.

All right, good. I think it's still morning; good morning on the West Coast in beautiful Vancouver. How are you guys doing? This is Raf. Some of you may know me by the Twitter handle, the White Rabbit. Just a plug: who am I? Well, I've been around for way, way too long. Some of you guys may have seen me present there, well, not recently, but a couple of years ago. I still have my cool socks, the pink and blacks, from presenting up there. I'm coming up on episode 500 of the Down the Security Rabbithole podcast in exactly seven days, and so hopefully you guys will be on the live stream for that; go find that on the LinkedIn page, look up Down the Security Rabbithole podcast, I'll be there.

This talk is called Chaos in Userland: When the Feature Is the Vulnerability. I have spent a lot of years in various parts and disciplines within AppSec; I claim to be a master of none of them, but this one comes from AppSec land. I've recently had a chance to venture back into this world, primarily because there is this magical layer eight of the OSI model a few people talk about, and that's leadership and budget. So let's dive right in. Apparently my arrow key doesn't work, so I have to use my...
All right, I'll do this in three parts. First one is: what's the problem? Second one is: how do they get there? Third is: now what? Now what, right? So feel free, please ask questions in the channel; I'm sure they can interrupt me, I have no issues with that.

And so, what is the problem? What are bad features, otherwise known as vulnerabilities? Well, I think the first question, really, that we have to start with as the premise is: what exactly is a feature? It can be one of many things. Features are, generally speaking, something that is required, right? So it's something new that wants to be there. There's two sources of them, as far as I can tell, that are, generically speaking, across the universe. The first one is customer requirements. For those of you that build software or product for the customer space, a customer will want something; they say, I wish it could do this or that, and somebody says, hey, they're paying for this, let's go ahead and build it. The second option is an idea or an innovation. So you've got a bunch of people sitting around a room, generally these are engineers, and they go, wouldn't it be cool if... and suddenly the "if" thing happens. This is generally the more dangerous one, because "wouldn't it be cool if" typically results in fun mayhem, as you'll see in a little bit.

So let's talk about this. The second premise is: what exactly is a vulnerability? Well, you guys are in AppSec, you know what that is, but a little bit of reflection: a vulnerability really comes down to a couple of things. It's a flaw or an error that causes a weakness in the system that you can exploit, potentially, to do bad things, or, if you bear with me, things that you probably shouldn't have been able to do in the first place. And that's where this talk, that's where this conversation, gets kind of fun. So what exactly is the difference between a feature and a vulnerability? Well, you'd think they were pretty obvious, except sometimes that's not so much the case. Can something be both? And sadly, the answer to that is yes, more often than you guys will probably want to admit. And in the comments, in the chat windows here, if you've ever run into one of these, just, I don't know, wave or say something that lets me know. But I'm pretty sure every one of us at some point in our careers has encountered something where we say, hey, that's really cool, but that's awful at the same time. So I will give you a couple of examples, and you're welcome. So, a couple of examples; you'll recognize some of these. And it would be really fun if you would, as I give the generic version, if you have your hands on keyboard, be ready to type out what it is.

So the first one: remember when you could upload CSS unfettered to a web page to make cool things? Anybody remember what that was called? Anybody? There you go, remember Tom on MySpace? Yeah, that was awesome. You know what the result of that was? You guys remember the Samy worm from our friend Samy Kamkar? Yes, that was a good time. Sadly, once that happened, people sort of went, wait, I could do this kind of thing all over the web, and hilarious mayhem ensued.

What about JavaScripted PDFs? You think that was a customer feature, or you think there was a bunch of developers sitting around going, you know, it'd be really cool if... I've got to tell you, I wish I had a magical machine that I could get into that would take me to that point in time, because there are some words I'd like to have as a security practitioner.

What about the one-click buy? Does anybody remember this one? This was a big deal close to almost a decade ago now. Anybody remember? So the one-click buy, it was the famous thing; Chris Shiflett, I think, was the discoverer of this in Amazon, and like a year goes by and they're like, it's no big deal. But you could literally bury a bunch of hidden data in a form, have somebody click a button, and buy things for you and have it shipped to your house, all with no intervention. It was brilliant, until it wasn't.

Website file uploads. Yeah, these are a fantastic idea: upload random code to a website, random files to a website, no big deal there, right? Every website ever that asks you to identify yourself and asks you to upload a profile picture of yourself: can you upload scripts? Can you upload very, very, very large multi-terabyte GIF files? I don't know, try to find out. So all these crazy things, all of these at some point were a fantastic idea. Somebody said, you know what, it'd be really cool on this boring social media page if you allow people to personalize it. You know, I should let people personalize it; let's let them do cascading style sheet inserts, because it's cool. It allows you to create flashing marquees, it allows you to do all kinds of things, and what's the worst that could happen, right? What's the worst that could happen? So these were all good ideas, but something along the way went wrong, so horribly, horribly wrong.
Terribly wrong. And it's strange, because if you start to think about how we go from really good idea to really bad outcome, it's not a terribly long stretch of chasm to cross. And so how did some of this manifest? Okay, how did we build in vulnerabilities completely by accident? And so most people would say, well, this is simple, right? I mean, it's quite easy, duh, it's the developer's fault. I mean, what kind of [insert derogatory phrase] person would do something like this? And the answer is: all of them, all of you, all of us who have done these things, right? We have thought up a wonderful feature. You know, we've all, well, maybe not all of us, at some point in life thought, hey, I could put my key under the mat while I'm going away for the day, and a friend of mine can come over and easily get in. Meanwhile, the stranger that walked by, that watched you do that, now suddenly has a great way into your place, right? So blaming developers is fun and easy, but if you've never seen this graphic, I keep this around for all these types of talks; I'll give you a second to kind of page through it.

I like it; Tyler puts in: hey, let's integrate this browser with OS components to make it easier to do stuff. Yeah, awesome idea, super powerful. I think I just saw something about Python being integrated into the web browser to allow you to script Python in with OS commands. What's the worst that could happen? I mean, that sounds like a fantastic idea. But if you've gotten a chance to read this slide, right, it's really interesting in how you think about this, because if you've ever played that game where you sit back to back with somebody, you have your own pad and pencil, and you are asked to sketch something out by a third party, and then you turn around and you swap drawings and you go, how the heck did you get there? The other person goes, that's weird, why would you draw that? That's how we got there.

Okay, it's not quite that simple. It's not as simple as blame, because if you think about creative misuse, which is basically the job title of anybody that's in this industry, right? We do creative misuse. We look at how something is meant to function and then we go, yeah, so what happens if you [insert fun thing here]? Creative misuse is a really interesting way to get from really cool feature to oh my God, we blew up the internet in like seven seconds. Case in point: so on one hand we have really good intent, on the other hand we have really bad outcome. And they say the road to hell is paved with good intentions, otherwise known as really interesting features. Okay, and if you think about some of the really bad things that have gone on that were complete accidents, like things that were put in Log4j, these things that were put into the browser, things that were put into applications, where somebody said, this is a really good idea, and yeah, it's probably a really good idea, but it's also a terrible, terrible vulnerability. It's going to allow bad things to happen, and both of those can be true at the same time.

So you guys know what's going on right now with Netflix. They're having this issue where there's thousands of people sharing profiles, and potentially tens of thousands and hundreds of thousands, if you believe them. So Netflix profiles: it used to be you log in to Netflix and you watched and it kept track of you and all that, and they went, you know, what if there's like multiple people living in the house? Jackson: I was promised no one would mention Log4j. Sorry, wrong talk. Netflix had these profiles in that, you know, your kids could have their own profile so it would recommend things they like, your significant other, you, which was awesome, until people went, hey, that's cool, I can give like seven of my friends profiles and my password and we can all watch what we want, and it'll keep track of all our things. So the feature is multiple profiles. What a fantastic idea, a great innovation, and by the way, it has been copied on just about everything: Disney's done it, Amazon's done it, Paramount's done it. You can tell how many streaming services I've signed up for, but all of them have done it at some point. Now, the outcome of that is a happy family of users, and yay, congratulations, but also password sharing, ergo Netflix has an issue, because one person pays and like 12 people can watch. Yeah, that tends to be a revenue problem.

So the developer says, hey, look, this is working as intended, right? You guys wanted us to create profiles; we created profiles; they work. Did they work as the spec sheet said? And the answer is absolutely. And then security people come along and go, seriously, this is a problem, right? Because it does create, well, not even security at that point, if you're talking the Netflix example, but revenue people come along and go, yes, this creates an issue for us. So here we have two things that can be true at the same time. It can both be sunny and raining at the same time. You can have a great feature that's also hilariously exploitable and bad for the company at the same time. Yes, that would be great; the world would be a better place if those really cool ideas were at least optional, documented, and always disabled by default. Tyler, good luck with life if that is your philosophy. I would love that too; it's not the parallel universe I live in, but maybe it is at some point. So let's think about how we address this. What is the root cause?
Right, how in the world did we get there? Whose fault is it? Who do I blame? Where do I go? So, all right, there's a couple of these. The first one is requirements in isolation, and that means that somebody went through and took some requirements and didn't talk to anybody. Earlier on in my career, I'm not going to tell you when, but it was a long time ago, it was pre-2000, I was perfectly aware of several of these types of situations where a bunch of project people got together and said, hey, the customer wants us to do this, what do you guys think? And, yeah, that sounds like a great idea, we should do it this way, add this feature, move along. Nobody in security was ever invited to those things; arguably, in 2022, they still aren't. But it was the "we'll do security on this later," right? Oh, we'll have security give this a look later. Well, the problem with that is some things are fundamentally broken and you can't security later then. So you get to this level of catastrophic failure where you're like, look, you put yourself into this, there's nothing I can do to get you out; I can just watch the train wreck in slow motion, as this kid is, the pain he's feeling. So think about Flash. If you guys listen to the podcast way, way back, I had Brad Arkin on the show, golly, it's been a hot minute, but he talked about when his team took over, at Adobe at the time, Flash, and the SWF player was awesome. You could do so many cool things with it, and believe me, people did. I did an entire talk on people doing authentication within Flash; that was fun. But he's like, look, the code had been written, the functions were in the plugin, and they're like, okay, now you go secure this. He's like, you're accepting unvalidated input as part of the app, you're allowing this and this and this and this; unless you change that, I can't do anything. Like, no, that's done, you just go do the security thing. He's like, all right, so what I had to do was basically we had to do a giant sandbox for this hot mess of code. And that's the situation y'all get into, and it is not fun. So once the requirement is built, security can be completely, or at least nearly, unpossible, or, for those of you that know the reference, inconceivable. So it is exciting that way.

Number two, how does this happen? Well, development in isolation. So we've had requirements in isolation with nobody's input; this is development in isolation. This is probably a little further down the road, at the point where things still could be salvaged but probably aren't. And so, you know, back in my vendor days when I worked for HP, we had a fantastic unit that provided customers with functional testing software, performance testing software, and we even bundled security testing software. Well, we challenged people to ask: does it function, does it perform, and is it secure? They got two out of three right; guess which one they didn't do. So the reality is, development tends to get done, developers worry about function and performance, and it's really difficult, as an aside, as a security professional, to come in and say, we used to think about it this way: well, what are all the things it's not supposed to do, right? If you remember the way AppSec used to work, we'd get a scanner and we'd say, okay, I'm going to scan it and anything that it kicks out is bad. Like, yeah, but if a third party is writing this, tell me... all right, like, the developers and the project managers are telling me all the things that it should do, here's the list; tell me all the things that the software is not supposed to do. You're like, basically anything except for these things in this list. And it turns out that's a hard thing, right? So these would become problems.

Security testing done later, and much to my chagrin, you could still do security testing later, but not without the actual product spec. Not without: what is it supposed to be doing? What are the actual requirements? Does this app really require me to upload arbitrarily any file, or did the customer say, hey, I want to upload pictures? And could it be pictures of a specific type, JPEG, GIF? And could it be pictures of a specific size, between two meg and 10 meg? Like, what's the use case for uploading four petabytes of a GIF file besides hilarity, right? So having specs when you're doing security testing is super important; if you've got nothing else at that point, you should be able to do that. Otherwise you're basically asking your security team to, you know, go find all the things that this thing's not supposed to do, and the answer is that's a pretty large space of stuff.

My favorite topic: pattern-based security testing. I'm hoping that most of us are through this dark forest and into the light, but if we're not, this whole type of vulnerability class, right, these abuses of function, this is not SQL injection and cross-site scripting, where you can develop patterns for it, write it into an app, and say go. This requires human creativity, because scan tools won't find it. And this is where we get that creative misuse again, right? We sit in that room and go, all right, I've run the scanner, it's kicked out some SQL injections, some cross-site scripting, easy to fix, we'll get the developers to do that. Now, what are all the things that I could do with this that I'm not supposed to do? And that is a really tough thing, because it's a lot of space, and generally speaking, you're probably not allowed to just go randomly beat up applications and use cases.
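As an added example (not from the talk or its slides), here is what testing against the spec just described looks like in Python: a validator that accepts only what the customer asked for, pictures of type JPEG or GIF between 2 MB and 10 MB, identifies the format from the file's magic bytes rather than its name, and rejects everything else, including the ".jpeg full of CSS" case the talk returns to later. The spec values are the ones quoted above; the file signatures and trailers are the standard ones for those formats; the sample files are constructed inline and are not real photos.

```python
"""Spec-driven upload validation (added example; assumes the photo-upload
spec quoted in the talk: JPEG or GIF only, between 2 MB and 10 MB)."""
from dataclasses import dataclass
from typing import Optional

MIN_BYTES = 2 * 1024 * 1024    # "between two meg and 10 meg"
MAX_BYTES = 10 * 1024 * 1024

# Standard file signatures (magic bytes) for the two permitted formats,
# paired with the trailer each format ends with.
SIGNATURES = {
    "jpeg": ((b"\xff\xd8\xff",), b"\xff\xd9"),
    "gif": ((b"GIF87a", b"GIF89a"), b"\x3b"),
}
# Extensions that may carry each detected format.
EXTENSIONS = {"jpeg": {".jpg", ".jpeg"}, "gif": {".gif"}}


@dataclass(frozen=True)
class Verdict:
    accepted: bool
    reason: str
    detected: Optional[str] = None


def sniff(data: bytes) -> Optional[str]:
    """Identify the format from content, never from the file name."""
    for fmt, (heads, _trailer) in SIGNATURES.items():
        if any(data.startswith(h) for h in heads):
            return fmt
    return None


def validate_upload(filename: str, data: bytes) -> Verdict:
    """Return a Verdict; each check maps to one line of the spec."""
    size = len(data)
    if size < MIN_BYTES:
        return Verdict(False, f"too small: {size} bytes, spec minimum is {MIN_BYTES}")
    if size > MAX_BYTES:
        return Verdict(False, f"too large: {size} bytes, spec maximum is {MAX_BYTES}")

    fmt = sniff(data)
    if fmt is None:
        return Verdict(False, "content is not a JPEG or GIF, whatever the name says")

    # The name must agree with the content, so "style.jpeg" holding CSS or
    # Python is refused here, before any downstream consumer ever sees it.
    ext = ("." + filename.rsplit(".", 1)[1].lower()) if "." in filename else ""
    if ext not in EXTENSIONS[fmt]:
        return Verdict(False, f"extension {ext!r} does not match {fmt} content", fmt)

    # A well-formed image ends with its trailer; bytes appended after it are
    # refused. This is a cheap structural check, not a full image parser.
    if not data.endswith(SIGNATURES[fmt][1]):
        return Verdict(False, f"{fmt} content has trailing bytes after the image", fmt)

    return Verdict(True, "within spec", fmt)


def constructed_samples() -> dict:
    """Constructed inputs for demonstration only; none is a real photo."""
    body = b"\x00" * (3 * 1024 * 1024)  # 3 MB of padding, inside the size window
    return {
        "ok_jpeg": ("holiday.jpeg", b"\xff\xd8\xff\xe0" + body + b"\xff\xd9"),
        "ok_gif": ("cat.gif", b"GIF89a" + body + b"\x3b"),
        "css_named_jpeg": ("style.jpeg", b"body { color: red }" + body),
        "tiny_jpeg": ("icon.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 512 + b"\xff\xd9"),
        "huge_gif": ("wall.gif", b"GIF89a" + b"\x00" * (11 * 1024 * 1024) + b"\x3b"),
        "gif_named_jpg": ("photo.jpg", b"GIF89a" + body + b"\x3b"),
        "jpeg_with_tail": ("photo.jpg", b"\xff\xd8\xff\xe0" + body + b"\xff\xd9" + b"<extra>"),
    }


def run_samples() -> dict:
    """Validate every constructed sample; returns name -> accepted flag."""
    return {name: validate_upload(fn, data).accepted
            for name, (fn, data) in constructed_samples().items()}


if __name__ == "__main__":
    for name, (fn, data) in constructed_samples().items():
        v = validate_upload(fn, data)
        print(f"{name:16} {fn:14} accepted={str(v.accepted):5} {v.reason}")
```

The size check here runs after the whole body is in memory, which is fine for a test harness; in a real service the maximum has to be enforced at the request layer, before buffering, or the "four petabytes of GIF" case becomes a denial of service before validation ever runs.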
but we're agile that's great good luck agile just means you can do it faster but creative misuse is is both a a good thing and a bad thing in this in this discussion so um implementation ambiguity uh i i don't like this one number four here but what it means to me is i've asked for something ambiguous and you've implemented something ambiguous and the result is it does not really it does either not enough or way too much but at least it meets you know the base of what i wanted so let me show you hey anybody been on these calls well hey uh the firewall's blocking this app okay it's not working something's not working
it's got to be the firewall what's always the firewall let me let me break it to you and somebody says well okay fine how do i what do you need to make this thing work what ports what protocols what ip addresses what's the application and the person says i don't know just enable any and and yeah i mean and that's basically what our reaction is but um it's true um what's really interesting is ambiguous requirements uh tend to be people tend to err on the side of overly uh overly uh uh overly cautious uh they allow they build in way more than they should because you figure okay if somebody says going back to that sweet tree swing if
somebody says i want a bridge uh over this stream uh you may think that it you know you may want it to be uh you know enclosed you may want it to be uh you know well leveled and what really somebody's asking for is a two by four so they can walk across it right but if you over build odds are you can a charge more b it looks really cool and see somewhere in that over build you've met your customer requirement so that's why it gets there so do you guys remember this nightmare right when you know somebody you're on a call or something and doing support and somebody's well we just need to open all
the ports because it just has to work we'll figure this out how to lock it down later and the answer is no you won't nobody ever does it's never going to happen that way i'm sorry number five is technical limitations and uh some of these are real some of them are uh contrived and by that i mean or maybe even circumstantial so we need to upload photos i you know have been one of these conversations where um an app a project needed to upload photos technical schematics whatever into an application and the developers were like yeah okay i'll allow file uploads and in reviewing of the spec i thought to myself well the customer request says
uh photo uploads that it's app spec says file uploads those are not the same one encompasses the other and you think okay what is it that i could do if i could upload arbitrary files to a web server at any time like holy crap right hello malware so thinking about this the developer can't potentially differentiate file types okay so develop your developers either not good or the 18 year old or the 15 year old in russia that you've hired isn't quite up to the latest whatever on whatever framework you're using and so rather than photo uploads they do file uploads they don't check sizes they don't even check the header to make sure it actually is a jpeg file if it's named
jpeg good enough for me um so the reality is uh these can be technical limitations so developers enables uh any file upload and well you know you guys know how that goes right all right so hopefully uh let me give you a second to kind of flip through these comments uh yes yes static code analysis helps in some things but uh unfortunately that doesn't unfortunately solve that problem so let's talk about how we can reduce the and decrease the risks here because the reality is it's not going to go away uh blame does not fix this it doesn't matter how many project managers you get fired it doesn't matter how many developers uh get tongue lashed and and
yelled at and reprimanded it doesn't matter how many times you make the front page of the new york times uh for being uh you know overly crazy um it's going to happen again right so it will guaranteed happen again somebody is going to fall into one of those five categories that i just went through on the y and we're going to uh we're going to get to it's going to happen again so you've got three possibilities okay and i i think the three possibilities um i think they're very realistic and i'm going to give them to you in order i think you should do them all but if you can't uh start start at least as far back into
the requirements phase as you possibly can and if you can't then i'm i don't know what to tell you so number one at requirements time critical requirements review all right this doesn't require any particular expertise in any you know particular development language it doesn't even require security people it just requires somebody to do a critical review of the requirements you're being asked to do okay uh the customer says upload i'll upload all files can we restrict that somehow like is that really necessary uh am i do i really have to go you know pull in arbitrary file types ask these questions ask lots of questions and you know i tell people uh act like a you
know sometimes in these things act like a five-year-old does just keep saying why that needs to happen why because this why because this why go do you know what you're saying right now and eventually you'll let people get to the conclusion of if if i continue down this requirement path if i if i allow this to happen um bad things are going to happen look guys i know you want people to upload you know arbitrary files into this website that you're creating because you want them to be creative but maybe stop to think that this could create a wormable condition or your application or our application could become the source of a ransomware outbreak and distribution method for
somebody else is that really something you want can we do something that could limit this right ask do that what if analysis so what happens if hey have you thought again you guys thought about what if right and and get into that into that mindset of asking questions because if you don't i know who will and they probably don't work for you start thinking about misuse case this is where the i guess the creativity of the of this community really uh impresses me because i think that we get we are so creative by default sometimes it's a little scary uh because i've seen i've seen projects that i would otherwise think are fairly well locked down the requirements are pretty
good and somebody goes hey have you thought about whatever and my brain goes oh my god i would have never thought that i can't what kind of person would would do that and you go wow that's terrible i need to fix that so uh it is it's interesting um it's really interesting how some of the misuse cases uh apply and appear uh in in in in these issues so down scope broad requirements if something says i need all ports open on on our firewall all ports open uh on all these hosts yeah no you don't like tell me what you really want to do like the spice girl song tell me what you want what you
really really want uh yeah i know it's a job it's a drawback but uh uh i think the uh i think trying to downscope what people want because everybody's going to tell you they want everything you go yeah but that's not possible what's the what's the least amount of fee function that will accomplish the requirement that i can secure that i can think about securely um evil user stories i like that chris that's a good idea abuse cases evil user stories that's a good idea all right number two is development and testing i think that if you're going to go have a little bit of fun have it during development and testing phases you're going to be able to
get a lot of really really interesting results if you allow people to um really get involved in development testing phases but then again we've been saying that for literally decades now so test requirements test the actual code itself go in and look at what it is go look at all the things that you that they think it does right so the way i write that i do this mentally is i have a white board and i i look at the requirements like what is what what did the customer or the the person writing the requirements intend and then i say what is the function and i say then i have on the right side of
the board like what is all the things that he could actually do that no this side has never thought about and that's a lot of fun because what you oftentimes find is like five requirements on this side and by the time you get to the other side of your board you're running out of space because and then you get to have take that take a picture of that send it to the uh what i would do is i'd write the good things in blue and the bad things in red and i would send it to the project managers and i go all right i did my analysis on your requirements here's what i think and oftentimes they
would look at and go oh cool it can do so many other why is all that red stuff there right and and you go well what do we do about that and that sparks conversation so testing code is a big big idea but testing it before it becomes good but even when you're looking at functions because when you're like there's some of these modules that get used they you know the developer will use it for one function within a module that has 40 other functions in it what are the other 40 do can we can we add them can we have fun with them can we do really really bad things with them the answer is probably yes
testing downstream functions so okay think about it this way you are integrating multiple applications and you you your app allows uh file uploads um they don't check for the header and so even though it says photos only but it's a you saw you create a dot j or dot jpeg file with a bunch of css in it why not because you can or whatever you want to stuff inside there python whatever and it goes downstream and that downstream you know one application passed to another pass to another password and somewhere downstream that app decides it's going to process that file it looks at it and says that's not a jpeg that's it that's a that's code i'm going to run that code
for you it didn't affect you but it affected something downstream so think about the downstream functions that happen and that's a really impre impressive and important uh way to look at it because it forces you to look at the entire ecosystem of what you're testing and what you're developing rather than a single function because just because that single function can't be exploited by the bad data you insert doesn't mean the 17 other things that take advantage of that data as a secondary uh consumer of that data that that bit that input doesn't mean that they can't be badly uh influenced and broken so think about that one security test functionality so uh security test the functionality
that's in these applications, and what I mean by that is, sure, stuff the wrong characters in there. My professor back in college, when my first assignment in MIPS RISC, yes, because this was a long time ago, asked us to write a calculator in assembly, and I was pretty impressed with myself. I actually got it to run. It was cool. I could do five plus five, ten plus ten, twenty-seven times eight, whatever it was. And he asked for volunteers who got this code running, and, you know, who's excited about it? I'm so excited. I raise my hand, he pops it up on the projector, and he says, "All right, it runs." He goes, "Now let's try some functions." He did three plus three, six, like, yes. He does nine times seven, yes. A plus Q. I'm like, wait, why would you... it core dumped. I was like, "Wait, why would you do that?" He goes, "Why not? Because you didn't check your inputs." And I said, "Well, okay, but it does all the things you told me to. If you put in numbers it works, but if you don't put in numbers it doesn't work. Like, why would anybody do that?" And that class more than anything got me thinking about this industry in the mid to late 90s, because it got me thinking about, all right, I fulfilled the requirements, but I didn't create limitations on those requirements, and so people could stuff all kinds of things into my calculator function, and, yeah, bad, bad things happen. And so that's a good area to think about, really, when you're talking about security testing functionality.

Allow open-ended security testing. So, open-ended security testing is a lot of fun. What I mean by that is, don't put restrictions on your security testers when you're testing a function, an application, a kiosk, whatever, right? Whatever the thing is, generally it's code of some kind. But don't limit people. Allow them to get creative, allow them to creatively misuse or be the evil user, and then have them come back to you with all the crazy things they could do that your developers and your project management team and your customer would go, "Why would anybody do that? Oh my gosh, the outcome is not good," right? So, you know, if you can deposit, or if you can withdraw, a negative number from your checking account, and it allows you to do that... like, this is an old trick, way, way, way, way back. We used to play these when we'd write code in school; we'd write ATM types of apps, and if you could write one that would allow negative inputs to allow you to give yourself money... why would anybody do that? Very simple, okay: I like money. So open-ended security testing and allowing people to get creative is super important. Don't limit your testers, which means this isn't going to be something that, you know, you can give to security on Friday afternoon and say, "Hey, it's going live on Monday, just go and give it a chance." That's not how this works. You have to be involved as much as possible throughout the process.

Yeah, then I think "core dump all the things" would be a good shirt, or just "Segmentation fault (core dumped)". I think that would just be a great shirt to have, because people would look at you funny, except for those that are as old as us, and then they'd laugh.

So, you know, let people get creative. Let people go blow things up, and I'm sorry, but sometimes it's going to require the system to go up in flames, because it's better that you find that than somebody else. Don't artificially limit your security testing. Don't say, you know, you can only use these inputs, don't do anything bad, which is how we get to, "Well, I've already
deployed this, don't do anything bad that could harm the app, and go ahead and securely test it." That's nonsense. That doesn't work.

All right, so post-deployment. There's things you can do. For example, designing for failure. This is something we started doing about 15 years ago. Not everybody's gotten that memo, but I hear it's getting passed around quite a bit. Designing for failure is interesting because you say, okay, people are going to put all kinds of crazy things into this text field or try to upload all kinds of crazy files. What happens when they get one past the development team? What happens when they get one past us? This is an opportunity for basically being able to log all the things, or as many things as you can find necessary, and then look at the things that you should see and look at the things that are happening and say, do these relatively closely match up? And this is how you get behavioral profiling on applications, on humans, on anything, because if we know what it's supposed to do and it's not doing that, something could be very, very wrong, right? Like with that fish kissing picture earlier. So, designing for failure.

Implementing compensating controls is also another thing, right? What you want to do is limit the impact of poor requirements as much as you can; limit the impact of when something breaks. You know, this is why the concept of zero trust has gained so much traction and people have taken it so seriously, because when, not if but when, something catastrophically blows up in your environment, how do you keep it from taking down the entire company, right? This is why cloud service providers have pushed this resiliency concept, so if, you know, us-east-1 in Virginia goes boom, the whole world doesn't stop. Except that it sometimes does, quite often, in a big way. But let's get past Amazon. This stuff does happen, right? So how do you design for minimizing impact, increasing resiliency, and when bad things, misuse, happen, what do you do about it? That's an important question. It's an important topic to discuss.

Log and analyze is what I'm getting at, right? Log application functions. Log the application when you're doing use case testing. Profile the application. Profile the thing: how much CPU is it using? How many times does it query the database per user per minute? How many rows on average does it return? A long time ago we had a really cool case where an application got profiled using the performance management suite of tools, so they knew the nominal CPU, they knew peak times and low periods of the application, they knew how many users it should have, they knew how many connections each user opened, how many queries they issued, how many rows were on average returned. And so when the security team saw a potential, possible SQL injection attack, they looked back to the app team, and the app team said, "Well, let's see: one user has 25x the number of typical queries against the database, it's returning 1000x the row count, and the CPU is 90% busier than it normally is. Yeah, that's a problem, probably, right?" So being able to look at these things in multiple dimensions, not just our security dimension, is hugely important, and it allows you to monitor for misuse.

Guys, this is really tough, and I'm not going to say there's a magic unicorn out there that's going to do it. There've been apps out there that have said, you know, "We do behavioral profiling and understand how things go." The reality is apps are complex, environments are complex, and sometimes your applications will do completely bonkers things just because that's the way they were designed, and they were going to do completely bonkers things. But try your best to monitor for misuse.

All right, and I'll give you guys some of my parting thoughts here. This is a common issue. This is not something that you're just
facing, I'm just facing. It's happening everywhere, all the time. It happens to major companies, really good companies like Netflix and Amazon. It happens to tiny companies. It happens to just about everybody. Bad features are everywhere, and there is absolutely no magic fix, okay? That's the sad part. There's not a magic fix, but you can have fun trying. You're going to need some sort of strategy, and that's a good thing, right? Review your requirements with your teams. Get involved in the design as much as possible, and employ that creativity that we're always so excited about in testing. Ask lots of questions; it's human nature. And every once in a while, add three plus Q and see what happens. If you get the result I got, which was a core dump, then find less terrible alternatives.

Look, I've got a request, this is not a joke, I have a requirement right now from a customer that I'm working with where they have an application that has, I'm not kidding, FTP open to the internet, because some of their devices, let's say, have to upload data, and they're very old, and this is the only way they do it. They're like, "Well, we have to allow FTP." And I about fell out of my chair when they said that, because I was like, am I still in 2022? Like, what day is it? What year is it? What planet am I on, that FTP is still a thing? It is, I promise. It still happens. And so we had to come up with compensating controls, less terrible alternatives. All right, if that's got to happen, cool. Can we limit where it comes from? Can we limit how big the files are? Can we limit it to put only, not get? Like, what can we do here? And so find less terrible alternatives. All of them might be terrible; some of them have to be less terrible than others.

And that's it for me. I've been kind of trying to read as I went along. "Fuzz or fault inject all the things." Yes, Chris, that's a great way to do it, if you get the opportunity to. Thanks for listening, guys. Tune in to the Down the Security Rabbithole podcast when you get a chance, and this is where to find me. And boy, that's a white on white; that's a good graphic there. But that's how to find me: I'm on Twitter, go check out the podcast, check out the live streams where I'm at every day, and that's my LinkedIn stuff. Thanks. Questions, comments,
Dana? Awesome, awesome, awesome talk. Lots of great chat, and thank you so much for answering a lot of the chatter as it was happening. That always makes it even more fun when it's quite dynamic. No questions have come in. This is your chance, you got him here, anyone out there that wants to put it in the Q&A panel, and we'll make sure that he answers it for you. Great talk, though. Yeah, I loved what you said about telemetry management, and looking for anomalies becomes easier if you understand what the app's telemetry is supposed to be like, right? Makes the security job much easier too.

Well, but that's the thing, is that oftentimes, and this is kind of the change that's happening in the industry, I think, you know, DevOps, by the way, DevSecOps is not a thing, that DevOps, when security gets involved, has helped us with, is we get a peek at the application telemetry, not just the security telemetry. Because SQL injection or application attacks don't always present themselves as really nice rules for Snort or whatever thing you're using to identify them. Sometimes they get to the point where one of the developers goes, "Well, that's weird, that's not supposed to happen," and whereas they would do that, you'd go, "Oh God, I know what that is," right? But these are two silos of data, two silos of alerts, that very rarely cross paths, and it's a challenge for us. And that's where, you know, badness hides, right? It's in that intersection, in the gray space we don't have access to.

I think it's interesting too that when security and the app teams get together and they start understanding how the applications are supposed to function, they can look for anomalies a little better that way. But the flip side is, security and the app team can get together to start providing mechanisms for understanding misuse and looking for it. So an example is, you know, you can do a lot with deception and detecting for things like having URLs in a robots.txt that you know are not valid, that are easy to monitor, to understand and get early warning of what potentially could be going wrong, right? It's hard for developers to think like attackers, though, but when they start understanding what those methodologies are, they can start plumbing in things like... when you're talking about, you know, SQL injection and all that: hey, a good person's not going to be firing sqlmap at the system. They're actually going to delay that and slow it down; you're not going to catch it through your normal query patterns. Now, I'm not saying it won't happen, because there's always some idiot that thinks that they're the hacker, wanting to use sqlmap. But in the end, the point of being able to understand... does it make sense for them to be accessing those views? This is where the app team has to be able to get with the security team to be able to tell them, "This is how our apps are supposed to function, here's what we're supposed to be doing." And if the security team can help educate them on, "Well, here's what malfeasance might look like," they can start plumbing that in, to being able to understand and communicate what logs are important, what telemetry is important, what information to watch for, right?

Yeah, and look, I know it's going to
give some of you guys PTSD, but let me just bring up Log4j for a second. That is functionality somebody legitimately looked at and said, "This is... we want this." A group of people said, "Yes, let's add this into the code," and they did. They tested it to make sure that it worked, and somehow we didn't realize, "Holy crap, look what you can do with this," until, like, what was it, a year or a couple of years later? I've lost track of this now. But it's like, this was a great idea in the use case. It was also a great idea in the misuse case, but just nobody looked at, like, "Hey, what happens if you..."

You can always argue for things like, why don't we have egress filters on those servers as well? Like, why should there even be JNDI going outbound or inbound on a web server that's not needing it? If it's something that's a requirement, it should be part of an engineering change order, part of the change management that you're opening: important here is why, and here's why this is described as an important behavioral change to how this app's going to work. But very few people set up their servers to actually support egress filtering the right way, to block, because they're just trying to make it work, right? And that becomes part of the problem.

Well, and, yeah, I mean, look, I think this is just what happens when we look at functionality we want to add. And look, this is Spectre, the processor bug. It was another perfect example of this, where a bunch of engineers sat around and said, "Holy crap, we can achieve an extra 20, 25% performance improvement if we do this." I guarantee you somebody said, "Yeah, but you know what, somebody could figure this out and do X," and they went, "Yeah, but what are the odds?" They were right, arguably really low. And then the what-if statement came, like, "You know what, I bet we can get ahead of our competitor if we do this. The risk is small. Let's go do it." And then, like, 20 years later, somebody went, "Oh my gosh, I can find a way to exploit this under these 17 correct conditions, with my hand on the keyboard, my gun to the admin's head." It's like, okay, great. Meanwhile Intel's like, "Well, we got 20 years of market share out of this. Sweet." Is that a vulnerability? Was that the most brilliant risk calculation ever? I don't know. I wouldn't bet with the Intel folks, frankly. But it was a vulnerability. Yeah, yeah, it
was. These are, yeah, Chris, you're right, these are trade-offs people make. But there's a difference between that kind of calculated trade-off and the, "Yeah, sure, let's just allow people..." You know, I've seen developers do this over and over and over again, where the requirement is "upload photo into your profile," and by the time it makes it into the tech spec it says "upload files into the application." You're like, those are not the same. What happened between here and here, right? And it's because the person that took the customer's request and the technical person did not see eye to eye. They did not speak the same language. It was close enough, good enough. No, it wasn't. No, no, it wasn't. Somebody has to review that and go, "Yeah, these two things are not the same."

Well, that's the benefit of things like threat modeling, because it gives you the ability to start creating that security debt in the backlog, so it's understood these are the things that we're exposing ourselves to. And again, it gets that alignment, because, you know, most PMs are being remunerated on expansion and growth, and so at the end of the day they're not thinking about that. They want usability over security any day. Not that they're trying to be malfeasant; they just don't know any better. And so they'll spec it out as being, "I want to upload a profile picture," but by the time that's turned into something the developer understands, who's not thinking about security... and it's not that they're trying to be lazy, or that they're just trying to put it into a user story that makes sense, but the threat model should catch that, because someone should be questioning that and saying, "Hey, wait a minute, if we're uploading a file, could they just not upload a web shell? Like, hey, what about that?" Right? Like, simple examples, but you get the point.

Yeah, that web shell example, and that's a brilliant one, because it's something that should have never happened. No, and yet it's a brilliant example of functionality gone horribly wrong. Like, somewhere there was a requirement to upload something, and then suddenly we're like, "Yeah, sure, why not, code, no problem, why not?" You're like, uh, wait, what?

Yeah, there's so many examples of admin functionality, and COVID exposed a bunch of this, where we didn't have the right controls, and so suddenly "employees need to work from home" meant put a bunch of RDP open out to the world with nothing front-ending it and allow it from anywhere, with no authentication before you hit RDP, and you're like, what the hell happened there? Yeah, and those machines that we're using at home that typically aren't corporate managed, which, you know, your sons, you know, they're playing games, and the next thing you know it becomes the pivot point into the organization, right?

Listen, the CEO takes the laptop home because his kid has to go to school on that same laptop. Maybe not the CEO; maybe the admin, maybe the engineer, maybe the who knows, whoever. But that corporate laptop, maybe it is a corporate laptop that went home, but suddenly now their kid has to go to school from home, and they don't have another device, and suddenly they're using that device to browse Facebook, play games, and go to school, and that device has then got corporate secrets on it. Good luck protecting that. I don't care who you are. You're going to lose that battle every time if you don't... compensating controls, logging, and misuse identification. I mean, that's it. That's it.

Cool. Well, we've got five minutes left, people. If you've got any questions, please ask them in the chat window or in the Q&A panel. This is your last chance. If not, there's his links there. Make sure you go check out the podcast. Awesome, coming up on 500 episodes. Dana, there's too many, there's just too many. We're on the 11th year. I cannot believe I got to 11 years. September will be the 11-year anniversary of the show, and I'm just
sitting here thinking, how the hell did I get here? Where did 10 years go? [Laughter] Well, kudos to you. I couldn't do that. Oh, look at that, we've got five minutes left. I can't remember, what was it, 2017, 2018, when I was up there? We all ended up having sushi afterwards. Yeah, that was 2017, I think it was. That was the first year we had the nice socks, so, yeah, the red and pink. Yeah, nice, nice.

Well, thanks to you guys that listen. That's awesome. All right, I think this about wraps it up, then, if there's no more questions. We will be having lunch for an hour, so 12:30 to 1:30 Pacific, for those that aren't on the West Coast. I think we're going to keep the recording here running, so you don't have to do anything; you can just drop off when you want to, and you can come back and check out the sessions on the website if you haven't already seen them. With that in play, feel free to sit and chat on in the stage, or go back to the main event chat if you want to, but we're out of here. Thank you so much for an awesome talk. Thanks, you guys. Great being here.

And we're still live, but you're welcome to chat, man. Like, thanks, you did awesome. It's always fun. It's always fun. I'm getting back to it. I've got two this week here in L.A., tomorrow on the beach in Santa Monica, which is, no offense, but better than Vancouver at this point. You guys got snow still, or what? Snow? No, we don't have snow, just a little rain. Hey, Josh, good seeing you in here. Yeah, I think I'm going to be in Vegas; details are still a little shoddy, but we'll see. The RSA, Black Hat train is going to be real interesting. So anyway, who are you? Yeah, guys, if you get a chance, go listen, sign in to listen to that podcast. That's 500; it's going to be awesome. Yes, Josh, I've been to Vancouver. It's cold, I remember. The last time I was in Vancouver I was there for Palo Alto's Ignite, and I can't remember who I got on an airplane with, but I got to sit shotgun and we went over the bay and out. We did a cruise out. I have some of the best video and photos I've ever seen. It's been awesome. Nothing quite like buzzing the mountaintop where, I swear, if I stuck my hand out the window and leaned down I could have hit the snow. It's not cold, it's awesome. Tomato, tomahto. I like 70 degrees.

All right, guys, I'm going to drop off. Thanks for having me, Dana. Cheers. Thanks, everybody. Later.