Cyber Security.
17.12.20
Jack Misiura, our Application Security Consultant, has detected eight zero-day vulnerabilities in recent weeks and he’s got a whole lot more in the bag. A key member of The Missing Link’s Application Security team, his role encompasses detecting security vulnerabilities in applications and directing their remediation before they cause damage. He, and other members of the AppSec team, do this via threat modelling, secure code design, code review, and developer training. We spoke to him about his work in application security – what he loves, what makes him so successful and what the industry can do to reduce the number of zero-day vulnerabilities.
I have worked in software development and security for over 20 years and, during that time, I’ve worked with some of the world’s best. I’d put The Missing Link, with all their certifications and awards, right up there among them. Having worked with the best, and on almost every conceivable framework, I’m able to leverage the knowledge I have gained to think about web and software applications as a hacker does.
So, what’s the difference between the way a developer and a hacker thinks? That’s easy. Developers think about ‘making’ whereas hackers are solely focused on ‘breaking’ systems.
App developers spend all their time trying to build a system that is cool, highly functional, and easy to use within a set (and increasingly limited) timeframe and budget. Hackers look at ways to break those systems. And if they’re a criminal hacker of varying skill levels, they’ve got all the time in the world to poke around until they do.
Once they break into a system, they can of course, do massive damage. They can plant malware inside an app, then collect the data those users disclose. They may use that data to access more confidential information or steal funds, or they may sell the access to the dark web.
One of the problems that we have today is the diversity of apps and software programs people interact with, and the lack of control over how those apps /software programs have been developed.
For example, your company might have engaged a developer to build a website on WordPress – which is a good platform for quickly getting websites or applications up and running – but who knows who has developed the plugins they add to provide the functionality you need… and some of those plugins may have undiscovered vulnerabilities. Or you may be using a software program – via the cloud or a local copy – to run a critical part of your business, which has vulnerabilities that you’re unaware of. Most often, these vulnerabilities are inadvertent – the developer didn’t have the expertise to know otherwise. But sometimes, they’ve been built into the system on purpose by a malicious hacker acting as a developer, or sometimes hackers plant these as has happened with the FireEye hack, where hackers planted malware into SolarWinds products!
The only way you will find the vulnerability in your website, application or software program is to engage proper penetration testing.
That’s where application security services come in. I work with our pen testers and our red teamers to try to hack our clients’ websites or applications. How may you ask? I zero in on areas that, had I been the developer, I most likely would have made mistakes in – that’s usually how I find the vulnerabilities.
In the last month or so, I’ve managed to identify eight vulnerabilities, which have been added to the Common Vulnerabilities and Exposures (CVE) database – a global list of common identifiers that notifies developers of issues that need to be repaired and enables users of public apps to patch their own projects as required.
Finding CVEs gives you a weird feeling. On the one hand, hacking is fun. I get to pretend to be the bad guy on someone else’s server, issuing commands and discovering issues, which are ultimately repaired. Being able to protect a client from cyber threats in this way is incredibly rewarding. However, it’s a catch 22. If I find something, I have to give the client the bad news, which means someone is going to cop it down the line - whether it’s the developer or the manager that inadvertently allowed the vulnerability to get through undetected. Some of the vulnerabilities we find honestly keep me up at night.
But if I don’t find something, even though I am happy the client is secure, they will often walk away thinking they’ve wasted their money on the whole process.
Fortunately though, that’s not where my job ends. One of the cool things about The Missing Link is that once we’ve tested a system, we don’t just report back and wipe our hands. We invite the developer to sit down with us and we talk them through the findings and recommendations. I get a great rush from this part of the project as I know I’m not only protecting the client, I’m potentially protecting a whole lot of other users of the platform as well.
As an example, one of the more interesting and frightening vulnerabilities I identified was on a popular WordPress plugin, used by our client and, as it turned out, many others as well, allowing attackers to essentially never have to pay for orders. We contacted the developer, who was really grateful for the opportunity to repair the issue, confirmed it was fixed and waited before revealing the discovery to the world. The story was picked up by the prestigious “The Daily Swig” site.
Another aspect of our work, which is really important, is providing training that empowers developers to build more secure systems in the future. Fixing issues from penetration tests are costly and time-consuming; we want to make sure developers are free to do what they love – build awesome systems, but safely and securely!
We put a lot of effort into making our training programs fun so that people don’t get bored or see it as “just another corporate training event”. To as great an extent as possible, our best training sessions are face-to-face and interactive so that we can really demonstrate a hacker’s thought process when attempting to breach an app. Then we teach them how they can avoid the mistakes the hackers’ abuse, use the security tools available to ensure those mistakes are caught early and to be more productive in the development process as well. The developers walk away with excellent skills and knowledge they can put into action straight away. That’s the difference that The Missing Link offers.
If you liked this article, you may also like:
The Missing Link conquers another CTF competition
Author
Rudy Mitra
Marketing Specialist