I attended a cybersecurity workshop recently, so I wanted to share my notes.
There are two things you can do to test a system:
- QA testing: test with good inputs
- penetration testing: test with bad inputs
It's a good idea to introduce pentesting in the release cycle, although this practice is not very widespread.
The rules of the pentester:
- you cannot modify what you are penetrating
- you cannot access what you are penetrating (i.e. if you get passwords, etc.)
Example of pentesting mindset: How do you connect 9 dots with just 3 lines? You have to think out of the box!
A pentester ends up forgetting how to use software like a normal person, thinks out of the box, and is not limited by what the app can do.
The WiFi Pineapple
The WiFi pineapple is a device to intercept your laptop or phone connections. You may use a VPN to protect yourself from the "pineapple", but it could still place itself in the middle and act as your VPN (the certificates may not match though). Two-factor authentication can also help protect your laptop from this attack.
The three most common attacks
Cross-site scripting (XSS)
It basically consists of injecting JS into the frontend.
- Example software: BurpSuite, Fiddler, BeEF. BeEF sits between you and the server (don't use it against commercial apps like Facebook, etc., or they will get "legal-angry")
- Ways to use it:
- Fuzzing: sets of bad data, crazy nonsense; throw everything you can at the bot.
- Manual: sending yourself links inside your own app
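The point of XSS is that user-supplied text ends up interpreted as markup. As an added example (my own illustration, not code from the workshop), this small Python snippet contrasts a renderer that pastes a comment straight into the page with one that HTML-encodes it; the comment payload is constructed for the demo and the function names are my own.

```python
import html

# Constructed sample input for this example: a comment a user submitted that
# carries a script payload (made up, not taken from any real site).
USER_COMMENT = '<script>alert("xss")</script> nice post'


def render_unsafe(comment: str) -> str:
    """Vulnerable renderer: the comment is pasted straight into the page markup,
    so any tags it contains are interpreted by the browser."""
    return f"<div class='comment'>{comment}</div>"


def render_safe(comment: str) -> str:
    """Hardened renderer: HTML-encode the comment so the browser displays it as
    text instead of executing it (quote=True also covers attribute contexts)."""
    return f"<div class='comment'>{html.escape(comment, quote=True)}</div>"


def has_raw_script_tag(page: str) -> bool:
    """Crude check used only to compare the two renderers: does the generated
    page still contain an unencoded <script> tag?"""
    return "<script" in page.lower()


if __name__ == "__main__":
    for render in (render_unsafe, render_safe):
        page = render(USER_COMMENT)
        print(f"{render.__name__}: raw script tag present = {has_raw_script_tag(page)}")
        print("  ", page)
```

Encoding is context-dependent: what is shown here is correct for text and attribute values, but data placed inside a `<script>` block or a URL needs the encoding rules of that context, which is why templating engines that auto-escape per context are preferable to hand-rolled string building.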
SQL injection
Inject SQL into the app's backend. You can also perform automated exploitation. You can encode inputs in the frontend, but SQL injection still makes it to the backend.
- Example software: sqlmap is a free tool that helps you do that.
- Ways to use it: Try this out: add a single quote at the end of an input and try writing some SQL after it, see what you get!
- Solution to SQL injection: Use prepared statements and parameterized queries.
Command injection
Inject code in the server/system's OS.
- Example software: metasploit is a free tool that helps you do that.
- Ways to use it: For example, the call to system() in the C language is done as root, so somebody can access your backend and OS that way.
- Solution to command injection: Parameterize OS commands and arguments. For example, use ProcessBuilder in Java.
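The C system() and Java ProcessBuilder contrast above has a direct Python equivalent, shown here as an added example of my own (not the workshop's code): subprocess with shell=True behaves like system(), while passing an argument list without a shell behaves like ProcessBuilder. The command runs with whatever privileges the calling process has, which is why the injected part matters. The tainted hostname is constructed for the demo, and echo stands in for ping so the example runs offline.

```python
import re
import subprocess

# Constructed sample input: a "hostname" that smuggles a second command after a
# shell separator (made up for this example).
TAINTED_HOST = "example.com; echo INJECTED"

# Allowlist for what a hostname argument may look like (assumption for the demo).
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9.-]{1,253}$")


def echo_unsafe(host: str) -> str:
    """Vulnerable: the host is spliced into a command line that a shell parses,
    so metacharacters in it (; | && $(...)) become extra commands. This is the
    Python equivalent of C's system() with a concatenated string."""
    result = subprocess.run("echo pinging " + host, shell=True,
                            capture_output=True, text=True)
    return result.stdout


def echo_safe(host: str) -> str:
    """Fixed: command and arguments are passed as a list and no shell is
    involved, so the host is always exactly one argument (the Python analogue
    of Java's ProcessBuilder)."""
    result = subprocess.run(["echo", "pinging", host],
                            capture_output=True, text=True)
    return result.stdout


def echo_validated(host: str) -> str:
    """Defence in depth: reject anything that is not a plausible hostname before
    it reaches the command at all."""
    if not HOSTNAME_RE.match(host):
        raise ValueError(f"rejected host argument: {host!r}")
    return echo_safe(host)


if __name__ == "__main__":
    print("unsafe:", repr(echo_unsafe(TAINTED_HOST)))   # two lines: second command ran
    print("safe:  ", repr(echo_safe(TAINTED_HOST)))     # one line, separator printed literally
```

Parameterizing removes the shell from the path, but the program being called may still interpret its arguments (for example an argument starting with `-` read as an option), so validating the value against an allowlist, as echo_validated does, is worth keeping as a second layer.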
Introducing security testing in your pipeline
A static code analyzer detects vulnerabilities like SQL injection or libraries with known vulnerabilities.
Ways to apply it:
- cloud vs in house (somebody else's resources and maintenance vs your own)
- centralised vs federated (teams do it themselves, but with inconsistencies)
Do this testing at the beginning of the deployment cycle, not at the end, because fixing issues late is more costly.
Jenkins CI is an example of how to set up a release cycle that adds one step in the middle for this:
- code quality
- API and 3rd party
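To show what the static-analysis step in the pipeline actually does, here is an added example of my own (not a tool from the workshop): a toy analyzer built on Python's ast module that flags the two injection patterns discussed above, SQL text assembled at runtime and commands handed to a shell. The code it scans is a constructed sample written for the demo; real analyzers apply many more rules and track data flow, which this one does not.

```python
import ast

# Constructed sample of application code to scan; written for this example,
# not taken from any real project.
SAMPLE_SOURCE = '''
import os, subprocess, sqlite3

def lookup(conn, name):
    return conn.execute("SELECT * FROM users WHERE name = '" + name + "'")

def lookup_ok(conn, name):
    return conn.execute("SELECT * FROM users WHERE name = ?", (name,))

def run(host):
    os.system("ping " + host)
    subprocess.run("ls " + host, shell=True)
    subprocess.run(["ls", host])
'''

# subprocess entry points that accept shell=True
SHELL_FUNCS = {"run", "call", "check_call", "check_output", "Popen"}


def _is_dynamic_string(node: ast.AST) -> bool:
    """True if the expression assembles a string at runtime: f-string,
    concatenation, %-formatting or str.format()."""
    if isinstance(node, ast.JoinedStr):
        return True
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Mod)):
        return True
    return (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
            and node.func.attr == "format")


def _uses_shell(call: ast.Call) -> bool:
    """True if the call passes shell=True as a literal keyword argument."""
    return any(kw.arg == "shell" and isinstance(kw.value, ast.Constant)
               and kw.value.value is True for kw in call.keywords)


def scan(source: str) -> list:
    """Return (line, message) findings for the two injection patterns, in line order."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        func = node.func
        name = func.attr if isinstance(func, ast.Attribute) else getattr(func, "id", "")
        # Rule 1: execute()/executemany() whose query text is built at runtime
        if name in ("execute", "executemany") and node.args and _is_dynamic_string(node.args[0]):
            findings.append((node.lineno, "possible SQL injection: query text built at runtime"))
        # Rule 2: os.system(), or a subprocess call with shell=True
        if name == "system" or (name in SHELL_FUNCS and _uses_shell(node)):
            findings.append((node.lineno, "possible command injection: command handed to a shell"))
    return sorted(findings)


if __name__ == "__main__":
    for line, message in scan(SAMPLE_SOURCE):
        print(f"line {line}: {message}")
```

Wired into a CI job, a non-empty findings list would fail the build, which is exactly the "one step in the middle" the Jenkins example describes. Matching on method names alone (any `.execute`, any `.system`) produces false positives on unrelated objects, so production tools resolve the called type first.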
Today we serve several devices, several OSes, and several apps.
- Platform controls: OS and hardware. Manufacturers avoid jailbreaks, etc.
- App store: Secure and certified apps.
- Compliance: International standard and regulatory controls, for example, only accepting passwords that are more than 8 characters long, etc.
- Sandboxing and containerisation: You create a boundary for the app so that nothing gets in or out, separating what happens on the system from what happens in the app. If something goes wrong, the sandbox shuts down, a new one is launched and new certs are generated.