
BSides Leeds 2019: Surprise panel (yay!) - Open Source Supply Chain - A Critical View from Red & Blue

BSides Leeds · 2019 · 54:54 · 156 views · Published 2019-01

Transcript [en]

hi everybody my name is Aaron Lynch my handles linz I'll I'm we're here today to talk a little bit about a problem that was elucidated over the last year specifically about open source software all of the projects that end up going out tend to utilize the good the good practices of componentized software many of them produced by you know the community as well as you know some existing code from different sources yeah one one last name where we're not McFly unfortunately his train was late and then he misses flight so we're throwing this slot with the discussion software I'm the two scientists at an application security company so my team and I do a lot of research about the

composition of software and how to keep it secure wherever it games so that's sort of my perspective on this I'll let the fellow panelists introduce themselves and but just to kind of give their perspective on this and then we'll talk through some of the issues and challenges that we've seen on the way to talk hi say it my name is Tasha nerds I am a senior coaster engineer effects group which is a European and by management and e-commerce group of sites today and my boom pick my part of huffman great since others and I work with quite a small security team for quite a large business across Europe where I help with various and I guess

conversations with us and our engineering teams to help them build security and that involves threat modeling and tree architecture reviews a whole range of stuff quite often just education as well and that's me I'm Mark Carney in addition to being the organizers of this austere gathering I'm for mayor purpose too that one limited also for Maneri researcher a security research labs in Berlin are now a full-time PhD students at the University of Leeds my specialization is hardware hacking so when it comes down to supply chain issues there's a lot to be said when it comes to the security devices and harbours and the way that we sometimes just don't unload it will come to challenge the levels of using the SDKs

so my experience comes from a more offensive side as a postal traffic new team side but obviously I've done a lot of remediation advisory work and all that kind of thing for current clients and companies as well as producing public disclosures are and public releases a great thank you now so I intend this to be a fairly informal discussion I've somebody sort of in the middle of a rant or something please try not to interrupt however if we come to a logical breaking point and you think it would be a good time for a question I'm happy to recognize you and we'll go from there everybody good with that great um so you know I know we said we're gonna

start with with with - but mark I actually sort of want to start from the red team sign for the perspective so when you come across a piece of software or piece of infrastructure that has no open-source components in it just just talk for a minute about the sorts of things that you look for is a pen tester or has somebody that's looking to you know accessible construction so when it comes down to it once you've identified some open source things now we have in many ways improves the odds of pleasant and so the first thing I would do when I move everybody on were little so concept of closing right I think most people

will be but to give you an overview you can look at me in the eye you have to raise your hand awful didn't point at the person yes very worried about so I weave fuzzing maybe seven or eight years ago was you know kind of a niche thing but now it's teased everywhere everyone that I know certainly research of any kind is okay with how you do fuzzing and how you into that would mean software and a lot of bugs can be covered off by having a decent living engine American Fuzzy Lop (AFL) is a particularly one undertaken Egret engine so if I know there's a little sauce component one of the things I can do is

find that component point my own instrumentation and then starts actually fuzzing that components and then seeing if it actually implies that conical interdependently so when it comes to looking at supply chain issues from a pen testing point of view if I intend to buy something early enough I will then use that information whatever the process you go through to identify it's it's a you know a piece of software it's it's out there like a million web app maybe some sort of a guide how would you go about identifying the open-source components apart so um you sometimes you can't obviously sometimes you just you have you kind of guessed but other times you have good clues there's often the

cruising headers in will fingerprint student compared to so far the mice a lot of library of fingerprints and different services and things like so even though you know it says it's Apache one point six he actually knows what about you know so he he and I have done some work on trying to bring things together than that point of view other than that it comes down to either intuition or trying to work out looking at the websites underway up okay see what a my favorite minor Jake you're one of my favorite tricks about figuring out what open-source components are part of the piece of software is that many knowing the licensure of open source component is actually a big deal here

because under a certain licenses the user of that software is often required to publish that to comply with a nice and similar and so you can actually end up looking at the documentation of the software and figure out all the time you live long yeah so so let's let's here's a little bit this as you know is a company that obviously uses a lot of these in the products now can talk about sort of your process with open-source software and how you select components and vetting that you did say with with any group it's looking to use open source software key parties is education and creating the right culture where engineering teams can ask questions

about the tools they're using and really understand what they're for and but also we receive the right level of support from security and operations teams to understand what they should be looking for and what I guess what the opportunities there are we've been using open source software and I'm a great advocate of going with open source I think that if you use it you should contribute to it but ultimately why should we the investing some of these really big companies and great tools when actually this communities run some really great projects and I think that it generates a lot of collaboration with people you might not collaborate with that you're a great great advocate for

it but there's a few things that I've seen a lot of across my career so far with open source one is misspelling and like Oliver a colleague who purposely wrote malicious pregnant - my race specifically for drinkers I'm actually in the description this is malicious don't use it and he created it for topic he did it dev second last year and he did it about two weeks before him was like I or them you know it might get up and down ice and it'll be a great tool and condemnatory brothers really did it 10,000 downloads later and ten days we took it up like because he was like actual research or whatever they're doing I mean I think all it did was just

pull any parameters you passed Jenkins because we know that a lot of people pass credentials and Gorge encounters and it'll be a secret access easily seems together a lot and it wasn't as bad as it could've been but it was good enough and for me it demonstrated that quite often we are we're in teams ourselves as truly experts where our street people were ever made my level of whatever level we may be or our engineers are also into news that push deliver quickly and really fast and off we're looking for tools that can help facilitate that we don't always have the right support to be able to understand what we're using so having teams that are shooting that

give great I guess educational resources and training and bite size and quick chunks of things to look for and make sure your spelling differences right make sure you know where you're getting it from so let's not be pulling them from some random bit URL and I get it from this source so the training is absolutely an important thing in education is really important do you do anything the are you flows anything automated any sort of verification steps that that you take as you put out software to make sure that it has integrity yes there's some great tools out the SS static analysis and testing and specifically for you're looking at your source code and if some open source

static analysis tools out there as well that will look at your dependencies one of the things that it looks at which a lot people don't always fix you manually it's the dependence of trees so the dependencies of your dependencies and we might think that something is solid but it's also potentially putting in hundreds of other packages in some cases that vulnerabilities or I have never been a teaser so there's some static tools out there it will help to give a level of assurance to what is it using in your code some of those will show how to identify and future issue so if you keep using those as part of your pipeline you'll be able to keep on top of issues

that come up in the future we know that in 2016 we saw the summer footage for WordPress some of you might be familiar and I think there is my favorite thing when that was immensely about using WordPress especially a question is putting up the NIST CVE database and just type in my bestest videos and I think there's like 1,800 or CVEs just not me if you want us to talk a little bit more about what CVEs are so you and these are these are known vulnerabilities that have been published for a specific library or tool and it's also a great way to check your if you don't have access to such analysis tool you just

type in a library into the NIST database it's just just google it it's really accessible even I think that the current government short that and shut down you can still get to it as the representative American yeah it is still it is still up if not there's the MITRE database as well how do you assess them Christian for me is so how do you assess your option because I because there's a whole issue in machine hardware one of the research projects that I did I was involved in at SR Labs was the Baptizer project which is started by a blow over it's how integrated got the output took down our integration into scripts which people so the idea of that was to find a

way of assessing how well and from vendors in particular are dealing with patches from the upstream provider to do people review for those of you don't know about Android because it's kind of a good example this happens all over Hama Google don't make the Android necessary that you have on the thumb they make the AOSP the Android Open Source Project all right era speeding has passed to chip-ins a polka who create closed source usually open source drivers to make that was compensator and baseband chip solace you use one for the duties were and then that thing is passed down to phone manufacturers so you want another layer built in a master HTC has their HTC

Samsung Samsung had that immersion Alesi there's their batteries if you saw the recent news story about Samsung in the phones where you couldn't delete facebook without using ADB that exactly exactly you know and then Samsung won't produce firms that are maybe time to the telco the telco will then have yet more apps from where whatever to make it work on their network with some other features so they've got four lens and we found this had to be really difficult to assess the upstream because it's you just a straight line all that port is much easier because it's like Apple make the hardware and where the software is or Apple that's all in houses all there

whereas the Android with more disciplines much more dispersed and that is kind of the master you live until you look at the upstream tree so I'm wondering what what criteria do you have for assessing it like at what point do you say yeah that's good or what point do you have and so good question so fragmentation is that is a real problem in security right services this problem in Android that you're alluding to it where you've just started to describe either to let me see it in industry a lot where we have network architecture is a good example of this that what I wear and all the various layers especially when you've got voice infrastructure plays around and there's

too much this one is for the corporate lap having a great support contract in place easily buying some of these people to keep in touch with you and let you know when there are patches doesn't legally bind them to release patches which is where with Meltdown and Spectre specifically we actually saw that where they told us they were vulnerable and publicly so scary did some tweets and actually are related some didn't so they weren't and then they were again and but that's I think they didn't actually release patches very really long time so when is having great Karma's open with your fighters and knowing what hardware you're using and actually sometimes that can be really difficult for companies

and so having that dialogue open those you are engineering teams your hybrid teams whatever that might be is a good part the other bit and I'm going to be a bit controversial that's true conference yet you talk about at what point am I like who hurt no I think there's another point which is at what point do I consider what my risk appetite is so depending on what that Hydra is used for of what the tool is suffer is what company I'm at there might be a point where I say you know what I can get 70% comfortable that I know what's happening and I know that the company Dewey's patches that they take a really long time in and but

actually the toys owning yes and the value it gives me is this high and I'm not regulated so actually I'm gonna accept that risk and I think sometimes in strain x LM being controversial is you know something this 100 sets of curious probably look usable you know we love 100 oh yeah um sometimes you have to be really cognizant and realistic about the risk appetite and lots of big things right and I think sometimes is easy for us to ignore that that honest that I WordPress is really hard to get haters and why is that though is that because of that ecosystem because of the agencies or is that more hard I think for me it's a

usability perspective which is a usable secured with doesn't exist you have secure WordPress or usable written and does things for show me too and I think that any great company or group or organization open source or not want to have something that's usable and for me that then introduces a tool it is incredibly unsecured so much the original question of how do I make it happen when is it's just great communication paths and the type of providers so II's know if they have no so like I at least know what their level is and pipe that means it when you're looking at purchasing library so I think I'd where is is passion in them a lot

surprise pie programs out a lot because it can be a bit boring but I'm me is really understanding what their technical capabilities they have a stop when they aware of series or 0 days when these happen and the other parts of risk appetite like knowing it what they can accept it before I get pushed yeah so that that that's a really good answer for things that you know are in your software there's been a trend through the way a scale also get a bunch of good plus like how yeah the skill one to WordPress in Microsoft Windows is a five but that's about the components that you know about right and from from an organizational perspective

one aspect that you often see especially when developers under pressure or doing outsourcing is components make their way in unannounced where you know there's this there's oh I could employ this or you know pull around the library out of out of the compendium how do you do many processes that identify those sorts of anomalies so I felt like you know what I would want to say which is likely to be lying up to back front Monday and so and there's this thing that I love to do which is breaking things there's this thing that I'm allowed to do now which is sometimes making things so they're almost like theoretically breaking things so for someone that

doesn't know how about anyone that doesn't know what threat modeling is is a framework or process I won't refer you to ones that are understand an environment whether that's theoretical it's an idea it's an opportunity or it's something it's actually in production and then kind of work through a load of different frameworks to understand what can go wrong and then think about what can I do about things can go wrong and then the panel say check validate I write tests did I do a good job and I follow a particular framework which is STRIDE there's no doubt there but I run through that one thing and an example might be so robots group purchased company in Amsterdam early this year

unfortunately before joint so I'm mr. John Telegraph and but part of that company are looking to kind of migrate some business processes for then also combine some business process which is really exciting and the part of that is exactly a commitment we're absorbing a company that previously had no knowledge as that weren't part of our street culture or security environment and actually set so there's some things and they've got document it really well but there's most things as in as it is with any company that aren't documented and that's pervaded all the time so threat modeling is a process I run through with some engineer's some of them operations I think project managers scrum masters

whoever it might be and I get them in a room together for anywhere between like 15 minutes two hours hang on how robust something is Google and notice what I do sometimes provide Pizza says oh we had it down is always there in technique it's just a way to kind of have an open conversation and I use framework and tours when people answer through minded to come up with fret vectors but it's it's a way for people to air out possible threat vectors or talk about previous incidents and they're going like when I think of all the other things that could have caused the same incident other vectors and so for me that's been a really

strong tool and then on the other side you know there's a pen tester and how does that threat modeling process come into your you so um felt lonely for me is I don't do it the way that you do it because my threat modeling is much more allow that people can I see the pen test what's compaction sometimes like certain I I never get the complete view because I have a scope I'm working to a particular statement of work it might deviate from that I can go to jail you think it could be the miss you sucks so you know there's I do suppose feel a little frustrated with that because unlike this thing here there's a thing

here outage it but by and large when I find something I'm assessing it and I'm looking at the way in which I can I'm always on will help you what are you trusting that you should there's also been the your threats come from some attack surface which is my the attack so as I sees the scope and then I look at that I go okay what malicious acts can I commit that seem to have legs I've seen to be able to work and I works trying in a little concert so I'm always trying to produce something that is useful to you guys at least in terms of like because I decided being a pen tester to be able to

save like I found this thing I it looks like an exercise but then I'll try and say okay can I actually get okay that can actually get any and when it comes down to identify if it's those components for example then I will look at again I will look at scenes I will fire I have a tour must line up see I'm a bit version number just down there I'm just gives me love and then they also drop cross references and you can download yes boom b-b-boom I'll give up my attend a chatbot which he sits on a slack well I just asked it for CD and if it mine says it was returned the exploit

isn't yeah so because I can't always like access things but I can usually get my way to when it slams so if I could do that I have a group up buzzes my little librarian you know so you know like I I can release five people interested but I am very self-conscious about my shirt so my question so well you know working the Pinterest and Industry on consoles and I'm going to just slip on the non-ethical side of things because that's Jerry's where we come from so from a non ethical side you looking for are staying within es o w7 in scope I want to slide outside the scope we jumpin all right don't blame me for this but I will look

at your DevOps processes and I will stop folding in through so we've all heard of the LinkedIn episode you're leaning over the next places we were we're really just going to talk about a case study on you for the LinkedIn episode about a little something Tim what languages they efficient in what processes what tools that usual everything then I'll follow them on structure but now let's be honest most days on a solution sermon because they go suck a photo ever [ __ ] clue what's going on a finance solution copy/paste is now a new code so if I follow them and I'm asking questions of all some others code on stuck over quote because you can it will copy and paste it put it

into your code and then when they download the legs jQuery is not the Apple version is my version while I'm sleeping well off scope is what the same with our intent as well we use they are but there are guys outside those walls that are not that cool yeah how everything is so process is I'm able to answer that STRIDE I have reduced STRIDE on an offensive level we do your STRIDE in the effective around the world I understand how you threaten model against normal types of survival how'd you fit moderate length that about coming in one well I so can you talk about really side tunnel based attacks and so one of the tools

that I've used before is using different attacker profiles and Adam show separate the contract modeling mister design centered approach mentioned this as well I'm going to kind of get to where you're going out and be taking on a bit of a journey Sydney and I mean it talks about I use like a two by two mentor for back-office really for my type of profiles and I'm not missing the main things because they're super that when I edit my site a bit rude but I effectively work through kind of different great attackers and we start and I've got model really simple blue team aspects we going through strategy spending on the team's comfort level or experience and might do this with the

team or separately and then work through different attack attacker break so we might start with your script kiddie someone that's just going to try stuff a lot of the time it's reconnaissance based attacks or pretty mobile scripts SQL injection and stuff like that it's useful to do because ultimately that's how TalkTalk was hacked and but we start to throw it polished ride on that specific attacker mindset it's a great way to teacher engineers I go through I have poor and abrupt profiles that I follow so then I'll go for you're my next stage up effectively is a pen tester that goes there's a bit rope sort of someone that has more formal training or more formal

structure and then follows the same available exploits but more publicly available exploits so still kind of white hat tools but for a bad and these often follow we use our pencils in sessions to kind of say what would they do but when they do they kind of fell off the scope a little bit and that happens and my next level up is happiness for money so they tend to be more on crime or organized crime and then your next level up is nation today so it depends what I'm looking I talked about my risk appetite earlier off and I might have pry my risk appetite some type of attack of profiles I use it's not always easy to do in every threat

model because most offer engineers' when really think about those different types of attacks a great stock great street operation center will have people or cyber threat intelligence teams or have people that specialize in this type of thing in this and information publicly available and pretty sure they're my own attack groups have tools as well and I'm the sample profile attackers so stuff like that I use great pen testing companies and groups will also start to follow it guidance and those type of attack vectors and bounty programs are a really good way to kind of help with that kind of thing I know you're still giving to scope that often your bounty musicians don't always follow the script

anyway yeah I'm really hard to emmett and we have a bug bounty program out there and we pay altitudes what about if you understand your question what about you know that's really good on a predictive site right where you're trying to kind of predict the capabilities how about you know in terms of mitigation or detection of these sorts of attacks what sorts of tools to use and sort of processes these say I'll talk about what can known it you guys are I ever done my job if I have to push somebody to an NDA so there's some great open source tools out there that do things like log aggregation and then log interrogation and the thing I'm going to

go kind of back to even more really one thing I talk to it kind of pretty much everywhere I've worked so far is visibility is really cheap and a lot of people invest money in these and incredibly sensing Aurora's tools already happens in here who knows one can credibly well as an example but you need to make sure you're capturing those logs first and especially when we look at distributed architectures where we have multi filed environments or hybrid environments and collecting them from every sources to drop off the map and s3 buckets are a good example people dance in scraps you love to mystery but it's all time your Lancer functions whatever it like being

Google Cloud has some really weird rules about how you catch the last tricks it's pretty hard and so visibility is something I would go back to first making sure I'm catching loss from every environment and then love aggregation is really important to me so I'm making sure that Bristol I have a true sense of my logs and I can have a source of truth that I trust and in STRIDE we come back to repudiation and it always makes me think of a legal term which is that which is decided is to stand I'm gonna throw at that with my lungs so they need to be precedent set and so having a good longer get sore so I'm not really

telling you what tools I use but my process is capture everything centralized make sure I've got a source of truth and then interrogate and then I can build baselines then I can start to look at what I need to text I can work with publicly available information the National Cyber Security Alliance give a lot of guidance some things that you should be looking for a lot of things will share stuff social services show data ecommerce groups share date so the e prime forum is a really great place to get information the initiation look it's a baseline and then you can write lots of text and learn things I loved in in threat modeling is write in BDD test or

test off the back of the practically file so we can validate certain use promoter for loop I'm sorry that absent behavior driven development and so we write tests these are human readable text a - a human or not like software engineer reader bullies are forgive me project manager business leader readable code and so you write test so a good example is child from subdomain hijackings a lot of that last year across the whole industry where people were having today's taken over and no great we're not gonna reward and and in a threat model we've rolled it out but I don't want to just forget about that because we roll it out so we wrote a

test to validate that we're continuously not vulnerable so we know engineers push code all the time and so we might ask the reason of human reader boys I want our business leaders our product owners our project managers understand what we're not vulnerable to I want them to my test tube so can I take my something that I found I think my whole was also you live here really friend of mine yeah my brother found the thing which was we all externally remind together shell on the server has an encryption you know they had Allen looking at him like this looks a bit like like psycho baloney what's going on they them it was an encryption it wasn't option yeah that's

when I searched for that happens people yeah yeah well we won't meet when you search for options I think that's you say that there was a symbol inside this yard and in the deal yeah and let me find there's a stack overflow article how to implement AES in this language and then when we looked at it they actually preserved the keys while it literally copied and pasted and flipping including the key like so bothered if that's it kinky messing it up like that but also like they just it was a public hearing in the morning is this that like it's there currently like how do you approach that kind of poem this is a

time of extreme emotional bit of like, it's not even that there's malicious thank you of loquacious, you see in my mouth, that's five years, it was like gosh. And there are tests that developers can run locally, so it's that video chat and they're also, let me just regular expression check. So it'll be, access keys follow a set format; you can write a regular expression and it searches for that, and you can have a script that you run locally any time you push code anywhere, it just checks the gear, and you can even going to Talladega your GitHub or your work GitHub, not to the wrong one, because you can do that to you all the time. And local tests are just as important as your pipeline tests, your pen tests. Also check your git history as well. Oh my gosh, so that's the lease today way. Yeah, exactly, there's been a few departments pilot to the git history, and then I have to sort of know someone going, that's a no. This was, so this is a UK home, but this is one of those guys eyes, can we think was probably quickly. It's also like, I know how about spit out their business or something I in fact came across myself a couple of weeks ago where, yeah, oh no, you know, so he posted something in GitHub that they shouldn't have. And you know, if you don't know, you can actually roll back, like, even through the website; you don't have to even interact with the command line level now, you can go commit my commits, you find the previous states of things. Yeah, so somebody did publish their source, couldn't get them and then decided times, you may be aware that as you are. Thing is though, when you do it through the website, you know, like CSI Cyber, and they look for the red code, like literally the bad code, it is a reset, the clean code is the cou true. But this actually is really relevant to open-source software, because even if you update or, you know, remove that part from your publicly available code, a lot of times those losers, yeah.

All right, so I think that was a great question, thank you. Anybody else have any questions? While we're sort of influence these assessments and people's eyes going black, and secondly after you get people to what? Great question. Um, oh yeah, the first one is, when I do a threat model I really push for the owner to be a part of the threat model, and like really push for it. And the reason I do that, and I don't let them take their laptop to the room, unless they're the one that's writing the Jira tickets for the things that we find, because I want them to understand and comprehend. At the end of the day, the reason I push for the owner to come to the threat modeling session is there is nothing like hearing your own engineers say how insecure something is. No use security coming along and saying, like, that's very bad, let's break it; but to hear one of their own developers give that message speaks volumes. It can be really difficult to get them in the room, and I once had quite a struggle. I wanted to do a session on something that was quite large, and the team had had a lot focused on them, so they'd effectively really seen vulnerabilities being exploited, and they didn't really want anyone else coming in and making fun of them or making them feel bad, because threat modeling can feel a little bit like you're punching someone's baby. They've worked on something really hard and you just kind of deep trap out of it, and it's not like that; it's exercising a muscle, you're building it up, you're making it stronger and more alert and more resilient. And I can be very persuasive to get people in a room with me, but ultimately, I'm a bit sneaky, so the way I do it is I talk to a couple of people in engineering and I kind of say, hey, how cool would it be if we got in there, we had this session and you guys on training, and I kind of create this Chinese whispers thing, startups a puppy love this. I'll then pretend in with the tech lead for half an hour and I'll say, okay, this is what I want to do, I think it would be a really great idea, but go talk to your developers and see what they think. And then I'll talk to the product owner as well, or whoever owns the risk for that application, and I'll say, I can challenge your team, I think this is really valuable, but I want you to come and I want you to be a part of it. If you come into the session, instead of not having to respond to emails or resettlements today, we're just going to try and cover as much as we can in this one session, and then you know where you stand. And the easiest way for me to ever frame it is, being again really honest about that respect type thing, my role at the moment isn't to tell them yes or no, it's to give them all the information so that they make an informed decision, and ultimately severely violently so that they can make an informed decision and feel like they have the rights to work remain. I struggle with things like risk documents and risk assessments, I think, once because I had to write one from a person to genuinely 1800 words long, because that was the way that that particular project worked, that they wanted everything documented, but I don't think anyone ever read it. So that's why I feel like threat models are much easier. Mozilla released an open-source Rapid Risk Assessment form which is actually not that bad, and it starts to address some of those kind of risk questions, but mature risk programs are so varied, so fragmented, and you have to find what works for your company. And at the moment I'm finding that that kind of kinesthetic, that movement, that threat modeling in a room together seems to be the thing that works for me. I imagine, and I've got colleagues that come from BP, I imagine that they would feel more consular deduction in there they can scan. So I think that there's no one right answer to that.

I'd be curious, something's really telling in what you said, which is it's one thing to hear my ancestor its lip maintained from departments. I don't mind, Amir went tweet from a few days ago, the VideoLAN people, which, what happens a little bit viable info section to see, which was, yeah, you security guys, you are just doom and gloom, all you do is give us a cat, right, that is all you do. And it kind of, a lot of people sit up and go, actually, yeah. So they will not know what I'm talking about, that's the VLC tree. Yeah, the VLC to share. Okay, so yeah, that was a different promise, HTTP bus station, yes, they had their own mitigations and things and whatnot. But like, I think it was very telling that you said that it comes from pentests. Do you find that the pentesters are just like setting fires everywhere, by the fans are more welcomed? Actually, you know, our industry is always, we've been built around, we keep negative as well as, you know, sources and fix it, that's what you really have fun. And I mean, I've been doing this seven years and it's always been, I'm going to give you some fun news, I'm going to feel great about it, but I'm really used to change now. That's why tonight it is not like ten years ago, wow, give you the bad news; we will work with you to make it better now. Well, the market is, don't it still up this too, will give you the same [ __ ] by the time you could really at all, yeah.

I will tell you that one of the techniques I particularly used to wake up a couple of people in this area is that I actually like to demonstrate a win to begin this Saturday meeting, and I'll give you an example. So in a previous generation of what we were doing in threat modeling, we identified a ticket, we mitigated that ticket and it got pushed to production. And the nice thing about it is that, as part of that ticket, we actually had the one-line repro, that was sort of like a very clear thing where I type this in and get the shell back, and I have the ability to just demonstrate it: hey, look, this works. Well, I actually started that meeting, you know, kind of going back to your question, I started the meeting for the next rev of that update by showing, hey look, this used to work and could have been really devastating, and I actually just put a terminal up on screen, pasted the command in, and then the guy who actually got a text from our monitoring system saying, you know, this was a high-priority thing, an attack, it happened from inside the building, sort of think so. So that force feedback of showing a win can be a very effective way, just be like, listen, we're all trying to pull towards the same goal here, you know, okay, this is actually working in an app, people get engaged. It's certainly the sprint demo, for anybody that subscribes to agile methodology. I think about that as like the beginning of a sprint, this is show progress, and show doesn't come up there's actually a notice that there's been a slight moving Baptistina wondering you read about this, I think you should be in that.

I find that certainly sometimes that's have been doing are to fit into a sprint, to be able to do two things: build a relationship with the team, because they're also curious, but that's why I'm that, and, you know, their business going to be attached was fixing an exercise, you know what was applied by political potentially, and it gives them access to be in a more kind of personal way. But also by doing that it's not just a pen test, yeah, well, a pen test every six months, it's a hand test that is not really fantastic, it's continuing the security of serfs most exactly, it becomes a support network, and then you get emails like, we're gonna do this, does this code black or white other this, like the bottom page any be spoken, then email pharmacies at all of our exercises, prepare test for how good it feels feeling because email exactly people that you built. There's been news printers though, I've sat with dev teams forging teams and looking good, right, I've done this, they're also around me, I explain what is, what risk is, how it worked till inflated faith, I'm gonna wait a year and they've got a gay group all in bed saying you are [ __ ], you know, because no one wants to see that anymore, they want to be able to work with, yes, say, all right, we've done this, can you test it? Yeah, I still get it, Robin changed it and long, yeah, bit easy be doing this white this DM should be doing this approach. I mean there's pen testers, we know how we've broken it, we need to tell them that, not just go rebound this is being show up because it's just my help in anymore, and I really do believe we all get wait another us Fabio, we're gonna ship for these teams more people to use more and help them, how much that just turned the pots, I sat on me a Middlebrook copy all week, smart in the network, walking away, and then they get a nasty email on CEO saying you pocket by.

Well, if you'll allow me a sinner this sort of lengthy comment, I think from my experience the difference that you're highlighting here about relationships versus reports necessarily is the difference between security scanning and pen testing. Yeah, if you copy and paste the report that comes out of your scanner, and you know that that's the bad news that I think you're talking about, is that I've seen, you know, bullet lists, and that is about as effective as you've been describing. But once you actually start to integrate your own idea of threat modeling into that process as a consultant, and be able to communicate not just the fact that a vulnerability exists, but this is how it's a story, this is how it can be exploited, and these are the assets of the enterprise that are actually, my friend of lucky, my favorite indicator for my school the security assessment, scanning assessment things, but you find that you tell if a sentence is like, a consultant does not support IPv6, you know, I think that's kind of disability. I think just Compass Point Blank, yeah, but you don't. Well, how do you deal with this, is what, can you find, was press what, how do you think it is just investable that you talked about this kind of slight change in pentester culture.

And when I first started in industry I started up as an architect, so not in the security team. I was interested in security, and the company that I was working for had a pen tester in, and I didn't know, because I saw someone sat quietly with this kind of cool, like, three machines with them, and some puffy is not kind of acquitted, and anyway they were gonna see it. And then I remember asking the friend industry team, like he said it's one of other, so I kind of went and just sat near them, was like, hi, I'm a grad, I'd like to know what you do, and they wanted to be really cool and really receptive and kind of took me through what they were doing, but only because I kind of pushed myself into their environment and was like, show me everything. I looked there, and to me that was my first exposure to pen testers. I knew about other stories and I liked doing my degree with more forensic security, and specific Rafi was something that was really interesting to me, but this first time I met pentesters it was so interesting and I learned so much just by sitting in the nest and questions and plug-in them, and probably put their report back by a few days. What I've noticed, a real change over the last probably five or six years, is that they have gone from being kind of contractors, or some songs that come in, sitting upon us there on the network and do their work, to being an investor teas for me. And when you do pay for external support for pentesting, how that success criteria is, is that the engineers understand, know the vulnerability, and often that manifests itself in, like, OWASP Top 10 training, or like really simple how to hack web applications training, and I think that's a really important piece. I think that you can't just, you took up, engineers actually understanding what cross-site scripting is, or buffer overflows, or SQL injection, whatever it is, you can't just give them, like, mitigate this; this is at least, you have to teach them how to create an attack. One of the most effective things that I actually did for my company is I did a very simplified CTF with really awesome prizes for the MU years, and not the complicated stuff, but actually just something that builds confidence in the fact that these attacks are really accessible and very visceral. I think that's my biggest piece of advice, is that the more you can make it real to the people that you are serving in the security capacity, the better results you'll have.

So we don't spook one where we repentance, they make sure they made a web-based game, so food grows played games, and we've been assessment without six months, we've seen insight issues, of course different, you know, areas of what they wanted touched, but we just love this, this isn't helping, brutal six wolves were pen test is just not getting across. So instead of doing the next pen test, we ran the two-day web app hacking course, we taught them all of the stuff that we're finding, we taught them absolute itself today I met, they have constant scrutiny, SQL injection of a pyro file along counsel, after that when we went back to the pentest who imparted mobile and they've done that, no, I've gotta shave that, and it was something myself understanding that security principle, and it does always go back to their sense of humor, there's no aptitude securely, are they just copy-paste, there is a chain. So a friend of mine has a great story about someone giving a sitting next to him on the pen test, and so like, I might put your day, I mean my, I was like, yeah, sure, sit down. So sits down, my opens a busy now to get scoping document, I'm always doing is double clicking on Outlook, double clicking on a link, this guy gives sort of, the lights would dim mirror, like you change the hoodie would about, the hacking commences. But like, you know, I think there's educating people. I've done the similar thing where we run into an impasse, so it's like, sorry guys, like, you know, you block scripts, other one the scripts of that to works, you plot that just about three, we can keep doing this or you come in rather than people the pen test come in, we'll do either some training or do some demonstrations and hands-on where they can almost interact, so it's a bit of a shadow copy of your production environments which has this vulnerability, and I checked it, but these things in his how it works isn't it doing a night in the process almost, they've got that says that there's a couple of slides, that's usually, I've got pizza, then there's like some bunch last serve, so that it becomes a kind of, like this, if I got like an event in house, which makes it slightly special, I've been giving it a place really mean, don't have to be a fantastic to do this either. So I would not consider myself a pentester or a red teamer, and I like to think I know how to break in a sack, but like, I am NOT this level, but when it comes to kind of threat modeling in the blue team and turn against attack, I think this stuff's really interesting, demos. I talked about the conference subdomain educating me realize we weren't from the war, a lot people asked what it was, and I thought it'd be a good opportunity to talk about DNS, know I'm really sick you like about DNS to learning about the inner side days, but it was a good opportunity to demo it, and for me it was a good opportunity to kind of up my skill level in that kind of presentation and put it together, like a hat and put it, our engineers learned a lot from it, and I think they learned a lot from it coming parameter that security. If you're in monitoring, or whether you're stuck in those types of areas, being able to demonstrate to someone, hey, this is what I see when this happens, or even better, this is what I don't see because no one's capturing logs, that speaks volumes to minute even any a mystery, or in being able to demo and teach people kind of what it looks like when you're protected is really powerful.

All right, any other questions? Yeah, the question is: do you think the ability of a decent developer negates the requirement for pentests? Okay, yes, all right, jumped in. Um, I think it depends on your risk appetite and also certain regulatory pieces, some compliance pieces might require pen tests or some form of, yeah, PGX great. And I'm gonna take a stronger stance and say no, primarily because I have a lot of experience with data, and some analytic data that tells me the same eyes on the same code over a period of time will give you a blind spot. So I think fresh eyes from outside is a very important concept. I also agree, also be expanding the sentence, I think that there should be more materials available so that you get more security or plan to benefits that are accessible, so that we don't find the low-hanging fruit, like next year. This call I'm hoping to hop on paper fake a desk or objection is it disclosed, discovered in 1998 with these well American toys Christmas Eve, it's just a in 1998 in fire hoses, right, like, so it's 21 next year, I'm gonna get a cake eating the key he's 20 Walters, what you do, right, like, seriously, we've had SQL injection and it's a trivial vulnerability because the mitigation was in the original paper. The moment I can not be able to use MSR 67 I'm very pleased not Amazon to know why, okay, the orange is eternally blue.

Any other questions? Okay. Let's, as a summary, just remind, you know, I'll give you a moment so you can put this together from the red team and the blue team perspective: one piece of advice to take away that you want to make sure everybody has about this threat process, as well as remind everybody social media following, everything. So again, I'm Lynch, my takeaway that I'd like everybody to think about is really just building rapport between the different parts of the organization, literally coming down to the social ability to just go have a pizza, go out here or somebody and talk about what their experiences will, I suffer a lot of those things, my point of view on map logical. The other thing that I would say, if I could this was put into every company's an, is don't be afraid of the security. I think if you take a fishing boat there's nothing worse, and my point of view, where I have a thing, I want to help you, I want to disclose it responsibly and I can't get an answer, you know, like, here's a thing, you companies had good ways and these are excellent ways of doing it, to be able to take care of the shape of it, things automatically stop, so I think that's what I'm going to say. Am - attached a nice antor debt and be a contributor. So if you're a three-person contribution on security projects, open source projects, whether that's raising issues or PRs, do it; find projects that you know your teams use or that you're interested in. You might not feel confident or comfortable contributing to their source code; raise issues, spot things, run static analysis against it, help those out, help it seems out. And then in contrast, encourage your software engineers to contribute to OWASP projects, so the Open Web Application Security Project. There's a Slack, I invite you to, you want, where we discuss all the things, or the dreams and hopes you have, role in various projects, because the wikis terribly update and there are so many things that we'd love to do, but I'm so conscious that it's from a security perspective and these are not tools just this poutines, easy tools for engineers, and we need contributions from security and from engineering teams. So I would encourage you to grow and contribute to these projects. Right, well, thank you for listening to our ramble, and we're going to be around there as the capital, you know.
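The local regex check the panel describes earlier (a script run before every push that looks for access keys following a set format), as an added example; this is not the panel's or any project's code. It scans only the added lines of a unified diff, so it can sit in a pre-push hook on `git diff` output; the rules, the allow marker and the sample diff are constructed for illustration.

```python
import re
import sys

# Constructed rules. The AWS access key ID shape (AKIA + 16 uppercase
# alphanumerics) is a documented public format; the other two are heuristics.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "generic_assignment": re.compile(
        r"(?i)(?:secret|password|api[_-]?key|token)\s*[:=]\s*['\"]([^'\"]{8,})['\"]"),
}
ALLOW_MARKER = "secret-scan: allow"  # constructed opt-out for known-fake fixtures


def added_lines(diff_text):
    """Return (path, new-file line number, content) for every '+' line of a unified diff."""
    path, new_line, out = None, 0, []
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):
            target = raw[4:].strip()
            path = target[2:] if target.startswith("b/") else target
        elif raw.startswith("@@"):
            m = re.match(r"@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@", raw)
            new_line = int(m.group(1)) if m else 0
        elif raw.startswith("+"):
            out.append((path, new_line, raw[1:]))
            new_line += 1
        elif not raw.startswith(("-", "\\")):
            new_line += 1  # context lines advance the new-file counter
    return out


def scan_diff(diff_text):
    """Flag added lines that look like credentials; report only a redacted prefix."""
    findings = []
    for path, lineno, content in added_lines(diff_text):
        if ALLOW_MARKER in content:
            continue
        for rule, pattern in SECRET_PATTERNS.items():
            m = pattern.search(content)
            if m:
                value = m.group(m.lastindex or 0)
                findings.append({"path": path, "line": lineno, "rule": rule,
                                 "sample": value[:4] + "..."})
    return findings

# Constructed sample diff in `git diff` format; the AKIA value is the
# placeholder key from AWS documentation, not a live credential.
SAMPLE_DIFF = """\
diff --git a/config/settings.py b/config/settings.py
--- a/config/settings.py
+++ b/config/settings.py
@@ -10,3 +10,5 @@ DEBUG = False
 ALLOWED_HOSTS = ["example.test"]
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+DB_PASSWORD = "hunter2-but-longer"
 TIMEOUT = 30
+API_KEY = "fixture-value-000"  # secret-scan: allow
"""

if __name__ == "__main__":  # hook usage: git diff origin/main...HEAD | python secret_scan.py
    hits = scan_diff(sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DIFF)
    for h in hits:
        print(f"{h['path']}:{h['line']}: {h['rule']} ({h['sample']})")
    sys.exit(1 if hits else 0)
```

A non-zero exit from the hook blocks the push, and the allow marker is the escape hatch for fixtures that are known to be fake.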