
Hello everybody. Good afternoon and welcome to BSides Las Vegas, ground floor. So this talk is Hacking Secure Coding into Education by our speakers today, Or Sahar and Yariv Tal. Yep. So, before we begin, a few quick announcements. We'd like to thank our sponsors, especially our diamond sponsors, Adobe and Aikido, and our gold sponsors, Profit and runZero. It's their support, along with our other sponsors, donors, and volunteers, that makes this event possible. Next, these talks are being streamed live. As a courtesy to our speakers and audience, we ask that you check to make sure your cell phones are set to silent.
>> Forgot the camera.
>> If you have a question, we will provide the audience microphone so that YouTube can also hear you. This is the audience microphone I'm holding in my hand right now. As a reminder, the BSides LV photo policy prohibits taking any pictures without explicit permission. These talks are all being recorded and will be available on YouTube in the future. And I would request, if you guys could move to the front, just so that those who are coming in can be seated in the back. With that, let's get started. Please welcome your speakers.
>> So, hi everyone and welcome to Hacking Secure Coding into Education. We're very happy to be here. My name is Or Sahar. I was a developer for many years. 10 years ago, I switched my career path into cyber security. I also enjoy penetration testing right now, and I also do some consulting and secure coding workshops in the governmental sector and also in the private sector. My drug of choice is snowy mountains, and this is the Vice Smith summit in Switzerland.
>> Hi everyone, my name is Yariv. I was a developer for many years, 40 years, and I also lectured in universities, mentored in boot camps, and about five years ago I became an AppSec researcher. My drug of choice is roller coasters, which is why I'm upside down.
>> Not only because of that. [laughter]
>> So, education. Why do we care?
>> Why do we care? Why do we care? 2025 and code is still insecure. The same vulnerabilities appear again and again and again. Yariv, are we still talking about SQL injection?
>> Yes. So, apparently we are, even though it was first discussed 27 years ago, in 1998. Still, in 2023, we had a major SQL injection related breach, the MOVEit breach, which every one of you remembers.
>> With $9 billion loss.
>> Yes. So much so that in 2024 Uncle Sam said they will no longer forgive SQL injection flaws. But Or, I don't think it's much better with other vulnerabilities. Is it?
>> No. The same goes for XSS, path traversal, insecure file upload, and more and more. And now we have the AI as well. So, and more. I said AI [laughter] for the first time, and the last time maybe. So, we have a huge ecosystem. We have so many tools. We have SAST and DAST and SCA, and we have threat modeling, and all these tools and methodologies usually happen after the code is already produced by developers, except for threat modeling maybe, sometimes. So Yariv, tell us, why do we keep failing?
>> Well, thank you. My son learned in high school "internet programming". That's what they call it.
>> Ability programming.
>> Internet programming. And they needed to do a user login, check the username and the password. Here's how they taught them to do it. Okay, it's a bit hard to see, but who sees the vulnerabilities?
>> How many vulnerabilities? Help us out.
>> At least two. At least two.
>> At least two. You're almost there. Who sees? Well, anyone, right?
>> Okay. Yeah, you can do SQL injection on both the name and the password because they're not validated or sanitized.
>> What more?
>> Well, here's a nice one. They use LIKE. Anybody knows what LIKE does? It uses wildcards. So basically if I pass the percent sign for the password, that's a catch-all. So no need for SQL injection even. And the third one is, what did they forget to show that you have to do with passwords?
>> Hashing. Yeah.
>> Someone said it over there. No password hashing. So three vulnerabilities in a single slide. And this is how we teach. So...
>> Not us.
>> Next slide. This is...
>> True. Not us. This is how they teach. Thank you.
>> So if this is how our students are taught, how our programmers are taught, how can we expect code to be secure? I mean, it would be ludicrous, right? So we decided, and Rachel here remembers, we shift all the way to the left, to the beginning of time, before developers become developers. [snorts] So,
>> So in 2022 we went to Global AppSec of OWASP, and we said coding education must change, and we gave this lecture, and we were sure that universities would learn the errors of their ways and start teaching secure code, and high schools would teach their students to do parameterized queries and not...
>> concatenating strings. And nothing happened. So we did it ourselves. Oh, remind me, how did we manage to reach high schools?
>> Yeah. So a good friend of mine is a computer science teacher in high school. So we reached out to him and we asked him, give us your materials. He shares his materials with like three or 400 teachers all over the country. And we asked him to see the materials, and we made some comments about the material. We asked him to change this and to change that, and we had a lot of discussions about that, and it took a lot of time, and nothing was done. So he said, okay, come to my high school, give us a workshop. We are not going to change the materials right now, it's a lot of work, but come to my school, teach my students. We went to high school students, we gave a workshop. It was very good, they liked it. It spread the word for us; they talked about the workshop with other students, with other teachers, all over the country. We also went to a computer science teachers' gathering in the summer, and we spoke to them, and they helped us spread the word about Secure From Scratch, and we started to travel all over the country to share our knowledge. Yeah.
>> But this wasn't enough. Somehow we found ourselves teaching in universities. Well, again, back to you.
>> Yeah. So if you wonder if LinkedIn is a good tool, we are the proof that it actually is. So one professor from one of the universities in our country approached me and asked me if we can teach their students secure coding. He knew to send me a message because of my LinkedIn post. So yeah, of course I said yes, and then I called Yariv. [laughter]
>> Yeah, we had nothing ready. Okay.
>> Not even a syllabus.
>> It's a full semester, like 13 lessons of three, four hours each.
>> Four hours each. Yes.
>> Yeah. I think...
>> And this is like four weeks before the semester is about to begin. [laughter]
>> So we sent a syllabus.
>> I was very nervous.
>> Yeah. After every time I gave the lecture to the students there, I came home and I didn't even take the rest of the day off. I was like, let's start the next week, otherwise I'm going to [laughter] I'm going to have nothing. So, I wouldn't suggest, okay, this is how we did it, don't go and do it yourselves this way, but we pretty much wrote the entire semester during the semester itself.
>> Yeah. And then...
>> And then after a while...
>> Number four.
>> Yeah, [laughter] I'm looking for it because I forget how to say it in English. So after a while someone told the National Cyber Directorate in our country about us. So they called me and said, do you want us to give your name to all the universities around the country, some colleges? Yes, of course. Are you available for all of them? Yes, of course. We're going to go everywhere. [laughter] So, yeah. And then we found ourselves, each one of us, in a separate academic institution, sharing the same knowledge, the same course for everyone. Yeah.
>> Yeah. Which kind of gave us the idea to scale up by using YouTube, and we filmed some reels to make it easier for us to go to that many universities.
>> Yeah.
>> Which brings us to the next item: everyone else. So, yeah, our...
>> Now we come back after San Francisco. We went to San Francisco, we went to spread the word, we went to spread Secure From Scratch all over the world. Then we came back to the country, and now we come back to the States. You know, we really want to help everyone.
>> And since we have YouTubes, everyone can watch them, everyone can learn. It's a full, well, it's going to be a full course, because we're redoing the YouTubes with better visuals. And of course we want to spread it, so we also give workshops worldwide, including at DEF CON, and of course we are talking...
>> Third time.
>> Second time the workshop, right? Third time. Third time. Wow.
>> Wow. And we're also talking about it here at BSides Las Vegas.
>> So that's another thing.
>> And of course you want to know how we build workshops that developers like...
>> Because we all know those workshops that developers just see and they're like, this is a punishment, and I would rather go back to work. And we don't like that.
>> Yeah. So, what do we do? The secret is that most developers don't want to know everything about security, for sure. They don't want to know all this special magic terminology that we use: XSS, CSRF, SSRF, RCE. I'm getting very excited when I hear RCE. Like, I'm very happy. I want to be able to get RCE in every penetration test I do. But for developers: what are you talking about? Just leave us alone and let us build. We want to build. So when we create a workshop, we focus on coding. We don't just, you know, tell them this is a vulnerability, this is how we fix it. No, we give them some tasks, and we know to put the trap in the task. Like, we tell them, develop this and that, and then we know that they will do it in the wrong way. Like...
>> 11 out of 12 developers fall in our traps. So, we know that they're gonna do it wrongly. And then after they tried the lab on their own, then we know, okay, now let's hack into your solution. And some developers don't like the hacking step. So, it's fine. We leave them. Okay, you just need to develop. If you want to try the hacking phase, it's fine. Otherwise, we'll show you how we hack into your system. So, not everyone; the ones who do like it enjoy it, the other ones, okay, just go ahead. So we prepared a skeleton and they build into the skeleton. We give some actionable advice. We also took all the information. We have a lot of information. There is the OWASP Top 10, that is mainly for security professionals; it's more like what not to do than what to do. And there are also other projects that deal with security guidelines, but it's a lot. Five minutes? Yeah, I cannot see. Well...
>> We're good.
>> Yeah. So, we condensed all this information to prevent... and we show you. So...
>> It's on the next slide.
>> Yeah, it's the next slide.
>> So, like, one more. Ah, more.
>> There we go.
>> Ver.
>> It's an acronym, and it's a good acronym. How do I know? Because I use it myself, when I write servers.
>> No, it's good because you created it. [laughter]
>> I admit, we both, we co-created it, but I actually use it myself. Okay. It's not something that's academic or "it will probably work". It's inspired by SOLID, if you know SOLID from object-oriented programming. So the idea again was, let's have an acronym that helps people program securely. And we're not going to go over it, don't worry, there's a YouTube on it, so you can just go and look at it, and even after that it requires training to really get into it.
>> So we have a lot to offer. What do we have? Well...
>> What do we have?
>> Okay, so first of all, oh, sorry. First of all, this is my minor project in OWASP, OWASP Trust. It's not something big. It's just a project that replaces, right now, just the path library in Python and in Java. And the idea is, if you use this, it's kind of like the parameterized query version for paths. Once you use this, you can never have a path traversal. Never. It makes it impossible. Just like parameterized queries make SQL injection impossible, this does it for paths. So you can go and take a look and use it. That would make my day. But it's really just one small minor pet project of mine. The bigger ones are...
>> Yeah. So this is our repository, and it's open source, and we put there everything, like every workshop that we give in high school or in the university, or even for the private sector, when private customers ask us for a workshop. We develop the workshop, they pay the money for the workshop, but then we share it with everyone, and they're totally fine with it. This is how they sponsor the materials that we share with the community. So it's fine. Yeah, so everything is there. Please feel free to use it, to give some... maybe... What is that?
>> Oh, that's me. No, no, go back. That's the YouTube.
>> Oh, but it doesn't work.
>> Yeah, of course.
>> It's supposed to...
>> to run and show the YouTubes. Try moving one back and one forward, and one forward. Oh, there. Okay. So, this is just a sample of our YouTubes and the evolution. Okay, it was really bad in the beginning, just slides, but it got better. This is our newer version. I'm showing you the iteration for two reasons. One, if you're doing a project, don't despair if it doesn't look nice the first or second time; you'll have to iterate. And two, the English versions are being transformed, and still a lot of them are being recorded. So don't despair that there's not a lot out there in English right now. It's going to be there, and we have Hebrew versions, which we will put English subtitles into. Just give us a couple of days. Actually, it's our philosophy: as much as we agreed to fail the first time, the YouTubes were bad, also, you know, my very first YouTube about Secure From Scratch was really bad, and then we agreed to fail, as much as we encourage our students to fail and then learn something out of it.
>> So this is a call for action. [laughter] Please spread the word about Secure From Scratch. Send us your feedback. We really need your feedback. If you want to provide a workshop, it's also very good, and...
>> Arrange a workshop.
>> Yeah. If you want to develop a workshop and share it with us, we put it in the repository and we share it with the community.
>> Yeah. Or take the workshop from our GitHub and do it in your workplace, or of course you can do the course.
>> Yeah, the Java course. It's like a full semester course in secure coding in Java.
>> And...
>> Summary: 2025 and code is still insecure. The same vulnerabilities appear again and again. We want to shift all the way to the left, to the beginning of time, before developers become developers. Even now it's more important, because we saw what developers do: they use AI. AI creates vulnerable code between 40 to 50% of the time. So we want our students to learn how to code securely, and to ask the agents to provide secure code. [snorts] And I said AI for the second time. So please help us, help yourself, help your friends.
>> And the...
>> And what...
>> Voilà, demo.
>> Okay, demo. Ah, we have...
>> So we actually have more time than we thought.
>> Really? So I'm just going to show you a short, small demo.
>> Yeah.
>> Usually there's some preamble to this explaining things, but this is how we do it in high school, for example. There's no network, no web. We just say, imagine a computer that your teachers put in the hall, and they put a questionnaire there, and you come to this computer and you put in your name. So I'll put in my name.
>> Yeah, it's super simple. You don't have to know any framework or be a web developer, just a very simple console.
>> And you get the daily question, which today is: what is the capital of Assyria? Who knows where this is from?
>> Really, no Monty Python fan? Okay. So I'm going to give the wrong answer here, and okay, so imagine many students come and do this, and then at the end of the day the teachers come and they say that they are the teacher, and they get a list of who was right and who was wrong. And let's do one that's right: it's going to be "All right". And again, the teacher. All right. And now the big question. The teacher said they're going to do this for three months, with many, many questions. And of course, I can Google the answers, but I'm lazy. I want...
>> There's no network.
>> I want the teachers...
>> No network.
>> I have my phone. I want the teachers to think I am right even when I am wrong. So I want a method that I can pass these three months so the teachers always think that I'm right. And the question is, what can you put here? So you hack the system, and when the teachers look at your name they see that you are right, no matter what.
>> What?
>> Ah, nice one. Okay, let's try that. And oh, illegal characters.
>> But that's easy to... I'll just use... Yeah, I think it's because...
>> I think you ran...
>> Yeah, I'm one of the more advanced...
>> one fixed version, but it's still vulnerable.
>> Yeah, it was supposed to be vulnerable. See, this is why demos never work. But let's assume that the column... this is actually a fixed version. Well, one attempt to fix. And the problem with your suggestion, though, is that it doesn't work. See, wrong, right? It doesn't work. It doesn't make me look right.
>> It's a good idea.
>> Yeah. The students also suggest this one. But also there is another disadvantage, because for some people their second name is Right.
>> Yeah.
>> So, you cannot block their last name. You have some issues with...
>> So, we're not gonna solve this. You can go and do it...
>> in the YouTubes, as a walkthrough. So, we're not going to solve this. But you see, this is a very simple scenario because it's for high school.
>> Yeah.
>> And yet there's an element here of, what can be done? There's an intentional element, at least it's supposed to be an intentional element, of mischief and rivalry, like how can we cheat the system? And after they do that and they understand hacking, we go with them to, okay, how do we protect it? And of course, they offer all kinds of blocking methods. We show them why that doesn't work. And...
>> Yeah.
>> That's basically it, right? And now questions.
>> Go back to the...
>> Oh, go back.
>> Yeah. Thank you so much.
>> We have time. Five minutes for questions, or no time? No time. All right. Yeah. So, thank you so much for coming here today.
>> Yeah.