<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom">
  <channel>
    <title>Whiskey Tango Foxtrot</title>
    <description>Let&apos;s explore security adventures and get some vitamins together.</description>
    <link>https://avicoder.me/</link>
    <atom:link href="https://avicoder.me/feed.xml" rel="self" type="application/rss+xml"/>
    <pubDate>Sat, 08 Nov 2025 09:10:09 +0000</pubDate>
    <lastBuildDate>Sat, 08 Nov 2025 09:10:09 +0000</lastBuildDate>
    <generator>Jekyll v3.10.0</generator>
    
      <item>
        <title>The Art of Building an AppSec Program That Developers Love</title>
        <description>&lt;hr /&gt;

&lt;p&gt;Creating a robust AppSec program is no easy feat. It requires a deep understanding of both the development process and security principles. But what does it take to build an AppSec program that not only secures applications but also wins the hearts of developers?&lt;/p&gt;

&lt;p&gt;Let’s explore some strategies:&lt;/p&gt;

&lt;h3 id=&quot;understanding-the-developers-mindset&quot;&gt;Understanding the Developer’s Mindset&lt;/h3&gt;

&lt;p&gt;Developers are often under immense pressure to deliver new features, fix bugs, and meet product deadlines.&lt;/p&gt;

&lt;p&gt;Security, while important, can sometimes feel like a hindrance to their primary goals.&lt;/p&gt;

&lt;p&gt;To engage developers in security practices, it’s essential to present the “why” behind security measures. For example, explaining the risks associated with not updating a vulnerable library can be more effective than simply instructing them to update it. Security should not just be about following orders; it should be about understanding and mitigating risks.&lt;/p&gt;

&lt;h3 id=&quot;creating-a-partnership-with-developers&quot;&gt;Creating a Partnership with Developers&lt;/h3&gt;

&lt;p&gt;A successful AppSec program is not a one-way street. It’s about creating a partnership where both security and development teams work together towards a common goal.&lt;/p&gt;

&lt;p&gt;This means involving developers in security discussions, understanding their challenges, and finding solutions that work for both sides. For example, allocating a portion of the development sprint for security tasks can help integrate security into the development lifecycle without overwhelming developers with additional work.&lt;/p&gt;

&lt;h3 id=&quot;security-champions-the-key-to-sustained-engagement&quot;&gt;Security Champions: The Key to Sustained Engagement&lt;/h3&gt;

&lt;p&gt;One effective way to maintain a strong security posture within the development team is through a Security Champions program.&lt;/p&gt;

&lt;p&gt;By appointing and empowering security-minded individuals within development teams, organisations can ensure that security considerations are woven into the fabric of the development process.&lt;/p&gt;

&lt;p&gt;However, the success of such a program depends on keeping it engaging and relevant. This can be achieved by treating these champions as equals in security discussions and giving them the autonomy to bring up concerns and suggestions.&lt;/p&gt;

&lt;h3 id=&quot;advocating-for-both-security-and-development&quot;&gt;Advocating for Both Security and Development&lt;/h3&gt;

&lt;p&gt;An AppSec leader should not only advocate for security within the development teams but also represent the needs and concerns of developers within the security team.&lt;/p&gt;

&lt;p&gt;This two-way advocacy ensures that decisions are balanced and take into account the practicalities of implementing security measures. For example, if developers are struggling with a particular security tool, it’s the AppSec leader’s role to find a solution that makes the developers’ jobs easier while still maintaining security standards.&lt;/p&gt;

&lt;h3 id=&quot;building-relationships-across-the-organization&quot;&gt;Building Relationships Across the Organization&lt;/h3&gt;

&lt;p&gt;Building relationships across different functions within the organization is crucial for an AppSec leader. This involves not only working closely with developers and product managers but also engaging with senior leadership to ensure security is integrated into the business strategy. Effective communication and the ability to translate technical jargon into business risks are essential skills for any AppSec professional.&lt;/p&gt;

&lt;hr /&gt;

&lt;p&gt;The future of application security hinges on collaboration, empathy, and a deep understanding of both security and development. By listening to developers, advocating for their needs, and integrating security into the development process, AppSec programs can become a seamless part of software development.&lt;/p&gt;

&lt;blockquote&gt;
  &lt;p&gt;Remember the advice: “We have two ears and one mouth, so we should listen twice as much as we speak.”&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;This philosophy can guide AppSec leaders to create programs that are not only effective but also embraced by those who implement them.&lt;/p&gt;

&lt;p&gt;Stay tuned for more insights and discussions on the future of application security. And remember, &lt;strong&gt;the key to a successful AppSec program lies in collaboration, not dictation.&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Thanks for reading this post! We hope you found it helpful. If you have any comments or questions, please let me know in the comments below. Until next time… 👋🏽&lt;/p&gt;

</description>
        <pubDate>Sun, 18 Feb 2024 10:00:00 +0000</pubDate>
        <link>https://avicoder.me/2024/02/18/the-art-of-building-an-appsec-program/</link>
        <guid isPermaLink="true">https://avicoder.me/2024/02/18/the-art-of-building-an-appsec-program/</guid>
        
        
      </item>
    
      <item>
        <title>Host a bug bounty program under $500!</title>
        <description>&lt;hr /&gt;

&lt;h2 id=&quot;backstory&quot;&gt;Backstory&lt;/h2&gt;

&lt;p&gt;Security for our customers is our top priority.&lt;/p&gt;

&lt;p&gt;As a startup, we must continually seek ways to be resourceful by investing wisely in our business while safeguarding the information of our users. By being resourceful, we can reinvest possible savings into other initiatives that would improve the experience of our users and fuel the growth of the business.&lt;/p&gt;

&lt;p&gt;It is clear that bug bounties can be a valuable source of information about potential security issues in our system and provide us with the opportunity to close the gaps that might leave our users vulnerable to attack.&lt;/p&gt;

&lt;p&gt;In 2018, we launched a bug bounty program. We’d done our research, figured out what we wanted to offer, and gotten all of our ducks in a row. But now comes the hard part: actually running the program!&lt;/p&gt;

&lt;p&gt;Previously, we received reports from users about possible problems with accounts or other parts of the site through a dedicated &lt;strong&gt;email&lt;/strong&gt; address. We faced the following challenges with this approach:&lt;/p&gt;

&lt;ol&gt;
  &lt;li&gt;Keeping track of the reports;&lt;/li&gt;
  &lt;li&gt;Major parts of the report were often missing, such as the vulnerability class, CVSS score, PoC, etc.;&lt;/li&gt;
  &lt;li&gt;Triggering mails on changes in the state of the report, such as triage, asking for payment details, etc.&lt;/li&gt;
&lt;/ol&gt;

&lt;h2 id=&quot;struggle&quot;&gt;Struggle&lt;/h2&gt;

&lt;p&gt;We looked for some alternatives, and there are some really good products out there to host a bug bounty program. The main issue we found is that most of the platforms charge exorbitant entry fees (~$50k) just to get onboarded.&lt;/p&gt;

&lt;p&gt;We also checked a few open source solutions, but they didn’t serve our purpose. To keep things simple but effective, &lt;strong&gt;custom workflows&lt;/strong&gt; were a major requirement we were looking for.&lt;/p&gt;

&lt;p&gt;Many of the existing integration solutions out there lack the flexibility to customise the forms’ look and feel, which makes handling the workflow a difficult process. We had checked integration solutions such as Zapier with Google Forms, custom Slack notifications with Jira Service tickets, etc.&lt;/p&gt;

&lt;p&gt;We decided to go with JotForm for a few reasons:&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;
    &lt;p&gt;First, the forms can be customised. This means that you can create forms that match the aesthetic of your site and brand, which is extremely important for creating a seamless experience.&lt;/p&gt;
  &lt;/li&gt;
  &lt;li&gt;
    &lt;p&gt;Second, JotForm integrates with most of the automation and alert solutions out in market today. This makes it easy to send alerts to users when they submit reports.&lt;/p&gt;
  &lt;/li&gt;
  &lt;li&gt;
    &lt;p&gt;Thirdly, JotForm doesn’t cost too much: &lt;strong&gt;$500 per year&lt;/strong&gt; for their Bronze plan (they also have a free plan), which is pretty reasonable considering all of the features you get access to, including branding, custom workflows, mail customisation with templates and payment integration via PayPal.&lt;/p&gt;
  &lt;/li&gt;
  &lt;li&gt;
    &lt;p&gt;Lastly, JotForm has a dashboard where you can see trends and analytics about received issues, label them, and assign the reports to a security analyst.&lt;/p&gt;
  &lt;/li&gt;
&lt;/ul&gt;

&lt;h2 id=&quot;setup&quot;&gt;Setup&lt;/h2&gt;

&lt;p&gt;We use GitHub Pages to host a static page that includes details such as the following:&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;Description&lt;/li&gt;
  &lt;li&gt;Scope&lt;/li&gt;
  &lt;li&gt;Eligibility&lt;/li&gt;
  &lt;li&gt;FAQs&lt;/li&gt;
  &lt;li&gt;Hall of Fame&lt;/li&gt;
  &lt;li&gt;Rewards&lt;/li&gt;
  &lt;li&gt;Criteria for Acceptance&lt;/li&gt;
  &lt;li&gt;Form for users to report bugs to us.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;You can find it at &lt;a href=&quot;https://security.glints.com/&quot;&gt;https://security.glints.com&lt;/a&gt;, or feel free to look at the code &lt;a href=&quot;https://github.com/glints-dev/bug-bounty/tree/gh-pages&quot;&gt;here&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;GitHub Pages is straightforward to set up. The next step is to configure JotForm: head over to &lt;a href=&quot;https://www.jotform.com/&quot;&gt;https://www.jotform.com/&lt;/a&gt; to create an account and enable two-factor authentication.&lt;/p&gt;

&lt;p&gt;You can design and add the form fields as per your requirements. We like the Bugcrowd report structure and use it in our report form. You can clone or import it into your account; this template is public and available at &lt;a href=&quot;https://www.jotform.com/form-templates/ur/bug-bounty-submission&quot;&gt;https://www.jotform.com/form-templates/ur/bug-bounty-submission&lt;/a&gt;. Don’t forget to edit the options for Assets and Platform in your newly created form to match your defined bug bounty scope. Once the form is ready, head over to the Settings tab for further configuration of mail and workflow.&lt;/p&gt;

&lt;blockquote&gt;
  &lt;p&gt;Next, under the Form Settings tab, set the form status to &lt;strong&gt;Enable&lt;/strong&gt;. After reports are sent, we need to send two emails through &lt;em&gt;autoresponders&lt;/em&gt;. In one mail we acknowledge that we have received the report by sending an email to the reporter’s address (reporter@xyz.com), and in another mail we send a message containing all the details of the report to our own address (security@org.com).&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;&lt;img src=&quot;https://tech.glints.com/content/images/2023/09/image-2.png&quot; alt=&quot;&quot; /&gt;&lt;/p&gt;

&lt;blockquote&gt;
  &lt;p&gt;Go to the Emails tab and click on Add Email. Let’s configure the acknowledgment mail by creating an &lt;strong&gt;Autoresponder Email&lt;/strong&gt;. You will need to make changes such as Subject, Content, Sender Name, Reply-to Address and Recipient Address.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;&lt;img src=&quot;https://tech.glints.com/content/images/2023/09/image-1.png&quot; alt=&quot;&quot; /&gt;&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;https://tech.glints.com/content/images/2023/09/image-3.png&quot; alt=&quot;&quot; /&gt;&lt;/p&gt;

&lt;blockquote&gt;
  &lt;p&gt;Similarly, create another email of type &lt;strong&gt;Notification Email&lt;/strong&gt; for sending the report to the security team, and don’t forget to make changes as per your requirements.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;&lt;img src=&quot;https://tech.glints.com/content/images/2023/09/image-4.png&quot; alt=&quot;&quot; /&gt;&lt;/p&gt;

&lt;blockquote&gt;
  &lt;p&gt;It is also recommended to set a Thank You page once the form is submitted.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;&lt;img src=&quot;https://tech.glints.com/content/images/2023/09/image-5.png&quot; alt=&quot;&quot; /&gt;&lt;/p&gt;

&lt;p&gt;Let’s move to the workflow section, which is the gist of this post. This will allow us to manage bug bounty reports in a similar way to how HackerOne and Bugcrowd do.&lt;/p&gt;

&lt;p&gt;As of 2023, Jotform does not have a workflow export feature. However, you may create your own workflow using the tools on the Jotform site. The process is fairly straightforward and involves dragging and dropping elements into place until you achieve the desired result. The heavy lifting has been done for you; all you need to do is follow along with this guide and you should be good to go!&lt;/p&gt;

&lt;blockquote&gt;
  &lt;p&gt;To create the workflow and attach it to our submission form, go to &lt;a href=&quot;https://www.jotform.com/myapprovals&quot;&gt;https://www.jotform.com/myapprovals&lt;/a&gt; and click on &lt;strong&gt;Create Approval&lt;/strong&gt;.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;For example, check the one shown below and customise it to your current requirements.&lt;/p&gt;

&lt;p&gt;Also, don’t forget to make the changes in the template for each action along with the &lt;strong&gt;Recipient Email&lt;/strong&gt;. For example, if the report is &lt;em&gt;Not Applicable or Out of Scope&lt;/em&gt;, the email template would look like this:&lt;/p&gt;

&lt;div class=&quot;language-plaintext highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;Hi {firstName}
 
Thank you for participating in our &amp;lt;company name&amp;gt; Bug Bounty Program.
 
We have reviewed your bug report and would like to inform you that this bug is out of scope of our bug bounty program.
 
We request you to kindly refer to our bug bounty page at Scope for updated information on scope and details of our bug bounty program.
 
If you are able to abuse this functionality in order to gain access to sensitive data, or impact the system&apos;s integrity, please reply with some detailed reproduction steps and we will be happy to reconsider your report.
 
We appreciate your help in keeping Glints and our customers safe and secure.
 
Regards,
&amp;lt;company name&amp;gt; Security Team
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;p&gt;Along similar lines, create the email template in the approval workflow for each of the other actions, such as:&lt;br /&gt;
- Request to validate fix&lt;br /&gt;
- Triage&lt;br /&gt;
- Request payment details, etc.&lt;/p&gt;

&lt;p&gt;Once the approval flow is ready, attach it to the form that you cloned earlier.&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;https://tech.glints.com/content/images/2023/09/image-7.png&quot; alt=&quot;&quot; /&gt;&lt;/p&gt;

&lt;p&gt;When a bug bounty hunter sends a report using this form, all the details will be displayed in the dashboard called &lt;strong&gt;Inbox&lt;/strong&gt;. You can assign the report to individual members of your team and also label it. Filtering and mass operations on issues are also possible.&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;https://tech.glints.com/content/images/2023/09/download--2-.png&quot; alt=&quot;&quot; /&gt;&lt;/p&gt;

&lt;p&gt;Thanks for reading this post! We hope you found it helpful. If you have any comments or questions, please let me know in the comments below. Until next time…&lt;/p&gt;

</description>
        <pubDate>Tue, 26 Sep 2023 10:00:00 +0000</pubDate>
        <link>https://avicoder.me/2023/09/26/host-bugbounty/</link>
        <guid isPermaLink="true">https://avicoder.me/2023/09/26/host-bugbounty/</guid>
        
        
      </item>
    
      <item>
        <title>Learning and Breaking GraphQL</title>
        <description>&lt;hr /&gt;
&lt;p&gt;tl;dr:&lt;/p&gt;

&lt;p&gt;&lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;Apollo&apos;s Odyssey GraphQL Assessment had a security vulnerability that allowed anyone to view the correct answer before submitting the final report.&lt;/code&gt;&lt;/p&gt;

&lt;hr /&gt;

&lt;h3 id=&quot;learning&quot;&gt;Learning&lt;/h3&gt;

&lt;p&gt;I developed an interest in learning more about GraphQL in the past couple of years, for the simple reason that it is still quite a new technology for some application developers, and due to its flexibility to adapt to customer needs, it’s a technology that is experiencing significant growth in popularity.&lt;/p&gt;

&lt;p&gt;Even though I have done quite a bit of bug bounty work and pentesting around GraphQL, I have not been well versed in development using GraphQL. My first step was to browse through the official documentation and tutorials. You can find a number of worthwhile resources on their site, including a blog series covering everything from the basics to advanced concepts like custom scalars and directives.&lt;/p&gt;

&lt;p&gt;Later, I was presented with a fantastic book. It was straightforward and gave me a better understanding of GraphQL. I was eager to get my hands dirty and came across the &lt;a href=&quot;https://www.apollographql.com/tutorials/&quot;&gt;Apollo Odyssey Learning Platform&lt;/a&gt;, which offers hands-on GraphQL tutorials.&lt;/p&gt;

&lt;center&gt;&lt;iframe type=&quot;text/html&quot; sandbox=&quot;allow-scripts allow-same-origin allow-popups&quot; width=&quot;165&quot; height=&quot;275&quot; frameborder=&quot;0&quot; style=&quot;max-width:100%&quot; src=&quot;https://read.amazon.com/kp/card?asin=B07K5TF5LP&amp;amp;preview=inline&amp;amp;linkCode=kpe&amp;amp;ref_=cm_sw_r_kb_dp_YD426Q7JD4ZYSBJ50S6J&quot;&gt;&lt;/iframe&gt;&lt;/center&gt;

&lt;p&gt;I completed it in a couple of weeks, and the course provided me with everything that I needed to know about how GraphQL works behind the scenes, as well as how it can be exploited by attackers who want access to your data or want to disrupt your services by sending bad requests through your API endpoint(s).&lt;/p&gt;

&lt;p&gt;Apollo Odyssey also provides a certification if you score seventy marks or above in the final assessment. Due to my familiarity with GraphQL, it was a breeze.&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;/images/odyessy-2.svg&quot; height=&quot;12%&quot; width=&quot;12%&quot; /&gt;&lt;/p&gt;

&lt;h3 id=&quot;breaking&quot;&gt;Breaking&lt;/h3&gt;

&lt;p&gt;Let’s now get to the hacking part. After getting familiar with how GraphQL works at a high level, I decided that it was time for me to start breaking something! So naturally my first instinct was “to look for companies that use GraphQL extensively”, and I was looking for a target. However, what would be a better target than Apollo’s own website? haha.&lt;/p&gt;

&lt;p&gt;As I explored and intercepted the traffic on the exam page using Burp Suite, I noticed that whenever someone selected any option for a given question, a request was sent immediately. In the response to these requests there is an interesting field called “correct”, whose value reveals whether the current answer is correct or not. The fact that anyone can send this request multiple times before submitting the final report makes it possible to find the correct option simply by trying each option in turn.&lt;/p&gt;

&lt;p&gt;&lt;em&gt;Request body&lt;/em&gt;&lt;/p&gt;

&lt;div class=&quot;language-json highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;&lt;span class=&quot;p&quot;&gt;{&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
  &lt;/span&gt;&lt;span class=&quot;nl&quot;&gt;&quot;operationName&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;:&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;s2&quot;&gt;&quot;SetOdysseyResponse&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
  &lt;/span&gt;&lt;span class=&quot;nl&quot;&gt;&quot;variables&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;:&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;p&quot;&gt;{&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
    &lt;/span&gt;&lt;span class=&quot;nl&quot;&gt;&quot;userId&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;:&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;s2&quot;&gt;&quot;gh.██████████████████████████████&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
    &lt;/span&gt;&lt;span class=&quot;nl&quot;&gt;&quot;response&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;:&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;p&quot;&gt;{&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
      &lt;/span&gt;&lt;span class=&quot;nl&quot;&gt;&quot;attemptId&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;:&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;s2&quot;&gt;&quot;fa0d9916█████████████████████6&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
      &lt;/span&gt;&lt;span class=&quot;nl&quot;&gt;&quot;questionId&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;:&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;s2&quot;&gt;&quot;mcq-res-calls-1&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
      &lt;/span&gt;&lt;span class=&quot;nl&quot;&gt;&quot;values&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;:&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;p&quot;&gt;[]&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
    &lt;/span&gt;&lt;span class=&quot;p&quot;&gt;}&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
  &lt;/span&gt;&lt;span class=&quot;p&quot;&gt;},&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
  &lt;/span&gt;&lt;span class=&quot;err&quot;&gt;mutation&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;err&quot;&gt;SetOdysseyResponse($response:&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;err&quot;&gt;OdysseyResponseInput!&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;err&quot;&gt;$userId:&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;err&quot;&gt;ID!)&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;p&quot;&gt;{&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
  &lt;/span&gt;&lt;span class=&quot;err&quot;&gt;user(id:&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;err&quot;&gt;$userId)&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;p&quot;&gt;{&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
    &lt;/span&gt;&lt;span class=&quot;err&quot;&gt;response:&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;err&quot;&gt;setOdysseyResponse(response:&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;err&quot;&gt;$response)&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;p&quot;&gt;{&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
      &lt;/span&gt;&lt;span class=&quot;err&quot;&gt;...ResponseFragment&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
      &lt;/span&gt;&lt;span class=&quot;err&quot;&gt;__typename&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
    &lt;/span&gt;&lt;span class=&quot;p&quot;&gt;}&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
    &lt;/span&gt;&lt;span class=&quot;err&quot;&gt;__typename&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
  &lt;/span&gt;&lt;span class=&quot;p&quot;&gt;}&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;}&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;

&lt;/span&gt;&lt;span class=&quot;err&quot;&gt;fragment&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;err&quot;&gt;ResponseFragment&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;err&quot;&gt;on&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;err&quot;&gt;OdysseyResponse&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;p&quot;&gt;{&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
  &lt;/span&gt;&lt;span class=&quot;err&quot;&gt;id&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
  &lt;/span&gt;&lt;span class=&quot;err&quot;&gt;questionId&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
  &lt;/span&gt;&lt;span class=&quot;err&quot;&gt;correct&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
  &lt;/span&gt;&lt;span class=&quot;err&quot;&gt;values&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;p&quot;&gt;{&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
    &lt;/span&gt;&lt;span class=&quot;err&quot;&gt;id&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
    &lt;/span&gt;&lt;span class=&quot;err&quot;&gt;value&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
    &lt;/span&gt;&lt;span class=&quot;err&quot;&gt;__typename&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
  &lt;/span&gt;&lt;span class=&quot;p&quot;&gt;}&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
  &lt;/span&gt;&lt;span class=&quot;err&quot;&gt;__typename&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;}&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;p&gt;&lt;em&gt;Response&lt;/em&gt;&lt;/p&gt;

&lt;div class=&quot;language-json highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;&lt;span class=&quot;p&quot;&gt;{&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
  &lt;/span&gt;&lt;span class=&quot;nl&quot;&gt;&quot;data&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;:&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;p&quot;&gt;{&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
    &lt;/span&gt;&lt;span class=&quot;nl&quot;&gt;&quot;user&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;:&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;p&quot;&gt;{&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
      &lt;/span&gt;&lt;span class=&quot;nl&quot;&gt;&quot;response&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;:&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;p&quot;&gt;{&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
        &lt;/span&gt;&lt;span class=&quot;nl&quot;&gt;&quot;id&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;:&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;s2&quot;&gt;&quot;22748&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
        &lt;/span&gt;&lt;span class=&quot;nl&quot;&gt;&quot;questionId&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;:&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;s2&quot;&gt;&quot;mcq-res-calls-1&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
        &lt;/span&gt;&lt;span class=&quot;nl&quot;&gt;&quot;correct&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;:&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;kc&quot;&gt;true&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
        &lt;/span&gt;&lt;span class=&quot;nl&quot;&gt;&quot;values&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;:&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;p&quot;&gt;[],&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
        &lt;/span&gt;&lt;span class=&quot;nl&quot;&gt;&quot;__typename&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;:&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;s2&quot;&gt;&quot;OdysseyResponse&quot;&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
      &lt;/span&gt;&lt;span class=&quot;p&quot;&gt;},&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
      &lt;/span&gt;&lt;span class=&quot;nl&quot;&gt;&quot;__typename&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;:&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;s2&quot;&gt;&quot;UserMutation&quot;&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
    &lt;/span&gt;&lt;span class=&quot;p&quot;&gt;}&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
  &lt;/span&gt;&lt;span class=&quot;p&quot;&gt;}&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;}&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;p&gt;Issues:&lt;/p&gt;
&lt;ul&gt;
  &lt;li&gt;&lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;correct&lt;/code&gt; should not be reflected in the mutation response.&lt;/li&gt;
  &lt;li&gt;It is also possible to nest all the options and get the correct answers easily.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;It is worth mentioning that if these fields are not restricted, someone with knowledge of the schema could request their values to obtain more information.&lt;/p&gt;

&lt;p&gt;Using this method, anyone can easily pass this assessment with a score of 100/100 after going through all the questions.&lt;/p&gt;

&lt;p&gt;I immediately reported this to &lt;a href=&quot;https://community.apollographql.com/t/where-to-report-a-security-vulnerability-in-odyssey-platform/4472&quot;&gt;Apollo&lt;/a&gt; through Twitter and their support forum. They were quite prompt in responding and acknowledged it as a valid issue.&lt;/p&gt;

&lt;p&gt;While fixing it from their end did take some time, they did a great job.&lt;/p&gt;

&lt;p&gt;My next few posts will also explain how to leverage SAST and DAST tools to continuously check GraphQL security in an organization.&lt;/p&gt;

&lt;p&gt;~ avi&lt;/p&gt;
</description>
        <pubDate>Mon, 23 Jan 2023 10:00:00 +0000</pubDate>
        <link>https://avicoder.me/2023/01/23/hacking-graphql/</link>
        <guid isPermaLink="true">https://avicoder.me/2023/01/23/hacking-graphql/</guid>
        
        
      </item>
    
      <item>
        <title>Security of Google Groups</title>
        <description>&lt;p&gt;Here we go again!&lt;/p&gt;

&lt;p&gt;I’m back with another series of discussion topics. This time it’s Google Workspace.&lt;/p&gt;

&lt;p&gt;Alphabet has a variety of applications for organisations that help you work with your teams and clients, but one of the most powerful is Google Workspace.&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;https://raw.githubusercontent.com/avicoder/avicoder.github.io/master/images/google-workspace.png&quot; alt=&quot;Google Workspace&quot; /&gt;&lt;/p&gt;

&lt;p&gt;There are a ton of applications that allow you to access your emails, calendars and contacts from anywhere with an internet connection. It also makes it easy for you to share files with other members of your team or company.&lt;/p&gt;

&lt;p&gt;But there’s a problem. Let me explain why: when you navigate to “https://groups.google.com/a/{org_domain}/g/{group_name}”, you are able to view all the conversations that are happening inside the organisation. That’s because of a common misconfiguration when setting the sharing options.&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;https://raw.githubusercontent.com/avicoder/avicoder.github.io/master/images/google-sharing.png&quot; alt=&quot;Google Groups sharing settings&quot; /&gt;&lt;/p&gt;

&lt;p&gt;Many companies mistakenly think that “public on the internet” means that their communications are available only within the organization; they don’t realize that anyone can see them if they know where to look, which is not a problem with a few lines of automation.&lt;/p&gt;

&lt;p&gt;The HTTP status code returned for that URL tells you which case you are in:&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;The group will return &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;403&lt;/code&gt; if it exists and is private.&lt;/li&gt;
  &lt;li&gt;The group will return &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;200&lt;/code&gt; if it exists and is public.&lt;/li&gt;
  &lt;li&gt;&lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;302&lt;/code&gt; will be returned if the group does not exist.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;I ran a one-liner on the top 1 million sites with common DL/Group names such as:&lt;/p&gt;
&lt;ul&gt;
  &lt;li&gt;support&lt;/li&gt;
  &lt;li&gt;help&lt;/li&gt;
  &lt;li&gt;people&lt;/li&gt;
  &lt;li&gt;security, etc.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;and found hundreds of instances.&lt;/p&gt;

&lt;p&gt;Digging deeper into the conversation reveals more obscure and difficult-to-find Google groups with internal information.&lt;/p&gt;

&lt;div class=&quot;language-bash highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;&lt;span class=&quot;nb&quot;&gt;cat &lt;/span&gt;1m.txt | &lt;span class=&quot;k&quot;&gt;while &lt;/span&gt;&lt;span class=&quot;nb&quot;&gt;read &lt;/span&gt;line&lt;span class=&quot;p&quot;&gt;;&lt;/span&gt; &lt;span class=&quot;k&quot;&gt;do  &lt;/span&gt;&lt;span class=&quot;nv&quot;&gt;result&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;=&lt;/span&gt;&lt;span class=&quot;sb&quot;&gt;`&lt;/span&gt;curl &lt;span class=&quot;nt&quot;&gt;-s&lt;/span&gt; &lt;span class=&quot;nt&quot;&gt;-o&lt;/span&gt; /dev/null &lt;span class=&quot;nt&quot;&gt;-w&lt;/span&gt; &lt;span class=&quot;s2&quot;&gt;&quot;%{http_code}&lt;/span&gt;&lt;span class=&quot;se&quot;&gt;\n&lt;/span&gt;&lt;span class=&quot;s2&quot;&gt;&quot;&lt;/span&gt; https://groups.google.com/a/&lt;span class=&quot;nv&quot;&gt;$line&lt;/span&gt;/g/support&lt;span class=&quot;sb&quot;&gt;`&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;;&lt;/span&gt; &lt;span class=&quot;k&quot;&gt;if&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;[&lt;/span&gt; &lt;span class=&quot;nv&quot;&gt;$result&lt;/span&gt; &lt;span class=&quot;nt&quot;&gt;-eq&lt;/span&gt; &lt;span class=&quot;s2&quot;&gt;&quot;200&quot;&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;]&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;;&lt;/span&gt; &lt;span class=&quot;k&quot;&gt;then &lt;/span&gt;&lt;span class=&quot;nb&quot;&gt;echo&lt;/span&gt; &lt;span class=&quot;s2&quot;&gt;&quot;&lt;/span&gt;&lt;span class=&quot;se&quot;&gt;\n&lt;/span&gt;&lt;span class=&quot;nv&quot;&gt;$line&lt;/span&gt;&lt;span class=&quot;se&quot;&gt;\n&lt;/span&gt;&lt;span class=&quot;s2&quot;&gt;## HIT ###&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;;&lt;/span&gt;&lt;span class=&quot;k&quot;&gt;fi&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;;&lt;/span&gt; &lt;span class=&quot;k&quot;&gt;done&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;p&gt;If your conversations are publicly accessible, all someone needs to do is guess at the URL for your group within your organization and then they have access to all of your confidential information!&lt;/p&gt;

&lt;p&gt;So what do you do? To protect yourself and your company, make sure you’ve selected “Private” under “Accessing groups from outside the organization.”&lt;/p&gt;

&lt;p&gt;Until next time …&lt;/p&gt;

&lt;p&gt;Avi
👋&lt;/p&gt;
</description>
        <pubDate>Mon, 16 Jan 2023 10:00:00 +0000</pubDate>
        <link>https://avicoder.me/2023/01/16/google-groups-security/</link>
        <guid isPermaLink="true">https://avicoder.me/2023/01/16/google-groups-security/</guid>
        
        
      </item>
    
      <item>
        <title>YaY!! CISSP Certified</title>
        <description>&lt;p&gt;&lt;img src=&quot;/images/study.png&quot; height=&quot;50%&quot; width=&quot;50%&quot; /&gt;&lt;/p&gt;

&lt;p&gt;Following my CISSP certification, I have a few opinions to share.&lt;/p&gt;

&lt;p&gt;Newcomers - don’t wait, opt for it!&lt;/p&gt;

&lt;p&gt;In fact, it should be one of the first certificates pursued after a couple of years of experience. I regret not doing it earlier.&lt;/p&gt;

&lt;p&gt;I think it is not as complicated as it has been advertised to be, but it depends on the individual. I have only read a few books and I believe you will be ready to start.&lt;/p&gt;

&lt;p&gt;During the course of reading these books, I have abandoned my idea that these are textbooks that I would need to complete in order to become a certified CISSP. Instead, I am enjoying it as a regular book. This has opened new avenues for me and enabled me to be a better analytical thinker.&lt;/p&gt;

&lt;p&gt;This means that, for example, if the module discusses the kind of processes that are done during BCP or asset management, I focus on the exact required entities and the steps that have to be considered rather than sharing ideas from flash cards and all that stuff.&lt;/p&gt;

&lt;p&gt;Thanks &lt;a href=&quot;https://www.isc2.org/certified-in-cybersecurity&quot;&gt;CC&lt;/a&gt;, it helped.&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;/images/CC-Square.png&quot; height=&quot;6%&quot; width=&quot;6%&quot; /&gt;&lt;/p&gt;

&lt;p&gt;There is currently a promotion running for the 1st million candidates who can attempt the Certified in Cybersecurity℠ - CC examination and receive one year of free training materials from ISC2. The CC certification is a unique entry level certification provided by ISC2, which is one of a kind in the industry. Through this opportunity, I had the opportunity to give an exam at the center and to brush up on my basics.&lt;/p&gt;

&lt;p&gt;I had booked my exam 1 month in advance and spent nights reading these two books only:&lt;/p&gt;

&lt;iframe type=&quot;text/html&quot; sandbox=&quot;allow-scripts allow-same-origin allow-popups&quot; width=&quot;212&quot; height=&quot;362&quot; frameborder=&quot;0&quot; allowfullscreen=&quot;&quot; style=&quot;max-width:100%&quot; src=&quot;https://read.amazon.com/kp/card?asin=B097NHJK9Q&amp;amp;preview=newtab&amp;amp;linkCode=kpe&amp;amp;ref_=cm_sw_r_kb_dp_9ZP0AYQPHF44N19ZPEZ0&amp;amp;hideBuy=true&amp;amp;hideShare=true&quot;&gt;&lt;/iframe&gt;

&lt;iframe type=&quot;text/html&quot; sandbox=&quot;allow-scripts allow-same-origin allow-popups&quot; width=&quot;212&quot; height=&quot;362&quot; frameborder=&quot;0&quot; allowfullscreen=&quot;&quot; style=&quot;max-width:100%&quot; src=&quot;https://read.amazon.com/kp/card?asin=B09ZD8WMZV&amp;amp;preview=newtab&amp;amp;linkCode=kpe&amp;amp;ref_=cm_sw_r_kb_dp_SY2RWS94JDXG5EJM73P4&amp;amp;hideBuy=true&amp;amp;hideShare=true&quot;&gt;&lt;/iframe&gt;

&lt;p&gt;Until next time …
👋&lt;/p&gt;

</description>
        <pubDate>Wed, 14 Dec 2022 10:00:00 +0000</pubDate>
        <link>https://avicoder.me/2022/12/14/CISSP-certified/</link>
        <guid isPermaLink="true">https://avicoder.me/2022/12/14/CISSP-certified/</guid>
        
        
      </item>
    
      <item>
        <title>Security Roadmap, Strategies and Challenges</title>
        <description>&lt;p&gt;&lt;em&gt;It’s hard to develop a cybersecurity roadmap since several elements need to be considered, such as compliance and risk posture, policy framework, detection and response capabilities, resilience and recovery after a breach.&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;Hi Everyone 👋, in this &lt;strong&gt;multi-part series&lt;/strong&gt; I’m going to share how to develop a security roadmap, which usually comes after asking some relevant questions. I’ll also talk about what good security looks like, because it’s hard to make a good roadmap if you don’t really know what you’re aiming for, and about where to start and how to get there.&lt;/p&gt;

&lt;p&gt;Let’s discuss what executives typically ask…&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;/images/d-1.png&quot; height=&quot;50%&quot; width=&quot;50%&quot; /&gt;&lt;/p&gt;

&lt;blockquote&gt;
  &lt;p&gt;Are we Compliant?&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;You can be compliant, but that doesn’t mean you’re secure. You can get there, though, and there’s a lot in compliance requirements and standards that will help you out. In the end, it won’t make much difference unless you live and breathe it.&lt;/p&gt;

&lt;blockquote&gt;
  &lt;p&gt;Are we Secure?&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;By the same token, you can be secure without being compliant, and we see that quite a bit of the time: people have very good security practices and operations in their organization, but they’re bad at documenting them, so from a compliance standpoint they won’t be compliant but are still secure.&lt;/p&gt;

&lt;blockquote&gt;
  &lt;p&gt;How much progress did we make in making us more secure?&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;How did we do compared to last year? That’s a tough one, since the landscape we worked in last year was different. The attacks we saw last year may have been few, and the attacks we see now may be vastly different from those. Information Security is a dynamic discipline in which everything changes and everything stays the same: the processes, procedures, and operational routines don’t change that much over time, but the attacks, and how we respond to them, change every day. So it’s a bit of both.&lt;/p&gt;

&lt;p&gt;If you didn’t change your security effort in the last 12 months, you were doing a great job dealing with the types of attacks you were seeing then, but if you’re still doing the same thing now, there’s a fair chance that the attacks have outpaced you.&lt;/p&gt;

&lt;blockquote&gt;
  &lt;p&gt;What would we do in case of a breach?&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;This is a great question, because they’re trying to figure out whether you’re prepared for an attack now that their awareness has been raised. Whenever there’s a publicised incident, we see people asking this question.&lt;/p&gt;

&lt;p&gt;When executives ask the questions above, there’s a subtext to what they’re really asking.&lt;/p&gt;

&lt;p&gt;&lt;em&gt;When they ask “Are we compliant?” they’re really asking…&lt;/em&gt;&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;In order to achieve or exceed our goals, what standards must we meet?&lt;/li&gt;
  &lt;li&gt;Have we met them yet?&lt;/li&gt;
  &lt;li&gt;How are we doing? Do we continue to meet them?&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;em&gt;Along the same lines, “Are we secure?” really means…&lt;/em&gt;&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;What are the current risks and how well do we understand them?&lt;/li&gt;
  &lt;li&gt;Are we aware of our key assets?&lt;/li&gt;
  &lt;li&gt;What are we doing to protect those key assets?&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;That’s the question really being asked!!&lt;/p&gt;

&lt;p&gt;&lt;em&gt;“How much progress did we make in making us more secure?”&lt;/em&gt;&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;Over the past year, what has changed?&lt;/li&gt;
  &lt;li&gt;What are we doing to meet these new challenges?&lt;/li&gt;
  &lt;li&gt;What are the areas where we need to improve?&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;em&gt;“What would we do in case of a breach?”&lt;/em&gt;&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;How have we handled incidents that have actually occurred?&lt;/li&gt;
  &lt;li&gt;What did we learn and how are we adapting?&lt;/li&gt;
  &lt;li&gt;Were there any changes we made to ensure we met the challenge?&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;In essence, that’s what the executive is asking with any one of these four questions. On their own they can be difficult to interpret, but combined they give you a clearer picture of where the organization sits in its security structure.&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;/images/d-2.png&quot; height=&quot;50%&quot; width=&quot;50%&quot; /&gt;&lt;/p&gt;

&lt;h2 id=&quot;what-does-good-security-look-like&quot;&gt;What does good security look like?&lt;/h2&gt;

&lt;blockquote&gt;
  &lt;p&gt;Good security needs to be proactive&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;In a lot of companies, security teams are purely reactive: they react to requests to assess new features and projects. We’ve all probably run into the situation where someone comes up to your desk just before the weekend and says “hey, this project needs to go live in a few hours, can you please approve it? 😰”. Our security team needs to change from a reactive one to a proactive one.&lt;/p&gt;

&lt;blockquote&gt;
  &lt;p&gt;Security should not be Obstructive.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;Often, in-your-face security creates obstacles for the business, so our role as a security team is to ensure that the business is able to do what it needs to do in a secure manner. Nobody has ever thanked a security team for constantly saying “No”. Obviously there are times when saying No is the right thing to do, because plenty of things are bad ideas from a security perspective, but ideally you’ll have a security team that actually contributes to the success of the organization.&lt;/p&gt;

&lt;blockquote&gt;
  &lt;p&gt;Security Coverage is one of the main pillars.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;The right coverage needs to be in place. Tools and solutions get deployed, we let them run, and in many organizations they then just sit there for the rest of the year. We come across systems that have never been touched since they were implemented; they do what they’re supposed to do, but they do need a little bit of love.&lt;/p&gt;

&lt;blockquote&gt;
  &lt;p&gt;Implement technology/controls correctly&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;If your organization is at the point where you have firewalls and anti-virus, your next purchase shouldn’t be the one that grabs everything and analyzes it all; there is probably a technology that sits between those two that you will want to consider first.&lt;/p&gt;

&lt;blockquote&gt;
  &lt;p&gt;Minimize the Risk&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;There is a need for us to understand what the risks are. We need to understand what we will be able to do about these risks in order to minimize them as much as possible.&lt;/p&gt;

&lt;blockquote&gt;
  &lt;p&gt;Cost Effectiveness&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;Security solutions must be cost-effective. If it is going to cost 2-3 times as much as the annual revenue of the company, it is probably not going to be of much use to the company.&lt;/p&gt;

&lt;blockquote&gt;
  &lt;p&gt;Responding to current threats&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;Having an understanding of what’s going on in the world right now will give your security team a competitive edge towards proactiveness.&lt;/p&gt;

&lt;blockquote&gt;
  &lt;p&gt;Repeatable process&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;You must be able to repeat whatever you do. If you discover an XSS, you may be able to find the same issue anywhere with the help of tools and scripts sooner, so you can focus on more interesting things rather than sweating over finding the same issue on different instances a week later.&lt;/p&gt;

&lt;blockquote&gt;
  &lt;p&gt;Detailed documentation&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;Documentation is important, and we all stink at it a little bit, but it’s okay to start small and then build slowly.&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;/images/d-3.png&quot; height=&quot;50%&quot; width=&quot;50%&quot; /&gt;&lt;/p&gt;

&lt;h2 id=&quot;what-does-it-take-to-get-good-security&quot;&gt;What does it take to get good security?&lt;/h2&gt;

&lt;p&gt;In an organization, four main functions must take place:&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;
    &lt;p&gt;Make sure you have some sort of &lt;strong&gt;Risk and Compliance/Governance&lt;/strong&gt; function to help identify what you need to protect. To do this, you need to know your assets, your risks, your controls, your metrics, your policies, etc., all documented in a rinse, lather, repeat manner.&lt;/p&gt;
  &lt;/li&gt;
  &lt;li&gt;
    &lt;p&gt;There is typically some sort of &lt;strong&gt;Security Architecture and Design&lt;/strong&gt; component within an organization: a team that liaises more closely with the business to understand what the requirements are, what the impacts are, how they will protect it and how they will know it’s being done well. We can’t emphasize enough how important it is to get into a project early. It is much better to find out at the beginning, rather than at the end, that someone has put a database somewhere on the internet and you’re connecting to it over HTTP, or that code has been downloaded from a Russian website and embedded into your core application.&lt;/p&gt;
  &lt;/li&gt;
  &lt;li&gt;
    &lt;p&gt;The &lt;strong&gt;Security Administration&lt;/strong&gt; function is all about adding users, giving them access, taking it away, and doing some reviews. In order to succeed in security administration, you typically need to have some defined processes, regular review, and maintenance procedures.&lt;/p&gt;
  &lt;/li&gt;
  &lt;li&gt;
    &lt;p&gt;The role of &lt;strong&gt;Security operations&lt;/strong&gt; is to identify, detect and respond to threats. The goal here is to gain visibility on the network, servers and endpoints, and make sure that the tools covering what you’re supposed to cover are configured appropriately: respond to threats, manage them, and analyze them.&lt;/p&gt;
  &lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Skills and services for all of these requirements are not necessarily confined to your organization, and it’s fine to get someone else to assist you. You don’t necessarily have to run a security business but some of these functions must be performed and they must be handled by someone, which you can outsource easily.&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;/images/d-4.png&quot; height=&quot;50%&quot; width=&quot;50%&quot; /&gt;&lt;/p&gt;

&lt;h2 id=&quot;where-are-we-in-terms-of-security-maturity&quot;&gt;Where are we in terms of security maturity?&lt;/h2&gt;

&lt;p&gt;There are different ways of doing this. It’s obviously very high level and, to be honest, the less mature you are, the easier this process is.&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;
    &lt;p&gt;&lt;strong&gt;Non-Existent&lt;/strong&gt;: if “we have a firewall, we have antivirus” is the answer to the question of what you are doing for information security, then you’re probably in the non-existent category. However, that makes life easy, because your roadmap can take whatever direction you want with minimal friction from the stakeholders.&lt;/p&gt;
  &lt;/li&gt;
  &lt;li&gt;
    &lt;p&gt;&lt;strong&gt;Immature:&lt;/strong&gt; In general, you will have a Security Administration function and you may have some policies, or you might have no policies at all but people just know what to do; people seem to know quite naturally when it comes to this. You might have some technical controls beyond your firewall or antivirus in place within the organization, and you might do some threat management, but it’s still a fairly immature organization with no real strategy.&lt;/p&gt;
  &lt;/li&gt;
  &lt;li&gt;
    &lt;p&gt;&lt;strong&gt;Doing our best:&lt;/strong&gt; In this case the Security Admin function is pretty good: you can add/remove users and modify policies, and you may even have developed a little bit of risk and compliance or security operations tooling, with technical controls that have some customization. In contrast to the default tools you bought on day one, these have actually had some thought and configuration put into them.&lt;/p&gt;
  &lt;/li&gt;
  &lt;li&gt;
    &lt;p&gt;&lt;strong&gt;Getting there:&lt;/strong&gt; Everyone is aware of the Security Administration’s policies. As part of security operations, you’re getting some visibility into the network, you have logs and CloudTrail set up, and you’re reviewing those logs. Your risk and compliance function runs throughout the year, and you’re analyzing where you sit for the most significant risks. You’re getting involved in projects; it may no longer be only at the end, maybe you’re in the middle, but the objective is to get there as early as possible.&lt;/p&gt;
  &lt;/li&gt;
  &lt;li&gt;
    &lt;p&gt;&lt;strong&gt;Mature:&lt;/strong&gt; Things are getting established and you’ve got them documented. Security operations have improved your visibility. The policies are in place and are regularly reviewed. The technical controls are in place.&lt;/p&gt;
  &lt;/li&gt;
  &lt;li&gt;
    &lt;p&gt;&lt;strong&gt;Very Mature Organization:&lt;/strong&gt; You’re doing everything you were doing before, but now that you have metrics, you can determine whether or not things are working as they should. Your security architecture is documented. You have invested resources in automating some administrative or operational tasks. You’re reducing the time it takes you to respond to incidents and noticing them more often. Perhaps you are evaluating the advanced tools deployed within your organization now that the policies are in place.&lt;/p&gt;
  &lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;em&gt;The next post - “part ii” of this series will discuss ways to improve security and the roadmap.&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;🙏&lt;/p&gt;

&lt;p&gt;References:&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;&lt;a href=&quot;https://www.mcafee.com/enterprise/en-us/assets/data-sheets/ds-strategic-security-roadmap-plan.pdf&quot;&gt;McAfee&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;https://purplesec.us/learn/cyber-security-strategy/&quot;&gt;PurpleSec&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;https://www.techtarget.com/searchsecurity/tip/How-to-develop-a-cybersecurity-strategy-Step-by-step-guide&quot;&gt;TechTarget&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;https://www.shearwater.com.au&quot;&gt;Shearwater&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;https://www.goodreads.com/book/show/49883665-tribe-of-hackers-security-leaders&quot;&gt;Tribe of Hackers Security Leaders&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;https://www.goodreads.com/book/show/23201316-cybersecurity-leadership&quot;&gt;Cybersecurity Leadership&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;https://www.goodreads.com/book/show/52431662-a-leader-s-guide-to-cybersecurity&quot;&gt;A Leader’s Guide to Cybersecurity&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;
</description>
        <pubDate>Sat, 06 Aug 2022 10:00:00 +0000</pubDate>
        <link>https://avicoder.me/2022/08/06/cybersecurity-strategies/</link>
        <guid isPermaLink="true">https://avicoder.me/2022/08/06/cybersecurity-strategies/</guid>
        
        
      </item>
    
      <item>
        <title>Free Email Provider List</title>
        <description>&lt;p&gt;&lt;a href=&quot;https://circleci.com/gh/avicoder/avicoder.github.io/tree/master&quot;&gt;&lt;img src=&quot;https://circleci.com/gh/avicoder/avicoder.github.io/tree/master.svg?style=svg&quot; alt=&quot;CircleCI&quot; /&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Using this API endpoint, a user can retrieve a list of free email providers:&lt;/p&gt;

&lt;div class=&quot;language-plaintext highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;https://avicoder.me/api/mailproviders.json
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;p&gt;The information here is not exhaustive and is based on the gist people have provided.&lt;/p&gt;

&lt;p&gt;It is updated daily.&lt;/p&gt;

&lt;div id=&quot;myData&quot;&gt;&lt;/div&gt;

&lt;script&gt;
  // Fetch a JSON document and hand the parsed body (or the HTTP status) to the callback.
  var getJSON = function(url, callback) {
    var xhr = new XMLHttpRequest();
    xhr.open(&apos;GET&apos;, url, true);
    xhr.responseType = &apos;json&apos;;
    xhr.onload = function() {
      if (xhr.status === 200) {
        callback(null, xhr.response);
      } else {
        callback(xhr.status, xhr.response);
      }
    };
    // Network failures never reach onload, so report them explicitly.
    xhr.onerror = function() {
      callback(&apos;network error&apos;, null);
    };
    xhr.send();
  };

  getJSON(&apos;https://avicoder.me/api/mailproviders.json&apos;, function(err, data) {
    if (err !== null) {
      alert(&apos;Something went wrong: &apos; + err);
      return;
    }
    var mainContainer = document.getElementById(&quot;myData&quot;);
    for (var i = 0; i &lt; data.result.length; i++) {
      var div = document.createElement(&quot;div&quot;);
      // textContent rather than innerHTML: the provider names are data, not markup.
      div.textContent = data.result[i];
      mainContainer.appendChild(div);
    }
  });
&lt;/script&gt;

&lt;p&gt;Thank you&lt;/p&gt;
</description>
        <pubDate>Mon, 06 Sep 2021 00:00:00 +0000</pubDate>
        <link>https://avicoder.me/2021/09/06/Free-Mail-Providers-list-api/</link>
        <guid isPermaLink="true">https://avicoder.me/2021/09/06/Free-Mail-Providers-list-api/</guid>
        
        
      </item>
    
      <item>
        <title>Root AVD and Install Magisk</title>
        <description>&lt;p&gt;Mostly I have done the android app penetration testing on GenyMotion.
The problem is that a few apps aren’t working properly lately because of architectural requirements and incompatibility.&lt;/p&gt;

&lt;p&gt;Android Virtual Devices (AVD) can be a good alternative, but the images do not support rooting.&lt;/p&gt;

&lt;p&gt;So let’s root the AVD to overcome this limitation. The following guide is what I used to set up the environment on Mac machines.&lt;/p&gt;

&lt;p&gt;Start by downloading the SDK or installing Android Studio.
&lt;img src=&quot;/images/andimages.png&quot; alt=&quot;Android System Images&quot; width=&quot;600px&quot; /&gt;&lt;/p&gt;

&lt;p&gt;Next, we will create a virtual device. You can choose which System Image you want to download.
After booting the device, open the terminal and clone the &lt;a href=&quot;https://github.com/newbit1/rootAVD&quot;&gt;rootAVD&lt;/a&gt; script.&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;/images/notrooted.png&quot; alt=&quot;Not Rooted&quot; width=&quot;300px&quot; /&gt;&lt;/p&gt;

&lt;p&gt;Change the system image (android-xx) accordingly and run:&lt;/p&gt;

&lt;div class=&quot;language-plaintext highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt; ./rootAVD.sh ~/Library/Android/sdk/system-images/android-30/google_apis/x86/ramdisk.img
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;div class=&quot;language-plaintext highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;./rootAVD.sh InstallApps
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;p&gt;Wait for it to finish.&lt;/p&gt;

&lt;p&gt;Your phone is now rooted.&lt;/p&gt;
&lt;div class=&quot;language-plaintext highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;adb shell
generic_x86_arm:/ $ su root
generic_x86_arm:/ # whoami
root
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;
&lt;p&gt;&lt;img src=&quot;/images/rooted.png&quot; alt=&quot;Rooted&quot; width=&quot;300px&quot; /&gt;&lt;/p&gt;

&lt;p&gt;In order to intercept traffic and get Frida installed, you need to install a few Magisk modules.
 Here are some options:&lt;/p&gt;
&lt;ul&gt;
  &lt;li&gt;&lt;a href=&quot;https://github.com/NVISOsecurity/MagiskTrustUserCerts&quot;&gt;Magisk Trust User Certs&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;https://github.com/ViRb3/magisk-frida&quot;&gt;MagiskFrida&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;With this setup, you can begin conducting your security assessment.&lt;/p&gt;

&lt;p&gt;Thank you and see you next time&lt;/p&gt;
</description>
        <pubDate>Thu, 02 Sep 2021 00:00:00 +0000</pubDate>
        <link>https://avicoder.me/2021/09/02/Root-AVD-and-install-Magisk/</link>
        <guid isPermaLink="true">https://avicoder.me/2021/09/02/Root-AVD-and-install-Magisk/</guid>
        
        
      </item>
    
      <item>
        <title>Dual TZ - Fitbit</title>
        <description>&lt;p&gt;Fist bump folks,&lt;/p&gt;

&lt;p&gt;I don’t have much to say about this Fitbit clock-face.&lt;/p&gt;

&lt;p&gt;One of my friends wanted an elegant clock-face for her Fitbit Sense with dual clock support, so I made one over a few weekends. It is compatible with the Sense and Versa 3 and is built on Fitbit SDK 5.0.&lt;/p&gt;

&lt;center&gt;&lt;img src=&quot;https://raw.githubusercontent.com/avicoder/Dual-TZ/master/Dual-TZ.png&quot; alt=&quot;Dual-TZ clock face&quot; /&gt;&lt;/center&gt;

&lt;p&gt;You can try it on your Fitbit Sense by installing it from &lt;a href=&quot;https://gallery.fitbit.com/details/c422e397-ea03-4f64-84af-e01e4a81b328&quot;&gt;here&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;It has these features and more will be added depending on the demand, open a &lt;a href=&quot;https://github.com/avicoder/Dual-TZ&quot;&gt;issue&lt;/a&gt; for any more enhancements and bugs.&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;Two GMT timezones on the clock face&lt;/li&gt;
  &lt;li&gt;Great for travellers&lt;/li&gt;
  &lt;li&gt;4 stats right on the screen
    &lt;ul&gt;
      &lt;li&gt;Steps&lt;/li&gt;
      &lt;li&gt;BPM&lt;/li&gt;
      &lt;li&gt;KCal&lt;/li&gt;
      &lt;li&gt;Distance&lt;/li&gt;
    &lt;/ul&gt;
  &lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Thanks&lt;/p&gt;
</description>
        <pubDate>Tue, 20 Apr 2021 10:00:00 +0000</pubDate>
        <link>https://avicoder.me/2021/04/20/Dual-TZ/</link>
        <guid isPermaLink="true">https://avicoder.me/2021/04/20/Dual-TZ/</guid>
        
        
      </item>
    
      <item>
        <title>Hackerone inscope urls</title>
        <description>&lt;h5 id=&quot;this-is-the-compilation-of-all-the-in-scope-urls-found-in-the-public-bugbounty-program-on-hackerone&quot;&gt;This is the compilation of all the in scope urls found in the public bugbounty program on hackerone.&lt;/h5&gt;

&lt;p&gt;Updated daily!&lt;/p&gt;

&lt;p&gt;⤋ &lt;a href=&quot;https://avicoder.me/api/h1_inscope_urls.json&quot;&gt;Download JSON file&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href=&quot;https://circleci.com/gh/avicoder/avicoder.github.io/tree/master&quot;&gt;&lt;img src=&quot;https://circleci.com/gh/avicoder/avicoder.github.io/tree/master.svg?style=svg&quot; alt=&quot;CircleCI&quot; /&gt;&lt;/a&gt;&lt;/p&gt;

</description>
        <pubDate>Tue, 19 Nov 2019 10:00:00 +0000</pubDate>
        <link>https://avicoder.me/2019/11/19/h1-inscope-urls/</link>
        <guid isPermaLink="true">https://avicoder.me/2019/11/19/h1-inscope-urls/</guid>
        
        
      </item>
    
  </channel>
</rss>
