Evil User Stories - Improve Your Application Security

Our 6th talk for the TestBash Home conference is “Evil User Stories - Improve Your Application Security” with the very talented @anneoikarinen.

I love the idea of getting into the mindset of someone trying to access your application with malicious intent. We’ve all heard the phrase “no user would do that” but what about a hacker :smiling_imp:

We’ll be adding all unanswered questions from the talk here so if we didn’t get to your question, don’t worry, we will find you an answer :grin:

If you’ve got a question you’d like to ask in advance, why not ask it now?

Resources from the chat

https://testssl.sh/

Unanswered Questions

  • Sam: Is this security focus applied only to user facing features? what kind of non-user facing functions is this applied to?
  • Carolyn Newham: Where can we learn more about Threat Modelling?
  • Chris Hili: What can be implemented to avoid DDoS attacks?
  • Natalia Wall: Many companies in my experience do not trust the “usual testers” to get involved in the process of testing for security. They rather order pen-tests or similar - outsource simply. How do you suggest that this could be tackled? How can we get testers into this kind of discussions?
  • Anne-Marie Charrett: Since COVID-19 I’ve noticed a lot of additional spam - has there been any research on how confinement has impacted an increase in security hacking?
  • Emna Ayadi: How to decide which automated security test to keep/delete if it’s time consuming and always passed?
  • Darren Keig: Do you believe that there is a tipping point that means an application requires dedicated security testing? Or is it something that should be explicitly considered from the beginning?
  • Sharon O’Boyle: Are there any particular tools you recommend for helping with security testing that could be more easily incorporated into our regular testing?
  • Darren Keig: Do you think that there are certain criteria that an application must meet before it becomes a good candidate for dedicated security testing? Or should all applications be treated as equal candidates?
  • Bogdan: How would you approach security on backend telecom applications since they are already behind some quite a few layers of security already?
  • Elyes: Do you think that Social Engineering can break any good security system?
  • Ezra: Isnt having validations on both front- and backend creating issues when we are updating apis and GUIs
  • shabbir: Have you used Kali Linux and tools that comes with it?
  • Darren Keig: Do you think there are any types of application that would not benefit from security testing (or benefit to a far lesser extent)?
5 Likes

Podcasts that I’d recommended in the chat:

  • Darknet Diaries
  • Hackable?
  • Breach
  • Hacked
  • Hacker’s Dialogues
  • Malicious Life
2 Likes

On Threat Modelling - there is a great book by Adam Schostack which is an excellent start.

I also run workshops and talks on the topic, like Anne. I’ve also used TestSphere, using the security quality aspects as a focus.

1 Like

Additionally:

Silver Bullet Podcast
Smashing Security

1 Like

Question: Is this security focus applied only to user facing features? what kind of non-user facing functions is this applied to?

Answer:
Firstly, ”users” should cover all users of the system, not just end-users. So admins, internal users, robot users, machine-to-machine users, everyone. All interfaces, API’s, data storages, and network connections should be in scope when assessing security. You can approach it by thinking the three aspects of security: confidentiality, integrity, and availability. In short, confidentiality means keeping things secret and sharing them will only those that are allowed to see. Integrity means that there are only authorized changes (compare to revision control). Availability means that you can access the data or system whenever you need to and it’s not too slow or anything.

Regarding confidentiality and integrity, there can be other ways than the user-facing features to view or modify data. For example, an admin could be able to check or modify data from the database directly. Or if you are storing data in plain text files, someone else who has access to the computer can see that data. If you are not encrypting traffic, someone who is in the same network than some of the users, could see that information. These are not directly related to the end-user features.

Backups are usually something that happen in the background and are out of user focus. Backups are important for security, because if you have disk failure, somebody makes a mistake or if ransomware encrypts all your disks, backups allow you to restore the system. On the other hand, if you are taking backups of personal data or other confidential information, you should encrypt the data and take care of privacy: for example, there can be restrictions on how long you can store the data, you need to be able to track who can see it, and so on.

Logs are another security feature you should have, so you can later on check what has happened. For example, if you have too little logs, you won’t be able to investigate why a data breach happened. On the other hand, logging too much can be problematic if the logs contain personal data or confidential information, and you need to protect who can see these logs or limit what’s written in the logs.

2 Likes

Question: Where can we learn more about Threat Modelling?

Answer:
There’s a very good and thorough book called Threat Modelling: Designing for Security by Adam Shostack. Dan already mentioned it!

You can also find many blog posts on the subject and free training video on Shostack’s website: https://adam.shostack.org/blog/2020/03/free-threat-modeling-training/

Other resources:
Adam Shostack’s YouTube talk, Threat Modelling in 2019, https://www.youtube.com/watch?v=ZoxHIpzaZ6U

1 Like

And to answer the rest of the unanswered questions…

Question: What can be implemented to avoid DDoS attacks?

Answer:
There are different ways of doing a (distributed) denial of service attack, so also the mitigations differ. Basically, the attacks are based either on volume (traffic load), abusing the network protocol, or on the application layer.

Volume-based attacks attempt to send so much traffic towards you that your bandwidth is taken. To some extent, you can prepare by making sure that you have enough bandwithd for your estimated user base but if somebody really wants to overload your network, this won’t help. You can have a gateway device to apply rate limiting and request throttling so that it’s not easy to send ”too much” traffic. IP whitelisting (allowing only certain IP addresses through) or IP blacklisting (denying traffic from certain IP’s) can be used but you need to remember that IP addresses are easy to fake and by blacklisting IP ranges you could also block legitimate traffic. Cloud service providers and internet service providers usually offer DoS protection services where they filter DDoS traffic on upstream.

Certain network protocols, such UPnP, SSNP, even DNS, can be used for denial of service because of their amplification effect: you can send one request from a faking the victim’s IP address and the server will reply by sending multiple packets to the victim IP. You can use the same methods as in volume-based attacks for protection, but most importantly you should review that you don’t have insecure configuration in place, such as an open DNS resolver, that would allow this behaviour. You should always also stop services that you don’t need. For example, UPnP is typically on by default but you might not need it. You can also configure your network and host firewalls to stop spoofed packets.

The denial of service attack could also abuse something on the application itself. For example, some operation might always take a lot of time or it’s implemented in a way that allocates loads of memory, etc. You can use queues, batch operations, caches, server clusters to distribute the load, and scalability mechanisms on cloud service to tackle those issues. It’s also good to patch the server sofware, libraries and operating systems you are using because a denial of service weakness might be known vulnerability in that component.

Question: Many companies in my experience do not trust the “usual testers” to get involved in the process of testing for security. They rather order pen-tests or similar - outsource simply. How do you suggest that this could be tackled? How can we get testers into this kind of discussions?

Answer:
Sometimes companies are even expected to hire a 3rd party to do penetraration testing or an audit because then they can show it was an impartial party. And some attacks the penetration testers simulate can be complicated, so it can be a matter of skills. However, the ”usual testers” should also be a part of security testing, because then you are able to find potential security or privacy problems earlier and it can be easier and probably less costly to fix the issues.

An outsourced security tester typically only has a certain amount of time allocated to test your application and report the findings. If the application contains a lot of basic security vulnerabilities, all the time the outsourced tester has, will be spent on reporting those findings that are easy to spot and easy to abuse by a lot of cybercriminals. But if a ”usual tester” has already tested and found some of these issues, and they have been fixed too, the 3rd party penetration tester can spend their time on finding more complicated attacks – so your money is better spent in a sense that more complex attack scenarios have been covered. Besides, the outsourced security tester is probably also happier because they got to do more intestesting stuff :slight_smile:

Question:Since COVID-19 I’ve noticed a lot of additional spam - has there been any research on how confinement has impacted an increase in security hacking?
Answer:

According to recent threat intel reports by Microsoft and FireEye, the overall amount of cyber attacks has not increased significantly in the last months. However, cybercriminals are always using current themes in spam and phishing emails to capture people’s attention. Now there are lots of COVID-19 related news and people are clicking those, so naturally criminals are trying get advantage of this. I haven’t heard of that the amount data breaches would have increased either but the news might come slightly later.

As for the good kind of hacking, testing the security of applications or systems and reporting the findings to the owner in a responsible way, I don’t know… but maybe if people have extra time, learning ethical hacking is a good way to spend it :slight_smile:

Question: How to decide which automated security test to keep/delete if it’s time consuming and always passed?

Answer:
If the test case tests something that is a valid threat (=something negative happening) for the application, I think you should keep it even if it passes always. If the risk related to threat (i.e. considering how probable or easy it is for this thing to happen and what’s the impact) is small, you could maybe run the test less often.

Question: Are there any particular tools you recommend for helping with security testing that could be more easily incorporated into our regular testing?

Answer:

I’m not sure what you mean by regular testing (I guess it depends on the tester and the application…) but I would start from some of these:

testssl.sh: Testing SSL/TLS encryption and certificate-related settings of a server.

OWASP Dependency Check: Detect known vulnerabilities from the libraries and other components that you application uses

OWASP ZAP or Burp Suite: Do your normal web or mobile app testing with ZAP/Burp set as a proxy so it wil record the traffic and both passively and actively detect and test vulnerabilities. There’s a bit of a learning curve to using these tools and there can be false positive findings, so you need to verify some of them manually, you can’t rely on automation only. Still, it can help to detect misconfiguration issues and easily exploitable weaknesses even if you weren’t a super skilled hacker.

Question: Do you believe that there is a tipping point that means an application requires dedicated security testing? Or is it something that should be explicitly considered from the beginning?

Answer:

If the application handles or contains sensitive data that needs to be protected, or it performs critical functions, such as high-value transactions, or controls an industrial process, etc., it should have some level of security testing done. Please also check another question and answer around this subject below Typically, you should be able to tell what kind of data will be handled and what’s the criticality level of the application pretty early when you are defining the purpose and features of the application.

When you are adding new features to an application, you should pause and brainstorm (for example with evil user stories) that is this feature somehow going to add new security threats and are the existing tests covering them, or should you modify them or create new security tests.

In addition to security testing, it’s good to try to address security during design and development, for example with threat modeling, so that you can come up with preventive measures or change the features in a way that they are less risky. Otherwise, security testing may reveal flaws that are hard to fix because you would need to change the design somehow.

Question : Do you think that there are certain criteria that an application must meet before it becomes a good candidate for dedicated security testing? Or should all applications be treated as equal candidates?

Answer:

Most applications should have some level of security testing done, depending on what kind of data it handles or how critical it is. If misusing the application somehow or preventing from using it does not inflict any risks (other than maybe mild annoyance) or repuational damage, maybe it doesn’t need security testing. Usually the question is rather, what kind of security is needed. I think the OWASP Application Security Verification Standard (ASVS) has good definitions of three levels of security requirements (and meeting those requirements should be tester or otherwise checked) for different kinds of applications. The levels are defined in this document on page 9: https://owasp.org/www-pdf-archive/OWASP_Application_Security_Verification_Standard_4.0-en.pdf

As a sidenote, you cannot check all security things by testing, so for example code security reviews and threat modeling are also means of verifying the security of an application.

Question: How would you approach security on backend telecom applications since they are already behind some quite a few layers of security already?

Answer:

There’s no 100% security, so it could be possible that the earlier layers of security are broken. That’s why there should always be some security measures at the deepest layer as well. It also depends on what the application is and what can you do with it. If breaking the security of it means eavesdropping communications, altering or faking messages or shutting down communications, threat modeling and security testing are recommended and can actually be mandatory. Depending on the case, it could be OK to tackle some the threats with the outer layers of security.

Also, it’s good to remember that typically administrators of a system can do pretty much anything, so you will probably want to protect the applications from insider threats, like malicious admins, or if somebody forces or blackmails them to do something. At least there should be detective measures: creating logs, monitoring user behaviour, network traffic, or system performance so you will detect if something suspicious is going on or if the availability of system begins to decrease.

Question: Do you think that Social Engineering can break any good security system?

Answer:

If you are very good at social engineering and are able to trick, for example, and administrator to do something, you might be able to bypass security measures that attempt to prevent things. But that’s why critical systems usually have multiple layers of security and security measures that attempt to detect and alert, if something unexpected or unauthorized is happening. An administator of the system can usually do pretty much anything, but some systems require that another admin accepts the operation – now you would need to social engineer two admins. And even if you succeeded in this, there should be a log entry stating what happened and the logs would be stored somewhere that the admins could not delete them. You could configure that always when a log event like that is detected, it creates an alert and a 24/7 monitoring desk could call inform the required people that now a security incident has happened. So, a good security system leaves a trace even if there was a breach.

Question: Isnt having validations on both front- and backend creating issues when we are updating apis and GUIs

If you change the format of valid data, then you need to update both and sure, it might need some coordination and create issues. But the same thing happens with any changes, not just security features.

Question: Have you used Kali Linux and tools that comes with it?

Answers:

Yes, I’ve used Kali a lot and there really good tools in it – probably more than you will typically need! Installing Kali is an easy way to get a package of useful tools. You can for example install it as a virtual machine to your computer or in some of the workstations in your testing environment. This way you won’t accidentally send testing traffic to your company network. And if your company laptop has some restrictions about the tools you need to install, you might circumwent the problem this way.

Here are a couple of tools from Kali that can be useful for security testing:

OWASP ZAP – For testing web applications and mobile applications manually, has automation to test typical things. Easier to integrate to CI/CD pipeline than Burp Suite (Pro).

Burp Suite – similar functionality to OWASP ZAP. The free version is limited, the Professional version is a lot better. Typically finds more true positives and less false positives than ZAP. The Enterprise version has CI/CD integration features.

  • Nmap – port scanning tool
  • Sqlmap – SQL injection testing
  • hping3 – crafting network protocol packets
  • SSLyze – testing SSL/TLS configuration
  • FunkLoad – web application performance testing
  • SlowHTTPTest – simulates certain application layer denial of service attacks

Question: Do you think there are any types of application that would not benefit from security testing (or benefit to a far lesser extent)?

Answer:

If the application is entirely for your own use, or somebody breaking it or misusing it would be only mildly annoying, or it does not handle anything sensitive or critical, security testing might not be useful. If you build a game that you share only with your friends and it has a small security flaw, maybe that’s not too bad. But if you publish it app stores under your company’s brand and somebody makes a fake app that looks like the same game, except that it steals users’ credentials and your company gets bad publicity, it’s different – maybe you would have benefitted from secrity testing. It depends on the risks.

2 Likes