Over 10 years ago, a one day security conference was organized at my university. I wanted to participate, but there were limited places, so they created a registration page which, they said, would open next day at 12 o'clock sharp. I really wanted to participate and especially as they advertised a free T-shirt for the first 20 registrations. Being a pretty good developer at that time, I took a look at the site, found a vulnerability and managed to register myself before the registration opened officially. The next day, I show up to the conference entrance, I say my name, the guy checks me out on the list, I take a quick snoop and I see myself on top of the list, next to my name it says registration time 11:58. I smile :) He says "ahhh... you're the one... how did you do that??" I ask: do I get a T-shirt ? He says no, you get something better and later he awards me publicly a book: Writing secure code by Michael Howard si David LeBlanc. I started wondering why he is giving me the book, he needs that book more than me! He needs to learn how to write secure code! not me!
Now, if you translate this incident in a more critical environment like an online company which allows customers to create accounts, deposit money in their account and do stuff with their money, for example play games, or place bets, the T-shirt and the book are replaced with something else. Instead of a T-shirt, the attacker aims to get thousands of pounds and instead of a book he gets years in jail.
Take this guy for example Alistair Peckover, 20 years old. In 2009 he was sentenced to 26 weeks in prison, suspended after stealing 39K, in 2010 he was sentenced to 20 months in jail after he bought a Porsche and gold bullion worth of 30K. This time he changed his name. And again, in 2012, he gets 3 years in jail after stealing 46k. His judge says "I believe that I will see you again in the future due to your gambling addiction and the temptation to use your computer skills to cheat, which will be hard to resist due to your character."
Computer skills to cheat caught my attention. It seems like the judge believes this guy is some kind of computer genius or expert. He was living with his parents, no school, no job, having all the time in the world available to him, he was researching 24 hours a day all the gambling sites on the internet to find games written by developers that haven't read the above book. He was finding vulnerabilities in games and exploiting them for real money. After a lot of practice, he was an expert in his field, just like I was a pretty good developer after writing code full time for 2-3 years at the time. I knew how a website works and knew how to manipulate it to do what I needed.
So, why do these bad things happen? Well, like everything else, because of many reasons, to name a few, firstly, because people are greedy and want to steal money and secondly, because software is written by developers which are humans and it is natural for humans to make mistakes. Only robots and computers don't make mistakes, except when they are faulty or overheated or programmed by humans, you know what I mean. These security vulnerabilities are nothing more than coding mistakes. Developers didn't learn much about security vulnerabilities in school and product owners are not very familiar with them, either, so they ask the developers to implement the happy flow only as quickly as possible. If they deliver the software before the deadline, then they get a bonus! Getting to know about these vulnerabilities is not difficult; anyone can do it, if they have the time.
We, Appsec people, are fortunate people who have found someone to pay us to spend the time researching these fascinating software vulnerabilities. I say fascinating because many people see them as something magical, something that only geniuses can see, but in fact all you need is time and focus. We identify problems, we advise developers how to fix them and we train developers to avoid them the next time.
To accomplish this, we have implemented several steps, some people call it SSDL:
We work close with the architects and contribute to the design of a new product, before it is being implemented.
We try to stay close to the developers and have visibility of their development sprints so that when they identify security sensitive user stories, they can consult us on how to implement correctly.
We also perform a security assessment of all code changes before it's going into production. This consists of reviewing implemented user stories, reviewing source code and performing a penetration test for those new features that have been implemented in the current sprint.
In the office in Romania, we have around 16 development teams and we are 2 application security guys. That is a lot of work. So, we asked for help. Who do you think we asked for help? We asked the developers. And we said: you guys know your code the best, you know how your application works, you know what every line of code does, because you wrote it. We have a deal for you, we will teach you which the security vulnerabilities are and how you can avoid them from the beginning, when you write the code. So, now we have a virtual team of security champions made up of at least one developer from each scrum team, some testers and representatives from other teams like devops and IT. We have regular internal security conferences where we have technical presentations, workshops, sometimes we have people from outside. Sec champions are very effective because this way we have at least one person in each development team who is thinking about the security implications. We teach him to be a hacker, to use the tools to test his own product and to write code that is more difficult to hack. It is a win-win situation for everybody, the individual, as he enhances his ninja skills, the company and the security team.
So, now we can go to the beach and relax, as the developers are doing a good job and hackers can't do bad stuff. The only problem is that from time to time we get a call from HR informing us that another developer has been promoted to management and they hired 5 junior developers to replace him. And we have to take the first flight back and train them to write secure code.