With the way technology is going, security is no longer a passive concern for any company. New vulnerabilities pop up daily, huge corporate hacks are so commonplace they seem almost boring, and our personal privacy is at an all-time low. There has never been a bigger need for anyone in the IT industry to beef up their security practices, and as a company focused on security, Isosec knows this better than most.
That is why we chose to attend OWASP’s AppSec (application security) EU conference in London this July. OWASP (the Open Web Application Security Project) is a non-profit organisation dedicated to improving the security of both the web and the people who use it. Started back in 2001, OWASP have spent 17 years committed to this goal, and in 2004 decided to take it one step further by hosting an annual conference, where like-minded security-focused professionals could come together to share ideas, network, and collaborate.
The conference aspect of the event is split across two days, with various seminars on a variety of security-focused areas of IT, and individual tracks (built specifically for developers, hackers, CITOs etc.) which categorise the seminars and allow for a more focused approach to the event. Rather than follow one of those, however, I chose to attend a broad range of talks on all manner of different areas, keen to get exposure to as many varying topics as possible.
During the first day of the conference I learnt about various new attack vectors that need to be addressed, as well as a number of much older ones that by and large still haven’t been. As is often the case in the IT industry, highlighting the problem (and to some extent, even fixing it) is just a small part of the solution. Getting the solution adopted across the industry with enough consistency that it is no longer an issue, however, is the real challenge.
Particularly interesting on the first day was a presentation by the open-source security training platform “Remediate The Flag”, or RTF. They’ve created a free-to-use, free-to-build-upon platform that enables comprehensive staff training on virtually any security issue or concept, with a heavy focus on analytical outputs that allow managers to ensure their staff are trained and qualified on what might otherwise be potentially disastrous security flaws. The whole process runs in virtual machines – a must for most security-related exercises – and presenter Andrea was keen to point out that there are no multiple-choice exercises, no free-text inputs, and no big text blocks to read. It’s all about an interactive, hands-on experience, and that came across as a fantastic way of doing things.
Another first-day talk that stood out was around a malicious contacts exploit presented by Laureline David and Jeremy Matos. Their exploit involved distributing a game that asked for access to your contacts under the guise of allowing you to play the game socially (which most would agree is a perfectly legitimate use case). The game would then amend or duplicate an existing contact with a new number, and would check the existing contact for flags indicating that they were contactable through WhatsApp, Signal or any of the other popular messaging applications. Once this was known, the attacker could contact you directly, using a contact record you trusted, and send you a malicious link (which, for applications that support end-to-end encryption, cannot be detected or warned of before delivery, due to the lack of server-side visibility). Scary stuff, especially given that numerous application vendors have so far responded to the exploit with a fairly typical “that’s not our problem” rebuttal.
Speaking of scary stuff, this was of course a security conference, and so there were a number of almost cliché finds. The Wi-Fi, while (surprisingly) existent, was not publicised; webcam covers were handed out for free on one stand; and I spotted numerous people using some very, very old smartphones, which at a tech-focused event like this is almost always an indicator that they’re re-purposing an older handset as a “burner phone” – something they can discard after the event, should it have become compromised. Whilst this wasn’t exactly a black-hat conference, there was still a lot of suspicion in the air.
That said, the atmosphere was very much a collaborative one. The great thing about white-hat hackers, pen-testers and just about every other security professional who considers themselves on the “good” team is that everyone wants to help each other out. It has the feel of an open-source project: everyone has the same goal, and everyone’s happy to help everyone else reach it. Don’t get me wrong, there’s still competition (bug bounties and competing security companies have made sure of that), but it all feels very good-natured.
Away from the conference, I was also fortunate enough to attend the OWASP evening reception, hosted at London’s wonderful Imperial War Museum. Wandering round the museum at night was an interesting enough experience as it was, but doing so with great food, a few drinks and good company certainly topped it off nicely. The museum itself was fantastic of course, but then most people who have visited any London (or in fact, British by and large) museum will have guessed that already.
Day two, and we kick things off with another keynote. Mario Heiderich gives a fantastic talk in which he hypothesises that the infamous XSS (cross-site scripting) exploits already have perfectly good fixes – the problem is that we just aren’t using them – and goes on to suggest that we should perhaps be praising bug fixers rather than bug finders. It’s an interesting duo of claims, and he does a good job of backing them both up over the course of his presentation. Now, overall the keynote lacks in fanfare and excitement compared to the last I attended – though that was a Google keynote, so it’s hardly a level playing field – but Mario made up for this with insightful, well thought out points that were perfectly put across.
Also on the second day was what turned out to be my personal conference highlight. Crammed into a room that was soon so full that a sizeable crowd stood at the back due to a lack of chairs, Chris Romeo outlined his “AppSec program with a budget of $0”. Unsurprisingly, the title piqued both my and everyone else’s interest – not least given that half the premise of OWASP is to share such information for free – and he backed it up with some fantastic suggestions that I’m certain we’ll be taking forward. Chris had clearly spent a lot of time picking and choosing components for his program, and even thought to rate each component’s longevity – we all know how problematic it can be to adopt something which then becomes end of life – which was a fantastic touch.
All in all, if there was one takeaway from AppSec EU 2018 (and there was a lot more than just one!), it would be this: “Security is everybody’s job, literally”. I put that in quotes because it was actually the title of a talk by Tanya Janca, a senior cloud developer advocate at Microsoft (who I desperately wanted to ask if she knew Christina Warren, one of my favourite tech podcasters who happens to have the same job at the same company – before remembering that Microsoft employs rather a lot of people), who did a wonderful job of reiterating this all-important point. As much as we need dedicated people who specialise in security, and purpose-built teams to do penetration testing and capture-the-flag exercises, so too do we need all development to come with a certain level of security baked in. Now more than ever, quality software means secure software too.
And so closes out my experience of OWASP AppSec EU 2018. It was a fantastic conference, as is so often the case with these more community-driven events, and really got both myself and every other guest I spoke to – including those who have lived and breathed application security for over a decade – thinking. Isosec has always been a security-focused company – we like it so much we put it in the name – but even we aren’t naive enough to think we know it all. Events like these help bolster the standard of security around the IT world, and we’ll be taking a number of lessons learnt at the conference forward and applying them to our own software just as soon as possible.