Last month I attended the OWASP Global AppSec conference in San Francisco. The OWASP conference focuses exclusively on application security, and that’s what I liked about it. The people I met there have the same job description as me: we support software development teams in securing the software development lifecycle and we help to deliver secure products for our customers. This gave me the opportunity to connect with like-minded people between the presentations. Not all companies are lucky enough to have their own application security (AppSec) team. For me it was also a great opportunity to meet Chris, my manager, whom I don’t meet that often in person apart from on Microsoft Teams. Wendy from our Security Engineer team at Sage was also with the conference organisers, as she was volunteering there.
While I attended several talks throughout the day, I wanted to highlight two talks by two amazing people, both of whom have also published their content or research as a blog post for you to read:
“[T]OTP are not as secure as you believe” a talk by Santiago Kantorowicz, Twilio AppSec
My most important takeaway in this context is: especially if you introduce rate limiting or any other protection mechanism, you should calculate the probability of an attacker succeeding despite that mechanism. The researcher has shown that an attacker attacking 1,000 users in parallel only needs two months to have a 95% chance of guessing a One-Time-Password (OTP). This can be very dangerous for our customers. The reason is that with One-Time-Password (OTP) tokens, multiple tokens (10) are active at the same time and a user can make up to 5 attempts for each token. As has been shown, brute-forcing a token is a matter of hours for four-digit codes, weeks for six-digit codes and months for eight-digit codes, which matters especially if the product wants to reduce the number of digits for reasons of user-friendliness.
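The probability calculation recommended above, as an added example (not code from the talk or from Sage): it estimates how many guesses a rate-limited attacker needs for a 95% chance of a hit and how long that takes. The scenario parameters (10 valid codes, 5 guesses per code, a five-minute validity window, 1,000 accounts) are constructed assumptions, so the resulting times will not match the speaker's figures.

```python
"""OTP brute-force risk calculator (added example, not code from the talk or Sage).
All parameters used below are assumptions for illustration, not the speaker's."""
import math


def per_attempt_success(digits: int, valid_codes: int) -> float:
    """Probability that one random guess matches any currently valid code.
    Assumes the valid codes are distinct and uniformly distributed."""
    space = 10 ** digits
    return min(valid_codes, space) / space


def success_probability(digits: int, valid_codes: int, attempts: int) -> float:
    """Probability of at least one hit after `attempts` independent guesses."""
    return 1.0 - (1.0 - per_attempt_success(digits, valid_codes)) ** attempts


def attempts_for_confidence(digits: int, valid_codes: int, confidence: float = 0.95) -> int:
    """Smallest number of guesses giving at least `confidence` chance of a hit."""
    p = per_attempt_success(digits, valid_codes)
    if p >= 1.0:
        return 1
    return math.ceil(math.log(1.0 - confidence) / math.log(1.0 - p))


def seconds_to_confidence(digits, valid_codes, guesses_per_window, window_seconds,
                          parallel_accounts, confidence=0.95) -> int:
    """Wall-clock time when the rate limit allows `guesses_per_window` guesses per
    account per validity window and the attacker spreads work over many accounts."""
    needed = attempts_for_confidence(digits, valid_codes, confidence)
    windows = math.ceil(needed / (guesses_per_window * parallel_accounts))
    return windows * window_seconds


def probability_over_horizon(digits, valid_codes, guesses_per_window, window_seconds,
                             parallel_accounts, horizon_seconds) -> float:
    """Defender's check: chance of at least one compromised account within a horizon."""
    windows = horizon_seconds // window_seconds
    return success_probability(digits, valid_codes,
                               windows * guesses_per_window * parallel_accounts)


if __name__ == "__main__":
    # Constructed scenario: 10 codes valid at once, 5 guesses per code (50 per
    # window), a 5-minute validity window, 1,000 accounts attacked in parallel.
    for digits in (4, 6, 8):
        hours = seconds_to_confidence(digits, 10, 50, 300, 1000) / 3600
        print(f"{digits}-digit codes: 95% chance of a hit after {hours:.1f} h")
```

Compare `probability_over_horizon` against the risk you are willing to accept for a given attack duration before shortening codes or relaxing the rate limit.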
“Catching PyPI Malware in the Wild” a talk by Ellen Wang, Datadog Researcher
In this talk, she showed how they analysed malicious Python packages found in the wild in the official Python package registry (PyPI) for malicious patterns. From the lessons learned from analysing these patterns, they created static code analysis rules to search for other packages carrying the same known malicious signatures. To do this, they used Semgrep, a fast, open-source static analysis tool for finding bugs and enforcing code standards at edit, commit and CI time. Finally, they ran the rules over the 5000 most downloaded packages in the Python Package Index (PyPI) to check the effectiveness of each rule: are the rules good enough, and how often does a rule produce false positives? The rules performed very well and new malicious packages were indeed found in PyPI. They have released their Semgrep rules in a new CI tool that you can use in your CI pipeline to scan the Python packages in your project for the same malicious patterns: https://github.com/DataDog/guarddog
Supply chain security is an emerging security topic, especially after the SolarWinds attack a few years ago. We have already seen cases in npm where widely adopted packages have been maliciously hijacked, and attacks like typosquatting or dependency confusion are also common.
“Exploiting race conditions in web applications” a talk by Javan Rasokat, Sage Application Security 💚
I also did a talk on web application race conditions. It’s a very under-researched area with little awareness among developers and poor tooling. My goal was to demonstrate that automated tools generally cannot detect this vulnerability, and even the tooling previously available for penetration testers is not always sufficient. It’s important that we raise awareness and improve tooling. Read more.