18 May, 2015

You. Yes you. Read this!

by Ken Johnson

When I was in the Navy, we learned seemingly simple things like “Don’t wear jewelry on a ship,” “Keep your hands out of the hatches exposed to the outside of the ship,” and “Don’t wear contacts when a chemical attack has been detected.” We also spent more time on the safety behind using a weapon than the actual act of firing a weapon. In fact, we repeated our safety training before all major weapon qualification exercises. Why?

Because jewelry can lead to serious issues around magnets or high-powered ship equipment, hands in a hatch on a windy day can lead to (I’ve seen this) a loss of fingers, contacts can become seared to your eyes during a chemical attack, and well, people do unpredictable things in an adrenalized state while holding a weapon.

Now, clearly, a successful application attack doesn’t usually cost anyone life or limb; but the fundamentals, the mundane rules we security folks give you during training, can save you, your organization, and its users from easily preventable problems that could be pretty damaging.

Why do I bring this up?

We here at nVisium provide training; it’s one of the services we do really often and really well. This training is based on findings from assessments we’ve performed over the years, conversations with other industry experts, previous experience working on blue (defensive) teams, and research into the root causes behind breaches. The topics we go over are meant to save folks from serious heartache. Having said that, we almost always spend time with developer teams on the fundamentals. We get into advanced topics too, and we get down in the weeds during a two- or three-day training session. But when we ask for feedback, there are always one or two developers who say something to the effect of “Training was great, but I would have rather just stuck to the advanced topics.”

Here’s my problem with that statement: the people who say it are almost always the developers who we later find out introduced some serious bugs, ones that could have been avoided by following basic security guidelines. So if that person is YOU, yes YOU, you need to know and understand the importance of the fundamentals. We do our best to explain their value to developers; but needless to say, there are always those folks who, for one reason or another, are only interested in the 1337 h4xx0r topics and not in the less exciting but still essential ones.

Now, when I say fundamentals, I mean the built-in protections your framework provides that aren’t always used but absolutely should be; everything under the OWASP Top 10, from weak password complexity to open redirection; techniques for whitelisting; language- or framework-specific vulnerabilities that can be easily prevented; and so on. Not super sexy, I get it, but we teach them for a reason.
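To make one of those fundamentals concrete, here is an added example (mine, not code from the original post or from nVisium’s training material) of the open-redirect check most training sessions cover: a substring match that “looks right” next to a real allowlist check. The allowed hosts, the default target, and the candidate URLs are all constructed for the example.

```python
from urllib.parse import urlparse

# Allowlist of hosts this app is willing to redirect to. Constructed for the
# example; a real app would load this from configuration.
ALLOWED_HOSTS = {"example.com", "www.example.com"}
DEFAULT_TARGET = "/"  # where to send the user when the requested target fails the check


def naive_is_safe_redirect(target: str) -> bool:
    """The check that 'looks right': a substring match on the trusted domain.

    It is not an allowlist. Every attacker-controlled case in CASES below
    contains the string 'example.com' somewhere and passes.
    """
    return "example.com" in target


def is_safe_redirect(target: str) -> bool:
    """Allowlist check: a path on this site, or an http(s) URL whose host is allowed."""
    if not target or target != target.strip():
        return False
    # Backslashes and CR/LF/TAB are normalised or dropped by some browsers and
    # parsers; reject rather than guess how the client will interpret them.
    if any(ch in target for ch in "\\\r\n\t"):
        return False
    # Protocol-relative URLs ("//evil.example/") would skip the scheme check below.
    if target.startswith("//"):
        return False
    parsed = urlparse(target)
    if parsed.scheme == "" and parsed.netloc == "":
        # Same-site path such as "/account/settings"; must be absolute within the site.
        return target.startswith("/")
    if parsed.scheme not in ("http", "https"):
        return False
    # .hostname strips userinfo and port and lowercases, so
    # "https://example.com@evil.example/" resolves to "evil.example".
    return parsed.hostname in ALLOWED_HOSTS


def safe_redirect_target(target: str) -> str:
    """Return the requested target if it passes the allowlist, else the app's default."""
    return target if is_safe_redirect(target) else DEFAULT_TARGET


# Constructed inputs: (candidate, expected verdict from the allowlist check).
CASES = [
    ("/account/settings", True),
    ("https://www.example.com/login", True),
    ("https://EXAMPLE.COM:443/x", True),
    ("//evil.example/", False),
    ("https://example.com.evil.example/", False),
    ("https://evil.example/?next=example.com", False),
    ("https://example.com@evil.example/", False),
    ("javascript:alert(document.domain)", False),
    ("/\\evil.example", False),
]


def run_cases():
    """Evaluate every case with both checks; returns [(candidate, naive, allowlist)]."""
    return [(c, naive_is_safe_redirect(c), is_safe_redirect(c)) for c, _ in CASES]


if __name__ == "__main__":
    for candidate, naive, strict in run_cases():
        print(f"{candidate!r:45} naive={naive!s:5} allowlist={strict}")
```

The point of the side-by-side is the one the fundamentals lecture makes: validate against what you permit, never against what you recognise. Parsing with the standard library and comparing the parsed host to a fixed set is boring, and that is exactly why it holds up against the host-suffix, userinfo, and query-string tricks that defeat the substring check.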

Just to be clear, this article isn’t meant to be inflammatory or derogatory; rather, it’s an attempt to spread awareness of why we teach this stuff. Ultimately, what good security consultancies try to do during training is cover topics that have proven themselves to be effective countermeasures to real-world attackers’ exploit techniques. The advice we give can help you prevent common weaknesses from being successfully exploited (alone or chained together) in order to attack your organization or its users.

So the next time you hire a security consultancy to provide training, pay attention to that first day, take notes, ask questions, and remind newcomers of the basics as well as their importance. We’ll give you the tools and explain why the fundamentals are so fundamental, but it’s up to you to use them.