
Software Security Attack Vectors @ OWASP London 8th September

Updated: Sep 29, 2022

Hey everyone! 🎉

On Thursday evening near Russell Square, London, I attended an OWASP London security meetup. The event was hosted in Thoughtworks' offices, and beer, soft drinks and pizza were provided. They even had vegan pizza! I had two slices and, to drink, a canned raspberry lemonade 🍕❣️

There were many sessions over the course of the evening. First, Sam Stepanyan introduced OWASP, all the awesome community initiatives, member benefits and upcoming events. Did you know that as a member you get free access to We Hack Purple, AppSec Phoenix, Security Journey and Secure Flag? 🧠

Then Marco Mancini gave a lightning talk on using Falco and Trivy to prioritise vulnerabilities that are exposed in Kubernetes. Kubernetes can have many security problems, such as vulnerable images in containers, malware in clusters and misconfiguration of clusters, as well as a lot of other fun stuff 😅 Marco explained the two tools he used: Trivy, a comprehensive security scanner for containers, and Falco, a Kubernetes threat detection engine. Falco gets context on the system while Trivy gets context on the vulnerabilities. Using Falco rules and a detection engineering mindset, he correlated both tools to identify packages that are internet-exploitable the moment they appear on the website 🔍

Next, Sonya Moisset (my security hero ❣️) presented an incredibly informative session on how to mitigate risks in your open source software (OSS) projects: 'The Iceberg, your attack surface just got bigger'. She started by explaining what open source is and its current state, before listing some common attacks (typosquatting, malicious packages and compromised maintainers). These attacks can affect the whole system 😱

She then introduced her iceberg. At the tip is the proprietary code that you / your developers write; this is usually ~10% of the codebase. Underneath are the open source libraries, which are ~90% of the codebase. These dependencies also have dependencies; #didyouknow 80% of vulnerabilities are found in these indirect dependencies 🤯 Applications need to be deployed, which is usually done via containers, adding to our complexity and introducing another layer to our security iceberg. Finally, a little audience interaction: Sonya asked us what we thought the final layer was. I said 'Human error?'. It was Infrastructure as Code (IaC)! IaC is recommended best practice and awesome for provisioning environments, but with great power comes great responsibility. #didyouknow the number one cloud vulnerability is misconfiguration? 🤦‍♀️ Sonya gave some recent examples including Playstation, Uber and FedEx.

Then we went over to the GitHub marketplace, where Sonya showed us many tools, including Continuous Integration (CI), Software Composition Analysis (SCA), Secret Detection, Static Code Analysis (SAST), and workflows with vulnerability issues, kanban boards and how users can collaborate. For this use case, I recommend GitLab! It includes comprehensive security and in-depth planning functionality, and provides an interface for collaboration across all DevOps stages from planning to production 😻

Finally, Sonya left us with some OSS best practices (apply the principle of least privilege, review your project controls, enable notifications/alerts and review your webhooks) and some recommendations (adopt a #devsecops approach, address open source vulnerabilities, be aware of your own assets, and recognise the importance of security training for developers). She ended with key takeaways, including remembering not to push your keys 💥

Unfortunately, I started getting a migraine and missed Steve Giguere's session on live exploitation of vulnerabilities in GitHub Actions workflows. He covered external attacks via malicious pull requests, threat sources such as external attackers and malicious insiders, attack vectors including command injection, secret exfiltration and runner takeover, and finally prevention best practices and automation with open source. Speaking to friends in the audience afterwards, all feedback was glowing ✨️

If you weren't able to make the event and want to watch the recording, it's on YouTube! I watched Steve's session over the weekend and was amazed at how he self-approved his own merge request and gained persistent root access to a runner, all while concealing his own tracks 🕵️‍♀️
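To make those prevention points concrete, here is an added example of my own (not code from Steve's talk or the recording): the same pull-request workflow written with the weak settings behind the three attack vectors he listed, then a hardened version. The workflow name, the `npm` test step and the action version are placeholders.

```yaml
# Added example, not from the talk or its recording. Two versions of one
# pull-request workflow; the repository steps and action versions are placeholders.

# --- WEAK: the settings the attack vectors rely on ---------------------------
name: pr-check-weak
on: pull_request_target          # runs with the base repository's secrets,
                                 # even for pull requests opened from forks
permissions: write-all           # every step gets a fully privileged token
jobs:
  check:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4   # mutable tag: whoever controls the tag
                                    # controls code that runs on your runner
        with:
          ref: ${{ github.event.pull_request.head.sha }}  # checks out the
                                                          # untrusted PR code
      - run: npm ci && npm test     # executes that code with secrets available
      - run: echo "Checking PR: ${{ github.event.pull_request.title }}"
        # the title is expanded into the shell script before it runs, so
        # attacker-controlled text becomes shell syntax (command injection)
---
# --- HARDENED ----------------------------------------------------------------
name: pr-check
on: pull_request                 # fork PRs run with no secrets and a
                                 # read-only token by default
permissions:
  contents: read                 # least privilege for GITHUB_TOKEN
jobs:
  check:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@<full-commit-sha>  # placeholder: pin to an
                                                  # immutable commit, not a tag
      - run: npm ci && npm test   # PR code still runs, but without secrets
      - env:
          PR_TITLE: ${{ github.event.pull_request.title }}  # passed as data
        run: printf 'Checking PR: %s\n' "$PR_TITLE"          # never as code
```

Branch protection that requires a review from someone other than the author closes the self-approval route mentioned above, and that is a repository setting rather than something the workflow file can express.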

Looking forward to the next OWASP London event, where I may be speaking 🤞 Check out my 'Coming up' page to see where I'm speaking next, or get in touch if you'd like me to speak at your company or event 🎙️ Thanks for reading ❣️

@devstefops 👩🏽‍💻🌴💗
