Training Developers to Defend Against Software Attacks

Credit to Author: Trend Micro| Date: Thu, 07 Dec 2017 14:30:49 +0000

Security Bugs – “The Root of all Evil”

by Paul Ionescu, Security Architect 

Looking back at some of the famous security breaches of 2017 we find that they have been caused by software bugs.

The WannaCry attack which impacted computers in 150 countries for an estimated cost of $4 billion used a memory flaw in the Windows File Sharing protocol.

The Equifax breach which exposed the personal data of 143 million Americans, was conducted using a deserialization vulnerability in the Apache Struts library.

The challenge with security bugs is that they are many times not perceived as quality issues, since from the developer or tester point of view, the software is working. There is an unexpected behavior that is uncovered by an attacker, which leads to the vulnerability.

This characteristic of security bugs can cause some developers to even contest that security issues are defects. To better understand that perception an analogy could be made by thinking of developers as house builders and a software feature could be seen as a window added to the house. The window works well, opens and closes, it insulates the house from cold or heat. A thief breaks in through the window. It’s the thief’s fault, not the fault of the builder.

“Putting the Hacker Hat On”

Defending against software attacks requires developers to think about how the software can be abused. This is also known as Threat modeling.

Hackers are categorized based on colors of hats, black hats are the bad guys, white hats are the good guys.

In order to prevent attacks developers must be able to think like the hackers, “put the hacker hat on”. For this they require some basic knowledge:

  • What are the common software flaws?
  • How can the software be abused?
  • How can the software be defended?

What are “The Top Flaws”

There are two well-known lists outlining common software flaws and attack categories

The MITRE Top 25 also known as the SANS Top 25 is an inventory of Common Weaknesses (CWEs).

The OWASP Top 10 is a list of attack categories that impact web applications. The majority of MITRE Top 25 weaknesses and OWASP Top 10 categories intersect.

Training Through Gaming

It is likely that your development team will not get much out from a one hour session presenting the Top 25 software weaknesses. Some may even fall asleep during the meeting.

Training through gaming is proven to produce better results, it is engaging and fun, it develops practical skills and the competitive setting drives completion.

There is a common way to train security testers known as CTF (Capture the Flag).  At Trend Micro, we have employed a similar approach to train our developers in software security basics.

We have made the code of the training platform publicly available on GitHub under the Secure Coding Dojo project.

Secure Coding Training School

Because developers ultimately learn to defend from software attacks the training is inspired from martial arts. The training contains 21 challenges across 7 different levels from White Belt to Black Belt.

The training is based on the MITRE Top 25 + one of the newly added OWASP Top 10 attack categories, XML External Entity. You can review the complete training curriculum at this link.

Each challenge describes one or more security flaws in detail. The participant then has to leverage the security flaws to exploit a vulnerable application in order to pass the challenge. Finally, the participant learns about the software defenses (“code blocks”) that could have been used to prevent the attack.

The screenshot below shows the description for the SQL Injection challenge.

 

The screenshot below shows the exploit stage of the Buffer Overflow challenge, where participants must bypass a password verification program by writing arbitrary data to a memory buffer.

The screenshot below shows the “code block” section that describes how to defend against Cross-Site Scripting attacks.

The training portal can integrate with Slack, Google or can work with a local authentication where each participant registers an account. There’s information on how to install and deploy in the wiki section of the project.

We hope that the project can help train developers and raise awareness about secure coding practices in a world that is becoming increasingly driven by software.

http://feeds.trendmicro.com/TrendMicroSimplySecurity