Artur Balsam

1. Life after pentest
16.10.2019
Artur Balsam

2. About me
Artur Balsam (ABS)
‒ Application Security Engineer
‒ Pentester
‒ Code reviewer
- CI/CD/CS
- Communication evangelist

3. Agenda
1. Penetration Test Report and other Sources of Security
Threats
2. Process
2.0 Vulnerability is here
2.1 Is it real? Validation
2.2 Recalculation
2.3 Fixing time
2.4 Validation
3. Tips & Tricks
4. Bad, bad mitigations

4. Process - perfect world

5. Process - real world

6. Step 0

7. “Uh, Houston, we've had a problem”

8. “Uh, Houston, we've had a problem”

9. “Uh, Houston, we've had a problem”
Source of security vulnerability:
- Penetration Tests Reports

10. “Uh, Houston, we've had a problem”
Sources of security vulnerabilities:
- Penetration Tests Reports
- CI/CD Tools
- Threat Modelling
- Security Code Review
- Architecture review
- overheard on meetings
- by accident

11. Typical issue from report
Sensitive data sent in URL
Severity Level: Medium
CVSS v3
Score: 6.3
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
Description:
(..) this issue was identified under following:
/admin/notifications?access_token=<removed>

12. Step 1

13. Validation

14. Validation
Sometimes - it should work like that!
Or business said that!
Validation

15. Validation
In our case: yes - access token is in the URL
Validation

16. Step 2

17. Recalculation

18. How to “objectively” parse CVSS v3 to Jira Bug
CVSS v3 Jira
Severity
Base score
range
Priority
None 0.0 P5
Low 0.1 - 3.9 P4
Medium 4.0 - 6.9 P3
High 7.0 - 8.9 P2
Critical 9.0 - 10.0 P1
Recalculation

19. Additional factors
Business / reputation Risk - increasing factor
Easiness of attack - mostly decreasing factor
Impact - mostly closing factor
Recalculation

20. Additional factors
Our case
1. Medium == P3
2. P3 + Business Factor == P3 1/3
3. P3 1/3 + Impact - Attack == P3 1/3
4. Jira Priority: P3
Recalculation

21. Step 3

22. Fixing time
Fixing

23. Bank of Security Issues
Fixing

24. Tips and tricks
Internal Security Teams:
• Store everything in Jira for future
• Educate developers
• Review MR’s for security related fixes
• Talk with business and developers
• CI/CD
• Not everything is “Critical"
Devs:
• Ask your Security Team
• Ask Pentesters
Pentesters:
• Ask about business requirements
• Not everything is “Critical”

25. Why?

26. Why?
People are creative

27. XSS “fixed” with
uppercase
1. XSS in the report
2. No questions to report
3. Fix with capitalize user input
4. Retest (XSS still here)
5. Proper fix

28. Remember my
credentials
1. During penetration test, "Remember me” does not work -
added to report
2. Feature added before retest
3. Username in local storage
4. Password in local storage

29. Broken auth just add
JWT
1. Broken authorisation mechanism in report
2. Fixed with added JWT
3. Multiple issues with JWT itself (.decode() only)

30. Meeting business
requirements in
‘potentially’ dangerous way
“(…) to provide sophisticated experience for customers, it is
required to provide functionality that gives end users simple
editing possibilities to comment section (bold, italic or
strikethrough required).”
1. Added WYSIWYG HTML text editor
2. Treated user input as safe
3. XSS

32. Q&A