2. About me
Artur Balsam (ABS)
- Application Security Engineer
- Pentester
- Code reviewer
- CI/CD/CS
- Communication evangelist
3. Agenda
1. Penetration Test Report and other Sources of Security Threats
2. Process
2.0 Vulnerability is here
2.1 Is it real? Validation
2.2 Recalculation
2.3 Fixing time
2.4 Validation
3. Tips & Tricks
4. Bad, bad mitigations
10. “Uh, Houston, we've had a problem”
Sources of security vulnerabilities:
- Penetration Test Reports
- CI/CD Tools
- Threat Modelling
- Security Code Review
- Architecture review
- overheard in meetings
- found by accident
11. Typical issue from a report
Sensitive data sent in URL
Severity Level: Medium
CVSS v3
Score: 6.3
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
Description:
(..) this issue was identified at the following location:
/admin/notifications?access_token=<removed>
24. Tips and tricks
Internal Security Teams:
• Store everything in Jira for future reference
• Educate developers
• Review MRs for security-related fixes
• Talk with business and developers
• CI/CD
• Not everything is “Critical”
Devs:
• Ask your Security Team
• Ask Pentesters
Pentesters:
• Ask about business requirements
• Not everything is “Critical”
27. XSS “fixed” with uppercase
1. XSS in the report
2. No questions asked about the report
3. Fix: capitalise user input
4. Retest: XSS still there
5. Proper fix
28. Remember my credentials
1. During the penetration test, “Remember me” does not work; added to the report
2. Feature added before the retest
3. Username in local storage
4. Password in local storage
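Storing the password (or even just the username) in local storage means any XSS on the site reads it, and nothing ever expires or gets revoked. The server-side pattern below is an added example, not code from the talk or the project: a persistent-login token split into a public selector and a secret validator, with only the validator's hash stored, delivered in an `HttpOnly; Secure; SameSite` cookie, single-use and rotated on every redemption. The in-memory dictionary stands in for a database table and the cookie name is an assumption.

```python
import hashlib
import hmac
import secrets
import time

REMEMBER_ME_TTL = 30 * 24 * 3600   # 30 days; adjust to the business requirement

# Constructed in-memory stand-in for a persistent_logins table:
# selector -> (username, sha256(validator), expiry as epoch seconds)
_persistent_logins = {}


def issue_remember_me(username, now=None):
    """Create a persistent-login token. Only the hash of the secret half is stored,
    so a database leak does not hand out working tokens."""
    now = time.time() if now is None else now
    selector = secrets.token_urlsafe(12)    # public lookup key (indexable)
    validator = secrets.token_urlsafe(32)   # secret; lives only in the cookie
    digest = hashlib.sha256(validator.encode()).digest()
    _persistent_logins[selector] = (username, digest, now + REMEMBER_ME_TTL)
    return f"{selector}:{validator}"


def set_cookie_header(token):
    """Set-Cookie line carrying the token: unreadable from JavaScript, HTTPS only,
    not attached to cross-site requests."""
    return (f"remember_me={token}; Path=/; Max-Age={REMEMBER_ME_TTL}; "
            "HttpOnly; Secure; SameSite=Lax")


def redeem_remember_me(cookie_value, now=None):
    """Exchange a cookie for (username, fresh_token), or None. Tokens are single-use
    and rotated on every redemption, so a stolen copy stops working as soon as either
    party uses it; a bad validator for a known selector revokes the whole series."""
    now = time.time() if now is None else now
    selector, sep, validator = cookie_value.partition(":")
    row = _persistent_logins.get(selector) if sep else None
    if row is None:
        return None
    username, digest, expires = row
    presented = hashlib.sha256(validator.encode()).digest()
    if now >= expires or not hmac.compare_digest(digest, presented):
        _persistent_logins.pop(selector, None)   # expired or tampered: revoke
        return None
    _persistent_logins.pop(selector)             # consume: never accept twice
    return username, issue_remember_me(username, now)


def revoke_all(username):
    """Log out everywhere (password change, suspected theft)."""
    for selector in [s for s, row in _persistent_logins.items() if row[0] == username]:
        del _persistent_logins[selector]
```

The browser never holds anything that can log in twice or that an attacker can reuse after the legitimate user has been back; the password itself is never stored anywhere but in its hashed form in the normal credential store.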
29. Broken auth? Just add JWT
1. Broken authorisation mechanism in the report
2. Fixed by adding JWT
3. Multiple issues with the JWT itself (.decode() only, no signature verification)
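Two things went wrong on that slide: a JWT does not fix authorisation (the resource-level check is still missing), and a JWT that is only decoded is just a base64-encoded JSON document the client wrote itself. The Python below is an added example, not the project's code; it assumes HS256 tokens and uses only the standard library so the whole exchange runs offline. `decode_only` is the broken check; `verify_hs256` pins the algorithm, compares the signature in constant time and enforces `exp`; `forge_claims` and `alg_none_token` are the two attacker moves the broken check accepts. The key is a constructed demo value.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed key for the demo; a real deployment loads it from a secret store.
DEMO_KEY = b"demo-key-do-not-use-in-production"


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _segment(obj):
    return _b64url_encode(json.dumps(obj, separators=(",", ":"), sort_keys=True).encode())


def sign_hs256(claims, key):
    """Issue a compact HS256 JWT: header.payload.signature."""
    header, payload = _segment({"alg": "HS256", "typ": "JWT"}), _segment(claims)
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def decode_only(token):
    """What the 'fix' on the slide did: read the claims and believe them.
    The signature is never looked at, so anyone can write their own claims."""
    _, payload, _ = token.split(".")
    return json.loads(_b64url_decode(payload))


def verify_hs256(token, key, now=None):
    """Proper check: pinned algorithm, constant-time signature comparison,
    expiry enforced. Raises ValueError on any failure."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("token must have exactly three segments")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":          # never let the token choose the algorithm
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("signature mismatch")
    claims = json.loads(_b64url_decode(payload_b64))
    now = time.time() if now is None else now
    if "exp" not in claims or now >= claims["exp"]:
        raise ValueError("token expired or has no exp")
    return claims


def forge_claims(token, **changes):
    """Attacker's move against decode-only code: rewrite the payload and keep
    the (now meaningless) signature from the original token."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    claims = json.loads(_b64url_decode(payload_b64))
    claims.update(changes)
    return f"{header_b64}.{_segment(claims)}.{sig_b64}"


def alg_none_token(claims):
    """The classic 'alg': 'none' token: no signature at all."""
    return f"{_segment({'alg': 'none', 'typ': 'JWT'})}.{_segment(claims)}."


def is_admin_broken(token):
    """Authorisation decision built on decode_only: attacker-controlled."""
    return decode_only(token).get("role") == "admin"


def is_admin(token, key, now=None):
    """Authorisation decision built on a verified token. Even this only tells
    you who the caller is; the check that they may touch the requested
    object still has to happen per resource."""
    try:
        return verify_hs256(token, key, now).get("role") == "admin"
    except ValueError:
        return False
```

The `alg` pin matters as much as the signature check: if the verifier takes the algorithm from the header, an attacker can downgrade to `none` or, with an RSA-signed deployment, switch to HS256 and sign with the public key.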
30. Meeting business requirements in a ‘potentially’ dangerous way
“(…) to provide a sophisticated experience for customers, it is required to provide functionality that gives end users simple editing possibilities in the comment section (bold, italic or strikethrough required).”
1. Added a WYSIWYG HTML text editor
2. Treated user input as safe
3. XSS
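Slides 27 and 30 are the same mistake from two directions: transforming user input instead of encoding it on output, and trusting HTML because the business asked for formatting. The Python below is an added example, not code from the talk or from the project. The first half shows why upper-casing fails: HTML tag and attribute names are case-insensitive and decimal character references spell `alert` without a single letter, so the browser still ends up with `onload="alert(1)"`; `html.escape` is the correct fix for text that is not supposed to be markup. The second half is what the requirement on slide 30 actually needs: an allow-list sanitiser built on the standard-library `HTMLParser` that keeps only bold/italic/strikethrough tags, drops every attribute, escapes all text, discards script/style bodies and closes whatever was left open. The payload string and the tag allow-list are constructed for the demo.

```python
import html
import re
from html.parser import HTMLParser

# --- Slide 27: why upper-casing is not a fix --------------------------------

def broken_fix(user_input):
    """The 'fix' from the report: shout the input and hope the script dies."""
    return user_input.upper()


def proper_fix(user_input):
    """Output encoding for text that is NOT meant to be markup."""
    return html.escape(user_input, quote=True)


# Constructed payload (not from the talk). .upper() changes no digit and no
# punctuation, so the entity-encoded handler survives untouched.
PAYLOAD = '<svg onload="&#97;&#108;&#101;&#114;&#116;(1)">'


def handler_as_browser_sees_it(markup):
    """Value of the onload attribute after the HTML parser decodes it."""
    m = re.search(r'onload="([^"]*)"', markup, re.IGNORECASE)
    return html.unescape(m.group(1)) if m else None


# --- Slide 30: rich text needs an allow-list sanitiser, not trust -----------

ALLOWED_TAGS = {"b", "strong", "i", "em", "s", "del"}   # bold, italic, strikethrough


class RichTextSanitizer(HTMLParser):
    """Keeps only allowed tags without attributes, escapes all text, discards
    script/style bodies and comments, and closes mis-nested or open tags."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_tags = []
        self.dropping = None   # name of a script/style element being skipped

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.dropping = tag
        elif tag in ALLOWED_TAGS:
            self.out.append(f"<{tag}>")          # attributes intentionally discarded
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag == self.dropping:
            self.dropping = None
        elif tag in self.open_tags:
            while self.open_tags:                 # close mis-nested tags too
                closed = self.open_tags.pop()
                self.out.append(f"</{closed}>")
                if closed == tag:
                    break

    def handle_data(self, data):
        if self.dropping is None:
            self.out.append(html.escape(data, quote=True))

    # comments, doctypes and processing instructions never reach the output
    def handle_comment(self, data):
        pass

    def handle_decl(self, decl):
        pass

    def handle_pi(self, data):
        pass

    def result(self):
        self.close()
        while self.open_tags:
            self.out.append(f"</{self.open_tags.pop()}>")
        return "".join(self.out)


def sanitize_comment(untrusted_html):
    """Return HTML that uses only the formatting the business asked for."""
    p = RichTextSanitizer()
    p.feed(untrusted_html)
    return p.result()
```

Allow-listing is the only direction that works: the sanitiser never has to know what an attack looks like, it only has to know what bold, italic and strikethrough look like, and everything else becomes text.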