Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

1/23/2013
12:26 AM
50%
50%

Playing In The Sandbox Helps Developers Learn About Bugs

Using virtual environments, two start-up projects create different ways of showing -- not telling -- developers how and why to prevent bugs

For four months, massive denial-of-service attacks have caused problems for U.S. financial institutions. At the heart of those attacks are a host of servers running Web applications with known vulnerabilities.

While a server-based botnet inundating networks with tens of gigabits of data per second may highlight the danger of Web-application vulnerabilities, developers don't need to wait for their software to be compromised to see such attacks in action. A group of computer security specialists have created Hack.me, a virtual playground where developers can see the impact of various vulnerabilities on almost a score of open-source applications. The aim: to teach developers the danger of vulnerabilities.

"We realized that explaining and educating users about Web application security with theoretical arguments is not enough and has proved a failing approach for years," says Armando Romeo, founder of eLearnSecurity and the Hack.me project. "Countless books have been published on the subject, but we still have developers writing insecure code and management level completely ignoring threats related to Web applications."

Using Hack.me, a developer or security professional can attack a live instance of a vulnerable Web or mobile application to see the impact of different vulnerabilities. Or a developer can upload a version of his own code so that others can attack it in a safe and virtual environment.

"If you break something, you can always start fresh [by] resetting your sandbox," Romeo says. "All these operations literally take seconds compared to hours of server deployment and application configuration you had to go through before."

eLearnSecurity is not alone in trying to use sandboxed environments to teach developers to better secure their software. Startup Bugcrowd aims to give developers a place to offer up their applications to a crowd of freelance pen testers, who compete to find vulnerabilities in the application for a bounty.

"We are working with larger companies who know what bug bounties are but haven't yet been able to implement them, and with smaller companies who haven't had an app sec testing solution that fits their budget requirements until now," says Casey Ellis, founder and CEO of Bugcrowd.

The project has run a number of bounties so far, including one for $5,000 in total rewards that is currently ongoing. Based in Australia, the startup has already started soliciting additional projects. The project could provide an opportunity to developers who may not otherwise have the funding to hire a pen tester, Ellis says.

"Every bounty we've run so far has yielded a third-party 0-day," Ellis says. "That doesn't usually happen under the traditional model and goes to show that the testers are doing a fantastic job."

[Penetration testing is only the first step of self-inspection -- ask internal auditors to scrutinize IT practices beyond compliance to take risk management to the next level. See Go Hack Yourself.]

While the penetration-testing possibilities are intriguing, these types of projects can be invaluable in teaching developers the seriousness of eliminating vulnerabilities in their software, says Jerry Hoff, vice president of the static code analysis division for WhiteHat Security.

"Education is the first line of defense against vulnerabilities," Hoff says. "In a lot of organizations, most developers have no idea about how the technology can be used, or abused, by attackers."

Yet these types of projects should be part of an overall plan to teach developers the best way to code securely and minimize vulnerabilities, and not used as a single lesson with no context, he says. Rather than just scare developers, teach them how to use secure coding techniques to make their code harder to exploit, he says.

"It is a little like a magic trick, but it kind of puts developers in a paralyzed state of fear because of all the things you can do," Hoff says. "It is better to discuss security controls, and let them know why they have to do it."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Commentary
How SolarWinds Busted Up Our Assumptions About Code Signing
Dr. Jethro Beekman, Technical Director,  3/3/2021
News
'ObliqueRAT' Now Hides Behind Images on Compromised Websites
Jai Vijayan, Contributing Writer,  3/2/2021
News
Attackers Turn Struggling Software Projects Into Trojan Horses
Robert Lemos, Contributing Writer,  2/26/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-27254
PUBLISHED: 2021-03-05
This vulnerability allows network-adjacent attackers to bypass authentication on affected installations of NETGEAR R7800. Authentication is not required to exploit this vulnerability. The specific flaw exists within the apply_save.cgi endpoint. This issue results from the use of hard-coded encrypti...
CVE-2021-27255
PUBLISHED: 2021-03-05
This vulnerability allows remote attackers to execute arbitrary code on affected installations of NETGEAR R7800 firmware version 1.0.2.76. Authentication is not required to exploit this vulnerability. The specific flaw exists within the refresh_status.aspx endpoint. The issue results from a lack of...
CVE-2021-27256
PUBLISHED: 2021-03-05
This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of NETGEAR R7800 firmware version 1.0.2.76. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists wit...
CVE-2021-27257
PUBLISHED: 2021-03-05
This vulnerability allows network-adjacent attackers to compromise the integrity of downloaded information on affected installations of NETGEAR R7800 firmware version 1.0.2.76. Authentication is not required to exploit this vulnerability. The specific flaw exists within the downloading of files via...
CVE-2021-26705
PUBLISHED: 2021-03-05
An issue was discovered in SquareBox CatDV Server through 9.2. An attacker can invoke sensitive RMI methods such as getConnections without authentication, the results of which can be used to generate valid authentication tokens. These tokens can then be used to invoke administrative tasks within the...