Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

1/23/2013
12:26 AM
50%
50%

Playing In The Sandbox Helps Developers Learn About Bugs

Using virtual environments, two start-up projects create different ways of showing -- not telling -- developers how and why to prevent bugs

For four months, massive denial-of-service attacks have caused problems for U.S. financial institutions. At the heart of those attacks are a host of servers running Web applications with known vulnerabilities.

While a server-based botnet inundating networks with tens of gigabits of data per second may highlight the danger of Web-application vulnerabilities, developers don't need to wait for their software to be compromised to see such attacks in action. A group of computer security specialists have created Hack.me, a virtual playground where developers can see the impact of various vulnerabilities on almost a score of open-source applications. The aim: to teach developers the danger of vulnerabilities.

"We realized that explaining and educating users about Web application security with theoretical arguments is not enough and has proved a failing approach for years," says Armando Romeo, founder of eLearnSecurity and the Hack.me project. "Countless books have been published on the subject, but we still have developers writing insecure code and management level completely ignoring threats related to Web applications."

Using Hack.me, a developer or security professional can attack a live instance of a vulnerable Web or mobile application to see the impact of different vulnerabilities. Or a developer can upload a version of his own code so that others can attack it in a safe and virtual environment.

"If you break something, you can always start fresh [by] resetting your sandbox," Romeo says. "All these operations literally take seconds compared to hours of server deployment and application configuration you had to go through before."

eLearnSecurity is not alone in trying to use sandboxed environments to teach developers to better secure their software. Startup Bugcrowd aims to give developers a place to offer up their applications to a crowd of freelance pen testers, who compete to find vulnerabilities in the application for a bounty.

"We are working with larger companies who know what bug bounties are but haven't yet been able to implement them, and with smaller companies who haven't had an app sec testing solution that fits their budget requirements until now," says Casey Ellis, founder and CEO of Bugcrowd.

The project has run a number of bounties so far, including one for $5,000 in total rewards that is currently ongoing. Based in Australia, the startup has already started soliciting additional projects. The project could provide an opportunity to developers who may not otherwise have the funding to hire a pen tester, Ellis says.

"Every bounty we've run so far has yielded a third-party 0-day," Ellis says. "That doesn't usually happen under the traditional model and goes to show that the testers are doing a fantastic job."

[Penetration testing is only the first step of self-inspection -- ask internal auditors to scrutinize IT practices beyond compliance to take risk management to the next level. See Go Hack Yourself.]

While the penetration-testing possibilities are intriguing, these types of projects can be invaluable in teaching developers the seriousness of eliminating vulnerabilities in their software, says Jerry Hoff, vice president of the static code analysis division for WhiteHat Security.

"Education is the first line of defense against vulnerabilities," Hoff says. "In a lot of organizations, most developers have no idea about how the technology can be used, or abused, by attackers."

Yet these types of projects should be part of an overall plan to teach developers the best way to code securely and minimize vulnerabilities, and not used as a single lesson with no context, he says. Rather than just scare developers, teach them how to use secure coding techniques to make their code harder to exploit, he says.

"It is a little like a magic trick, but it kind of puts developers in a paralyzed state of fear because of all the things you can do," Hoff says. "It is better to discuss security controls, and let them know why they have to do it."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
News
US Formally Attributes SolarWinds Attack to Russian Intelligence Agency
Jai Vijayan, Contributing Writer,  4/15/2021
News
Dependency Problems Increase for Open Source Components
Robert Lemos, Contributing Writer,  4/14/2021
News
FBI Operation Remotely Removes Web Shells From Exchange Servers
Kelly Sheridan, Staff Editor, Dark Reading,  4/14/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: "Elon, I think our cover's been blown."
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-27400
PUBLISHED: 2021-04-22
HashiCorp Vault and Vault Enterprise Cassandra integrations (storage backend and database secrets engine plugin) did not validate TLS certificates when connecting to Cassandra clusters. Fixed in 1.6.4 and 1.7.1
CVE-2021-29653
PUBLISHED: 2021-04-22
HashiCorp Vault and Vault Enterprise 1.5.1 and newer, under certain circumstances, may exclude revoked but unexpired certificates from the CRL. Fixed in 1.5.8, 1.6.4, and 1.7.1.
CVE-2021-30476
PUBLISHED: 2021-04-22
HashiCorp Terraform’s Vault Provider (terraform-provider-vault) did not correctly configure GCE-type bound labels for Vault’s GCP auth method. Fixed in 2.19.1.
CVE-2021-22540
PUBLISHED: 2021-04-22
Bad validation logic in the Dart SDK versions prior to 2.12.3 allow an attacker to use an XSS attack via DOM clobbering. The validation logic in dart:html for creating DOM nodes from text did not sanitize properly when it came across template tags.
CVE-2021-27736
PUBLISHED: 2021-04-22
FusionAuth fusionauth-samlv2 before 0.5.4 allows XXE attacks via a forged AuthnRequest or LogoutRequest because parseFromBytes uses javax.xml.parsers.DocumentBuilderFactory unsafely.