Just In Time (JIT) Training

Long live the traditional security training model, where a Developer has to schedule training, sit in a classroom or take an on-demand course for a day or two, and learn a whole bunch of topics that may or may not be pertinent to what they do when they get back into the office. As DevSecOps becomes mainstream and teams adopt Continuous Delivery practices, it becomes imperative that Security Training is delivered to the Developer in bite-sized modules right when they need it and in the tools they use to develop software!

Security Training for DevOps Developers

In order for the JIT security training to be effective for the Developer, I believe it has to meet the following criteria:

  1. Training module must be very focused and should not take more than 5 minutes to complete.
  2. Training must be interactive and offer the Developer an opportunity to type in code.
  3. Gamify training by offering points, badges etc. based on the number of training modules completed, scores in tests and quizzes etc.
  4. Training needs to be accessible from the tool the Developer is coding in, e.g., IDEs such as Eclipse and IntelliJ.
  5. Training must be linked from a vulnerability reported by a security testing tool, making it easy for the Developer to find the pertinent training module to fix the vulnerability.

Products offering Security Training

Online learning platforms such as Pluralsight, Udemy, Lynda etc. are a big leap from where we were just a few years ago, offering a vast variety of training courses at affordable prices! But these learning platforms are not optimized for the DevOps Developer and do not meet the criteria mentioned above. However, there are security vendors in this space offering on-demand training that seems much more aligned with DevOps and meets the criteria mentioned above.

Some of the vendors I looked at that seem to have a robust offering are listed below. Please do not take this as a product endorsement, but as some references to get you started if you are interested in products in this space.

  1. Codebashing from Checkmarx
  2. eLearning from Veracode
  3. Secure Code Warrior

The products from Checkmarx and Veracode integrate their training modules with their SAST offerings and provide links to specific training modules within the description of the vulnerability identified by their SAST tool. This makes it very effective for the Developer to get up to speed on the vulnerability and the fix they have to implement to remediate it.

Free Learning Resources!

While commercial products are good for a large enterprise, the best Security learning I ever got was all free! Just in the past few years, a plethora of security-focused webinars has become available from Security Vendors and Security Experts.

On a personal note, just a few years ago, in order to maintain my CISSP credential and meet the required CPE credits, I had to look for conferences or multi-day trainings offered by vendors. But these days I make it a point every week to listen to an hour of security-focused webinars offered for free! There is no better way to keep up with the CPE requirement and continuously learn about the happenings in the Security space. The resources out there are extensive, but some of the ones I go to the most are:

  1. AWS Security
  2. ISC2 Resources
  3. BrightTALK

Whether you are considering buying commercial products or taking advantage of the free resources out there, I feel organizations have to focus on training the Developers and provide them with opportunities to quickly learn and implement security in their code, while they are developing software and within the tools they are using to develop it!

Happy Learning!

CSRF Defense for REST API

What is CSRF?

CSRF stands for Cross Site Request Forgery. Let us say you are on your Bank's Web Site, logged on and paying your bills. While the session is active, your 5th Grader interrupts you with a Math question. Of course you need to google the answer, as you have long forgotten the 5th Grade Math Mr. Andy Ruport taught you. You end up on a site that is infected with Malware while you are still logged on to your Bank's website. The malware on the site could issue a state-changing operation such as a Fund Transfer on your behalf to your Bank's website. Since you are already logged on to your Bank's Website, there is an active session cookie that gets sent with the request to your Bank's site. So, unbeknownst to you, a Fund Transfer request is made to your Bank on your behalf. This, in a nutshell, is a CSRF Attack.

Refer to the CSRF documentation on OWASP Website for additional information.

The defense for a CSRF Attack in a traditional web application is to expect a CSRF Token on every state-changing request, which the server validates against the token saved in the Session. Since APIs are supposed to be stateless, there is no CSRF Token that can be maintained across requests in REST API calls. Refer to the CSRF Prevention cheat sheet on the OWASP website for additional details. CSRF Guard is a widely used library to implement CSRF Defense in traditional web applications.

The CSRF Defense in REST APIs is for the API to expect a custom header such as X-XSRF-TOKEN. By requiring the client to set a custom header on the request, the attacker cannot rely upon a traditional CSRF Attack such as auto-submitting an HTML Form, because custom headers cannot be set via that attack vector. If the attacker were instead to rely upon sending an AJAX request using XMLHttpRequest (Level 2), the CORS protection mechanism supported by all modern browsers would kick in: the browser sends a preflight request first, and the REST API can accept or deny the request from the attacker-controlled site.

This is a simple and elegant CSRF Defense that can be implemented for stateless REST APIs.
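The defense described above, written out as an added example that is not code from the original post: a plain Node.js request handler that requires the X-XSRF-TOKEN header (the name used in the post) on every state-changing request and answers the CORS preflight only for an allow-listed origin. The origin `https://app.example.test` and the port are assumed values for this example; the token's presence, not its value, is what is checked, because the API is stateless.

```javascript
'use strict';
// Added example, not code from the original post: a stateless CSRF check for a
// REST API that requires a custom header on every state-changing request, plus
// the CORS preflight decision that stops attacker-controlled origins from
// sending that header via XMLHttpRequest or fetch.

// Header name from the post. Node lower-cases incoming header names.
const CSRF_HEADER = 'x-xsrf-token';

// Origins allowed to call the API from a browser (assumed value for this example).
// Never use '*' here: a wildcard would let any site pass the preflight.
const ALLOWED_ORIGINS = new Set(['https://app.example.test']);

// Methods that must not change state and therefore need no CSRF header.
const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS']);

// Decide whether a request passes the CSRF check. `headers` is an object keyed
// by lower-case header name, as Node's http module provides.
function csrfDecision(method, headers) {
  const m = String(method).toUpperCase();
  if (SAFE_METHODS.has(m)) {
    return { ok: true, status: 200 };
  }
  // The header's presence is what matters: a cross-origin HTML form cannot add
  // a custom header, and a cross-origin script can only add it after passing
  // CORS. The value is deliberately not tied to any server-side session state.
  const token = headers[CSRF_HEADER];
  if (typeof token !== 'string' || token.trim() === '') {
    return { ok: false, status: 403, reason: 'missing ' + CSRF_HEADER };
  }
  // Also refuse form-encoded bodies: an API that only accepts JSON leaves no
  // room for an auto-submitted HTML form, which can only send form encodings.
  const ct = String(headers['content-type'] || '').split(';')[0].trim().toLowerCase();
  if (ct !== 'application/json') {
    return { ok: false, status: 415, reason: 'body must be application/json' };
  }
  return { ok: true, status: 200 };
}

// CORS preflight answer. Browsers send OPTIONS with Origin and
// Access-Control-Request-Headers before any cross-origin request that carries
// a custom header; a non-2xx answer makes the browser drop the real request.
function corsPreflight(origin, requestedHeaders) {
  if (!origin || !ALLOWED_ORIGINS.has(origin)) {
    return { status: 403, headers: {} };
  }
  return {
    status: 204,
    headers: {
      'Access-Control-Allow-Origin': origin,
      'Access-Control-Allow-Credentials': 'true', // session cookie travels with the call
      'Access-Control-Allow-Methods': 'GET, POST, PUT, DELETE',
      'Access-Control-Allow-Headers': requestedHeaders || CSRF_HEADER,
      'Vary': 'Origin',
    },
  };
}

// Request handler wiring both checks into a plain Node http server.
function handle(req, res) {
  if (req.method === 'OPTIONS') {
    const p = corsPreflight(req.headers.origin, req.headers['access-control-request-headers']);
    res.writeHead(p.status, p.headers);
    res.end();
    return;
  }
  const d = csrfDecision(req.method, req.headers);
  const responseHeaders = { 'Content-Type': 'application/json' };
  if (req.headers.origin && ALLOWED_ORIGINS.has(req.headers.origin)) {
    responseHeaders['Access-Control-Allow-Origin'] = req.headers.origin;
    responseHeaders['Access-Control-Allow-Credentials'] = 'true';
    responseHeaders['Vary'] = 'Origin';
  }
  res.writeHead(d.status, responseHeaders);
  res.end(JSON.stringify(d.ok ? { result: 'request accepted' } : { error: d.reason }));
}

// Start the server on demand rather than at load time, e.g. startServer(8080).
function startServer(port) {
  const http = require('http');
  return http.createServer(handle).listen(port);
}
```

With the server started via `startServer(8080)`, a POST with no X-XSRF-TOKEN header is refused with 403, a POST that carries the header but a form-encoded body is refused with 415, and an OPTIONS preflight from any origin other than the allow-listed one gets 403 with no Access-Control headers, so the browser never sends the real request. The legitimate front end simply adds the header on every state-changing call (for example via the `headers` option of `fetch`), which only same-origin code or a CORS-approved origin can do.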

How to make effective presentations – A Survival Guide for Techies

Practical advice. I like this very much!

AppSec For Devs

A lot of folks in the security field would rather be in front of a computer instead of people. But in order to grow professionally and become a leader in any field, one needs to be comfortable talking, presenting and teaching in various settings and group sizes. I am not a natural public speaker. I envy people who jump in front of a group, speak eloquently and give effective presentations. But I would like to get better at this skill. I teach a course on Defensive Security for Developers, training them on implementing & verifying security controls in their code to mitigate OWASP Top 10 vulnerabilities. I will blog about teaching techniques in another post. Recently, I had to get in front of the CTO, Managers and other Lead Architects in the organization. This is a situation where if you do well, it will be a “no op”, you may get a…


AppSec Blogs (Current & Future)

Please vote (by way of comments) for the topic that is of interest to you.

  1. Securing REST APIs/Micro Services
    1. Security vs Speed and Flexibility: A Conundrum
    2. Authentication
    3. Authorizations
    4. Input Validations & Output Encoding
    5. CSRF Defense
    6. Authorize Direct Object References
    7. Error handling/Information Disclosure
    8. API Gateway: Why you need it?
    9. CORS Demystified!
  2. Amazon Web Services
    1. How do you know if your AMIs are secure?
  3. Dynamic testing using a Proxy
    1. Burp
    2. Zap
  4. OWASP (Open Web Application Security Project)
    1. Newest OWASP Top 10 Release Candidate List is Out
    2. OWASP Mobile Top 10: A Critique
  5. DevSecOps: Shifting Security to the Left/Automating Security in DevOps Pipelines
    1. Static code analysis for security vulnerabilities
    2. Dynamic Application Security Testing (DAST) tools
    3. Interactive Application Security Testing (IAST) Tools
    4. Open Source Software (OSS) Vulnerability Scanning Tools
    5. Automated Security Test Cases
    6. Bamboo APIs – Love ’em
    7. Break Builds: Getting Devs to take action !
    8. Just In Time (JIT) Training
  6. Setting up Security Assurance Program
    1. Security Architecture
    2. Security Assessments
    3. Vulnerability Management
    4. Security Training
  7. Security Learning Resources
    1. Conferences
    2. Training
    3. Webinars/Webcasts
  8. Miscellaneous
    1. Do you know what your attacks are?
  9. Professional Success
    1. How to make effective presentations? – A Survival Guide for Techies