Security Weekly #463 – Interview with Ferruh Mavituna

this as a security weekly production this week on security weekly federal navet of the CEO of nets Parker joins us to talk about web application security in a number of different topics that will be very interesting so make sure you stay tuned for that Apollo Clark is coming on to do a technical segment on improving your cloud security specifically with Amazon AWS in our stories of the week who is the creator of Bitcoin it’s Craig right no maybe not and imagemagick vulnerabilities we’re going to talk about those as well as some open SSL CVEs that came out this week so stay tuned broadcasting live from g-unit studios in Rhode Island it’s the show where exploits run wild packets aren’t the only things getting sniped in the cocktails flow steady it’s Paul security weekly security weekly is brought to you by the SANS Institute the most trusted source for computer security training certification and research visit sands or to explore the full curriculum and latest training offers own apps is the leading provider of solutions to protect ERP systems from cyberattacks customers can secure their SAV in Oracle business critical platforms from espionage sabotage and financial fraud risks visit them on the web at own apps esscom Pony Express Checkout their line of penetration testing devices including the punk pad the poem phone in the poem Pro for enterprises there’s poem poems providing continuous visibility into wired Wi-Fi and Bluetooth spectrums across all physical locations including remote sites and branch offices for all those hard-to-reach places there’s Pony Express visit them on the web at Pony Express com and welcome to the show here’s your host a man wouldn’t be caught dead in this shirt Paul acid Orion welcome everyone to security weekly we’ve got a fabulous show for you of course mr. Larry Pesch is here in studio yes a couple of quick announcements I want to mention make sure you go to source Boston source Boston source conference com i should say security weekly listeners do get a discount if you subscribe to our insider mailing list you will get more information about that discount this year’s conference is going to be awesome the lineup of speakers that Rob Chainz put together is absolutely fabulous we will be there well I say we Keith will be there are fabulous executive producer will be there I actually I can’t go to Boston because my wife goes into labor and I get stuck in traffic mrs. Berg my child and then soon and then all three of your sons will grow up without a father yes it’s very bad it’s very bad but Keith’s gonna be there and we’re giving away free hack naked t-shirts all you have to do is like heat scan your badge you get a half naked shark that’s nice ascribe to our mailing list that’s a damn good deal the worse it cost you is one ridiculous email from John or myself and then you can unsubscribe heck I get ridiculous emails from you guys all the time for the past 10 years yeah you know what I’ve got a cadre of t-shirts at home that’s totally fine so make sure you go to source conference also cloud security world I think it’s cloud is it cloud security dump shoot I should know this it’s loud you know its cloud security world misty dot-com it’s another conference happening in Boston cloud security world misty calm go there Andrew hey will be speaking and many others that’s also another awesome conference if you’re in the Boston area you’ve got a series of awesome conferences coming your way so make sure that you sign up for those Apollo is going to be joining us shortly to do a text segment before that and before we talk about the Bitcoin Creator who is Craig right but then maybe not correct right in not valid in invalidated by Dan Kaminsky we should say we’re going to talk about all that in the image magic vulnerability and the openssl vulnerabilities and so much more so much more before that though I get a chain to sit down with ferromagnet una from Nets Parker and we talked about securing your PHP and WordPress installations and ways to scan them we talked about how you can automatically generate modsecurity rules from web application scanners we talked about a little bit about the software development lifecycle and testing java applications and we talked about some interesting facts around bug bounties so that interview is

coming up right now so stay tuned we’re going to come back with a fabulous text segment so right now here is Pharaoh mavet una from thats Parker beautiful hey there security weekly listeners on pasa Dorian and this is our feature interview for this evening with Pharaoh mavet una no stranger to the security weekly show Farah welcome to the show I fall thank you for having me again yes and we’ve chosen some kind of somewhat random topics to talk about but I think they’re all awesome topics that we’re going to cover today and I wanted to start with PHP in WordPress and it’s interesting we were just talking before the interview that this is kind of near and dear to my heart I kind of put it in there somewhat selfishly because it’s what we choose to use for our web technologies and I say that by disclosing like what we’re running is if our listeners couldn’t figure that out by a quick scan as much as we would do to hide it it’s very hard to hide the fact that you’re running wordpress and I think let’s talk about the business decision first you know we chose that as a platform because of a couple of reasons right it’s very extensible there’s a lot of functionality coupled with that their security issues but also I think you were saying federal is like 25 percent of the internet runs WordPress in some capacity so finding people to help us work on things is easier because it’s such a common platform so talk a little about the sum of those security challenges how they balance off on some of those business decisions I think scituate was it gets even more interesting now depending on how good you are at security sometimes using an off-the-shelf product can make your life easier for example let’s talk about wordpress wordpress at the end of the day yes it is there’s been so many issues with wordpress in the history so you know so many security problems being discovered so it’s not great but on the other hand so many had discovered so we hope to see less and less right that’s theory and it might be correct depending conn-young you know how much time you you are willing to invest into a web application for example if you’re a big company got so many resources that you’re happy to spend and you are good at City to all that kind of stuff then you can say you know I’m like a useful press or any of the shelf products just i can use i will make something small something see to you because i know how to do mm-hmm but the fact is how many companies actually do know how to secure web application and the chances are that place possibly will be more secure than what you can do yeah i’m not talking about you obviously you know coming from security the street you know you will be you will be able to find the right guys but even when you do that it will be expensive it will take time you you will need to go to so many things so and there’s a good respect if there is a big word presage it’s a problem the chance is up before you got hacked so many other people get taxed yeah you kind of notify it will really high profile no that’s it that’s an interesting point in I like that angle is if you run a technology that’s widely adopted and there’s a big vulnerability in it you’re gonna hear about it because so many people are getting compromised because everyone’s running it I only thought it was interesting to Farrah you know you said that a lot of larger companies and I’ve seen this say well I’m not going to use an off-the-shelf product I’m going to build my own web application and it’s going to be smaller and very specially purpose-built what I find ends up happening is due to one of two things really write that when they write that application as you alluded to it can be even less secure in WordPress depending on who builds it but also the business drivers forced that very special purpose web application to start to grow you know it like I want more functionality hey I want a blog on my website hey I want to accept contact forms I want to do lead tracking and then you know then let’s start running code it becomes more insecure and I’m trying to add these features where is the off-the-shelf thing more secure if you know you’re going to have a lot of business drivers or is it better to build something yourself or is there something entirely different that you should approach you should take I think there’s a from good paste point of it I think that’s a great example good press that can be anything it can be a bilocate can be commas it can be anything really so flexible at this point it’s more like a framework rather than even a gap application can just install and with millions of plugins and the chances are when you have WordPress you will go ahead and install lots of plugins as well so let’s compare that to a custom-built application in custom-built application you will definitely very less cold much less

complexity and that means less vulnerabilities neck said that the chances are as I said Yoko if you are not an expert and if you don’t have spent a lot of money into the secure development the testing and all the city development lifecycle if it’s not part of your development then WordPress will be more secure I mean that’s you know that’s what I would bet on but again you definitely been on the complexity side WordPress is super complex and we know complexities is a big problem in in any security hey you know it’s same from network it’s same for every other this thing and application is no difference more complex your web application is more vulnerable as you will have that’s maybe the most reliable métrage when we look at web applications and think about you know what’s the likelihood of having a vulnerability what about the platform choice I know that probably the top three are Java and probably PHP after that and am I missing any of the major ones actually a coupe think you know I think PHP and javascript is super popular now and surprisingly javascript is gaining a lot of traction in server sides so you know they’ve got so many platforms I don’t it’s it’s higher than PHP or asp document for that matter biting you know it’s close a classroom framework language whatever you call them for example you know after all you can develop it various different languages by end of today it will compile it to do you know same aisle code it’s it’s the very same same code what is compiled to plateau is super important we have seen this in the past to give you a very concrete example maybe talk about vulnerabilities we talked about to set of vulnerabilities in web applications if we’re at with the right now mum is as a developer you cannot do anything and you have no idea and you wouldn’t have guessed kind of vulnerabilities right right you’ve seen them in PHP v essendon so to give you an example in PHP we have our set of issues that can just be exploited you know as a developer you have no control over in we have seen similar issues such as there was an issue but we’ve stayed decoding regarding to padding Oracle attacks and which led to code execution pretty much in every single a speed up that application because of the Brotherhood was in the frameworks right you know it’s easy developer you couldn’t do anything about it this is I am going to kind of ignore this you know because it is something as a developer you cannot teach a developer to secure that you know it’s just a choice all we can do we can look at the track record of these frameworks these languages and to be fair PHP possibly is the first one but you know Java is it up networks in similar abilities in them as well but we’ll think we you know maybe we need to talk about what framework provides to the developer you know how teach you the framework is by default mm-hmm and again unfortunately maybe you know being one of the most popular languages PHP gain the most you know the worst offender oh absolutely and anyone give myself include any was written the PHP application is like oh my god it was so easy to just make it so insecure and then you go to to try and make it secure and it’s a lot of work and there’s not a lot of tools that to help you or check your library like it’s just it’s a nightmare it’s pretty much institute by default well everything you do isn’t it you and let’s think about certain set of vulnerabilities that only present themselves in in PHP and to give you an example the most common one remote file inclusion you don’t see remote while inclusion vulnerabilities in other languages it’s sorry oh-ho interest rates and you have it in PHP it’s the how PHP designed have it works which rappers how it works with external resources and you know the famous include function in even if you wanted to put any remote while inclusion wall ability you had to write plunge the amount of course now what about what about file upload is file upload fall into a similar category um arguably yes yes it is actually file off I’ve got a different set of problems based on the maybe more about the server rather than the framework for example in file uploads we have seen in PHP for example in file upload you write a function and you say okay bloke dot PHP okay that’s

that’s a logical thing to do but also PHP three extension works and executed SPH me right just top of my hat ah it is key though you know yes yeah it’s not much different is cup different similar bypasses like you can add an extension put a semicolon add another extension and then you will still buy plastic bled black list but it will get executed right but without if prevents remote file inclusion better than PHP that file upload vulnerability probably isn’t a big of a deal in as it is in PHP right cuz they go hand in hand oh oh we want fun i I’m not quite sure how much it affects because in remote while inclusion all you need to include a file form a different server so in PHP you can just say okay you know I’m gonna attack this perimeter with I think it up come / my shell that’s blah blah right download it and executed it’s done up but file upload may be at a small if you have a local file inclusion but you can easily bin SB but again it is you cannot convert a local file inclusion into a remote code execution vulnerability easily because again it won’t execute asp a speaker but in PHP as you said if you can upload an image file yeah and if you have a local file inclusion the chances are you will get code execution out of that not just able to read some source code but you will actually execute God’s sake I meant I meant local I met local file inclusion yet rabito yeah no that’s that’s very very interesting so what um what can we do that to secure all actually let’s talk first about what are the strategies for scanning PHP in WordPress type applications I get nervous if there’s any kind of credentials because i feel like the database is so fragile in that environment in fact just today I mean my database in my development vironment got corrupt right I spent like an hour or more recovering from that issue I’m not sure was cause I installed some of the security plugins or what the problem was but I feel like that’s a very fragile relationship so what can you do to more accurately scan WordPress not just in the database aspect but in general I think there are two aspects of securing an off-the-shelf product the first thing is you need to keep up with the patch right doesn’t matter static or dynamic analysis you know their vulnerabilities they will be logical vulnerabilities they will not able to identify it automatically so you don’t want any to keep up with the patches right if they fix something is like your Windows Update is is like your operating system updates you just do them and the second aspect of it what is in that on top of the default setter can go ahead and scan the default set apart chances are so many people already scanned the default setup smear it so much all the tools that you know you’re never used ah so if there was a vulnerability the chances are that vulnerability has been already identified and hopefully fixed but what you’re looking for is the custom code custom plugins and obscure plugins you really want to scan them you really want to understand what is in them and they can’t be anything unfortunately unlike let’s say our mobile phones and stuff most of the web application plugin environments don’t have proper sandboxes if that was the case then when you download the plugin you would say okay this plugin can access my database this plugin can access the file and you know I should be worried I should be really careful about you know I should be maybe source code review this oh whatever i need to do or stand is in on properly but we don’t have you know it’s very very if even if it’s that it’d be interesting for a based on what you said you know when i put in its interesting analogy when i put an app on my phone and it says hey when I’m installing this this application needs access to your contacts and needs access to your photos and images and things like that when you install the plug-in in WordPress it doesn’t ask you any of that and pretty much by default has access to everything correct that’s correct it has access to everything and it’s scary saline you know uh you’ve got these old database you got all your replication you mentioned you you know your your data is corrupted or your setup corrupted and maybe maybe it’s because of plugin even from that point of view you really you know we will really love to see that kind of sandboxing button to it very it’s very complex maybe not even possible in many cases right um what about CSS or cascading style sheets are there a lot of vulnerabilities in there I know like when we talk about a wordpress theme for example a lot of that is really just a bunch of CSS inside of the theme and I know they’re CSS injection vulnerabilities but what

are some of the ones that you check for for CSS form abilities I think CSS itself in modern web applications it’s relatively harmless but you can still get cross-site scripting code of that but the good thing is you won’t get local file inclusion remote file inclusion or code execution right not to say exercise is not important because you know we have seen for example Apache you know fun days you got hacked because of a cross-site scripting so you know cross-site scripting can be very disruptive having said that uh having a cross-site scripting through a theme CSS that’s very unlikely because the features they will be using they won’t be taking dynamic parameters therefore there is no textual face so someone need to go ahead and back to it you know that’s the attack surface that and that stands Fairley’s at the spot so it’s very unlikely attack surface and it’s fairly safe but one thing you don’t want to do you don’t want your users to control your CSS or customize it for someone else or to share you within your domain that can get tricky with not only cross site scripting attacks potential cross-site scripting issues there are data filtration issues like they can extract piece of content from the current user session or there are issues such as they can redraw the user interface in a way they can check out phishing attacks or also don’t stop on your domain so that’s something you don’t want but when it comes to themes yo general is safe I would say you know there’s not much risk in de as long as it’s not intentional back thought I see so some applications will accept user parameters and then based on those user parameters change the CSS of the website mmm that’s something you don’t want yeah that’s what I’m trying to get a use case to that that’s interesting and another thing about themes actually and net sparkle you know what we do is with net sparkle to prove and to improve the quality of the scanning we scan open source applications so far we’re scans about 500 applications this includes applications such as WordPress and to even wordpress plugins and stuff and you know we’re really is over I think one hundreds advisory so all all these are zero days it’s quite scary when you think about an automated scanner can go ahead and find 0 days in applications such as WordPress completely automatically hmm and and and my point being default one vulnerability in one of the default WordPress themes it was a dumb cross-site scripting right so even though you know your team might not have a PHP file that takes a parameter and execute it even the jealous could content of the theme which I think many of them to have some sort of JavaScript yes as so the that your escape is also quite dangerous and don’t cross site scripting such as the one that we formed um might affect you any no case because it was one of the default themes even if you weren’t using it you were vulnerable right cuz those stats you’re sitting in that dieter yeah those files are there even though you’re not using them and they’re still accessible and can be exploited that’s yes that’s maybe you know that should be part of the WordPress Harding right what is not necessary is like one of the Golden Rule social security if it’s not necessary just get rid of it right and if you’re not using that particular theme or a plug-in you might not be updating it because all I’m not using it but the code is all still sitting there one of the things when I look at securing web applications is I look towards modsecurity now we’ve already stated how complex environments such as WordPress can be and tuning mods security for your environment is I think a tremendous amount of work i know that Trustwave has like a commercial feed for that kind of thing where they’ve actually done a bunch of tuning but i still think it’s all going to be a lot of application dependent tuning you have to do with modsecurity in but you have a way to generate some modsecurity rules from nets Parker’s are correct that’s correct ah it’s more for recent features and the reason for that in web app you know web applications are complex you know we’ve been talking about it forever and one of the themes one of the patterns that we have seen you tell the user or the user you know runs a test and they on the vulnerability now what do they do they go ahead they talk with the developers developers we give up fee no particular source code they figure out how they need to fix it and this takes time then it goes through the QA depending on the agility how important situating that particular company all that this can easily take from a couple of days two to six months easy and and

we know that because if you look at the background report and if you look at some popular advisories you can support advisories with like a timeline of one and a half years so that means those guys just sit on that one ability for one and half year and in the meantime they were wrong right so what we said okay in the meantime they are wonderful so can we just patch it temporarily you know web application firewalls are good and there the analogy I use it’s like a doctor you know what we do from scanning point hopefully if we tell you what is wrong with you we give you a medicine that will so you know that will make you well and you won’t have this particular problem anymore and web application firewall is more like you are caffeine and it’s a cough medicine it doesn’t teach you it doesn’t solve the cause of the problem it just get rid of those symptoms right and that’s not necessarily better just like in real words you go ahead and use the cough medicine because all you need until you get better is a cough medicine mm-hmm so that’s what we do when we find the vulnerability now we generate a web application firewall rule for not security particularly at this point and then you can just import them into your rules and you’re done I said you know it’s great I mean say what you will about web application firewalls modsecurity is very closely obviously tie to Apache it’s a module in Apache which I think allows you to be very specific certainly with some of the rules it’s not an external web application firewall which I think also probably has some perform it’s benefits as well and like you said to be able to put that stopgap measure because you’re not going to be able I mean lets you scan your website and find eight critical vulnerabilities like you said for you got to go your developers and say okay when you’re going to fix these now they’re not gonna be able to fix all eight all at once right there’s a development life cycle that has to take place to fix those vulnerabilities so having some kind of stopgap measure my fear is though that people will become too dependent on that hey i’m never i’m not going to go to the doctor i’m just gonna keep taking cough medicine right until it gets so bad that I’m in the hospital kind of thing right or use this Web Application Firewall instead of actually fixing the problem so long that someone finds a bypass or the code never gets fixed so that’s the exact of Irving Pete you know in web application firewalls we know the history on that day got a very bad track record and I’ve seen so many by processes web application flowers and ironically majority of them fooled by one person who got stuck you know they’re doing fantastic and I got a web application firewall and they’re like okay how am I gonna bypass this and they just do it and bypasses and I got a similar story about that you know has a web application firewall kind of generic catch-all cross-site scripting protection mm-hmm so this being about eight years maybe a nine years actually yeah I think so about nine years ago I was doing fantastic and this is early time so very speed up net and the very same thing happened I’m trying to get a cross-site scripting virgin the application is vulnerable they don’t actually encode the output correctly but doesn’t let me to exploit it so I’m like okay can i bypass this and it takes like 30 minutes to bypass that and leaves in so many stories in web application firewalls exactly darkness so this is scary because these needs it’s not that hard to buy pasties where if you really want to and and then that’s maybe you know they are good from difference and depth purposes but they are not something you can just rely and say okay I’ve got a web application firewall I am secure that’s definitely not the case absolutely so let’s see the next story i have here was um the sdlc and dynamically testing java applications there was something specific that i wanted to mention this article as well this came out of the SANS Institute and yeah so being able to perform static analysis on source code before performing a deploying bill gives him a strong edge in creating secure applications however the article kind of goes on to talk about how developers need to understand security and I think today many may understand cross-site scripting sequel injection but now we’re getting some of the more advanced attacks and it’s a difficult thing I think to educate your developers so that there aren’t all these other weird vulnerabilities or easily exploitable vulnerabilities that don’t fall in like the cross-site scripting sequel injection category that’s that’s one of

the biggest problems you know what happens is a part of the pond view we always talk about educating card developers and that’s that’s bad you know they need to understand basic concept of web application security they need to understand they cannot trust input you know input is is bad they need to understand output encoding if they don’t understand this you cannot expect a secure system out of them it’s just not possible they were they will mess it up the second thing is they need to understand the situation features of the frameworks easily you know and they get we briefly talked about frame executors but I can be is a great example for example cross-ice request forgery is a huge issue mm-hmm but if your framework comes with it by default or if it’s just a boolean switch that you can enable like MVC and plenty of other frameworks now that’s great you don’t need to understand CA sera all you need to do is you know you know you need to enable that stuff and you good so is it something that you enable or something that you have to code specifically for that platform or is it very simply a switch it’s a switch in this particular case for example nice and a couple for the frameworks like they just met off a switch and that’s fantastic I think strategies for example like that am a nerd of mbc kind of frameworks particularly so that’s great that’s the right way to do security and that’s something you can teach your developer and they should really know this but what happens is all other kind of issues as you mentioned you know edge cases and the new stuff so right now we have two new things coming up one is Nev coochie changes right one is kuchi prefixes so there I think in these secure and host prefixes for certain attacks and the other one is same side cookies for you know extra protection for cross-site request forgery attacks so do we expect developers to keeping up to date with this every single change is it reasonable expectation do we expect them to understand every single edge case with javascript implementation so they are secure against really obscure cross-site scripting attacks do they need to understand how intent explore a particular javascript can be exploited in internet explorer in edge mode you know stuff like that I don’t think that’s reasonable or realistic you know so we can we can give them some basics and then the part of it needs to be handled in an automated manner and automation can train developers that’s another good thing about automation to give you know the very same example we are talked about named cookie features or even recent stuff relatively recent like usage of HST s which is a real right way to implement HTTPS in in web applications right so in an automated tool it will immediately tell the user look you have an application it’s over HTTPS but you’re not using que estés you really should do because these are all the advantages and this is how we implemented so you see now this developer since this report and he’s like okay this makes sense I understand what this is what this is for how can implement it Danny you know he or she goes a ton and implement that and that’s again depending on the framework can be complicated so very easy it might be a simple switch it might be a call though it might be a library you can just you know use yeah yeah go ahead as you can see I like that because we talked about training and I think we look at training is okay I’m gonna go train my developers ok I’m done training my developers you’re never really done training your developers but putting them in the process right they’re continually learning these new techniques for attacking and defending and constantly improving their applications because one of the things with web applications especially and it means let’s be honest mobile applications are essentially primarily web applications they’re always changing there’s always new features there’s always new new things going on and you have to continually apply security of that process not just like I trained my developers and security i’m done i met the regulatory compliance with your training we’re done right definitely so i think from the way i look at it you need to train your developers in the mind they need to get into that situation mindset they need to understand core basics of security something’s not necessary don’t put it into the code something is not necessary delete from your web server and everything I when we develop something do not trust the improved you know when you output something to another subsystem know your encoding stick with your libraries you know and other other best coding practices and secure coding practices like you need to have centralized code base and that kind of stuff but these won’t solve all these edge cases and this won’t solve the problem that they were not able to keep

up to date with every single new security issues or every single new security improvement feature edit your browser’s client site or server site or whatever that I think we’re automation is very useful because when they see more issues they will address them and if you have to try to put them on a process where each and every week or every other week you try to teach them security that’s that’s hella bad job I don’t even know if I don’t think any company actually doing that you know I met with so many development teams i met with so many development in with very good secure develop you know secure teams and everything that shot not scalable that skateable that’s just not realistic hmm yeah and it’s certainly a process as we were talking before the show you know you can’t just do one thing you gotta you gotta have a layered approach look you were alluding to with the wife as well I do want to talk about a specific vulnerability in imagemagick and this is not the first vowel nur ability that I’ve seen an image magic over my 10 plus years of covering security news this one seems a little scary to me i don’t know maybe you’ve got a different take on it Pharaoh but it’s basically a remote code execution bug in the image magic libraries which are used by a lot of websites and web applications mm-hmm I actually looked into it and you know looking to do you know what’s the problem what’s the exploit it there various bugs in it but the core of the problem is this image library is passing parameters to shell you know that’s the core of it which also you know it’s not escaping them correctly which you know let’s remote code execution now the real questions from web application point of view if you use this library in the indie you know back ends and passing parameters to this library do you do your job but chances are you won’t you know you won’t pass you won’t do certain kind of encoding or escaping because the chances are you don’t even know that the library imagemagick library is actually passing those parameters into shell right that’s not an expected behavior normal i know so i think a generally bad way to do it too I mean we think about what imagemagick does I understand why it goes to the command line because it was originally like a command-line tool right and uses a lot of the command line tools to manipulate images I wonder why it doesn’t do all that in the coach basis running in the web application actually I believe the read about it the explanation for that was because it supports various different formats and they don’t build all these floor mats they didn’t didn’t develop the support of all this format so they are using all these different set of tools to pass parameters and comments so they can do that I think that’s part of the problem and that’s why it’s designed that way but also it supports crazy stuff like you know a similar to PHP issue it can actually I grab a file from another protocol so it will actually make an HTTP request in the back end that’s obviously and then we’ll grab that file and do stuff on that file and if image format itself is quite tricky we have seen so many problems with image formats in the past you know I’m sure you remember the famous wmf vulnerability yeah we just yes yeah code execution of the feature right right yeah so I mean and the problem is when you try to again you know there’s an input right you are getting an input from the customer you use it an image how do you check whether an image is an actual image that’s tricky and that’s something also they fail because one of the explains what you do what you do you created like G file and put coordinates and it was still Google too many checks you know it will still go to this nut imagemagick specific but generally if you are developing an application and accepting image as an applause the content of the image can be dangerous you can easily inject for example PHP code into an image and form an image processor point of view it will be still valid image formats it’s not that tricky even without exit exit it’s very straightforward if you just add that stuff into the exit right of the image not even without eggs if it’s very possible and it’s dangerous so in the image still renders it does interesting it’s not necessarily pretty by browser ahead I gotcha I gotcha no that’s that’s really cool um so the the mitigation for this is to apply a patch which isn’t out yet right I didn’t catch the next you I’m not quite sure the patches are so not I know they were ex waiting to

publish the exploits but just someone found out in the comments in hecka news and they said you know what the hell I’m just gonna publish it now so I guess you’re right the pitch is not out there but they publish the X anyway because you know people figured it out it was almost very straightforward based on the changes Oh having said that I’m preach you dig up the top comments sorry it commits mm-hmm I get pictures to vulnerability I don’t know how reliable it is or reddit for production but I’ve seen the you know changes so I’m not sure yeah they did they did publish a workaround which edits the policy that XML file image magic in it it did say I don’t those articles dated or not but it’s interesting they say the patch was a fixed has been promised for the weekend starting for 23 2016 which was last month okay interested but this article was published like today so yeah I suppose it’s page though yes because they’ve done the commit changes right freezing liddell working fine so it’s supposed to potentially awesome but it shows us of you know are you cannot just trust on a third-party library hmm yet you had to because if you note it it’s not practical for you also want to talk about some bug bounty stuff to which i think is interesting i was reading about some bug bounty stuff recently as one of my one of my friends sons now i actually went to work for facebook and he was telling me like how crazy they are about security in facebook being I think the largest subscribe to web application on the planet I think I’m pretty safe in saying that right so we’ve got a big responsibility applying security to that now what’s interesting is in the past year I want to say Facebook spent almost a million dollars and paid out bug bounties to over 200 individuals averaging about 13 or 14 thousand dollars per individual for bug bounty programs so it’s clear that when your facebook I mean that’s not a lot of money but that’s a lot of people and a lot of bugs that they fixed as a result of that program I would imagine and I think it’s pretty successful for face because I haven’t heard about a big Facebook vulnerability in a while I don’t know if that’s a measure of success or how you feel about how you measure the success of a bug bounty program I think that’s a very good point and you know you and I remember how it was so it’s kind of yeah we’re in a different landscape right now Randy you know back in the day when you find a vulnerability all the cheers about you know hopefully I’m not gonna go to jail right I even even before that if you found a vulnerability like we went from like no one caring right right in the late nineties are issues that i found a web but they’re like I don’t care about that whatever right we went to like ninja lawyers like coming down from helicopters and in police breaking down your door if you disclose the web vulnerability to now where the companies give you money if you find a vulnerability like it’s just amazing how we’ve seen the progression like that that’s that’s fantastic I did it’s literally one of the biggest wings or security you know this is this is great I I I don’t think anyone could have imagined this ten years ago you know this was it sopia in insecurity community but either way so we came to this point and I think that’s why we are not hearing our vulnerabilities in facebook are being exploited because people are actually finding vulnerabilities and they ship to say you know I’m just gonna I’m just kind of sense well it’s okay you’re gonna get a five ten thousand I think it’s most which is I don’t know how you yeah obviously if you if you decide the value of vulnerability based on the potential impact in the hands of a bad guy then so many vulnerabilities such as remote code execution should value like a couple of million dollars for a company like Facebook right yeah that’s not happening yeah but at the end of today they are definitely getting more and more secure the interesting people what we see we see so all of these issues with companies such as Facebook to to compare it with another actual hack um for example hacks such as a hacking team of finishes that kind of facts when you read about how they got hacked it’s actually very interesting you know you see that for example they found a zero-day in one of the rooters oh I think and other devices yeah was it was an embedded system here he found the decision that’s what I remember these edits okuma it took him a couple of weeks and they found a zero-day vulnerability which then let him right he customized firmware to use that vulnerability to replace the firmware on the which is pretty cool pretty impressive by all

means and we don’t see that oh I’m sure we see that now and then in in you know bug bounties but what we see more than that what we see is very well known vulnerabilities and one of the common patterns is ok before got this server in here with default password and you can actually access a database folder yeah I said a lot of that too far when I read about some of the bounties it’s like they didn’t find a vanar ability on sub using facebook i’ll use uber because you mentioned uber and your nose right yeah you know like uber has like another server that they’re piloting some program or some server that hosts some files and they forgot to apply the security to that server and they get a bug bounty because there was a sequel injection across its scripting or you know see a sort of on that particular system yeah and that shows us one thing even these big companies who chase about security who is maybe crazy about you today are doing bug bounties they got dedicated security teams I’m sure they do so many other things right even then they don’t have this process of their future forget stuff right yeah that’s shocking but that’s the reality that we keep repeating the city and that’s well again automation and the process matter salons you know if you have a policy this is a problem that you can solve it a policy plus automation if you know your inventory if you know all of your service mm-hmm if you know all of your applications then you can automate it and all of these very easy to find vulnerabilities will be found you know that’s that’s not working side it’s a very well salt problem oh yeah I thought so don’t see good yeah oh I’m sorry I’m sorry interrupt you but I was just going to say you know we have automation on the building of the application side right so we use virtualization containers cloud security and we can script the whole the whole thing of creating all of this environment we need automation on the other side to be able to test it all look as it needs to be balanced right right and they actually doing solutions now I mean they’re not all necessarily perfect but we are scalable web application skinny we have stainable network infrastructure skinning and however if you don’t know you even have a web application in the first place if you don’t know how many web service you have and honestly so many companies don’t and that’s other problems so because you need to start from the you know one or one kind of okay let’s let’s get that infrastructure in place let’s ensure people are not just deploying stuff on our public interface where you know with access to critical parts of a network or components or service or a key is Facebook got a similar think right they forgot an old API that you can just get an access everyone’s data right and that’s that’s just insane but it happens you know um so farrah in terms of the Nets Parker product we talked about a couple of new features there any new features in the Nets Parker cloud or nets Parker scanning application yes we actually got couple of cool new features are one of the things via we are focusing right now one thing we used to do always is eliminating false positive by safely exploiting vulnerabilities so when n SQ a sequel injection is been identified in an application Nancy Parker safely exploit sit and marks test confirmed so when user sees it they know it’s confirmed they don’t have to double check it that’s all good that’s perfect but what we have seen in real world there are two problems one because of the past experience mostly users still do not trust the skin they say okay Skinner tells me cover but no I’m not I’ve been burned by that so many times right right yeah even though we don’t have that problem and after a while users get used to it and they say okay I’ve been double-checking this for a year and never seen a confirmed tissue turn out to be a false positive so i will stop checking that that’s good you know users get that but what is it okay you know I bet we got this problem and we still have the problem of convincing developers they have the vulnerability in the first place because developers sometimes comes back to a security guy sensei I don’t have a problem in here I’m sure your tool is you know giving me false positive and stuff like that and the security guide then have to figure out how to exploit it and you know show him you know make kind of a demonstration to prove that the vulnerability exists now what we do instead of that you know your automated that as well now let’s park it doesn’t just doesn’t tell you there’s a sequel injection and an attacker might steal your data it tells you look there’s a sequel injection I figured out how to

export it I marked it as confirmed and here is the data from your database here is your data is username with your database version and here is the database name and then you have it when you show it to your developer well it’s done deal right you definitely hacked into that application its improvement yeah no that’s that’s really great so many of us have been in that situation or in that situation today where the developers don’t believe you and then you have evidence sometimes even if you do have evidence developer still don’t want to believe you but that’s not a problem in an automated scanner can fix right that’s an interpersonal non-state yeah there’s a leadership thing there has to be a good working relationship with the security team so but it’s great that you’ve done all those steps so that as security people now you can kind of focus on working more with your developers rather than spending the time before like going to try and exploit it to prove it like there’s a less step in there to getting to the point where code is actually getting fixed which is great all right correct I don’t think also we are focusing is single page applications we are seeing more and more in the public we got angularjs and so many new JavaScript frameworks and we got so many new single page application models now we are focusing on the challenges of single page applications like in a single page applications you can have multiple states how can you cover multiple states how can you for example there is an input and it has let’s say autocomplete feature how can you make the application trigger that autocomplete feature so you can see the interaction and you can test that interaction as well so that’s something we have been focusing and we really added lots of new features or support single page applications much better now so you know it’s a constant battle between modern web development new features and um how can we support all of those yeah I think you’re gonna be busy for a really long time because I think this is always going to be I mean you know in the past several years that we’ve been talking about web applications and web technology I mean even before I started doing the show you know we looked at CGI scripts in 1999 to where we are today there’s always something new especially with web application so you get your work cut out for you in there yeah yeah we’ve been doing this for seven years Fonuts parker and before that you know I was in web development and web security for you know about 14 years now but for net spark for the last seven years we have seen so many changes you know because we have to support every single mutant we keep a really close eye on do you know what’s getting popular what’s getting there what are the new technologies it’s insane it’s just insane and so many new development models they are just so different and they come with their own security challenges not from our point of view from developers point of view as well like you know how to solve cross-site request forgery but when you move a bit too xmlhttprequest Jason and all that kind of stuff you have you got a slightly different problem not everyone knows after so perfectly there is no well-defined way to solve it every everything old becomes new again yeah well that’s awesome Farrah thank you very much for appearing on security weekly again as always it’s a pleasure speaking with you and that concludes his interview so stay tuned we’ll be right back