Debunking Security for Developers (Part 1)

Published by Farrukh Jadoon (@fkj) and Umar Sikander (@us)
primo secondo
By @fkj  and  @us

A primer on commonly used security terms.

CVE, RCE, SAST, DAST, S.I.E.M, XSS, OWASP… ok wait, what?

For an everyday developer, cybersecurity seems like a soup of convoluted buzzwords and acronyms. In no way to undermine their importance, there is a massive gap today in the fundamental understanding of security concepts between security professionals and practitioners today.

As the industry continues to shift left (aha, another one!) and attacks continue to rise to an alarming extent, security for developers can’t just remain as an afterthought. It is important for developers to understand how their everyday work impacts the security posture of the software they’re building, its users, and the organizations they are a part of.

This educational post is intended to simply explain some of these terms in a way that is relatable to the everyday developer; the way you’d explain it to your mother. Think of SparkNotes… but for developer security.

Let’s define the personas we’ll be using in our examples through this post.

Sam (they/them) - a savvy full-stack web developer

PeaceCorp - a company building software for world peace, where Sam is part of the engineering organization

$evilx - an adversary with evil intentions of sabotaging world peace

pwned - an instance getting breached, in context of this post.

Attack Surface

all the places PeaceCorp can get pwned by $evilx

The attack surface (aka threat surface) is the sum of all entry points and possible exposures that could be exploited by a threat actor to gain access to your system, application, or organization. This includes all code, data, and network connections on a computer system, as well as any hardware and software components. A larger attack surface means a higher chance of a successful breach.

Two relevant attack surfaces in this context are:

  • Digital Threat Surface

    using machines (e.g. Sam’s computer) to pwn PeaceCorp

    A digital attack surface relates to entry points accessible through the internet, such as servers, databases, and remote devices. The growing trend of remote work and cloud-based software has increased the number of potential vulnerabilities.

  • Human Threat Surface

    using humans (e.g. Sam) to pwn PeaceCorp

    A human attack surface refers to targeting individuals within an organization, usually employees and contractors. Social engineering attacks like phishing are an example of an attacker expoliting a human threat surface. A recent example is the Uber breach in Sep 2022, for which the entrypoint was an extrenal contractor.

Attack Surfaces for Software Applications

How can $evilx can use the software Sam is building to pwn PeaceCorp?

In the context of software applications, the attack surface can refer to the vulnerabilities or flaws in its desig and development process. The way an application handles user input or external data sources can leave it open to a breach, if exploited by an attacker.

The primary attack surfaces in software applications are often remote entry and exit points, such as internet interfaces or third-party tools and modules (such as open source packages) used in the development process. To assess the attack surface of a software app, it’s crucial to map all functions for vulnerability review and testing, including known and unknown threats. This involves examining all entry and exit points in the source code, as well as monitoring changes over time. A larger attack surface makes it easier for attackers or malware to access and run code on a target machine.

Internal attack surface can include:

  • Publicly exposed IP addresses, CIDR blocks and TCP/IP ports
  • Expired SSL/TLS Certificates
  • Public and private cloud resources (e.g. exposed S3 buckets)
  • Domains and subdomains (especially those about to expire)
  • Web server services such as emails and databases

External attack surface can include:

  • Open source modules from public registries (such as npm, PyPi and Crates.io). Notably transitive dependencies.
  • Developer tools for monitoring (e.g. Sentry, PostHog)
  • External APIs and services used during developement (e.g. Stripe, Mailgun)

Attack Vector

the specific pathway $evilx utilizes to pwn PeaceCorp

An attack vector (aka threat vector) is the term used to describe how an attacker gains access to your system. In other words, it’s the way they get in (and the entrypoint they use) to perform the actual attack.

An attack vector is derived from the overall attack surface of the target entity. It can refer to a specific vulnerability in software or hardware, a method of exploiting that vulnerability, or a method of delivering malicious code to a target. Some examples of popular attack vectors include email attachments, infected websites, unpatched software, a misconfigured system or an open source dependency being used by an application.

The goal of an attacker is to identify a vulnerability, exploit it to craft an attack vector and achieve their malicious objectives.

How is a Threat Vector Used?

$evilx figuring out the best way to pwn PeaceCorp, directly or indirectly

In order to gain access to a system, a hacker can use common attack vectors with the following intentions:

  • Identify a potential target and its attack surface
  • Gather information (reconnaissance) about potential targets
  • Use that information to identify the tools needed to carry out the attack
  • Gain access to systems in order to steal data or install malicious code
  • Takes control of the hacked system with a command and control server for malicious purposes (e.g. extracting sensitive data and PII to encrypting it to be released for ransom)

Common attack vectors

Below are a few attack vectors commonly used by threat actors to compromise software developers and applications.

Phishing

impersonating someone legitmate (e.g. Sam’s manager) to pwn Sam, and then pwns PeaceCorp

Attacks that use social engineering to trick employees into sharing credentials with fraudsters by pretending to be trusted sources.

Credential stuffing

$evilx tries all possible combinations of credentials in hopes of pwning PeaceCorp

Automated injection of compromised authentication credentials (e.g. username and password pairs) into login forms to fraudulently gain access to user accounts.

Account takeover (ATO)

$evilx takes over Sam’s account, which is then used to pwn PeaceCorp

These attacks occur when an attacker gains access to the account of a legitimate user or entity. Gaining access to a legitimate entity can be used to carry out malicious acitivites (such as malware injection) which can be particularly hard to detect as the targeted entity is usually trusted.

To learn more about this attack vector in the context of open source software, check out this blog post.

Supply chain attack

$evilx cleverly compromises an external dependency used by Sam in their dev workflow. Using that dependency, $evilx pwns PeaceCorp.

One of the top security buzz words in the recent past - and also one of the most commonly misunderstood - supply chain attacks are becoming a popular method for threat actors to target multiple organizations at the same time.

Simply put, a supply chain attack is the type of attack which originates from an interaction with a third-party. This can include any code, tool or service for which the owner is outside of our organization. Supply chain attacks are particiularly destructive in consequences, and are quite difficult to trace and prevent due to the ever increasing dependence of modern software on third-parties.

A software supply chain is anything that touches your code, from developement through CI/CD, until it gets deployed into production - evilpacket

It’s important to note that supply chain attacks are not the same as attacks that result from the exploitation of known vulnerabilties. Read more about the difference in this blog post.

Threat Actor

the adversary aka $evilx

A threat actor is a person or group that seeks to harm or exploit a system or organization, with the goal of stealing data or using the system for malicious purposes. Threat actors can have various motives, including monetary gain, political activism, or protest. The nature of threat actors has become more complex over time, and can range from rogue insiders and hactivists to hostile nation-states.

For example, a recent attack on Uber resulted in a breach of critical systems, with the hacker posting a message on the company’s internal Slack with the intention of raising awareness about driver pay. Threat actors can also be part of organized groups known for regular cyberattacks, such as the LAPSUS$ gang.

Threat Model

Lets figure out how and what can get pwned at PeaceCorp, so we can prevent it from happening in the first place

A threat model is a representation of the information that affects the security of a system, including the attack surface, attack vectors, and threat actors. Threat modelling is the process of using hypothetical scenarios, system diagrams, and testing to help secure systems and data. It helps stakeholders improve their security posture and stay ahead of security threats.

Summary

Putting it all together:

$evilX (threat actor) utilizes weak GitHub credentials (attack surface) of Sam (the developer) to craft a supply chain attack (attack vector) intended to compromise PeaceCorp (the org).

  • Attack vector: a vulnerability that can be exploited to access a system
  • Threat surface: all possible entry points into a system
  • Threat actor: an individual or group with the means and motivation to attack an organization’s assets
  • Threat model: analyses that identify the origin of threats, potential attack surfaces, and likelihood of success.

Educating practioners has become critical for security to scale in the modern era of software. Hopefully this introductory post was helpful in demystifying some of the commonly used jargons in security (stay tuned for future posts in this series).

Security is not just about catching when you get pwned, but also about having awareness and guardrails in place to prevent it from happening in the first place - @izs