Secure Coding: Fix from the root

Workshop by Gopika Subramanian & Hitesh Kumar

Time: 01.30 PM - 05.30 PM

The training aims to overcome the drawbacks of the current approach of teaching application security by blindly attacking applications to analyze vulnerabilities. This results in engineers being unable to figure out the proper fix for the vulnerabilities and hence allowing attackers to exploit the same. The talk will help security enthusiasts, developers and students to identify the root cause of the vulnerability in the code, patch it, re-deploy the application, and finally verify the fix. As an attendee, you will learn to find vulnerabilities with both an attacker and a defenders point of view which would help in a swift SDLC of fixing and moving forward instead of traditional pentesting procedures of fixing the issues at the end of the cycle. The demonstration will be done using a vulnerable e-cart application with microservice architecture which is deployed using docker where the vulnerable code is attacked and replaced with secure code snippets, compiled, deployed and pentested again to demonstrate how fixing a vulnerability at the root saves engineers time and efforts.

The training will be divided into two sections: Attack & Secure Coding. This training is completely beginner friendly for an audience ranging from students to professionals and will start with fundamentals of web, web architecture and technologies.

Web Architecture (Client-Server components, models, styles and types)

    Web Fundamentals:
  • Caching
  • Cloud Storage
  • Load Balancers
  • CDN
  • Databases

    Application layer (Web services mapped in OSI Layer):
  • Requests & Responses
  • HTTP Methods
  • HTTP Status codes
  • Cookies & Sessions
  • SOP
  • Sandbox
  • URL & its decomposition

Web & API Exploitation:
The Hands-on lab is an intentionally vulnerable dockerized e-commerce application that can be deployed in the trainees laptops and they can start testing for bugs which our team would demonstrate. The application uses a microservice architecture which uses multiple components of the e-commerce app as services which are written in different programming languages and databases to help attendees learn attack and defense vectors in multiple tech stacks. We would explain the bug, where to find it and why it occurs along with a demonstration of how to look for the bug in any application. This class focuses on specific areas of appsec and on advanced vulnerability identification and exploitation techniques.

    Hands-on labs to attack the components of the vulnerable e-commerce site would be provided with multiple ways of exploiting the bug.
  • Mass Assignment vulnerability
  • SQL Injection
  • File Upload Vulnerability
  • Remote Code Execution
  • IDOR
  • Server Side Template Injection
  • OS Command Injection
  • Server Side Request Forgery
  • Cross Site Scripting
  • Lack of validation
  • Local File Inclusion

This training takes a comprehensive and practical approach at implementing DevSecOps Practices for efficient Application Security.

    The attendees would be taught to do source code analysis, mitigation techniques and security practices. Secure code snippets to implement the following practises would be taught:
  • Input Sanitisation
  • Data transfer Objects
  • Parameterized queries
  • Stored procedures
  • File type validation checks
  • Access Controls
  • Whitelisting
  • Rate Limiting
  • Sandboxing
  • Shell Escape Mitigations
  • Parameter Validation
  • Response Validation
  • Regex checks
  • Authorisation Checks

They will in turn have to modify the vulnerable code with secure code snippets, deploy it with docker and test the attack vectors again. We will wrap the session with a Capture the Flag style competition hosted in CTFd platform with multiple challenges on Source code review where the participants will be provided with dockerized challenges to test their attacking and patching skills learned from the training.

Who should attend this talk?
This training is completely beginner friendly, from newbies, developers, security engineers to pentesters who want to get more practical experience in finding vulnerabilities and secure coding practices.

Prerequisites & Requirements
Attendees need to have a laptop with docker installed.

Speaker's Bio

Gopika Subramanian is a security researcher with primary focus on Web and Mobile Application Security. She is currently working as a Security Engineer at PhonePe. Gopika is responsible for engineering, threat modeling and implementing Application Security Initiatives at PhonePe. In her free time she participates in CTF competitions and has presented/trained in a multitude of conferences including Women in security India, Bsides Delhi, Wicys and more.

Hitesh Kumar is a passionate Product Security Engineer with three years of experience in keeping digital systems safe and secure.Throughout his career, Hitesh has become an expert in protecting websites, mobile apps, and the underlying systems that power them. He has worked with different industries and teams, learning how to find and fix vulnerabilities and follow secure coding practices. Hitesh has a good understanding of microservice architecture and threat modeling. Hitesh has helped multiple companies create guidelines for secure coding. In his free time, he plays CTF and does Bug Bounty.