A Tester Walks into a Security Conference

There’s no punchline. sorry.

This post is all about me attending my very first Security Conference at BSides Leeds on Friday the 24th of January 2020. There are links to resources and tools at the end, some of which are mentioned in the body of this post. Please make your own judgements on using them.

I’m always keen to pick up knowledge in areas I’m less familiar with. Knock some of my ignorance off if you will, and this seemed an ideal opportunity. I mean, other than Leeds Testing Atelier and now Geordie Atelier, there are not that many opportunities to attend quality conferences for just £5 or less, other than online. I’m not detracting from online conferences and no doubt we will be seeing more of them in the coming months given the current situation. That said, there’s something about being able to hear and join in conversations with people you would otherwise not get the opportunity. I’m looking forward to those times returning when it is safe to do so.

Mark Carney is the main organiser and made the opening remarks. Mark has been attending Ministry of Testing Leeds Meetup for some time now and it was great to hear him encourage the attendees to go to testing meetups. In fact, he said that in some areas, testing was ahead of security by 15 years! I’m not sure about that, but I do know that I’ve learnt a lot from chatting with Mark during and after our meetups so as much as he encouraged attendance at testing meetings, I’d strongly encourage the same for testers to go to security meetings and conferences.

The more we can learn to spot that ‘low hanging fruit’, the more the specialist can spend time focusing their knowledge on the areas they can most add value. Add to the fact that there’s a very real desire to ‘shift left’ testing, then surely that should include all forms of testing. Security, testability, automation and accessibility can all be thought about early. There is real value in thinking about all of these and more upfront to at least know the potential scope. But I digress.

Dan Cuthbert gave the keynote following the conference theme of ‘Vision’ and after quite rightly pointing out that Leeds has led the way in building everything (don’t @ me, its true!). He outlined the revolutions that change the world from the first industrial revolution to the second electrical and third electronic. His vision was that we are currently in a fourth cyber / technological revolution and that geeks have indeed inherited the earth! His rationale was hard to argue with. The FBI (Federal Bureau of Investigation, USA) now have a cyber most wanted list. There are more cybercrimes than physical ones. He spoke of the weaponizing of social influencing giving an example of where texts were sent saying a child was in hospital and to use this link for the location. Of course, the link is malware or similar to harvest data.

Amongst other things mentioned were a Netflix documentary called ‘The Great Hack’, massive personal data collected on Chinees Muslims and the fact that there is no real InfoSec (Information Security) regulations. Overall a very interesting and thought stimulating keynote.

It’s not my intention to try to document all the speakers or activities but I will try to summarise a few. If you get the chance to go to a lock picking workshop, I would highly recommend it. It was great fun learning the basics and the sense of achievement of that first ‘click’ to open a lock is quite something. So too is the ‘Car Hacking Village’ where you can see all the components of cars security systems laid out and try to hack them.

So, to the summary.

CI/CD Pipeline Ideas (Continuous Integration / Continuous Delivery) There were things suggested through the day that could be added to the process. These are also things that can be learnt and executed by every tester and / or things to question early in the project. It was generally noted that good clear logs are needed to help these and useful in general. While not specifically called out I did think about observability a few times through the day as helping security in general.

  • Out of sequence navigation Basic injection (SQL etc.)

  • Role permission exceptions and segregations (e.g. publish own changes, release own batches that require two users)

Shift Left ideas

  • Mentioned a few times in different ways was shifting security left

  • Asking questions early can help identify potential gaps or risks relating to security. This is why having a basic understanding is really useful for both testers and developers

  • Understanding the OWASP (Open Web Application Security Project) Top 10 can add value to teams by demystifying the basics and identifying opportunities to make our software more secure.

Similarities

  • In the same way we use risk to guide our testing, threat modelling is used to map out potential target points (risks) to security systems.

  • Security can be brought into the design stage just like accessibility

  • Security failings can have similar if not more reputational damage to poor quality, user experience or compatibility issues

Conclusion

For me, this was a really valuable day where I took away lots of learning to apply in projects. One of a testers powers comes from asking questions. If we can add basic security knowledge, we can ask questions earlier and at a time where it is most valuable. If we can execute basic security tests, we can save the company time and money allowing the experts to concentrate where they can add most value.

Be the tester that walks into a security conference and add to your value.

Useful links: (Please note I am not endorsing any of these tools or their use, just sharing information from the conference. Please make up your own mind if it is right to use them in your context)

Bsides Leeds (http://www.bsidesleeds.co.uk/)

Mark Carney Twitter (https://twitter.com/LargeCardinal)

Big list of naughty strings (https://github.com/minimaxir/big-list-of-naughty-strings)

OWASP Top 10 (https://owasp.org/www-project-top-ten/)

PWNDEFEND (https://www.pwndefend.com/category/defense/)

NMAP free security scanner (https://nmap.org/)

Sentry MBA automated attack tool used by cybercriminals (https://www.shapesecurity.com/reports/sentry-mba)

SQLi Dumper, SQL injection testing tool (https://www.cybrary.it/blog/0p3n/pentesting-sqli-dumper-v8-tool/)

Yarn performs vulnerability audits against installed packages (https://classic.yarnpkg.com/en/docs/cli/audit/)

The Great Hack – Netflix review (https://www.rottentomatoes.com/m/the_great_hack)

FBI Cyber Most Wanted (https://www.fbi.gov/wanted/cyber)

Leeds Testing Atelier (https://testingatelier.community/)

Geordie Test Atelier (https://geordietestatelier.netlify.com/)