In this episode of the We Hack Purple podcast host Tanya Janca met with Anant Shrivastava! We talked about securing the entire software supply chain (including your CI/CD and where you get your packages from), and how it is more than just buying a software composition analysis (SCA) tool. He explained the new and very different risks of securing a mobile app versus a regular web app or an API, that’s he’s more of an ops than a dev person, and how the risks are all coming together now that many of us are doing DevOps. He shared his numerous open source projects, such as:
Code vigilant: https://codevigilant.com/,
TamerPlatform : https://tamerplatform.com/ and
HackingArchivesOfIndia https://hackingarchivesofindia.com/.
Anant’s Bio:
Anant Shrivastava is an experienced information security professional with over 15 years of corporate experience. He has expertise in Network, Mobile, Application and Linux Security. He is the founder of Cyfinoid Research, a cyber security research firm and has previously served as Technical Director at NotSoSecure Global Services, a boutique cyber security consultancy. He is a frequent speaker and trainer at international conferences such as BlackHat, Nullcon, and c0c0n. Additionally, Anant leads the open source projects Tamer Platform and CodeVigilant and maintains the Hacking Archives of India. He also participates in open communities targeted towards spreading information security knowledge such as null (null.community). His work can be found at anantshri.info and his blog is here https://blog.anantshri.info/!
Very special thanks to our sponsor: The Diana Initiative!
The Diana Initiative is seeking sponsors for their annual event happening Monday August 7, 2023 in Las Vegas - https://www.dianainitiative.org/sponsor/ for more information
The Diana Initiative Call For Presentations opens on March 1, if you have a topic you want to share submit at tdi.
The Diana Initiative Is: A diversity-driven conference committed to helping all underrepresented people in Information Security. This year the theme is “Lead the Change.” You can submit to be a speaker at tdi . mobi / CFP or if your company would like to support the event by sponsoring check out https://www.dianainitiative.org/sponsor/
Join We Hack Purple!
Join us in the We Hack Purple Community: A fun and safe place to learn and share your knowledge with other professionals in the field. Subscribe to our newsletter for even more free knowledge! You can find us, in audio format, on Podcast Addict, Apple Podcast, Overcast, Pod, Amazon Music, Spotify, and more!
In this episode of the We Hack Purple podcast host Tanya Janca met with Anant Shrivastava! We talked about securing the entire software supply chain (including your CI/CD and where you get your packages from), and how it is more than just buying a software composition analysis (SCA) tool. He explained the new and very different risks of securing a mobile app versus a regular web app or an API, that’s he’s more of an ops than a dev person, and how the risks are all coming together now that many of us are doing DevOps. He shared his numerous open source projects, such as:
Code vigilant: https://codevigilant.com/,
TamerPlatform : https://tamerplatform.com/ and
HackingArchivesOfIndia https://hackingarchivesofindia.com/.
Anant’s Bio:
Anant Shrivastava is an experienced information security professional with over 15 years of corporate experience. He has expertise in Network, Mobile, Application and Linux Security. He is the founder of Cyfinoid Research, a cyber security research firm and has previously served as Technical Director at NotSoSecure Global Services, a boutique cyber security consultancy. He is a frequent speaker and trainer at international conferences such as BlackHat, Nullcon, and c0c0n. Additionally, Anant leads the open source projects Tamer Platform and CodeVigilant and maintains the Hacking Archives of India. He also participates in open communities targeted towards spreading information security knowledge such as null (null.community). His work can be found at anantshri.info and his blog is here https://blog.anantshri.info/!
Very special thanks to our sponsor: The Diana Initiative!
The Diana Initiative is seeking sponsors for their annual event happening Monday August 7, 2023 in Las Vegas - https://www.dianainitiative.org/sponsor/ for more information
The Diana Initiative Call For Presentations opens on March 1, if you have a topic you want to share submit at tdi.
The Diana Initiative Is: A diversity-driven conference committed to helping all underrepresented people in Information Security. This year the theme is “Lead the Change.” You can submit to be a speaker at tdi . mobi / CFP or if your company would like to support the event by sponsoring check out https://www.dianainitiative.org/sponsor/
Join We Hack Purple!
Join us in the We Hack Purple Community: A fun and safe place to learn and share your knowledge with other professionals in the field. Subscribe to our newsletter for even more free knowledge! You can find us, in audio format, on Podcast Addict, Apple Podcast, Overcast, Pod, Amazon Music, Spotify, and more!
welcome to the we hack purple podcast
where each episode I meet someone who works in application security who's
fighting the good fight to secure all the things I'm Tanya Jenka I am your
host and this episode is sponsored by the Guyana initiative an amazing
conference that happens in August right around when all of hacker summer camp is
happening including black hat and Defcon it is a conference for people who are
underrepresented in Tech and want to find a place where everyone looks like them this episode's guest is a nant anant can
you please tell the audience a little bit about yourself hi um I'm Anand srivastav
um close to about 15 years of corporate experience about 17 years I've been a trainer I've been involved with Linux
for about 20 years or so and uh I started out as a administrator server administrator
somewhere down the line I did a lot of development work and then around 2010 is when I fully moved into information
security have been into a sock kind of roles and then into pen testing kind of
roles two then in my last job I was managing a team of about 50 60 pen testers to my current uh job where or my
current company where I'm trying to build a small Niche research based firm which then gives out all the content
whatever we have researched in the form of training programs so you and I chatted a bunch of before
we decided to record and a thing that you and I were talking about is supply chain security and I feel like literally
every conference is talking about supply chain security so we might as well do it too
can you explain for the audience like what does that mean okay so supply chain security is a very
generic term which basically talks about whatever is the pipeline that is there
to reach a product to you now that's a general supply chain just like every
other keyword that information security or information technology takes from other fields they took this supply chain
and they framed it in software context so what we generally in it talk about is a software supply chain security
effectively when you are creating a software so you are writing a bunch of
code what generally happens nowadays is you write about 20 of the code yourself
and 80 of the stuff is import this import that and then the whole thing
works at the code level this is your supply this is the chain that is there these
are smaller components that are basically forming your code they are part of your supply chain
but the supply chain is not just this there are bigger pieces around it right
from so if we look at it from a full end-to-end Journey perspective the codes
Jeremy starts from a developer's laptop where they have bunch of different softwares installed and then one of the
software is an IDE which has multiple plugins in it and then that's where they're writing the code
from there they are committing the code into a what you say a source code repository mostly it is get but it could
be SVN it could be bunch of other source control softwares so the code goes there
from there uh there might be automated tools like what we call a CI CD or
continuous integration continuous deployment softwares so those tools will basically take that code perform certain
number of actions on it and then move to the next phase then you might have a test environment where the code gets
deployed and you perform some test then there is a production environment where the code gets deployed and then other
people can access it the environments that are there are also pieces of this
whole puzzle to then the software that are used to monitor your production
environment or your test environments every single piece that is there right
from every single software installed on your developer's machine to every single software installed on your servers the
entire pipeline is your software supply chain a compromise at any of this level can
lead to a compromise of your product so that's the whole piece according to
my understanding so far what do you say Tanya oh I agree I saw a conference talk
at besides Ottawa in November of 2020 or 2022 and um this friend of mine Alex Dao
from Mirai security he did a talk about how his pen testers attacked an entire
devops tool chain and you know here's how we got in through Docker here's how we gone through Jenkins here's how we
gotten through this here's how we and there was like 11 different points of compromise and people said you know well
why would someone attack why would someone attack your cicd and
then he's like solar winds um because that's what happened if they
could release your code themselves and have it go out into production to your
customers like oh my gosh that's so terrifying it's like someone taking over your
manufacturing Factory for just an hour and shipping poison cookies
so I have two stories around this one is
basically a news that is coming out now so if you look at last few days Circle CI got hacked LastPass got hacked or at
least they accepted that they got hacked slack got hat okay got hacked
these pieces you won't actually consider them part of your supply chain or in
general you won't talk about them because these are third-party SAS vendors but each of them are very
crucial ingredients of your whole process the second story that I had is I think
from 2015 or 2016. we were doing a pen test and we realized that one of the
website was exposing dot SVN directory so SVN was the version control system
that they were using and they were doing active deployments and the dot SVN
folder was exposed over the internet so I have written a custom tool of my own I was able to download the whole
content from there and the important thing that I got was the URL where the
source code was and the username that was there which was pushing the code in
it now it was a proper username but I did not have to even Brute Force the
password the same username was the password okay and this company
was a multinational company having all of their Regional websites in those
repositories all we had to do was push one PHP file into all of them and we had shells into
50 different Regional servers in like a span of 10 minutes because there was an
automated deployment as soon as the change is pushed into the Repository oh well oh my gosh you make such good
points in that I don't know if you remember I think it was sometime last year where
um there was a company that had essentially an advanced persistent threat which means hackers like living
on your network for a while and the malicious actor or like the the
ransomware group basically started publishing to the internet pictures of the slack
conversation of the company security team and that they didn't realize that
their slack had been compromised and I remember trying to explain to some of my staff what out of bound or out of band
means I'm like we need to discuss out of band if something happens like this and they're like What's out of band I'm like
well for instance not using our company email like setting up a private you know a
Gmail account or something that we're all sharing or uh just sending to our private emails or using our personal
cell phones instead of work cell phones like you don't know the level of compromise they're just like oh my gosh working a security company Tanya like
so the important bit that I kept in mind uh was don't store the data that you
don't want to protect that's the biggest key that is there
unless you're an Advertising based company where then you want everything stored
still everyone's personal private information and sell it for profit
so so if the entire supply chain includes basically every everything that
you use including the ingredients to make your software a thing that we briefly talked about was
where do you get your packages then yep yep so um I mean this is a fun
scenario because there is a concept of long-term stable releases and I'm only focusing on Linux
right now we can kind of extrapolate it to Windows and Mac also so there's a
concept of long-term release or long-term supported releases in Linux environments you have red hat providing
their long-term release you have Debian which comes out like once in three years you have Ubuntu where every two years
their 0.04 release is actually a long term stable release the way they talk about stability is
they will keep the packages in the same version so no matter what software you're running you are always sure that
this version of software is present as the base product this does not sits well with anyone who
is a recent developer because they want to work on the latest version of
softwares so the problem that comes is you have node.js you have Ruby you have python
people are now installing softwares from different sources which are not the
distro maintained sources so a distribution in Linux maintains their own packages a small number of
packages and they try to maintain the security aspects around it they try to tightly couple that yeah the updates
should be there they should be frequently pushed out and all those things compared to that if you have installed
something from say pip or ruby gem location or let's say from a npm
repository the accounts of ensuring that the packages are kept up to date is on
you now this is where the fun part starts because
in all of these languages the developer can freeze the version that they are
using now they are confident that the product works on this version let's say in for one of the other reason
the developer is not able to update the version so not able to test the software on latest versions and a security patch
has come up in the latest version you can't install the latest version because you don't know if the software
is going to continue working or not I have as part of my open source
projects I work on Android related distribution called Tamer platform this
was the biggest challenge that I had softwares one software needs Ruby but a
module of say version 5.4 the other would not work with 5.4 but would work
with 5.3 there are packages which work with Java 11 the others will work with Java 17. so
different softwares require different things and because of those complexities
people end up creating a sort of a Frankenstein monster which is a
combination of multiple sources with no clear path on how the update should
happen Docker came up with the whole concept of containers came up to the whole uh idea
that yeah you package things in separate containers and then you isolate things the problem that has also now happened
is those container themselves again needs an update process you have isolated them but they might
still be vulnerable and you again need to track one more thing where we are not able to track 10 things now we have to
track 20 things so the the cycle keeps going in people keep looking at more variety and
this is where uh at times the thing comes that hey why not build something
which is on a stable background rather than running for the most latest version
of things so the packages uh so a long-winded answer to your question the packages by
default would come from your native sources but the problem with that is they are not of the liking of what do
people want to code so the sources of packages are varied now this is where uh I shift from Linux
to let's say mac in Mac any developer worth their salt would not be using the native
development tools from Mac they'll be using brew and then they'll be installing a number of packages from
other sources Brew then allows you to tap into different people's repositories and
whatnot the good part and the bad part about it is you are relying on someone else to
ensure that the packages are updated and then you are relying and everyone
else is relying on you to ensure that you keep yourself updated if anyone fails in the chain the whole
situation is compromised so that's the yeah
it's a trust going on yes yes we shouldn't necessarily be putting our
trust there like like security people were big on not doing implied trust
where just by default We Trust something we're supposed to not trust by default or have zero trust that's the case is
yeah I mean it's it's an oxymoron kind of a situation for me security people talk
about hey we should not be trusting other people the the one end of the spectrum is going self-hosting and just
doing bare minimum and ensuring things work in your own environment you have full control over everything but when
you look at the recommendations given by most of the Security Professionals they would be like hey someone else can
actually take care of the security far better so instead of you doing things in your own you should be relying on a SAS
render to do things for you now you are dependent on that SAS vendor
the problem does not comes with having one or two vendors the ground reality situation is right now all of us are
dependent on maybe about 50 to 100 to 200 SAS vendors and every one of them
have to keep their business functional so that we are secure yes
so that is that is the other side and uh the part about
trusting uh the bigger challenge that also comes so let's say you're you're
someone who does not trust people and let's say you have uh you are of the
person who has done the full code audit of every single module that you've used now look at the situation that a
decently sized organization and let's say they're using node as their language
of choice I'm just picking on node because I hate JavaScript but applies to
every language so if they're using node and they build a decent side of sized application they
might be depending somewhere between 200 to 500 modules now let's say you have a
team of 10 people who are looking at your environment from a security standpoint
then you realistically believe that these 10 people would be able to audit all the 500 modules when a new version
of them comes out and be able to provide a judgment to your team that hey the new version came
out it is good to be used so if if the ownership is taken at the
org level the complexities keep on increasing for them it's a factor of Manpower it's a factor of cost and all
of that plus the rapid Pace at which the development work happens and the reason
I keep picking on npm and I don't know if you've seen that but there is an npm
module called is even which tells you whether the number is an even number or an odd number
and then there is a module is odd okay both of them are developed by the
same person and I don't remember which one but one of them actually depends on the other
one so it's like if you install is even it depends on is odd and what it does is
it passes the number to is odd and if the is odd says it's odd it says it's
not even and if it says it's not odd it says it's even so the dependency hell
that is there with cascading dependencies I mean it's one side to talk about that
hey I can just leverage a module and use it but people keep forgetting a term which is called technical debt every
time you use something which is not wetted by you or you've not actually
realized whether you actually need it or not then a technical debt increases
the funniest situation comes not in the web application space but in the mobile
space so you take an application and let's say an Android application you decompile it
and I've had this multiple times you realize okay this application has four
different packages which are doing root detection which should be doing root
detection but at the end of it the author is not called even one function out of the
Earth they are imported for something else that is available in those packages
but this feature was there but that was not called at all so the code rot that
keeps on increasing in your code base because of all the modules that you randomly just keep importing and then a
lot of times people don't even realize that hey I'm not using this module or I found a better alternative to remove
this module the whole aspect about reducing your dependencies on others where you don't
actually need to depend is something people keep missing nowadays could be a
factor of you need to build with speed could be a factor of I don't care if everything works all I need to do is add
more RAM into the system add more course and Cloud supports me to do that auto scaling and people don't care about it
it's it's not ideal I I feel like when a
lot of security folks talk about supply chain security we just talk about a software
composition analysis tool because it's something we can sell you yeah
and yeah and I feel like you've outlined that there's sufferers like the supply chain security
the idea of the whole thing is not just so a software compositional analysis
tool or SCA is super helpful does tons of stuff but also just teaching your
developers to remove unused dependencies and to work with your technical debt to reduce
it so you don't have so much security debt and you can't sell that so like a
lot of companies are like they can figure that out for themselves yes because the number of hours that you
spend on technical debt there is no direct impact in terms of a new feature getting added although it makes things
easier for you to work on a longer scale but the immediate benefit is not there
uh so yeah that's that's definitely there uh there is one thing which again
uh a reference uh I'll make so a friend of mine uh they run a company called
redundant labs they wrote an article about assets what is an asset so it was
part marketing part of knowledge based article but the idea was to take the
approach where asset does not necessarily means an IP address or a domain name
an asset for an organization is also the git repositories that you have is also
the cloud accounts that you have the S3 buckets that you have and that random
subdomain that was assigned to a developer to run a test environment for you that's also your asset
yeah the test box that they forgot about from 2014 and it's still floating around
there yep so yeah
so I was saying besides s bomb the other important and this is this a point that
everyone talks about no one knows how deep the rabbit hole goes is the asset
inventory you don't even know what you have so you can't even protect what you don't know
that is it's so important it's usually my first step when I get somewhere yeah
do you have an inventory and they're like well you know four years ago we had a co-op student that interviewed some
people and they made a Excel spreadsheet and I was like okay so you don't have one got it yep
so a fun story uh back from I think 2010 2012 time frame I was working with an
organization and uh I was doing blog monitoring and uh recording logs and
analyzing them and they had a massive project going on there where they were inventorying
everything so they had about 5 000 Assets in their environment at that time when we looked at the asset list and
we're like hey there seems to be something wrong in this and the thing that came up and we were
able to clean up that inventory to about 95 96 percent because we we had visibility
into multiple different logs and we used basic correlation techniques
if a semantic area is installed on your machine there's a very high chance you
are a Windows machine if you're marked as a Linux box I just need to double check once
back in those days Windows did not had 22 Port open on them so if there's a
port 22 open on a device there's a very high chance it is not Windows
so we would use this correlation on like a weekly basis and we were able to find
so many discrepancies like a machine that is supposed to have semantic AV installed because it's a Windows machine
does not have semantic AV installed because it is marked as a Linux box in the inventory so inventory when it was within the Lan
Network we were able to do this because we had that kind of a visibility but when you take the inventory out like for
example recycle CI hack the credentials that were stored inside
Circle CI which were used to access buckets and whatnot across your network
you have no visibility of what is there what is not there and how you are dealing with it
it makes me sad when tool makers get hacked because it's like but I I have so
much faith in you now I feel like some of my faith is broken because I I've
used Circle CI I like it yeah I mean it's a good tool I haven't really met a
CI CD I don't like though so uh have you played with Jenkins
self-hosted on a limited amount of RAM no
I've only done the cloud junk answer me yeah
so one of one of the things we were talking about before was that you're
more of an ox person than a Dev person and last year I wrote this article called like what is infrastructure
versus what is considered like custom apps or software or stuff that software developers work on and I I did it
because I was talking with a friend who's kind of getting into Tech and he's like wait so operating systems are
software but it's called infrastructure but when you make an app or you're one of those apps that you test that's
called software he's like isn't it all software and so I wrote an article about it and a lot of people read it and I was
surprised because I was like this is so basic no one will want it so tell us what does that mean like
being more into Ops than death okay so uh I'll take a slightly uh larger view
devops is the term that generally people use nowadays but the the traditional
format was there was a development team and there was an operations team so if you consider the older waterfall model
uh a business people would let's say your company is a software development or a software Product Company there'd be
business people would basically bring in the business or the idea that this is what we want to build it then that requirement goes to the
development team the development team is supposed to do all the coding and get the software working as they feel at
that it should work then they would give it out to another team which was called the QA team quality assurance team they
would do all sorts of testing on it and tell you hey this is wrong this might be problematic this is where things are bad
and whatnot and then they would come up with their own recommendations development team will fix those and then
it will move forward just a side note this QA team the entirety of infosec
under application sphere is kind of a part of this QA team the same team we
generally try to disabout we are like a smaller portion of that QA process yeah
and then once the software is built the development team would then say hey
I've got the software working in my environment we now need to make it
available for our customer so the difference is a software working for a
developer means on my laptop it's working I can open a web page I can see how the web application is working or I
can launch the software and it's working but when you say I want to make it available in production for all of our
customers that basically then means a separate set of processes where an
environment is going to be created which is optimized for your set of application
role and then tweaking would be done in the environment in such a way that the
application can work like for all of your customers let's say if your customers are 10 or 20 I don't need to
care much about it I can just start the software the base software let's say it's a PHP application I just need a web
server PHP on it maybe a database server and everything runs in a single box but
then let's say I have 50 000 customers I'll be like Yep this is not going to work this way I need one server which is
sitting in the front then another server which is the PHP server and then another server which is the database server and
then I need to optimize the database server so it can handle multiple connections because multiple people will
be accessing things I I need to maybe set up a load balancer on the front so that if 50 000 people parallely come in
they can be channelized and multiple servers can actually load balance everything
all this aspect of putting the whole uh software into an environment where it
can function and serve a large number of people is what is the operations aspect
now what has happened is as everyone kept growing there were differences
between how developers would approach a Thing versus how an Ops person would approach a thing like for example I was
talking about packages that was a major disagreement between Ops and devs devs would be like I want to use the latest
Ops should be like nah you're getting this version of Linux you're getting this package figure it out
so then you came a point where in in short the developers were given the
freedom that hey look at what the Alps is doing can you do something about it and the developers being developers they
came up with an approach where hey why not try and figure out how we can bring
the manual effort into automation into code so that's where the whole
infrastructure scored piece came into picture and the new term devops became
common now as security has it my understanding my usual crib about it security wants a
name of their own so they want their own name in the picture so they became devsecoffs the term that should never
have existed but it exists the dev and Ops Ops what two two
separate components which are now combined together and the reason for combining them together is to ease out
the whole disagreement between the two people rather make it a single person's job
this is very much beneficial for startup space it is very much not beneficial for a
corporate space on a bigger 20 000 people company you don't want one person doing end-to-end
work you want 10 people doing checks and balances doing cross-referencing with each other and getting the job done but
on a startup you don't want to hire 10 people you want one person do everything if the person can mop the floors and
bring you sales you would be more than happy so does that answers your question
it does it reminds me of um a funny story so uh sometimes companies will try
to recruit me to come work for them and I'm like oh I run we have purple so I'm
pretty busy um and uh so the so the CEO is telling me well you really want to join our
company because our product is made out of devops and you like devops and he's like your
products made out of devops and the CEO said yeah it's literally made out of devops and it's like devops isn't a
substance and the CEO insisted no it is so you should meet our CTO our chief
technology officer so I met with the the CTO and I said oh so your CEO was and I you
know like when you're friends with people that work at a company and they're just like just go through the interview and I was like no I'm pretty happy is what I'm doing they're like no
no no go so I meet with the CTO and the CTO is like oh no our product isn't made out of devops you're right it's not a
substance and he's like but we do devops and I was like oh okay what does devops
mean to you and he said well we can't afford two technical people so I have to
do the dev and I have to do the Ops so therefore our product is devops and I
was like I have to go now and to go but at least he knew it wasn't a substance
so that's good okay I want to ask you one more thing
because we're like because I'll talk to you all day just like I did last time we had a call
um okay so Android security so my Achilles heel of absec is mobile apps and you've
done a lot of Android security can you I don't know just tell us a little bit about that
all right so uh the major change that you have to do in your mentality when
when it comes to web apps versus mobile is that you have to take that whole idea
out of your head that there is a trusted end in web applications we have the web
server which we can Harden which we can protect and that becomes the trusted entity and then what we can do is hey
don't do anything client-side do everything server side because server side we know we can control
when it comes to mobile if your application is actually based on a client server architecture you can
rely on the server but if you rely too much on the server your
application is just basically taking input sending it out to the server and coming back which means
one the slowness to the bandwidth consumption it's not just that it's slow it's costing money to the person to
operate your app now the other thing that comes is one
the app developer cannot trust so you can't rely on the server and you
can't trust anything within the device itself you don't know if the user that is
running the application is a trustable user or someone who is out there to hack
your machine you can't trust whether the app is running in a secure environment you
might be in a rooted device you might be running in an environment where the idea is to cause damage to your product or
the idea is to uh not cause a harm to them in terms of not
let their money be used in your application in terms of in-app purchases
so most of the mobile apps have in-app purchases I remember the days around 2014 2015 time frame before Pokemon
became a big thing in-app purchase hacks were the most common hacks that were
there so you would create an app you would have the app with micro transactions built in the person would
basically install a software and then all of your purchases would be automatically authorized without
actually spending money funny enough it was the gaming industry and especially Pokemon go that kind of
made it a hard thing for everyone the whole route detections to SSL pinning to
basically in-app blocking in the whole apple and the Android ecosystem saying
hey we need to do something about in app hacks all of that came up somewhere around the
Pokemon go and the other tooling that came up other games that came up around that time so in Mobile security one
thing is you can't trust anything you are running your application in an hostile environment all the time
so anything that comes cannot be trusted you can't rely that a header that is
coming from the server is a trusted header it could have been faked in between so every in and out has to be validated
you can't trust any of it that's one major chunk the other thing which is
where I have a gripe with the infosec community in general what I'm seeing nowadays is there's a
handful of people who are actually doing anything around mobile apps themselves
what has happened is everyone has kind of figured out hey most of the apps have
some web server sitting in the back end so what we will do is we will not focus on the app itself because that's the
tricky bit we will start the app start burp or Zapped
check the traffic and then focus on just the apis there are lots of problems that are
there in the app itself that that are there in the device itself that no one
touches like I think just two three days back someone posted a bug in Samsung's
TTS talk to uh I mean a tap to talk or push to talk service or text to speech
service where by just one intent call you're
able to get into a routine or not exactly a root shell but a high
privileged system shell which then has higher privileges than what you have
now there's the other interesting aspect in your web applications or in your
server space or in your desktop space you have the concept of a super user you can become an administrator you can
become a root and then do a lot of things mobile devices are by default built in
such a way that when you are the owner of the device when you are running an application in the device none of the
applications are minimal number of applications are running with higher user privileges you are running application as a very
low level privileged user a recommendation which a lot of times people have given on Windows that hey
use a non administrative user as your default user so that's kind of the idea
that mobile devices have taken and they by default run in a non uh super user or
non-admin mode that then means that one if a user is
able to find a way to become root they'll be able to access a lot of things for example uh fun fun stuff uh
Google Authenticator which stores your two-factor Authentication
for a very long time and I don't know the current state because I stopped using Google
Authenticator at one point Google Authenticator would rely on the fact that the application data cannot be read
by other applications So within Google authenticators app data space there
would be an sqlite file if you are able to access that it has the website or wherever you have
accessed the token it has the token value it has the timestamp all those details are there in clear text they
were not even encrypting that and they had a very clear public issue around it we rely on the Android's native
capability to protect if you're running on rooted device you can't do anything about it so those sort of assumptions
are there some people make the Assumption on the side that hey it is protected we will assume it's protected
the other people make the Assumption hey everything is compromised and they end up creating a such a complex process
where everything slows down and they can't justify it but that's how they are
able to manage things like nowadays everything is there your cryptocurrency wallets are there your
banking applications are there your so in India UPI is a big thing so UPI is
like a payment transfer the whole Gateway concept is there and you can
transfer money from one account to another across Banks across the country within seconds so there are n number of
apps which rely on that platform and all of them are there in the device itself and that's where the complexity comes
that the since you can't trust anything you have to build checks and balances
the more checks and balances you build the more complex the app gets
it feels like a balancing act now it is it is it is definitely and uh then the
next aspect that comes is people have now started relying on other Frameworks so again the problem that hey uh Native
application is becoming very tricky for me so hey can I use something which works on iOS and on Android so there are
now middle Frameworks so there's another layer of dependency now so your application is built in the framework
which does the translation into native code and then the native code runs so
these middleware again adds their own layer of complexity so when we are dealing with mobile applications let's
say if I give an advice for a security researcher the mobile application space
is a bit more complex but the understanding that
everything is compromisable gives you the freedom to actually let
your threat model fly out and where we would stop that hey that this thing went
to the server now I can't do anything about this server here you can control everything even if this this data is
going to the server what is coming back from the server you can temper with it
and if the app reacts badly there is a problem
so that's that's for the researchers part for the developers and for the uh for say uh yeah from a developer's point
of view uh the more complexity you add into the application
the more difficult it is to protect it and in short like I said in the
beginning if you don't keep the data you don't have to worry about it so you need to keep revisiting in what
you are doing do you really need to do that and only do what you really need to
do you are anyways reducing your threat model
that was such a good summary oh my gosh this is awesome
thank you laughs I feel like I could talk to you all day
I know I'm not allowed to so I you've done a bunch of really cool open
source projects and I I was wondering if like just super briefly if you could just tell us about you know code Village
and Tamer platform and hacking art hacking archives of India
all right so I'll take a very quick story like Journey I started working
with Android around 2010 I realized the software installation because of all the
complexities and one is built in Java six one is in Java 8 whatever was way
too complex for people so I ended up creating a very basic virtual machine which had the tools rightly configured
and I realized a bunch of people needed it so I made it available publicly that's when I started the Tamer project
and that has kept going on so now we've reached a point where the new version is
about to be released in a couple of months and what we are doing with it is there is a virtual machine environment
there's a Debian package environment there is a emulator that is available for Android devices there is a package
repository for that emulator which will have like vulnerable much vulnerable applications or your hacking tools
pre-baked in and then there's a minimal tools uh sort
of knowledge base which will tell you what tool how you can use which particular tool so that's the Tamer
platform because I wanted to do something for myself I made it and made it available
for everyone the code Vigilant project yeah oh I just want to say so for people
that are listening it's Tamer like a lion tamer t-a-n-e-r
platform.com so go check that out yes tell us about the next one so Ben I
think around 2014 I was sort of in that zone where I knew how to write
applications I knew how to do the deployment and other bits I knew how to pen test applications but I was trying
to figure out how to do code reviews and I found another friend of mine who was in the same situation and we were
like yeah let's do something together so that's where code which didn't started and we took WordPress ecosystem as our
base so what we did was we were like I am not going to find a bug if I start looking at a code line by line
so we downloaded I think there was about 30 000 WordPress plugins at that point we downloaded all of them
so we had 30 000 WordPress plugins PHP code and we're like how does xss happens
so the simple logic was Eco and if there's a dollar underscore get that's
an exercise we wrote a regular expression for grep ran that over the entire Repository
and then manually analyzed all of them wow so we ended up finding about 300 odd
bugs in 2014 that was the first iteration that happened right now I'm running the second
iteration of code Vigilant uh I stopped doing that because I was like grep and
then manually doing everything is way too complicated way too problematic for me and then the other things kept
happening so I shift it new things that happened in 2021 sem
group came out [Music] came out I was like yeah this sounds
interesting and the day they released PHP capabilities PHP support into it I
was like okay take this start writing the rules and start finding bugs
2021 we ended up disclosing about 50 60 odd SQL injections
in WordPress plugins wow all of that is on codevision.com and
right now we are again running more code so now what we're doing is because we have a set process so we run sum grip
and we find bugs all of that gets piped into a vulnerability management system that's where we do the trial and hit and
validation of the bugs and then we start reporting them so that's that's a massive project that we keep on working
oh my gosh okay so everyone go to codevillageant.com
so it's c-o-d-e-v-i-g-i-l-a-n-t.com [Music]
Vigilant not Villages Vigilant thank you sorry
okay then uh I think around 2015 2016 uh
I started going out of India and started attending various conferences and this
this was a common thing that came up that people were not even aware who is actually from India but is actually
representing people outside whenever I would talk with people from infosec space in India they would be talking
about people who are outside of the country and they would be idolizing them or they would be saying hey they're
doing fantastic work no one does things in India is not true that's not true there's so
much stuff going on in India so I I started a hunt so I was like okay I need
to find out who are the good people in India and there should be a place where people can see what these people have
been doing so if you now go to hacking archives of India I think I've not updated 2021 and 2022 data in it but
till 2020 all the big conferences that used to happen
I basically went into all the listings and identified who all identify
themselves as Indians and I've then added the details in so
for each author or rather be hacker their name is there their social media
handles are there if they are making it available in public and then all the talks they have done is listed the fun
part is the top person who is in that list uh some uh
he has been active in infosex space since 1997. whoa
whoa and a lot of people don't know so this was my way of putting this out
so now whenever someone says hey do people in India do this I'm like go to
that website you see the whole list how can people not know like India has
such a huge technology industry it's right it's giant yeah it's giant but the
thing is uh people don't glorify themselves people don't keep bragging
that they've done this we've done that I at one side I feel like that's a good thing on the other side I sometimes feel
like yeah at least you should brag at least you should tell people that hey this is what I am this is what I do so
they're not doing it I'm doing it for them I'm just putting out this is what they're doing
do you feel like maybe that's cultural like lots of women are told like you should
be modest you should be humble so then I tell them oh if you're going to speak at this conference you should tell everyone
on social media and they're like well I don't want to break I'm like well the conference wants lots of people to come
and like they have you speaking because they think people will really enjoy your talk
and and if you don't tell people they can't come see it and they're
missing out and it's your fault you're not bragging you're informing them I'm going to speak at this conference I'm
super excited to be there I'm going to talk about XYZ come on out yeah I mean for myself
personally it has been a bigger hurdle that I have to cross myself I have been more of in that jinxed I'd
not jinx it by saying I'm going there and I'm excited so I would end up not
talking about it and then most of the time so this is this has been my uh kind
of the way I would have operated I would talk about whatever I've done not what
I'm about to do so that's where I it's a monkey block that I'm trying to slowly
come out of but yeah that's that's the thing if you're doing something publicly you need to at least talk about it if
not brag about it yes well then on that note I was going
to ask if there's anything that you want so people who are listening obviously you want more an ant this is clearly not
enough so tell them where they can see you again or learn more about you or follow you
all right so I am available on all social media platforms under the name
Anand Shri so that's a n a n t s h r i it's kind of a combination of my first
name and a bit of my surname and uh I am also available on fediverse which is the
whole Mastodon and the whole uh other softwares why are my email ID which is
anantree dot info and that's the email address that's my federal ID that's my
xmpp ID so however you want to connect talk I am more than happy I am
interested in talking with people who are planning to do something interesting who are facing challenges right now in
security and just want a year to listen to and maybe get some discussion going
on I won't say I'll be able to guide them I won't say I'll be able to Mentor them but yeah I can definitely be a
listening ear be a support system and maybe give my thoughts about how things
would work if I want to do it he also gives security training folks in
case you wanted to know yep oh my gosh this has been so great thank you Annette
you're awesome I'm so glad you said yes thank you thank you for coming on the
show do you have any last words of advice that you want to offer before I do the Whirlwind wrap-up okay
um I do things that I keep on saying one don't idolize people
everyone is doing their own Journey Don't idolize anyone you do your own journey and uh you be a
parallel partner to others have them get help from them the other thing is uh
it is okay to say you don't know what is not okay is after six months
still saying you don't know so say don't know but then go and read
go and study figure out what you don't know and then you know that
that is awesome thank you so much Annette thank you so much to our sponsor
the Diana initiative which is a conference that is in Vegas this summer in August right before Defcon starts
also um I have a small amount announcement I will have two things that I'm going to
be doing I'm going to be one of the Keynotes at OAS Global appstack in
Dublin Ireland next month and I'm going to be at RSA in San Francisco in April
I'm going to be giving a learning lab Workshop about how to put SAS into your
CI CD pipeline without losing all your friends and I'm going to use some grab just like you were talking about
um it's like how can you do this but like not have it run for 400 years and tick off all of our nice newly made Dev
friends so I'm Tanya Jacob this was the we had purple podcast and we had a nance on and
it was awesome thank you so much for being on the show and Aunt thanks a lot for inviting me
hi everyone thank you bye everyone