We Hack Purple Podcast

We Hack Purple Podcast Episode 64 with guest Anant Shrivastava

February 09, 2023 Tanya Janca / Anant Shrivastava Season 3 Episode 64


In this episode of the We Hack Purple podcast, host Tanya Janca met with Anant Shrivastava! We talked about securing the entire software supply chain (including your CI/CD and where you get your packages from), and how it is more than just buying a software composition analysis (SCA) tool. He explained the new and very different risks of securing a mobile app versus a regular web app or an API, that he's more of an ops than a dev person, and how the risks are all coming together now that many of us are doing DevOps. He shared his numerous open source projects, such as:
CodeVigilant: https://codevigilant.com/
Tamer Platform: https://tamerplatform.com/
Hacking Archives of India: https://hackingarchivesofindia.com/

 Anant’s Bio:
Anant Shrivastava is an experienced information security professional with over 15 years of corporate experience. He has expertise in Network, Mobile, Application and Linux Security. He is the founder of Cyfinoid Research, a cyber security research firm, and has previously served as Technical Director at NotSoSecure Global Services, a boutique cyber security consultancy. He is a frequent speaker and trainer at international conferences such as BlackHat, Nullcon, and c0c0n. Additionally, Anant leads the open source projects Tamer Platform and CodeVigilant and maintains the Hacking Archives of India. He also participates in open communities targeted towards spreading information security knowledge such as null (null.community). His work can be found at anantshri.info and his blog is at https://blog.anantshri.info/

Very special thanks to our sponsor: The Diana Initiative!

The Diana Initiative is seeking sponsors for their annual event happening Monday August 7, 2023 in Las Vegas. See https://www.dianainitiative.org/sponsor/ for more information.

The Diana Initiative Call For Presentations opens on March 1, if you have a topic you want to share submit at tdi.

The Diana Initiative Is: A diversity-driven conference committed to helping all underrepresented people in Information Security. This year the theme is “Lead the Change.” You can submit to be a speaker at tdi . mobi / CFP or if your company would like to support the event by sponsoring check out https://www.dianainitiative.org/sponsor/


Join We Hack Purple!


Join us in the We Hack Purple Community:  A fun and safe place to learn and share your knowledge with other professionals in the field. Subscribe to our newsletter for even more free knowledge! You can find us, in audio format, on Podcast Addict, Apple Podcast, Overcast, Pod, Amazon Music, Spotify, and more!

welcome to the We Hack Purple podcast


where each episode I meet someone who works in application security who's


fighting the good fight to secure all the things I'm Tanya Janca I am your


host and this episode is sponsored by the Diana Initiative an amazing


conference that happens in August right around when all of hacker summer camp is


happening including Black Hat and DEF CON it is a conference for people who are


underrepresented in Tech and want to find a place where everyone looks like them this episode's guest is Anant. Anant, can


you please tell the audience a little bit about yourself hi um I'm Anant Shrivastava


um close to about 15 years of corporate experience about 17 years I've been a trainer I've been involved with Linux


for about 20 years or so and uh I started out as a administrator server administrator


somewhere down the line I did a lot of development work and then around 2010 is when I fully moved into information


security have been into a SOC kind of roles and then into pen testing kind of


roles two then in my last job I was managing a team of about 50 60 pen testers to my current uh job where or my


current company where I'm trying to build a small Niche research based firm which then gives out all the content


whatever we have researched in the form of training programs so you and I chatted a bunch of before


we decided to record and a thing that you and I were talking about is supply chain security and I feel like literally


every conference is talking about supply chain security so we might as well do it too


can you explain for the audience like what does that mean okay so supply chain security is a very


generic term which basically talks about whatever is the pipeline that is there


to reach a product to you now that's a general supply chain just like every


other keyword that information security or information technology takes from other fields they took this supply chain


and they framed it in software context so what we generally in IT talk about is a software supply chain security


effectively when you are creating a software so you are writing a bunch of


code what generally happens nowadays is you write about 20 percent of the code yourself


and 80 percent of the stuff is import this import that and then the whole thing


works at the code level this is your supply this is the chain that is there these


are smaller components that are basically forming your code they are part of your supply chain


but the supply chain is not just this there are bigger pieces around it right


from so if we look at it from a full end-to-end journey perspective the code's


journey starts from a developer's laptop where they have bunch of different softwares installed and then one of the


software is an IDE which has multiple plugins in it and then that's where they're writing the code


from there they are committing the code into a what you say a source code repository mostly it is Git but it could


be SVN it could be bunch of other source control softwares so the code goes there


from there uh there might be automated tools like what we call a CI/CD or


continuous integration continuous deployment softwares so those tools will basically take that code perform certain


number of actions on it and then move to the next phase then you might have a test environment where the code gets


deployed and you perform some test then there is a production environment where the code gets deployed and then other


people can access it the environments that are there are also pieces of this


whole puzzle to then the software that are used to monitor your production


environment or your test environments every single piece that is there right


from every single software installed on your developer's machine to every single software installed on your servers the


entire pipeline is your software supply chain a compromise at any of this level can


lead to a compromise of your product so that's the whole piece according to


my understanding so far what do you say Tanya oh I agree I saw a conference talk


at BSides Ottawa in November of 2020 or 2022 and um this friend of mine Alex Dao


from Mirai security he did a talk about how his pen testers attacked an entire


devops tool chain and you know here's how we got in through Docker here's how we got in through Jenkins here's how we


got in through this here's how we and there was like 11 different points of compromise and people said you know well


why would someone attack why would someone attack your CI/CD and


then he's like SolarWinds um because that's what happened if they


could release your code themselves and have it go out into production to your


customers like oh my gosh that's so terrifying it's like someone taking over your


manufacturing Factory for just an hour and shipping poison cookies


so I have two stories around this one is


basically a news that is coming out now so if you look at last few days CircleCI got hacked LastPass got hacked or at


least they accepted that they got hacked Slack got hacked okay got hacked


these pieces you won't actually consider them part of your supply chain or in


general you won't talk about them because these are third-party SaaS vendors but each of them are very


crucial ingredients of your whole process the second story that I had is I think


from 2015 or 2016. we were doing a pen test and we realized that one of the


website was exposing .svn directory so SVN was the version control system


that they were using and they were doing active deployments and the .svn


folder was exposed over the internet so I have written a custom tool of my own I was able to download the whole


content from there and the important thing that I got was the URL where the


source code was and the username that was there which was pushing the code in


it now it was a proper username but I did not have to even brute force the


password the same username was the password okay and this company


was a multinational company having all of their Regional websites in those


repositories all we had to do was push one PHP file into all of them and we had shells into


50 different Regional servers in like a span of 10 minutes because there was an


automated deployment as soon as the change is pushed into the Repository oh well oh my gosh you make such good


points in that I don't know if you remember I think it was sometime last year where


um there was a company that had essentially an advanced persistent threat which means hackers like living


on your network for a while and the malicious actor or like the the


ransomware group basically started publishing to the internet pictures of the Slack


conversation of the company security team and that they didn't realize that


their Slack had been compromised and I remember trying to explain to some of my staff what out of bound or out of band


means I'm like we need to discuss out of band if something happens like this and they're like What's out of band I'm like


well for instance not using our company email like setting up a private you know a


Gmail account or something that we're all sharing or uh just sending to our private emails or using our personal


cell phones instead of work cell phones like you don't know the level of compromise they're just like oh my gosh working a security company Tanya like


so the important bit that I kept in mind uh was don't store the data that you


don't want to protect that's the biggest key that is there


unless you're an advertising based company where then you want everything stored


steal everyone's personal private information and sell it for profit


so so if the entire supply chain includes basically every everything that


you use including the ingredients to make your software a thing that we briefly talked about was


where do you get your packages then yep yep so um I mean this is a fun


scenario because there is a concept of long-term stable releases and I'm only focusing on Linux


right now we can kind of extrapolate it to Windows and Mac also so there's a


concept of long-term release or long-term supported releases in Linux environments you have Red Hat providing


their long-term release you have Debian which comes out like once in three years you have Ubuntu where every two years


their .04 release is actually a long term stable release the way they talk about stability is


they will keep the packages in the same version so no matter what software you're running you are always sure that


this version of software is present as the base product this does not sits well with anyone who


is a recent developer because they want to work on the latest version of


softwares so the problem that comes is you have Node.js you have Ruby you have Python


people are now installing softwares from different sources which are not the


distro maintained sources so a distribution in Linux maintains their own packages a small number of


packages and they try to maintain the security aspects around it they try to tightly couple that yeah the updates


should be there they should be frequently pushed out and all those things compared to that if you have installed


something from say pip or ruby gem location or let's say from a npm


repository the onus of ensuring that the packages are kept up to date is on


you now this is where the fun part starts because


in all of these languages the developer can freeze the version that they are


using now they are confident that the product works on this version let's say for one or the other reason


the developer is not able to update the version so not able to test the software on latest versions and a security patch


has come up in the latest version you can't install the latest version because you don't know if the software


is going to continue working or not I have as part of my open source


projects I work on Android related distribution called Tamer Platform this


was the biggest challenge that I had softwares one software needs Ruby but a


module of say version 5.4 the other would not work with 5.4 but would work


with 5.3 there are packages which work with Java 11 the others will work with Java 17. so


different softwares require different things and because of those complexities


people end up creating a sort of a Frankenstein monster which is a


combination of multiple sources with no clear path on how the update should


happen Docker came up with the whole concept of containers came up to the whole uh idea


that yeah you package things in separate containers and then you isolate things the problem that has also now happened


is those container themselves again needs an update process you have isolated them but they might


still be vulnerable and you again need to track one more thing where we are not able to track 10 things now we have to


track 20 things so the the cycle keeps going in people keep looking at more variety and


this is where uh at times the thing comes that hey why not build something


which is on a stable background rather than running for the most latest version


of things so the packages uh so a long-winded answer to your question the packages by


default would come from your native sources but the problem with that is they are not of the liking of what do


people want to code so the sources of packages are varied now this is where uh I shift from Linux


to let's say mac in Mac any developer worth their salt would not be using the native


development tools from Mac they'll be using brew and then they'll be installing a number of packages from


other sources Brew then allows you to tap into different people's repositories and


whatnot the good part and the bad part about it is you are relying on someone else to


ensure that the packages are updated and then you are relying and everyone


else is relying on you to ensure that you keep yourself updated if anyone fails in the chain the whole


situation is compromised so that's the yeah


it's a trust going on yes yes we shouldn't necessarily be putting our


trust there like like security people we're big on not doing implied trust


where just by default we trust something we're supposed to not trust by default or have zero trust that's the case is


yeah I mean it's it's an oxymoron kind of a situation for me security people talk


about hey we should not be trusting other people the the one end of the spectrum is going self-hosting and just


doing bare minimum and ensuring things work in your own environment you have full control over everything but when


you look at the recommendations given by most of the security professionals they would be like hey someone else can


actually take care of the security far better so instead of you doing things in your own you should be relying on a SaaS


vendor to do things for you now you are dependent on that SaaS vendor


the problem does not comes with having one or two vendors the ground reality situation is right now all of us are


dependent on maybe about 50 to 100 to 200 SaaS vendors and every one of them


have to keep their business functional so that we are secure yes


so that is that is the other side and uh the part about


trusting uh the bigger challenge that also comes so let's say you're you're


someone who does not trust people and let's say you have uh you are of the


person who has done the full code audit of every single module that you've used now look at the situation that a


decently sized organization and let's say they're using node as their language


of choice I'm just picking on node because I hate JavaScript but applies to


every language so if they're using node and they build a decent side of sized application they


might be depending somewhere between 200 to 500 modules now let's say you have a


team of 10 people who are looking at your environment from a security standpoint


then you realistically believe that these 10 people would be able to audit all the 500 modules when a new version


of them comes out and be able to provide a judgment to your team that hey the new version came


out it is good to be used so if if the ownership is taken at the


org level the complexities keep on increasing for them it's a factor of Manpower it's a factor of cost and all


of that plus the rapid Pace at which the development work happens and the reason


I keep picking on npm and I don't know if you've seen that but there is an npm


module called is-even which tells you whether the number is an even number or an odd number


and then there is a module is-odd okay both of them are developed by the


same person and I don't remember which one but one of them actually depends on the other


one so it's like if you install is-even it depends on is-odd and what it does is


it passes the number to is-odd and if the is-odd says it's odd it says it's


not even and if it says it's not odd it says it's even so the dependency hell


that is there with cascading dependencies I mean it's one side to talk about that


hey I can just leverage a module and use it but people keep forgetting a term which is called technical debt every


time you use something which is not vetted by you or you've not actually


realized whether you actually need it or not then a technical debt increases


the funniest situation comes not in the web application space but in the mobile


space so you take an application and let's say an Android application you decompile it


and I've had this multiple times you realize okay this application has four


different packages which are doing root detection which should be doing root


detection but at the end of it the author is not called even one function out of the


Earth they are imported for something else that is available in those packages


but this feature was there but that was not called at all so the code rot that


keeps on increasing in your code base because of all the modules that you randomly just keep importing and then a


lot of times people don't even realize that hey I'm not using this module or I found a better alternative to remove


this module the whole aspect about reducing your dependencies on others where you don't


actually need to depend is something people keep missing nowadays could be a


factor of you need to build with speed could be a factor of I don't care if everything works all I need to do is add


more RAM into the system add more cores and cloud supports me to do that auto scaling and people don't care about it


it's it's not ideal I I feel like when a


lot of security folks talk about supply chain security we just talk about a software


composition analysis tool because it's something we can sell you yeah


and yeah and I feel like you've outlined that there's sufferers like the supply chain security


the idea of the whole thing is not just so a software compositional analysis


tool or SCA is super helpful does tons of stuff but also just teaching your


developers to remove unused dependencies and to work with your technical debt to reduce


it so you don't have so much security debt and you can't sell that so like a


lot of companies are like they can figure that out for themselves yes because the number of hours that you


spend on technical debt there is no direct impact in terms of a new feature getting added although it makes things


easier for you to work on a longer scale but the immediate benefit is not there


uh so yeah that's that's definitely there uh there is one thing which again


uh a reference uh I'll make so a friend of mine uh they run a company called


redundant labs they wrote an article about assets what is an asset so it was


part marketing part of knowledge based article but the idea was to take the


approach where asset does not necessarily means an IP address or a domain name


an asset for an organization is also the git repositories that you have is also


the cloud accounts that you have the S3 buckets that you have and that random


subdomain that was assigned to a developer to run a test environment for you that's also your asset


yeah the test box that they forgot about from 2014 and it's still floating around


there yep so yeah


so I was saying besides SBOM the other important and this is this a point that


everyone talks about no one knows how deep the rabbit hole goes is the asset


inventory you don't even know what you have so you can't even protect what you don't know


that is it's so important it's usually my first step when I get somewhere yeah


do you have an inventory and they're like well you know four years ago we had a co-op student that interviewed some


people and they made a Excel spreadsheet and I was like okay so you don't have one got it yep


so a fun story uh back from I think 2010 2012 time frame I was working with an


organization and uh I was doing log monitoring and uh recording logs and


analyzing them and they had a massive project going on there where they were inventorying


everything so they had about 5,000 assets in their environment at that time when we looked at the asset list and


we're like hey there seems to be something wrong in this and the thing that came up and we were


able to clean up that inventory to about 95 96 percent because we we had visibility


into multiple different logs and we used basic correlation techniques


if a Symantec AV is installed on your machine there's a very high chance you


are a Windows machine if you're marked as a Linux box I just need to double check once


back in those days Windows did not had 22 Port open on them so if there's a


port 22 open on a device there's a very high chance it is not Windows


so we would use this correlation on like a weekly basis and we were able to find


so many discrepancies like a machine that is supposed to have Symantec AV installed because it's a Windows machine


does not have Symantec AV installed because it is marked as a Linux box in the inventory so inventory when it was within the LAN


Network we were able to do this because we had that kind of a visibility but when you take the inventory out like for


example the CircleCI hack the credentials that were stored inside


CircleCI which were used to access buckets and whatnot across your network


you have no visibility of what is there what is not there and how you are dealing with it


it makes me sad when tool makers get hacked because it's like but I I have so


much faith in you now I feel like some of my faith is broken because I I've


used CircleCI I like it yeah I mean it's a good tool I haven't really met a


CI/CD I don't like though so uh have you played with Jenkins


self-hosted on a limited amount of RAM no


I've only done the cloud junk answer me yeah


so one of one of the things we were talking about before was that you're


more of an ops person than a dev person and last year I wrote this article called like what is infrastructure


versus what is considered like custom apps or software or stuff that software developers work on and I I did it


because I was talking with a friend who's kind of getting into Tech and he's like wait so operating systems are


software but it's called infrastructure but when you make an app or you're one of those apps that you test that's


called software he's like isn't it all software and so I wrote an article about it and a lot of people read it and I was


surprised because I was like this is so basic no one will want it so tell us what does that mean like


being more into ops than dev okay so uh I'll take a slightly uh larger view


devops is the term that generally people use nowadays but the the traditional


format was there was a development team and there was an operations team so if you consider the older waterfall model


uh a business people would let's say your company is a software development or a software Product Company there'd be


business people would basically bring in the business or the idea that this is what we want to build it then that requirement goes to the


development team the development team is supposed to do all the coding and get the software working as they feel at


that it should work then they would give it out to another team which was called the QA team quality assurance team they


would do all sorts of testing on it and tell you hey this is wrong this might be problematic this is where things are bad


and whatnot and then they would come up with their own recommendations development team will fix those and then


it will move forward just a side note this QA team the entirety of infosec


under application sphere is kind of a part of this QA team the same team we


generally try to disabout we are like a smaller portion of that QA process yeah


and then once the software is built the development team would then say hey


I've got the software working in my environment we now need to make it


available for our customer so the difference is a software working for a


developer means on my laptop it's working I can open a web page I can see how the web application is working or I


can launch the software and it's working but when you say I want to make it available in production for all of our


customers that basically then means a separate set of processes where an


environment is going to be created which is optimized for your set of application


role and then tweaking would be done in the environment in such a way that the


application can work like for all of your customers let's say if your customers are 10 or 20 I don't need to


care much about it I can just start the software the base software let's say it's a PHP application I just need a web


server PHP on it maybe a database server and everything runs in a single box but


then let's say I have 50,000 customers I'll be like Yep this is not going to work this way I need one server which is


sitting in the front then another server which is the PHP server and then another server which is the database server and


then I need to optimize the database server so it can handle multiple connections because multiple people will


be accessing things I I need to maybe set up a load balancer on the front so that if 50,000 people parallely come in


they can be channelized and multiple servers can actually load balance everything


all this aspect of putting the whole uh software into an environment where it


can function and serve a large number of people is what is the operations aspect


now what has happened is as everyone kept growing there were differences


between how developers would approach a Thing versus how an Ops person would approach a thing like for example I was


talking about packages that was a major disagreement between Ops and devs devs would be like I want to use the latest


Ops should be like nah you're getting this version of Linux you're getting this package figure it out


so then you came a point where in in short the developers were given the


freedom that hey look at what the ops is doing can you do something about it and the developers being developers they


came up with an approach where hey why not try and figure out how we can bring


the manual effort into automation into code so that's where the whole


infrastructure as code piece came into picture and the new term DevOps became


common now as security has it my understanding my usual crib about it security wants a


name of their own so they want their own name in the picture so they became DevSecOps the term that should never


have existed but it exists the dev and Ops Ops what two two


separate components which are now combined together and the reason for combining them together is to ease out


the whole disagreement between the two people rather make it a single person's job


this is very much beneficial for startup space it is very much not beneficial for a


corporate space on a bigger 20,000 people company you don't want one person doing end-to-end


work you want 10 people doing checks and balances doing cross-referencing with each other and getting the job done but


on a startup you don't want to hire 10 people you want one person do everything if the person can mop the floors and


bring you sales you would be more than happy so does that answers your question


it does it reminds me of um a funny story so uh sometimes companies will try


to recruit me to come work for them and I'm like oh I run We Hack Purple so I'm


pretty busy um and uh so the so the CEO is telling me well you really want to join our


company because our product is made out of devops and you like devops and he's like your


products made out of devops and the CEO said yeah it's literally made out of devops and it's like devops isn't a


substance and the CEO insisted no it is so you should meet our CTO our chief


technology officer so I met with the the CTO and I said oh so your CEO was and I you


know like when you're friends with people that work at a company and they're just like just go through the interview and I was like no I'm pretty happy is what I'm doing they're like no


no no go so I meet with the CTO and the CTO is like oh no our product isn't made out of devops you're right it's not a


substance and he's like but we do devops and I was like oh okay what does devops


mean to you and he said well we can't afford two technical people so I have to


do the dev and I have to do the Ops so therefore our product is devops and I


was like I have to go now and to go but at least he knew it wasn't a substance


so that's good okay I want to ask you one more thing


because we're like because I'll talk to you all day just like I did last time we had a call


um okay so Android security so my Achilles heel of AppSec is mobile apps and you've


done a lot of Android security can you I don't know just tell us a little bit about that


all right so uh the major change that you have to do in your mentality when


when it comes to web apps versus mobile is that you have to take that whole idea


out of your head that there is a trusted end in web applications we have the web


server which we can Harden which we can protect and that becomes the trusted entity and then what we can do is hey


don't do anything client-side do everything server side because server side we know we can control


when it comes to mobile if your application is actually based on a client server architecture you can


rely on the server but if you rely too much on the server your


application is just basically taking input sending it out to the server and coming back which means


one the slowness to the bandwidth consumption it's not just that it's slow it's costing money to the person to


operate your app now the other thing that comes is one


the app developer cannot trust so you can't rely on the server and you


can't trust anything within the device itself you don't know if the user that is


running the application is a trustable user or someone who is out there to hack


your machine you can't trust whether the app is running in a secure environment you


might be in a rooted device you might be running in an environment where the idea is to cause damage to your product or


the idea is to uh not cause a harm to them in terms of not


let their money be used in your application in terms of in-app purchases


so most of the mobile apps have in-app purchases I remember the days around 2014 2015 time frame before Pokemon


became a big thing in-app purchase hacks were the most common hacks that were


there so you would create an app you would have the app with micro transactions built in the person would


basically install a software and then all of your purchases would be automatically authorized without


actually spending money funny enough it was the gaming industry and especially Pokemon go that kind of


made it a hard thing for everyone the whole root detections to SSL pinning to


basically in-app blocking in the whole Apple and the Android ecosystem saying


hey we need to do something about in app hacks all of that came up somewhere around the


Pokemon go and the other tooling that came up other games that came up around that time so in Mobile security one


thing is you can't trust anything you are running your application in a hostile environment all the time


so anything that comes cannot be trusted you can't rely that a header that is


coming from the server is a trusted header it could have been faked in between so every in and out has to be validated


you can't trust any of it that's one major chunk the other thing which is


where I have a gripe with the infosec community in general what I'm seeing nowadays is there's a


handful of people who are actually doing anything around mobile apps themselves


what has happened is everyone has kind of figured out hey most of the apps have


some web server sitting in the back end so what we will do is we will not focus on the app itself because that's the


tricky bit we will start the app start Burp or ZAP


check the traffic and then focus on just the APIs there are lots of problems that are


there in the app itself that that are there in the device itself that no one


touches like I think just two three days back someone posted a bug in Samsung's


TTS talk to uh I mean a tap to talk or push to talk service or text to speech


service where by just one intent call you're


able to get into a routine or not exactly a root shell but a high


privileged system shell which then has higher privileges than what you have


now there's the other interesting aspect in your web applications or in your


server space or in your desktop space you have the concept of a super user you can become an administrator you can


become a root and then do a lot of things mobile devices are by default built in


such a way that when you are the owner of the device when you are running an application in the device none of the


applications or minimal number of applications are running with higher user privileges you are running application as a very


low level privileged user a recommendation which a lot of times people have given on Windows that hey


use a non administrative user as your default user so that's kind of the idea


that mobile devices have taken and they by default run in a non uh super user or


non-admin mode that then means that one if a user is


able to find a way to become root they'll be able to access a lot of things for example uh fun fun stuff uh


Google Authenticator which stores your two-factor Authentication


for a very long time and I don't know the current state because I stopped using Google


Authenticator at one point Google Authenticator would rely on the fact that the application data cannot be read


by other applications So within Google Authenticator's app data space there


would be an SQLite file if you are able to access that it has the website or wherever you have


accessed the token it has the token value it has the timestamp all those details are there in clear text they


were not even encrypting that and they had a very clear public issue around it we rely on the Android's native


capability to protect if you're running on rooted device you can't do anything about it so those sort of assumptions


are there some people make the Assumption on the side that hey it is protected we will assume it's protected


the other people make the Assumption hey everything is compromised and they end up creating a such a complex process


where everything slows down and they can't justify it but that's how they are


able to manage things like nowadays everything is there your cryptocurrency wallets are there your


banking applications are there your so in India UPI is a big thing so UPI is


like a payment transfer the whole Gateway concept is there and you can


transfer money from one account to another across Banks across the country within seconds so there are n number of


apps which rely on that platform and all of them are there in the device itself and that's where the complexity comes


that the since you can't trust anything you have to build checks and balances


the more checks and balances you build the more complex the app gets


it feels like a balancing act now it is it is it is definitely and uh then the


next aspect that comes is people have now started relying on other Frameworks so again the problem that hey uh Native


application is becoming very tricky for me so hey can I use something which works on iOS and on Android so there are


now middle Frameworks so there's another layer of dependency now so your application is built in the framework


which does the translation into native code and then the native code runs so


these middleware again adds their own layer of complexity so when we are dealing with mobile applications let's


say if I give an advice for a security researcher the mobile application space


is a bit more complex but the understanding that


everything is compromisable gives you the freedom to actually let


your threat model fly out and where we would stop that hey that this thing went


to the server now I can't do anything about this server here you can control everything even if this this data is


going to the server what is coming back from the server you can tamper with it


and if the app reacts badly there is a problem


so that's that's for the researchers part for the developers and for the uh for say uh yeah from a developer's point


of view uh the more complexity you add into the application


the more difficult it is to protect it and in short like I said in the


beginning if you don't keep the data you don't have to worry about it so you need to keep revisiting in what


you are doing do you really need to do that and only do what you really need to


do you are anyways reducing your threat model


that was such a good summary oh my gosh this is awesome


thank you laughs I feel like I could talk to you all day


I know I'm not allowed to so I you've done a bunch of really cool open


source projects and I I was wondering if like just super briefly if you could just tell us about you know code Village


and Tamer platform and hacking art hacking archives of India


all right so I'll take a very quick story like Journey I started working


with Android around 2010 I realized the software installation because of all the


complexities and one is built in Java six one is in Java 8 whatever was way


too complex for people so I ended up creating a very basic virtual machine which had the tools rightly configured


and I realized a bunch of people needed it so I made it available publicly that's when I started the Tamer project


and that has kept going on so now we've reached a point where the new version is


about to be released in a couple of months and what we are doing with it is there is a virtual machine environment


there's a Debian package environment there is a emulator that is available for Android devices there is a package


repository for that emulator which will have like vulnerable much vulnerable applications or your hacking tools


pre-baked in and then there's a minimal tools uh sort


of knowledge base which will tell you what tool how you can use which particular tool so that's the Tamer


platform because I wanted to do something for myself I made it and made it available


for everyone the Code Vigilant project yeah oh I just want to say so for people


that are listening it's Tamer like a lion tamer t-a-m-e-r


platform.com so go check that out yes tell us about the next one so then I


think around 2014 I was sort of in that zone where I knew how to write


applications I knew how to do the deployment and other bits I knew how to pen test applications but I was trying


to figure out how to do code reviews and I found another friend of mine who was in the same situation and we were


like yeah let's do something together so that's where Code Vigilant started and we took WordPress ecosystem as our


base so what we did was we were like I am not going to find a bug if I start looking at a code line by line


so we downloaded I think there was about 30 000 WordPress plugins at that point we downloaded all of them


so we had 30 000 WordPress plugins PHP code and we're like how does XSS happens


so the simple logic was echo and if there's a $_GET that's


an XSS we wrote a regular expression for grep ran that over the entire repository


and then manually analyzed all of them wow so we ended up finding about 300 odd


bugs in 2014 that was the first iteration that happened right now I'm running the second


iteration of Code Vigilant uh I stopped doing that because I was like grep and


then manually doing everything is way too complicated way too problematic for me and then the other things kept


happening so I shifted new things that happened in 2021 Semgrep


came out I was like yeah this sounds


interesting and the day they released PHP capabilities PHP support into it I


was like okay take this start writing the rules and start finding bugs


2021 we ended up disclosing about 50 60 odd SQL injections


in WordPress plugins wow all of that is on codevigilant.com and


right now we are again running more code so now what we're doing is because we have a set process so we run Semgrep


and we find bugs all of that gets piped into a vulnerability management system that's where we do the triage and


validation of the bugs and then we start reporting them so that's that's a massive project that we keep on working


oh my gosh okay so everyone go to codevillageant.com


so it's c-o-d-e-v-i-g-i-l-a-n-t.com [Music]


Vigilant not Villages Vigilant thank you sorry


okay then uh I think around 2015 2016 uh


I started going out of India and started attending various conferences and this


this was a common thing that came up that people were not even aware who is actually from India but is actually


representing people outside whenever I would talk with people from infosec space in India they would be talking


about people who are outside of the country and they would be idolizing them or they would be saying hey they're


doing fantastic work no one does things in India is not true that's not true there's so


much stuff going on in India so I I started a hunt so I was like okay I need


to find out who are the good people in India and there should be a place where people can see what these people have


been doing so if you now go to hacking archives of India I think I've not updated 2021 and 2022 data in it but


till 2020 all the big conferences that used to happen


I basically went into all the listings and identified who all identify


themselves as Indians and I've then added the details in so


for each author or rather be hacker their name is there their social media


handles are there if they are making it available in public and then all the talks they have done is listed the fun


part is the top person who is in that list uh some uh


he has been active in infosec space since 1997. whoa


whoa and a lot of people don't know so this was my way of putting this out


so now whenever someone says hey do people in India do this I'm like go to


that website you see the whole list how can people not know like India has


such a huge technology industry it's right it's giant yeah it's giant but the


thing is uh people don't glorify themselves people don't keep bragging


that they've done this we've done that I at one side I feel like that's a good thing on the other side I sometimes feel


like yeah at least you should brag at least you should tell people that hey this is what I am this is what I do so


they're not doing it I'm doing it for them I'm just putting out this is what they're doing


do you feel like maybe that's cultural like lots of women are told like you should


be modest you should be humble so then I tell them oh if you're going to speak at this conference you should tell everyone


on social media and they're like well I don't want to brag I'm like well the conference wants lots of people to come


and like they have you speaking because they think people will really enjoy your talk


and and if you don't tell people they can't come see it and they're


missing out and it's your fault you're not bragging you're informing them I'm going to speak at this conference I'm


super excited to be there I'm going to talk about XYZ come on out yeah I mean for myself


personally it has been a bigger hurdle that I have to cross myself I have been more of in that jinxed I'd


not jinx it by saying I'm going there and I'm excited so I would end up not


talking about it and then most of the time so this is this has been my uh kind


of the way I would have operated I would talk about whatever I've done not what


I'm about to do so that's where I it's a mental block that I'm trying to slowly


come out of but yeah that's that's the thing if you're doing something publicly you need to at least talk about it if


not brag about it yes well then on that note I was going


to ask if there's anything that you want so people who are listening obviously you want more Anant this is clearly not


enough so tell them where they can see you again or learn more about you or follow you


all right so I am available on all social media platforms under the name


anantshri so that's a-n-a-n-t-s-h-r-i it's kind of a combination of my first


name and a bit of my surname and uh I am also available on fediverse which is the


whole Mastodon and the whole uh other softwares via my email ID which is


anantshri dot info and that's the email address that's my fediverse ID that's my


xmpp ID so however you want to connect talk I am more than happy I am


interested in talking with people who are planning to do something interesting who are facing challenges right now in


security and just want an ear to listen to and maybe get some discussion going


on I won't say I'll be able to guide them I won't say I'll be able to Mentor them but yeah I can definitely be a


listening ear be a support system and maybe give my thoughts about how things


would work if I want to do it he also gives security training folks in


case you wanted to know yep oh my gosh this has been so great thank you Anant


you're awesome I'm so glad you said yes thank you thank you for coming on the


show do you have any last words of advice that you want to offer before I do the Whirlwind wrap-up okay


um two things that I keep on saying one don't idolize people


everyone is doing their own Journey Don't idolize anyone you do your own journey and uh you be a


parallel partner to others have them get help from them the other thing is uh


it is okay to say you don't know what is not okay is after six months


still saying you don't know so say don't know but then go and read


go and study figure out what you don't know and then you know that


that is awesome thank you so much Anant thank you so much to our sponsor


the Diana Initiative which is a conference that is in Vegas this summer in August right before DEF CON starts


also um I have a small amount announcement I will have two things that I'm going to


be doing I'm going to be one of the Keynotes at OWASP Global AppSec in


Dublin Ireland next month and I'm going to be at RSA in San Francisco in April


I'm going to be giving a learning lab Workshop about how to put SAST into your


CI/CD pipeline without losing all your friends and I'm going to use Semgrep just like you were talking about


um it's like how can you do this but like not have it run for 400 years and tick off all of our nice newly made Dev


friends so I'm Tanya Janca this was the We Hack Purple podcast and we had Anant on and


it was awesome thank you so much for being on the show Anant thanks a lot for inviting me


hi everyone thank you bye everyone