SlideShare a Scribd company logo

How-To Find Malicious Backdoors and Business Logic Vulnerabilities in Your Code

DevOps.com
DevOps.com

While graph databases are primarily known as the backbone of the modern social networks, we have found a much more interesting application for them: program analysis. This talk aims to demonstrate that graph databases and the typical program representations developed in compiler construction are a match made in heaven, allowing large code bases to be mined for vulnerabilities using complex bug descriptions encoded in simple, and not so simple graph database queries. This talk will bring together two well-known but previously unrelated topics: static program analysis and graph databases. After briefly covering the "emerging graph landscape" and why it may be interesting for hackers, a graph representation of programs exposing syntax, control-flow, data-dependencies and type information is presented, designed specifically with bug/backdoors/business logic flaws hunting in mind. Capabilities of the system will then be demonstrated live with Joern, an open source code exploration tool, as we craft queries for RCE exploits, insider attacks, data leak detection.

Technology
1 of 19
Download to read offline
ShiftLeft Ocular How-To Find Malicious Backdoors in your code Chetan Conikee – Founder/CTO
Agenda • Source Code : Your unit of value • Common traits of source code (from code to application) • What is the Code Property Graph and its applicability • What are backdoors? • Querying the Code Property Graph using Ocular to hunt for backdoors
Source Code : Your unit of value
Common traits of source code Lexing Parsing IR (Intermediary Representation)
Software Components …
Code Property Graph – a versatile graph format Instruction Level - Syntax, Control & Semantics Flow Methods, Type information, Call Graph, Data Flow and Configurations High Level Information Flows Violations – vulnerable flows that unifies syntax, control and semantics in one representation
Insider Threats SOURCE: www.cert.org/archive/pdfCERTInsiderThreatVulnerabilityAssessment.pdf The cases of insiderIT sabotage were among the more technically sophisticated attacks examined in the Insider Threat Study and resulted in substantial harmto people and organizations. Forty-nine cases were studied. 86%of the insiders held technical positions. 90% of them were granted system privileges. In those cases, 81% of the organizations that were attacked experienced a negative financial impact as a result of insider activities. The losses ranged from a low of five hundred dollars to a high of tens of millions of dollars
What can attackers do with backdoors? • Install backdoor for future access to system • Destroy sensitive data stored on the database, while “riding on” the established connection from the application to the database. • Log sensitive information generated by applications, such as credit card numbers, passwords, encryption keys, and so forth. • Execute OS commands using the user’s identity, or provide a remote command prompt while using a reverse shell.
• Tools for security analysts, appsec teams and developers • Powerful querying capabilities to identify vulnerable conditions • Understand application structure and attack surface • Baseline and compare high level information flows
Buckle up! Let’s hunt for insider attack patterns in an application using Ocular https://github.com/conikeec/tarpit
Logic Bomb • Malicious code that executes when specific trigger conditions are met • A time bomb is a type of logic bomb that uses a date and time as its trigger condition. • When the time bomb or logic bomb is detonated, it may perform a denial of service such as crashing the system, deleting critical data, or degrading system response time.
MagicValue • Developer intentionally places “Malicious Easter Egg” which is triggered based on magic value entered in form field or REST API • Why? • Bypass compliance for debugging production data • Preparation for attack by disgruntled employee/consultant
Sensitive Data Leak to file • Write PII, PHI, Cloud credentials to log file • Exfiltrate log file prior to rotation or aggregation by rsyslog daemon
Data Exfiltration endpoint Trivial amount of code to enable exfiltrating files for file system
Attack using compiler API • DevOps bake in images with JDK (not hardened) rather than just the JRE • This makes Java compiler API available to compile an attack class • Attack class encoded to escape code reviewers keen sight
Attack using compiler API continued • DevOps bake in images with JDK (not hardened) rather than just the JRE • This makes Java compiler API available to compile an attack class (from exposed HTTP endpoint) • Attack class encoded to bypass application firewall
Escaping Validation Frameworks Approach to work around validation framework mandated by company
Ocular Workflow • Enable development and security teams to create #AppSec requirements via scripts using Ocular • Enforce execution of Ocular scripts in CI/CD to conduct checks for every release • Create your own scripts or use ShiftLeft’s packages • SCA (Software Composition Analysis) • Business Logic flaws • Sensitive Data leaks • Insider attack patterns
Try Ocular on Your Code 14 Day Ocular Free Trial • Download here: https://go.shiftleft.io/ocular-free-trial • Java only • Trial version does not include security profile queries, policies or frameworks Ocular Proof of Concept • Email sales@shiftleft.io • Java or C/C++ • Full featured product version • Support & training • Custom timeframe

Recommended

Web Application Security 101
Web Application Security 101Web Application Security 101
Web Application Security 101
Jannis Kirschner
 
Integrating Black Duck into Your Environment with Hub APIs
Integrating Black Duck into Your Environment with Hub APIsIntegrating Black Duck into Your Environment with Hub APIs
Integrating Black Duck into Your Environment with Hub APIs
Black Duck by Synopsys
 
Runtime Analysis on Mobile Applications (February 2017)
Runtime Analysis on Mobile Applications (February 2017)Runtime Analysis on Mobile Applications (February 2017)
Runtime Analysis on Mobile Applications (February 2017)
Sandeep Jayashankar
 
Intrusion Detection Systems By Anamoly-Based Using Neural Network
Intrusion Detection Systems By Anamoly-Based Using Neural NetworkIntrusion Detection Systems By Anamoly-Based Using Neural Network
Intrusion Detection Systems By Anamoly-Based Using Neural Network
IOSR Journals
 
Filling your AppSec Toolbox - Which Tools, When to Use Them, and Why
Filling your AppSec Toolbox - Which Tools, When to Use Them, and WhyFilling your AppSec Toolbox - Which Tools, When to Use Them, and Why
Filling your AppSec Toolbox - Which Tools, When to Use Them, and Why
Black Duck by Synopsys
 
Application layer security protocol
Application layer security protocolApplication layer security protocol
Application layer security protocol
Kirti Ahirrao
 
Securing Docker Containers
Securing Docker ContainersSecuring Docker Containers
Securing Docker Containers
Black Duck by Synopsys
 
SAST vs. DAST: What’s the Best Method For Application Security Testing?
SAST vs. DAST: What’s the Best Method For Application Security Testing?SAST vs. DAST: What’s the Best Method For Application Security Testing?
SAST vs. DAST: What’s the Best Method For Application Security Testing?
Cigital
 

Recommended

Web Application Security 101
Web Application Security 101Web Application Security 101
Web Application Security 101
Jannis Kirschner
 
Integrating Black Duck into Your Environment with Hub APIs
Integrating Black Duck into Your Environment with Hub APIsIntegrating Black Duck into Your Environment with Hub APIs
Integrating Black Duck into Your Environment with Hub APIs
Black Duck by Synopsys
 
Runtime Analysis on Mobile Applications (February 2017)
Runtime Analysis on Mobile Applications (February 2017)Runtime Analysis on Mobile Applications (February 2017)
Runtime Analysis on Mobile Applications (February 2017)
Sandeep Jayashankar
 
Intrusion Detection Systems By Anamoly-Based Using Neural Network
Intrusion Detection Systems By Anamoly-Based Using Neural NetworkIntrusion Detection Systems By Anamoly-Based Using Neural Network
Intrusion Detection Systems By Anamoly-Based Using Neural Network
IOSR Journals
 
Filling your AppSec Toolbox - Which Tools, When to Use Them, and Why
Filling your AppSec Toolbox - Which Tools, When to Use Them, and WhyFilling your AppSec Toolbox - Which Tools, When to Use Them, and Why
Filling your AppSec Toolbox - Which Tools, When to Use Them, and Why
Black Duck by Synopsys
 
Application layer security protocol
Application layer security protocolApplication layer security protocol
Application layer security protocol
Kirti Ahirrao
 
Securing Docker Containers
Securing Docker ContainersSecuring Docker Containers
Securing Docker Containers
Black Duck by Synopsys
 
SAST vs. DAST: What’s the Best Method For Application Security Testing?
SAST vs. DAST: What’s the Best Method For Application Security Testing?SAST vs. DAST: What’s the Best Method For Application Security Testing?
SAST vs. DAST: What’s the Best Method For Application Security Testing?
Cigital
 
Managing Open Source in Application Security and Software Development Lifecycle
Managing Open Source in Application Security and Software Development LifecycleManaging Open Source in Application Security and Software Development Lifecycle
Managing Open Source in Application Security and Software Development Lifecycle
Black Duck by Synopsys
 
Android Penetration Testing - OWASP Chapter (June 2016)
Android Penetration Testing - OWASP Chapter (June 2016)Android Penetration Testing - OWASP Chapter (June 2016)
Android Penetration Testing - OWASP Chapter (June 2016)
Sandeep Jayashankar
 
The 4 Levels of Open Source Risk Management
The 4 Levels of Open Source Risk ManagementThe 4 Levels of Open Source Risk Management
The 4 Levels of Open Source Risk Management
Black Duck by Synopsys
 
Security guidelines
Security guidelinesSecurity guidelines
Security guidelines
karthz
 
penetration testing
penetration testingpenetration testing
penetration testing
Shitesh Sachan
 
Leverage DevOps & Agile Development to Transform Your Application Testing Pro...
Leverage DevOps & Agile Development to Transform Your Application Testing Pro...Leverage DevOps & Agile Development to Transform Your Application Testing Pro...
Leverage DevOps & Agile Development to Transform Your Application Testing Pro...
DevOps.com
 
AppSec EU 2016: Automated Mobile Application Security Assessment with MobSF
AppSec EU 2016: Automated Mobile Application Security Assessment with MobSFAppSec EU 2016: Automated Mobile Application Security Assessment with MobSF
AppSec EU 2016: Automated Mobile Application Security Assessment with MobSF
Ajin Abraham
 
Crafting Super-Powered Risk Assessments by Digital Defense Inc & Veracode
Crafting Super-Powered Risk Assessments by Digital Defense Inc & VeracodeCrafting Super-Powered Risk Assessments by Digital Defense Inc & Veracode
Crafting Super-Powered Risk Assessments by Digital Defense Inc & Veracode
Digital Defense Inc
 
Cyber security series Application Security
Cyber security series Application SecurityCyber security series Application Security
Cyber security series Application Security
Jim Kaplan CIA CFE
 
Proactive Security AppSec Case Study
Proactive Security AppSec Case StudyProactive Security AppSec Case Study
Proactive Security AppSec Case Study
Andy Hoernecke
 
Application Security Workshop
Application Security Workshop Application Security Workshop
Application Security Workshop
Priyanka Aash
 
Application Security Testing(AST)
Application Security Testing(AST)Application Security Testing(AST)
Application Security Testing(AST)
Arvind Bhardwaj [AB]
 
Gloriolesoft Consulting Security and Privacy Offering
Gloriolesoft Consulting Security and Privacy Offering Gloriolesoft Consulting Security and Privacy Offering
Gloriolesoft Consulting Security and Privacy Offering
Debasis Chakraborty
 
Regulated Reactive - Security Considerations for Building Reactive Systems in...
Regulated Reactive - Security Considerations for Building Reactive Systems in...Regulated Reactive - Security Considerations for Building Reactive Systems in...
Regulated Reactive - Security Considerations for Building Reactive Systems in...
Ryan Hodgin
 
Alfredo Reino - Monitoring aws and azure
Alfredo Reino - Monitoring aws and azureAlfredo Reino - Monitoring aws and azure
Alfredo Reino - Monitoring aws and azure
DevSecCon
 
Web Application Security 101 - 03 Web Security Toolkit
Web Application Security 101 - 03 Web Security ToolkitWeb Application Security 101 - 03 Web Security Toolkit
Web Application Security 101 - 03 Web Security Toolkit
Websecurify
 
Web Application Security 101
Web Application Security 101Web Application Security 101
Web Application Security 101
Cybersecurity Education and Research Centre
 
[OPD 2019] AST Platform and the importance of multi-layered application secu...
[OPD 2019] AST Platform and the importance of multi-layered application secu...[OPD 2019] AST Platform and the importance of multi-layered application secu...
[OPD 2019] AST Platform and the importance of multi-layered application secu...
OWASP
 
AllDayDevOps 2019 AppSensor
AllDayDevOps 2019 AppSensorAllDayDevOps 2019 AppSensor
AllDayDevOps 2019 AppSensor
jtmelton
 
Security testing
Security testingSecurity testing
Security testing
Rihab Chebbah
 
Using Analyzers to Resolve Security Problems
Using Analyzers to Resolve Security ProblemsUsing Analyzers to Resolve Security Problems
Using Analyzers to Resolve Security Problems
kiansahafi
 
Finding Zero-Days Before The Attackers: A Fortune 500 Red Team Case Study
Finding Zero-Days Before The Attackers: A Fortune 500 Red Team Case StudyFinding Zero-Days Before The Attackers: A Fortune 500 Red Team Case Study
Finding Zero-Days Before The Attackers: A Fortune 500 Red Team Case Study
DevOps.com
 

More Related Content

What's hot

Managing Open Source in Application Security and Software Development Lifecycle
Managing Open Source in Application Security and Software Development LifecycleManaging Open Source in Application Security and Software Development Lifecycle
Managing Open Source in Application Security and Software Development Lifecycle
Black Duck by Synopsys
 
AppSec EU 2016: Automated Mobile Application Security Assessment with MobSF
AppSec EU 2016: Automated Mobile Application Security Assessment with MobSFAppSec EU 2016: Automated Mobile Application Security Assessment with MobSF
AppSec EU 2016: Automated Mobile Application Security Assessment with MobSF
Ajin Abraham
 
Cyber security series Application Security
Cyber security series Application SecurityCyber security series Application Security
Cyber security series Application Security
Jim Kaplan CIA CFE
 
[OPD 2019] AST Platform and the importance of multi-layered application secu...
[OPD 2019] AST Platform and the importance of multi-layered application secu...[OPD 2019] AST Platform and the importance of multi-layered application secu...
[OPD 2019] AST Platform and the importance of multi-layered application secu...
OWASP
 

What's hot (20)

Managing Open Source in Application Security and Software Development Lifecycle
Managing Open Source in Application Security and Software Development LifecycleManaging Open Source in Application Security and Software Development Lifecycle
Managing Open Source in Application Security and Software Development Lifecycle
 
Android Penetration Testing - OWASP Chapter (June 2016)
Android Penetration Testing - OWASP Chapter (June 2016)Android Penetration Testing - OWASP Chapter (June 2016)
Android Penetration Testing - OWASP Chapter (June 2016)
 
The 4 Levels of Open Source Risk Management
The 4 Levels of Open Source Risk ManagementThe 4 Levels of Open Source Risk Management
The 4 Levels of Open Source Risk Management
 
Security guidelines
Security guidelinesSecurity guidelines
Security guidelines
 
penetration testing
penetration testingpenetration testing
penetration testing
 
Leverage DevOps & Agile Development to Transform Your Application Testing Pro...
Leverage DevOps & Agile Development to Transform Your Application Testing Pro...Leverage DevOps & Agile Development to Transform Your Application Testing Pro...
Leverage DevOps & Agile Development to Transform Your Application Testing Pro...
 
AppSec EU 2016: Automated Mobile Application Security Assessment with MobSF
AppSec EU 2016: Automated Mobile Application Security Assessment with MobSFAppSec EU 2016: Automated Mobile Application Security Assessment with MobSF
AppSec EU 2016: Automated Mobile Application Security Assessment with MobSF
 
Crafting Super-Powered Risk Assessments by Digital Defense Inc & Veracode
Crafting Super-Powered Risk Assessments by Digital Defense Inc & VeracodeCrafting Super-Powered Risk Assessments by Digital Defense Inc & Veracode
Crafting Super-Powered Risk Assessments by Digital Defense Inc & Veracode
 
Cyber security series Application Security
Cyber security series Application SecurityCyber security series Application Security
Cyber security series Application Security
 
Proactive Security AppSec Case Study
Proactive Security AppSec Case StudyProactive Security AppSec Case Study
Proactive Security AppSec Case Study
 
Application Security Workshop
Application Security Workshop Application Security Workshop
Application Security Workshop
 
Application Security Testing(AST)
Application Security Testing(AST)Application Security Testing(AST)
Application Security Testing(AST)
 
Gloriolesoft Consulting Security and Privacy Offering
Gloriolesoft Consulting Security and Privacy Offering Gloriolesoft Consulting Security and Privacy Offering
Gloriolesoft Consulting Security and Privacy Offering
 
Regulated Reactive - Security Considerations for Building Reactive Systems in...
Regulated Reactive - Security Considerations for Building Reactive Systems in...Regulated Reactive - Security Considerations for Building Reactive Systems in...
Regulated Reactive - Security Considerations for Building Reactive Systems in...
 
Alfredo Reino - Monitoring aws and azure
Alfredo Reino - Monitoring aws and azureAlfredo Reino - Monitoring aws and azure
Alfredo Reino - Monitoring aws and azure
 
Web Application Security 101 - 03 Web Security Toolkit
Web Application Security 101 - 03 Web Security ToolkitWeb Application Security 101 - 03 Web Security Toolkit
Web Application Security 101 - 03 Web Security Toolkit
 
Web Application Security 101
Web Application Security 101Web Application Security 101
Web Application Security 101
 
[OPD 2019] AST Platform and the importance of multi-layered application secu...
[OPD 2019] AST Platform and the importance of multi-layered application secu...[OPD 2019] AST Platform and the importance of multi-layered application secu...
[OPD 2019] AST Platform and the importance of multi-layered application secu...
 
AllDayDevOps 2019 AppSensor
AllDayDevOps 2019 AppSensorAllDayDevOps 2019 AppSensor
AllDayDevOps 2019 AppSensor
 
Security testing
Security testingSecurity testing
Security testing
 

Similar to How-To Find Malicious Backdoors and Business Logic Vulnerabilities in Your Code

Finding Zero-Days Before The Attackers: A Fortune 500 Red Team Case Study
Finding Zero-Days Before The Attackers: A Fortune 500 Red Team Case StudyFinding Zero-Days Before The Attackers: A Fortune 500 Red Team Case Study
Finding Zero-Days Before The Attackers: A Fortune 500 Red Team Case Study
DevOps.com
 
How do JavaScript frameworks impact the security of applications?
How do JavaScript frameworks impact the security of applications?How do JavaScript frameworks impact the security of applications?
How do JavaScript frameworks impact the security of applications?
Ksenia Peguero
 
TechTalk 2021: Peran IT Security dalam Penerapan DevOps
TechTalk 2021: Peran IT Security dalam Penerapan DevOpsTechTalk 2021: Peran IT Security dalam Penerapan DevOps
TechTalk 2021: Peran IT Security dalam Penerapan DevOps
DicodingEvent
 
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Denim Group
 
Deep dive nella supply chain della nostra infrastruttura cloud
Deep dive nella supply chain della nostra infrastruttura cloudDeep dive nella supply chain della nostra infrastruttura cloud
Deep dive nella supply chain della nostra infrastruttura cloud
sparkfabrik
 
AppSec in an Agile World
AppSec in an Agile WorldAppSec in an Agile World
AppSec in an Agile World
David Lindner
 

Similar to How-To Find Malicious Backdoors and Business Logic Vulnerabilities in Your Code (20)

Using Analyzers to Resolve Security Problems
Using Analyzers to Resolve Security ProblemsUsing Analyzers to Resolve Security Problems
Using Analyzers to Resolve Security Problems
 
Finding Zero-Days Before The Attackers: A Fortune 500 Red Team Case Study
Finding Zero-Days Before The Attackers: A Fortune 500 Red Team Case StudyFinding Zero-Days Before The Attackers: A Fortune 500 Red Team Case Study
Finding Zero-Days Before The Attackers: A Fortune 500 Red Team Case Study
 
For Business's Sake, Let's focus on AppSec
For Business's Sake, Let's focus on AppSecFor Business's Sake, Let's focus on AppSec
For Business's Sake, Let's focus on AppSec
 
Code Quality - Security
Code Quality - SecurityCode Quality - Security
Code Quality - Security
 
Css sf azure_8-9-17-protecting_web_apps_stephen coty_al
Css sf azure_8-9-17-protecting_web_apps_stephen coty_alCss sf azure_8-9-17-protecting_web_apps_stephen coty_al
Css sf azure_8-9-17-protecting_web_apps_stephen coty_al
 
CSS17: Houston - Protecting Web Apps
CSS17: Houston - Protecting Web AppsCSS17: Houston - Protecting Web Apps
CSS17: Houston - Protecting Web Apps
 
CSS 17: NYC - Protecting your Web Applications
CSS 17: NYC - Protecting your Web ApplicationsCSS 17: NYC - Protecting your Web Applications
CSS 17: NYC - Protecting your Web Applications
 
How do JavaScript frameworks impact the security of applications?
How do JavaScript frameworks impact the security of applications?How do JavaScript frameworks impact the security of applications?
How do JavaScript frameworks impact the security of applications?
 
React commonest security flaws and remedial measures!
React commonest security flaws and remedial measures!React commonest security flaws and remedial measures!
React commonest security flaws and remedial measures!
 
TechTalk 2021: Peran IT Security dalam Penerapan DevOps
TechTalk 2021: Peran IT Security dalam Penerapan DevOpsTechTalk 2021: Peran IT Security dalam Penerapan DevOps
TechTalk 2021: Peran IT Security dalam Penerapan DevOps
 
How to Get Started with DevSecOps
How to Get Started with DevSecOpsHow to Get Started with DevSecOps
How to Get Started with DevSecOps
 
Building Security Controls around Attack Models
Building Security Controls around Attack ModelsBuilding Security Controls around Attack Models
Building Security Controls around Attack Models
 
chap-1 : Vulnerabilities in Information Systems
chap-1 : Vulnerabilities in Information Systemschap-1 : Vulnerabilities in Information Systems
chap-1 : Vulnerabilities in Information Systems
 
Reverse Engineering Malware - A Practical Guide
Reverse Engineering Malware - A Practical GuideReverse Engineering Malware - A Practical Guide
Reverse Engineering Malware - A Practical Guide
 
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
 
Thick Application Penetration Testing: Crash Course
Thick Application Penetration Testing: Crash CourseThick Application Penetration Testing: Crash Course
Thick Application Penetration Testing: Crash Course
 
Protecting Against Web Attacks
Protecting Against Web AttacksProtecting Against Web Attacks
Protecting Against Web Attacks
 
Deep dive nella supply chain della nostra infrastruttura cloud
Deep dive nella supply chain della nostra infrastruttura cloudDeep dive nella supply chain della nostra infrastruttura cloud
Deep dive nella supply chain della nostra infrastruttura cloud
 
Exploitation techniques and fuzzing
Exploitation techniques and fuzzingExploitation techniques and fuzzing
Exploitation techniques and fuzzing
 
AppSec in an Agile World
AppSec in an Agile WorldAppSec in an Agile World
AppSec in an Agile World
 

More from DevOps.com

Modernizing on IBM Z Made Easier With Open Source Software
Modernizing on IBM Z Made Easier With Open Source SoftwareModernizing on IBM Z Made Easier With Open Source Software
Modernizing on IBM Z Made Easier With Open Source Software
DevOps.com
 
Comparing Microsoft SQL Server 2019 Performance Across Various Kubernetes Pla...
Comparing Microsoft SQL Server 2019 Performance Across Various Kubernetes Pla...Comparing Microsoft SQL Server 2019 Performance Across Various Kubernetes Pla...
Comparing Microsoft SQL Server 2019 Performance Across Various Kubernetes Pla...
DevOps.com
 
Comparing Microsoft SQL Server 2019 Performance Across Various Kubernetes Pla...
Comparing Microsoft SQL Server 2019 Performance Across Various Kubernetes Pla...Comparing Microsoft SQL Server 2019 Performance Across Various Kubernetes Pla...
Comparing Microsoft SQL Server 2019 Performance Across Various Kubernetes Pla...
DevOps.com
 
Next Generation Vulnerability Assessment Using Datadog and Snyk
Next Generation Vulnerability Assessment Using Datadog and SnykNext Generation Vulnerability Assessment Using Datadog and Snyk
Next Generation Vulnerability Assessment Using Datadog and Snyk
DevOps.com
 
Vulnerability Discovery in the Cloud
Vulnerability Discovery in the CloudVulnerability Discovery in the Cloud
Vulnerability Discovery in the Cloud
DevOps.com
 
2021 Open Source Governance: Top Ten Trends and Predictions
2021 Open Source Governance: Top Ten Trends and Predictions2021 Open Source Governance: Top Ten Trends and Predictions
2021 Open Source Governance: Top Ten Trends and Predictions
DevOps.com
 
Don't Panic! Effective Incident Response
Don't Panic! Effective Incident ResponseDon't Panic! Effective Incident Response
Don't Panic! Effective Incident Response
DevOps.com
 
Creating a Culture of Chaos: Chaos Engineering Is Not Just Tools, It's Culture
Creating a Culture of Chaos: Chaos Engineering Is Not Just Tools, It's CultureCreating a Culture of Chaos: Chaos Engineering Is Not Just Tools, It's Culture
Creating a Culture of Chaos: Chaos Engineering Is Not Just Tools, It's Culture
DevOps.com
 
Deliver your App Anywhere … Publicly or Privately
Deliver your App Anywhere … Publicly or PrivatelyDeliver your App Anywhere … Publicly or Privately
Deliver your App Anywhere … Publicly or Privately
DevOps.com
 
The Evolving Role of the Developer in 2021
The Evolving Role of the Developer in 2021The Evolving Role of the Developer in 2021
The Evolving Role of the Developer in 2021
DevOps.com
 
Service Mesh: Two Big Words But Do You Need It?
Service Mesh: Two Big Words But Do You Need It?Service Mesh: Two Big Words But Do You Need It?
Service Mesh: Two Big Words But Do You Need It?
DevOps.com
 
How to Govern Identities and Access in Cloud Infrastructure: AppsFlyer Case S...
How to Govern Identities and Access in Cloud Infrastructure: AppsFlyer Case S...How to Govern Identities and Access in Cloud Infrastructure: AppsFlyer Case S...
How to Govern Identities and Access in Cloud Infrastructure: AppsFlyer Case S...
DevOps.com
 
Elevate Your Enterprise Python and R AI, ML Software Strategy with Anaconda T...
Elevate Your Enterprise Python and R AI, ML Software Strategy with Anaconda T...Elevate Your Enterprise Python and R AI, ML Software Strategy with Anaconda T...
Elevate Your Enterprise Python and R AI, ML Software Strategy with Anaconda T...
DevOps.com
 

More from DevOps.com (20)

Modernizing on IBM Z Made Easier With Open Source Software
Modernizing on IBM Z Made Easier With Open Source SoftwareModernizing on IBM Z Made Easier With Open Source Software
Modernizing on IBM Z Made Easier With Open Source Software
 
Comparing Microsoft SQL Server 2019 Performance Across Various Kubernetes Pla...
Comparing Microsoft SQL Server 2019 Performance Across Various Kubernetes Pla...Comparing Microsoft SQL Server 2019 Performance Across Various Kubernetes Pla...
Comparing Microsoft SQL Server 2019 Performance Across Various Kubernetes Pla...
 
Comparing Microsoft SQL Server 2019 Performance Across Various Kubernetes Pla...
Comparing Microsoft SQL Server 2019 Performance Across Various Kubernetes Pla...Comparing Microsoft SQL Server 2019 Performance Across Various Kubernetes Pla...
Comparing Microsoft SQL Server 2019 Performance Across Various Kubernetes Pla...
 
Next Generation Vulnerability Assessment Using Datadog and Snyk
Next Generation Vulnerability Assessment Using Datadog and SnykNext Generation Vulnerability Assessment Using Datadog and Snyk
Next Generation Vulnerability Assessment Using Datadog and Snyk
 
Vulnerability Discovery in the Cloud
Vulnerability Discovery in the CloudVulnerability Discovery in the Cloud
Vulnerability Discovery in the Cloud
 
2021 Open Source Governance: Top Ten Trends and Predictions
2021 Open Source Governance: Top Ten Trends and Predictions2021 Open Source Governance: Top Ten Trends and Predictions
2021 Open Source Governance: Top Ten Trends and Predictions
 
A New Year’s Ransomware Resolution
A New Year’s Ransomware ResolutionA New Year’s Ransomware Resolution
A New Year’s Ransomware Resolution
 
Getting Started with Runtime Security on Azure Kubernetes Service (AKS)
Getting Started with Runtime Security on Azure Kubernetes Service (AKS)Getting Started with Runtime Security on Azure Kubernetes Service (AKS)
Getting Started with Runtime Security on Azure Kubernetes Service (AKS)
 
Don't Panic! Effective Incident Response
Don't Panic! Effective Incident ResponseDon't Panic! Effective Incident Response
Don't Panic! Effective Incident Response
 
Creating a Culture of Chaos: Chaos Engineering Is Not Just Tools, It's Culture
Creating a Culture of Chaos: Chaos Engineering Is Not Just Tools, It's CultureCreating a Culture of Chaos: Chaos Engineering Is Not Just Tools, It's Culture
Creating a Culture of Chaos: Chaos Engineering Is Not Just Tools, It's Culture
 
Role Based Access Controls (RBAC) for SSH and Kubernetes Access with Teleport
Role Based Access Controls (RBAC) for SSH and Kubernetes Access with TeleportRole Based Access Controls (RBAC) for SSH and Kubernetes Access with Teleport
Role Based Access Controls (RBAC) for SSH and Kubernetes Access with Teleport
 
Monitoring Serverless Applications with Datadog
Monitoring Serverless Applications with DatadogMonitoring Serverless Applications with Datadog
Monitoring Serverless Applications with Datadog
 
Deliver your App Anywhere … Publicly or Privately
Deliver your App Anywhere … Publicly or PrivatelyDeliver your App Anywhere … Publicly or Privately
Deliver your App Anywhere … Publicly or Privately
 
Securing medical apps in the age of covid final
Securing medical apps in the age of covid finalSecuring medical apps in the age of covid final
Securing medical apps in the age of covid final
 
How to Build a Healthy On-Call Culture
How to Build a Healthy On-Call CultureHow to Build a Healthy On-Call Culture
How to Build a Healthy On-Call Culture
 
The Evolving Role of the Developer in 2021
The Evolving Role of the Developer in 2021The Evolving Role of the Developer in 2021
The Evolving Role of the Developer in 2021
 
Service Mesh: Two Big Words But Do You Need It?
Service Mesh: Two Big Words But Do You Need It?Service Mesh: Two Big Words But Do You Need It?
Service Mesh: Two Big Words But Do You Need It?
 
Secure Data Sharing in OpenShift Environments
Secure Data Sharing in OpenShift EnvironmentsSecure Data Sharing in OpenShift Environments
Secure Data Sharing in OpenShift Environments
 
How to Govern Identities and Access in Cloud Infrastructure: AppsFlyer Case S...
How to Govern Identities and Access in Cloud Infrastructure: AppsFlyer Case S...How to Govern Identities and Access in Cloud Infrastructure: AppsFlyer Case S...
How to Govern Identities and Access in Cloud Infrastructure: AppsFlyer Case S...
 
Elevate Your Enterprise Python and R AI, ML Software Strategy with Anaconda T...
Elevate Your Enterprise Python and R AI, ML Software Strategy with Anaconda T...Elevate Your Enterprise Python and R AI, ML Software Strategy with Anaconda T...
Elevate Your Enterprise Python and R AI, ML Software Strategy with Anaconda T...
 

Recently uploaded

From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
Safe Software
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc
 
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Principled Technologies
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
sammart93
 

Recently uploaded (20)

Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 

How-To Find Malicious Backdoors and Business Logic Vulnerabilities in Your Code

  • 1. ShiftLeft Ocular How-To Find Malicious Backdoors in your code Chetan Conikee – Founder/CTO
  • 2. Agenda • Source Code : Your unit of value • Common traits of source code (from code to application) • What is the Code Property Graph and its applicability • What are backdoors? • Querying the Code Property Graph using Ocular to hunt for backdoors
  • 3. Source Code : Your unit of value
  • 4. Common traits of source code Lexing Parsing IR (Intermediary Representation)
  • 6. Code Property Graph – a versatile graph format Instruction Level - Syntax, Control & Semantics Flow Methods, Type information, Call Graph, Data Flow and Configurations High Level Information Flows Violations – vulnerable flows that unifies syntax, control and semantics in one representation
  • 7. Insider Threats SOURCE: www.cert.org/archive/pdfCERTInsiderThreatVulnerabilityAssessment.pdf The cases of insiderIT sabotage were among the more technically sophisticated attacks examined in the Insider Threat Study and resulted in substantial harmto people and organizations. Forty-nine cases were studied. 86%of the insiders held technical positions. 90% of them were granted system privileges. In those cases, 81% of the organizations that were attacked experienced a negative financial impact as a result of insider activities. The losses ranged from a low of five hundred dollars to a high of tens of millions of dollars
  • 8. What can attackers do with backdoors? • Install backdoor for future access to system • Destroy sensitive data stored on the database, while “riding on” the established connection from the application to the database. • Log sensitive information generated by applications, such as credit card numbers, passwords, encryption keys, and so forth. • Execute OS commands using the user’s identity, or provide a remote command prompt while using a reverse shell.
  • 9. • Tools for security analysts, appsec teams and developers • Powerful querying capabilities to identify vulnerable conditions • Understand application structure and attack surface • Baseline and compare high level information flows
  • 10. Buckle up! Let’s hunt for insider attack patterns in an application using Ocular https://github.com/conikeec/tarpit
  • 11. Logic Bomb • Malicious code that executes when specific trigger conditions are met • A time bomb is a type of logic bomb that uses a date and time as its trigger condition. • When the time bomb or logic bomb is detonated, it may perform a denial of service such as crashing the system, deleting critical data, or degrading system response time.
  • 12. MagicValue • Developer intentionally places “Malicious Easter Egg” which is triggered based on magic value entered in form field or REST API • Why? • Bypass compliance for debugging production data • Preparation for attack by disgruntled employee/consultant
  • 13. Sensitive Data Leak to file • Write PII, PHI, Cloud credentials to log file • Exfiltrate log file prior to rotation or aggregation by rsyslog daemon
  • 14. Data Exfiltration endpoint Trivial amount of code to enable exfiltrating files for file system
  • 15. Attack using compiler API • DevOps bake in images with JDK (not hardened) rather than just the JRE • This makes Java compiler API available to compile an attack class • Attack class encoded to escape code reviewers keen sight
  • 16. Attack using compiler API continued • DevOps bake in images with JDK (not hardened) rather than just the JRE • This makes Java compiler API available to compile an attack class (from exposed HTTP endpoint) • Attack class encoded to bypass application firewall
  • 17. Escaping Validation Frameworks Approach to work around validation framework mandated by company
  • 18. Ocular Workflow • Enable development and security teams to create #AppSec requirements via scripts using Ocular • Enforce execution of Ocular scripts in CI/CD to conduct checks for every release • Create your own scripts or use ShiftLeft’s packages • SCA (Software Composition Analysis) • Business Logic flaws • Sensitive Data leaks • Insider attack patterns
  • 19. Try Ocular on Your Code 14 Day Ocular Free Trial • Download here: https://go.shiftleft.io/ocular-free-trial • Java only • Trial version does not include security profile queries, policies or frameworks Ocular Proof of Concept • Email sales@shiftleft.io • Java or C/C++ • Full featured product version • Support & training • Custom timeframe