The software development industry has widely adopted the mantra of “shifting left” with security, or in other words, moving security activities earlier in the development lifecycle. While developers, architects, and other team members are generally supportive of this idea, they sometimes lack the skills needed to implement it effectively. Training can fill much of the gap and is usually necessary, but organizations find that both live and computer-based training produce a spike in security activity that quickly drops off as participants get pulled back to their old routines by the legitimate demands of the business.

Meristem believes that one powerful tool for shifting the security culture within a development organization is to provide a regular cadence of security activities that stimulate developers’ interest. Naturally, these activities must be small and constructed so that they fit into small gaps in a developer’s day without significantly disrupting their regular schedule.

The Program

The Vulnerability-a-Month program is a series of quick lessons coupled with hands-on activities designed to be completed in 30 minutes or less. The topics center on the OWASP Top 10 application security risks, with current high-visibility vulnerabilities mixed in. For example, one lesson explains the mechanics of Cross-site Scripting (JavaScript injection) and then gives students access to a website where they can execute . Another module covers the Log4Shell vulnerability, and again provides a vulnerable application so that students can see the exploit in action.

Target Audience

For convenience, this document frequently uses the term “developers” when referring to students. While developers are the most common audience, other participants in the software development lifecycle often have the technical skills required to complete the modules and receive the full benefit of the program. No programming skill is required to understand the modules, but a strong familiarity with web technologies will probably be needed. If the participant could look at the text of a raw POST request and understand what is being submitted or look at an HTML response and find an error message among the tags, they likely have enough of a background to benefit from the program.

Changing the Psychology

The activities associated with each module deliberately put students in the role of the attacker rather than the defender. When developing an application, it is very easy to focus on meeting business requirements and never step back to think about what a user could do rather than just what users should do. Putting on the attacker’s hat, even briefly, shifts their mental model from crafting a functional application to considering all of its parts as potential tools to gain access to private data or features. Also, exploiting a vulnerability themselves makes believers out of developers when it comes to discussing the risks associated with security requirements. Even if a developer does not have the skill to exploit every vulnerability, once they know they could exploit some vulnerabilities, it is a shorter leap of faith to believe that someone else has the extra bit of skill required.

Sample Curriculum

The following is a set of topics that might be put together into a year-long program. Meristem can customize these topics for your company’s needs if particular vulnerabilities pose a greater risk to your application based on its functionality or technology stack. In some cases, a particular type of vulnerability has been reported frequently during security scans or assessments, and a customized module can be part of a plan to address this vulnerability across an organization.

  • Cross-site Scripting - Session Tokens
  • Cross-site Scripting - Internal Function Calls
  • JWT Manipulation
  • SQL Injection
  • Hidden API Endpoints
  • Hidden JavaScript Endpoints
  • Bypassing Client-side Input Validation
  • File Downloads - Directory Traversal
  • File Downloads - CSV Injection
  • File Uploads - MIME-type Validation
  • Famous Vulnerability - Shellshock
  • Famous Vulnerability - Log4Shell

Logistics

For each module, Meristem will provide web-based learning materials and host a vulnerable application where each student can perform the exploit in a legally allowed environment, without interfering with other students. Typically, you will provide a list of student email addresses and Meristem will send an email to each student containing links to the learning materials and practice environments. If desired, you may handle the distribution of these links yourself, recognizing that the link for each student may differ slightly depending on the module.

Meristem recommends that the completion of each module be tied to a small reward. Something as trivial as a $10 gift card goes a long way towards encouraging participation and putting students in a positive mindset with respect to the effort required. Meristem can handle the distribution of these rewards, which may avoid the need to treat the reward as a benefit for tax purposes. You are free to manage the distribution of rewards yourself as well. In either case, Meristem will provide a list of students who have completed the activity, along with their time of completion, so that you can monitor participation.