In short, the conference once again stood out for its rich program. It included six tracks of talks, one of them CTF.Zone, where traditionally complex tasks from top authors were solved. The program also featured five workshops, a tattoo zone for those who came to get fresh ink or try their hand as a tattoo artist, and, of course, activities, including Game.Zone, as well as quests and contests at the partners’ stands.
Overall, everything was great, as always. Now we want to tell you how the preparation and running of the AppSec.Zone application security section went, which talks were presented this year and how hard it was to get in with a talk. After all, our team took part in organizing it, and we have some insider information 🙂
What is AppSec.Zone and how the experts selected talks
AppSec.Zone is a section for those who live for hunting unusual vulnerabilities, building a secure architecture for applications, introducing security tools into development pipelines, setting up information security processes, experimenting with interesting approaches to testing and warning colleagues about where the pitfalls lie. In other words, AppSec.Zone is a professional community where specialists exchange experience and simply talk to each other.
In AppSec.Zone, as in the other sections, talks were presented in the short talk (15 minutes) and talk (45 minutes) formats. The submissions were reviewed by the CFP committee, which included key experts in the information security field, among them Yuri Shabalin, lead architect at Swordfish Security Group and CEO of Stingray Technologies.
Speakers were recruited through the media, social networks, OFFZONE’s information channels and the section’s partners. Members of the CFP committee also approached speakers they knew directly with an invitation to present at AppSec.Zone. All submitted applications took part in the selection, as did relevant talks that had not made it onto the main tracks of the conference and had not originally been submitted to AppSec.Zone.
Despite the narrow focus of the section, AppSec.Zone accounted for about a quarter of the total number of applications. Submissions came both from experienced speakers and from newcomers about to face the enthusiastic OFFZONE audience for the first time. As for the speakers’ specializations, these were the usual security engineers and heads of information security departments, pentesters and security analysts from technology holdings, Internet services, banks, fintech players, IT companies and other organizations.
The topics outlined in the applications reflected industry trends. This year there were many talks about Bug Bounty, the security of Open Source components, attacks on machine learning systems and language models, and the use of these tools in information security tasks. Also, by tradition, many speakers from large companies that build Application Security processes applied to AppSec.Zone to share their know-how with colleagues and talk about how they overcame difficulties.
The talks were selected by voting. The experts gave scores, and the materials with the most votes made it into the program. The committee paid attention first of all to the relevance and novelty of the topics.
If you’re considering applying to AppSec.Zone next year, here’s a tip from the CFP committee. To choose a topic, sit down and think carefully about what made things easier for you when building secure development processes or finding vulnerabilities, and which tools helped you optimize your work and save time. The methods should be new or little known and, most importantly, useful. Once you have decided on the topic, describe it as accurately as possible but briefly, and formulate the key theses succinctly. The abstract should reflect the main details and be understandable, so that the experts catch your idea.
AppSec.Zone speakers: who they are and what they came up with
We talked to the AppSec.Zone speakers and found out what experience they have in information security, how they prepared for their talks, what they wanted to convey to the audience and what impressions they took away.
Andrey Borisov, head of the information security department of Zen, VK
Andrey opened the section with the talk “AppSec on OSS – you have to fail (based on Zen’s real experience)”. The expert told how the platform team implemented open source software, what difficulties they encountered, how and with what tools they analyzed the security of such components, and how they organized work with Open Source in general.
“I came to information security from development about two years ago. I started my security career at MTS, where I built the AppSec platform with the team. This experience helped me and the guys from Zen solve the problems we faced while building application security processes on the platform.
This is my first public talk; it was an interesting experience, and I think we need to develop in this direction too. With my talk, I wanted to show that if you want to build AppSec on Open Source, you will have to dive deep into how this Open Source works. This may not suit everyone and not always, because it requires significant labor costs and a certain expertise, or time to obtain it. The company must be prepared for this path. It worked for us, and I told how. I also wanted to share our life hacks on SCA scanning and on building AppSec processes in general.
The idea to talk about all this at AppSec.Zone came, one might say, naturally. We thought colleagues would be interested in hearing it. I prepared the talk in a fairly short time. I just had to sit down and write out the thoughts I had long wanted to share.
I was surprised that the audience had so many questions; to be honest, I did not expect that [smiles contentedly]. The questions were good. In general, the level of expertise of the section’s participants is high; the guys share their insights, and we share ours. I planned to listen to the speaker from Luntry [Sergey Kanibor, R&D / Container Security]; this company usually gives in-depth technical talks. In general, it’s cool, this is how the community should develop. I think I will return to AppSec.Zone,” Andrey shared.
Savely Krasovsky, security engineer and developer, X5 Group
The expert gave the talk “Improving the security of GitLab CE”. Savely talked about how to work safely with secrets in CE and how to use pre-receive hooks to raise the level of security.
“For 2.5 years I worked in a bank as a Golang developer. Out of the corner of my eye, I began to notice vulnerabilities in products, went to the security team and asked them to take a closer look at these places. At some point they came to me and said: “Listen, why don’t you join us?” That’s how I ended up in the information security department, in the unit that did pentesting; after 1.5 years I moved to the AppSec division, where I advised developers and showed them how to do things. And for the last six months I have been working at X5 Group as a DevSecOps engineer, building SSDLC.
This was my first public talk. In it, I highlighted two main topics related to secrets. Unfortunately, it is difficult to work with them safely in CE. We specifically studied how Vault is used in our infrastructure and found out that the vast majority of developers do not use it correctly enough. To solve this problem, we wrote our own mini-solution, which I shared in my talk. I also talked about server hooks, which let you prevent unwanted things from appearing in a Git repository. In my opinion, this feature is not even in the premium subscription. GitLab Premium lets you push secrets to a repository and then reports that those secrets are there. That is, after the fact, when an attacker could already have put the repository under monitoring and stolen all the secrets. Server hooks help avoid exactly this: at the push stage, the developer gets an error in the console. This applies not only to secrets, but secrets are the simplest case that the proposed solution can close.
Many of the improvements I talked about in the talk I made myself, because I know Go. All the utilities I presented are written in this language. In general, I am often drawn to code; it is my passion, and security is more of a hobby. I’m thinking about someday returning to development using my background in information security. It seems to me that a good AppSec specialist should know at least one language in order to understand how programmers work and to notice problems. When you know what pitfalls developers face, you immediately imagine where there might be mistakes. For example, misuse of standard libraries is common.
Returning to server hooks: I began exploring them while working at the bank and continued at X5 Group. I shared my ideas with my new manager, and he invited me to give a talk. Since I was deeply immersed in the topic, the preparation did not take me much time. I quickly sketched out the presentation, rehearsed a few times and came to AppSec.Zone. After the talk I was asked so many questions, though I thought there would be tumbleweeds, I’d put down the microphone and that would be it [laughs].
If we talk about OFFZONE in general, I’m here for the first time. What attracts me most is the educational part, the talks by colleagues, in particular on AppSec, for obvious reasons. And since I worked as a pentester, I’m interested in the CTF.Zone talks about how the guys broke something and found vulnerabilities in real systems,” Savely said.
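The server-hook approach Savely describes, as an added example in POSIX shell that is not his or X5 Group’s code: a pre-receive hook that diffs each pushed ref, inspects only the added lines, and rejects the push when one matches a credential pattern, so the error shows up in the developer’s console at push time rather than after the secret has landed. The patterns, the sample diffs and the hook name are assumptions.

```shell
#!/bin/sh
# Illustrative GitLab server-side pre-receive hook (added example, not the
# X5 Group tooling from the talk). Git feeds "<old-sha> <new-sha> <refname>"
# lines on stdin; the hook diffs each updated ref and rejects the push when an
# *added* line looks like a credential, so the developer is stopped at push time.
# Constructed patterns: an AWS-style access key id, a PEM private-key header,
# and a quoted literal assigned to a credential-looking name.
SECRET_PATTERNS="AKIA[0-9A-Z]{16}|-----BEGIN [A-Z ]*PRIVATE KEY-----|(password|passwd|secret|api_key|token)[[:space:]]*[=:][[:space:]]*['\"][A-Za-z0-9_/+=-]{8,}['\"]"

# scan_added_lines: read unified-diff text on stdin, report offending '+' lines
# on stderr. Returns 0 when clean, 1 when an added line matches. Removed ('-')
# and context lines are ignored on purpose: deleting a leaked secret is fine.
scan_added_lines() {
    found=0
    while IFS= read -r line; do
        case "$line" in
            +++*) continue ;;  # diff file header, not content
            +*)   ;;           # an added line: inspect it
            *)    continue ;;  # context or removed line
        esac
        if printf '%s\n' "$line" | grep -Eiq "$SECRET_PATTERNS"; then
            printf 'possible secret in added line: %s\n' "$line" >&2
            found=1
        fi
    done
    return "$found"
}

ZERO=0000000000000000000000000000000000000000
# Hook entry point: one "<old> <new> <ref>" update per stdin line.
main() {
    status=0
    while read -r oldrev newrev refname; do
        [ "$newrev" = "$ZERO" ] && continue              # ref deletion: nothing to scan
        if [ "$oldrev" = "$ZERO" ]; then
            base=$(git hash-object -t tree /dev/null)     # new ref: diff against the empty tree
        else
            base=$oldrev
        fi
        if ! git diff --no-color "$base" "$newrev" | scan_added_lines; then
            printf 'push to %s rejected: remove the credential and push again\n' "$refname" >&2
            status=1
        fi
    done
    return "$status"
}

# Constructed diffs that exercise the scanner offline, without a git repository.
CLEAN_DIFF='+++ b/config.go
+password := os.Getenv("DB_PASSWORD")
 context line'
LEAKY_DIFF='+++ b/config.yaml
-db_password: "oldvalue12345"
+db_password: "hunter2hunter2"
+aws_key = AKIAEXAMPLEKEY000000'
# self_test: 0 when the clean diff passes and the leaky diff is rejected.
self_test() {
    printf '%s\n' "$CLEAN_DIFF" | scan_added_lines || return 1
    printf '%s\n' "$LEAKY_DIFF" | scan_added_lines 2>/dev/null && return 1
    return 0
}

# Only act as a hook when installed under that name; otherwise just define functions.
case "$0" in
    *pre-receive) main ;;
esac
```

Installed as the repository’s pre-receive server hook it runs on every push; executed under any other name it only defines the functions, so the constructed diffs can be tried without a repository.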
Ramazan Ramazanov (r0hack), bug hunter, head of external pentests at DeteAct
Ramazan presented the talk “Bug hunting: cases, tools and recommendations”. The speaker spoke about the reasons for failures in bug hunting and ways to find vulnerabilities, shared useful case studies and talked about the state of the Russian industry today. At the end, Ramazan held a small quiz for the participants; the winner received a hoodie from Gosuslugi (the State Services portal; in the spring, the first Bug Bounty program on the portal ended, and white-hat hackers found 34 vulnerabilities).
“I have been in information security since the summer of 2018. At that time I was a developer; after participating in CTF I passed an interview and got a job at DeteAct, where I work to this day. Now we already have a fairly large team of techies. I started actively bug hunting around the end of 2019, and since then I have been doing it consistently 2-3 times a year. I am also actively developing this area, especially now that it has become, let’s say, important for the whole country: I promote it in my Telegram channel Bounty On Coffee and at other venues, and I myself show young people how bug hunting should be done.
I have spoken more than 10 times at different conferences. This year, for AppSec.Zone, I specially prepared a light talk without complex technical details, so that it would be understandable to beginners who still find the topic hard to grasp. Guys often write to me in private messages and say in chats that they don’t understand where to start their journey in bug hunting, how it all works and why it doesn’t work. So I decided to tell the young people what and how to break today, and to share little secrets and guides with them. In general, I can advise beginners this: gain knowledge and experience, do what you like, and then you will definitely succeed.
Bug hunting is now actively developing. In my talk, I gave statistics on the Standoff 365 and BI.ZONE Bug Bounty platforms: approximately 50 million rubles were paid to bug hunters in 2023 alone. Last year few people were doing this; the programs were only gaining momentum then. Given the current growth, the future of bug hunting looks bright. On August 24 at OFFZONE there was a press conference [BI.ZONE Bug Bounty: results of the year], where Dmitry Gadar, Vice President and Director of the Information Security Department of Tinkoff, spoke on behalf of a client company, and Evgeny Voloshin, BI.ZONE Strategy Director, and Andrey Levkin, Head of BI.ZONE Bug Bounty Product, spoke on behalf of the platform developer. The experts expect the bug bounty market to grow up to 5 times in the coming year in terms of the number of companies. Such a forecast seems quite optimistic to me, but the trends are such that growth over the year will in any case be at least 2-3 times. This will also affect the number of public programs on the BI.ZONE Bug Bounty platform.
I prepared my talk right up to the last moment: at first I formed a skeleton, and then supplemented it over several days. I always take preparation seriously. In my opinion, our information security conferences have a small, let’s say, flaw: the organizers do not seriously check anything, so the speakers write their talks at the last moment. For comparison, take conferences for developers, where the material must be ready two months in advance. Speakers are assigned a mentor, called to the stage and asked to run through the talk in front of the experts. All this helps make the final result clearer and more accurate.
For the quiz, I partly used ready-made tasks with pieces of code that I gave at the HighLoad++ conference for developers (the participants there actually did better), partly came up with new questions related to the topic of the talk, and added tasks with logical bugs,” Ramazan commented.
Nikolay Khechumov, Staff Security Engineer, Avito
The speaker gave the talk “Search and management of findings at Avito: an extensible shift-left that cannot be built with DefectDojo”. Nikolay shared the results achieved over several years of building a flexible orchestration system for finding vulnerabilities and managing findings.
“After graduation, I worked as a full-stack developer for a year, learned how it all works in the enterprise, then switched to security. For the past seven years I have been continuously involved in AppSec, and here my development experience often comes in handy. We have application security problems for which there are no ready-made solutions, so we have to do development for information security ourselves.
I try to speak at conferences more often, and we also hold internal security meetups at Avito. But OFFZONE, to be honest, is the one I like most. I spoke here in 2022 and now I’m back again. In my opinion, compared to the last conference, this year there are more juicy talks, the AppSec.Zone audience has grown, and so has the popularity of OFFZONE. It also seems that the audience has become more serious; it is no longer so easy to get it going with a joke [laughs].
In my talk, I shared the principle of tracking and managing scanner findings throughout the entire development life cycle. This is exactly the story that probably does not exist in any product right now. Companies have separate tools that scan, verify findings, and so on, but there is no system that would glue all these processes together and could tell the history of each finding. Such a thing lets you unload the AppSec team from routine and collect metrics that show which direction security is moving in and where improvements are needed. Actually, for this we developed our system; it primarily expands knowledge about the processes and increases the efficiency of goal setting in the framework of ensuring security.
Our basic idea is to release the system as Open Source. We compared it with DefectDojo and came to the conclusion that it is well done and even better. True, for now our development is “Avito-specific”; first we need to untie it from us, add integrations and make it more general. We are still thinking about this and about how to “open” it. Probably we will open it in parts.
Judging by what I have seen in the world over the past year, foreign companies are moving in this direction: full-fledged finding management systems are appearing on the market. Russian organizations are probably going in this direction too, because there is definitely a problem, it is long overdue, and AppSec specialists are suffering. I think that in the near future there will be more and more such products on the market and, probably, within five years the problem will be solved.
My talk matured for quite some time. At the last OFFZONE, I showed a whole slide on this topic and said it would be better to talk about it in a separate talk. That is, back then I already knew approximately what I would come with today [August 25]. By now, all this has crystallized into a single structure that shows our principle of organizing processes, which allows scaling with almost no restrictions. After the talk, I realized that the topic hit the very core and aroused great interest among the audience. I was asked a lot of good questions, although there were a lot of them last year too,” Nikolay shared.
Swordfish Security speakers also spoke in the AppSec.Zone section. In particular, Yuri Shabalin presented the talk “5 life hacks for Mobile DevSecOps”. The expert talked about how mobile application development works and what nuances and features should be taken into account when implementing and using security tools in order to increase the efficiency of scanning.
“Everyone is used to standard web applications and everything related to them: frontend, backend, middleware, CI/CD, etc. But when it comes to mobile applications, there are various nuances. People either do not know about these features or do not know how to use them for good. In addition, information security practices apply to mobile applications in different ways due to the specific architecture of such products.
Since the guys from Stingray Technologies and I are developing a system for dynamic security analysis of mobile applications, we have to interact closely with mobile developers and immerse ourselves deeply in their processes. Quite often, specialists from information security departments ask us questions about the features of mobile products. So I decided to prepare an overview talk about the most popular points, so that more people understand how it all works and are not afraid of mobile but, on the contrary, use its features to make their work more convenient.
This year I spoke at OFFZONE for the third time. It is my favorite conference among Russian events. The organizers make an effort, the talks are of a high level and, most importantly, the atmosphere is cool. A big plus is that there are very few sales pitches and business parts at the conference. And at AppSec.Zone you can meet different people, from enterprise companies to small startups. Researchers and bug hunters come here too. This is great: you can see from all sides how security processes are arranged in different companies and learn from colleagues’ experience. But the main thing is still the community that has formed here.
Speaking of the community: the team and I presented the booth of the Mobile AppSec World mobile security channel at the conference for the second time. It’s great that the OFFZONE organizers give different communities the opportunity to express themselves; respect to them,” Yuri commented.
Application security activities
This year, OFFZONE again had plenty of activities for every taste. Some of them echoed the theme of AppSec.Zone. Let’s talk briefly about the most interesting and memorable ones.
In the CUB_3 installation zone, it was possible not only to get acquainted with the main artifact of OFFZONE 2023 but also to solve tasks. For the most hardcore hacking task, 2000 offcoins were awarded. By the way, the organizers approached the idea of the cube scrupulously. They even prepared a report on the results of “laboratory observations” of this riddle. It tells how the cube got to OFFZONE and what abilities it has.
Participants also tried their hand at the famous (at OFFZONE) activity HACK IN 15 MIN. Guests received a task to hack a system and only 10 minutes to solve it. Those who did not make it in time were given another 5 minutes, but for every additional 60 seconds a penalty was issued: a hot shot.
CTF competitions in the Jeopardy format with different categories of tasks were held at the Sovcombank Technologies booth. Our guys at the Swordfish Security booth also hosted a classic Jeopardy Web CTF for developers and aspiring security professionals.
Guests also had the opportunity to hack the Positive Technologies stand and put their nickname on it, as well as play the Midori White Hat Mission from Kaspersky Lab and analyze the resilience of a smart city infrastructure. At the Start X booth, attendees tested their secure development skills with a 20-case quiz on how developers’ mistakes led to known applications being hacked. And at the Jet Infosystems stand, guests could exploit the vulnerabilities of a galactic infrastructure and capture the network.
Instead of a conclusion
This year, the organizers’ desire to adapt AppSec.Zone to industry trends and turn it into a hub for exchanging practical information that helps counter modern threats is even more clearly visible. The section’s program included many talks devoted to specific questions and cases that provide concrete algorithms for solving pressing problems. This suggests that the industry has left the state of shock behind and is now actively fighting to get back onto solid rails.
Overall, in our opinion, the section was a success.
See you at OFFZONE 2024!