Security for Non-Security Experts

— Tell us a little about yourself. Why did you choose what you do?

— In the 4th year of MEPhI, the teacher told us how he was looking for bugs and hidden cameras. It was so cool that it hooked me. I learned about pentesting, started diving into the field and I really liked it. It was such a thrill: to look for vulnerabilities in applications, to try different exploitation methods until you manage to make a "breakthrough", steal personal data or perform another critical business action.

The most important thing is that it was not easy — I had to deal with countermeasures or technological features that did not allow exploiting the vulnerability just like that. I generally love solving complex and diverse tasks, so everything came together.

— And what tasks, of those that you had to solve, were the most interesting?

— The most interesting cases in my practice are related to the loss of money and the compromise of remote servers. When I was still working at Singleton Security, we were checking a client with seriously built business processes for information security and a huge amount of functionality. We tried to exploit XSS, cross-site scripting — a cross-site scripting vulnerability. This vulnerability allows stealing personal data of users of the main application by placing a malicious payload in advertising banners and bypassing the implemented CSP (Content Security Policy). And when we exploited this vulnerability, and I received a response with user data — the payload worked and the server responded. It was an incredible feeling.

— And are there usually many such holes in the protection?

— In fact, there are quite a few such cases in my practice when client-side vulnerabilities lead to critical business consequences. Often, neither developers nor managers think about the fact that client-side vulnerabilities are also about high risks.

While I was working as a pentester, I managed to perform actions on behalf of other users, take over other people's accounts (including administrators), steal money and personal data. And it's good that the Customer learned about these vulnerabilities during pentests, and not after a real attack. Of course, the consequences for each business can be different, but it is better to identify them in advance than to deal with financial or reputational damage later.

Insufficient knowledge or lack of information about client-side attacks among developers convinced me that it is worth raising this topic.

— So you decided to apply for this conference?

— I wanted to show those who do not work with security how an attacker thinks and what vulnerabilities they look for, what to pay attention to at all stages of development, and how to prevent attacks. My former supervisor told me about FrontendConf and suggested I give it a try. I applied, and during the first call with the program committee, we quickly realized that we were concerned about the same thing — users. I just focus on security, while developers focus on UI and UX. But I wanted to draw developers' attention to security issues. However, since I'm not a frontender, I didn't fully understand how to do it. I needed someone in the field who could look at my explanations of attacks from the outside and summarize whether they were understandable for non-security people.

My conference curator helped me a lot with this. We did several run-throughs and constantly made some adjustments. I really liked the organization of the preparation and the interaction between the program committee and the speakers. Everything is clearly structured, understandable, and transparent. It was very cool that there were workshops: on preparation, creating a good presentation, and the actual performance. I never regretted my decision to speak at this conference.

— Has the preparation for the presentation already finished?

— Of course not. It is quite intensive and will continue right up to the conference itself. I have gathered a lot of material, prepared stands to look for vulnerabilities in applications together with the audience. I want my presentation to be memorable, especially its main idea that security is important.

When preparing, I put myself in the listener's shoes. When you are a listener, you are very picky about the presentations and get upset if the speaker did not explain something clearly enough. Therefore, I decided that my presentation should be understandable even to the most picky listener. So that there is no such thing that a person came to my presentation and left with the thought of wasted time.

This definitely puts pressure and increases responsibility, but I meticulously prepared and tried to put as much interesting and useful material into the presentation as possible.

There will be many other presentations dedicated to frontend development, which also went through a rigorous selection process to become part of the intensive program, but if you look at the big picture, all the presentations complement each other. Because I believe that security cannot be separated from development. They must go hand in hand.

— Yes, now many issues are easier to solve together. Does the community help solve such problems?

We have lost support for many tools, we have to look for analogues or develop our own tools. This is especially significant for security. After all, most attacks are carried out using exploits for zero-day vulnerabilities. When there is a vulnerability in an update, a race against time begins between organizations and attackers. And the company wins only when it patches the vulnerability, that is, installs the security update from the vendor, before the attackers exploit it and cause serious damage. And when there are problems with installing the update, the company is at great risk.

In this regard, of course, the most reliable solution is to develop your own software. Yes, it is often difficult, long, and expensive, but many organizations are gradually starting to do this, based on some open-source product. Moreover, it seems that now not only the company itself but also the entire community is beginning to invest in the development of such products. After the change in the global situation, it seems as if there is some incredible unity within IT. This is especially noticeable at meetups and conferences. When you come to such an event, you meet a bunch of interesting, talented guys, you start talking and sharing experiences that are useful to each of you. I am very glad that this is happening because such unity actually strengthens and develops the field as a whole.

— Do problems with support and other issues negatively affect the development of the industry?

As always, there are both positive and negative sides. There are problems, but with the increase in the number of attacks on Russian companies, attention to security issues is also increasing. Security is increasingly being considered not as an additional expense item, but as one of the priority areas of development. Companies have begun to increase investment in education and retraining of employees. In my opinion, this is very important.

There are not as many truly professional events as we would like. There is a lack of networking, communication, and useful experience. Knowledge needs to be shared, which is why I decided to participate in FrontendConf. They already have a community, channels, chats, and this helps to share. Such an exchange will overcome difficulties and make the direction of frontend development more sustainable in terms of technology and security. Undoubtedly, we still have challenges ahead, but they need to be seen as points of growth, learning, and new opportunities.

— So you are for any activities?

— I really love the field of security, especially pentesting. In my spare time, I regularly participate in competitions as part of the True0xA3 team, sometimes playing in CTF. Also, my colleagues from Singleton Security and I are developing the EASM (External Assets Surface Management) product, which inventories client assets, performs basic vulnerability scanning, and provides a report.

I also love to travel, go to exhibitions, and experience new gastronomic impressions.

Participate in events, develop yourself, and help others develop!