sdlc · Denis Makrushin

Dev Sec Oops: how agile security increases attack surface

by Denis Makrushin June 9, 2023

If you ask a product security engineer, what is the main entry point for an organization’s adversary to gain access to their crown jewels, he would answer: “a human.” He most likely means those employees with a low level of security awareness. In today’s reality, security engineers are the guards of employees’ security-related code of conduct. But who guards the guards?

Based on real scenarios of supply chain attacks, we’ve performed for various software developing companies, we demonstrated the weakest points of the “Agile Security” paradigm in software development lifecycle and redefine Code of Conduct for product security.

The research is presented at OWASP Israel.

June 9, 2023

Research

Dev Sec Oops: как инструменты безопасности в гибкой разработке увеличивают поверхность атаки

by Denis Makrushin May 26, 2023

В рамках всё более ускоряющегося процесса разработки не обойтись без автоматизации максимального количества контролей безопасности. Но что, если сами сервисы и средства безопасности окажутся уязвимыми и могут быть использованы для атаки?

В этом докладе, опубликованном на OWASP Moscow, мы переосмыслили типичные сценарии целенаправленных атак и рассмотрели security-инженеров и их повседневные инструменты в качестве опорной точки для атакующего. В ходе исследования выявлены недостатки конфигурации и баги в популярных security-инструментах (в том числе в инструментах с открытым исходным кодом), которые могут использоваться злоумышленником для компрометации жизненного цикла разработки программного обеспечения и краже интеллектуальной собственности.

В новом контексте тривиальные уязвимости приобретают новую ценность.

May 26, 2023

Blog

Старт курса “Основы безопасности приложений” в НИЯУ МИФИ

by Denis Makrushin September 2, 2022

September 2, 2022

Research

Security Audit Logging in Microservice-Based Systems: Survey of Architecture Patterns

by Denis Makrushin November 8, 2021

https://www.researchgate.net/publication/350364503_Security_Audit_Logging_in_Microservice-Based_Systems_Survey_of_Architecture_Patterns

Service-oriented architecture increases technical abilities of attacker to move laterally and maintain multiple pivot points inside of compromised environment. Microservice-based infrastructure brings more challenges for security architects related to internal event visibility and monitoring.

The research paper published by Alexander Barabanov in “Cybersecurity Issues” provides helpful resources to application and product security architects, software, and operation engineers on existing architecture patterns to implement trustworthy logging and audit process in microservice-based environments. We performed threat modeling for typical architecture pattern of logging system, defined threat mitigation strategy, and, as a result, provided bunch of high-level security requirements for audit logging system.

November 8, 2021

Research

JavaScript prototype pollution: practice of finding and exploitation

by Denis Makrushin April 27, 2021

https://infosecwriteups.com/javascript-prototype-pollution-practice-of-finding-and-exploitation-f97284333b2

Finally, the English version of “JavaScript prototype pollution: practice of finding and exploitation” article is prepared. Using the techniques Nikita Stupin discovered CVE-2020–28460 in multi-ini parser and a vulnerability in the merge-deep package. With the first one, everything went smoothly, but with the second one, a funny situation came out: after sending the report, the maintainer did not get in touch for a long time, and as a result, GitHub Security Lab found the same vulnerability, managed to reach the maintainer earlier and registered it (GHSL-2020–160). All details related to these vulnerabilities, discovery and exploitation techniques, and recommendations on how to protect your applications are collected in the article.

April 27, 2021