After an action-packed December, our team of engineers had more fun trying to crack Salv’s security systems and understand what can be improved, thanks to a hackathon organised jointly by the engineering team.
The hackathon sprouted from the seeds planted by The Open Web Application Security Project (OWASP), an open-source foundation whose entire efforts are directed towards building a more secure web. OWASP is widely recognised for its comprehensive research of software security risks, as well as frameworks and tools for testing web application security controls.
OWASP Top 10 is an annual report focusing on the most critical web application security risks. Based on data-driven research, it provides data on common vulnerabilities, and potential remediation actions. In 2021, some of the top risks identified by OWASP included broken access control, cryptographic failures, and injection.
The January hackathon consisted of three parts: deep-diving into the OWASP Top 10, applying theoretical skills in a training environment, and finally using the acquired knowledge to test Salv’s systems. During the first two parts, the participants warmed up by analysing and testing vulnerabilities using ZAP (security automation tool) and WebGoat app (an interactive environment for web application security). Later on, they explored black-box testing technique that allows for testing an entire system with no prior knowledge of its internal structures or workings.
In their discovery of best security practises, the guys went down untrodden paths and thought outside the box. And their efforts paid off.
“I was a hacker” was the #1 topic at many family dinners that day.
It has been said that in order to fight crime, one must think like a criminal. During the hackathon, our engineers put on a hacker’s hat and looked for new ways to safeguard our code and infrastructure from attackers. It’s useful to change your mindset and look at the code from different angles. In some cases, it can be eye-opening.
A successful attack consists of several stages: reconnaissance or information gathering, scanning or discovery of entry points, then access and escalation. The third, practical part of the hackathon was based on exactly that: hacking into the Matrix. To tackle the issues at hand, the three teams directed their focus toward collecting open-source intelligence, social engineering, identifying and fingerprinting Salv’s infrastructure, and exploiting critical issues in our website and products.
My team collected public information about fellow employees at Salv: social profiles and personal details, company information, and whatever else could be useful for impersonating people or crafting a successful phishing attack. Equipped with this knowledge, Karl explored different ways of using it against the company, and devised smart scenarios of security attacks which can be later used for security awareness training. Putting a good guy in a bad guy’s shoes may sound a bit like Dr Jekyll and Mr Hyde. But it had to be done.
Tarmo, Rando and Raido got on with mapping the external infrastructure, fingerprinting services, and black-box testing. The guys did a great job by performing technical reconnaissance and creating Salv’s infrastructure map as seen by an outsider. Among other tools, they used Maltego to create maps. Their goal was to understand if there are any unattended systems or resources that may be available to attackers. For example, you may think that an outdated app that fell out of use is no big deal. But it may contain confidential company information that, if only it gets into the wrong hands, can make a real mess.
In the third team, Risto, Jürgen and Priidu put on their reading glasses and searched for critical issues in the product. On any regular day, it’s hard to imagine all the different ways a user (malicious or not) can behave. But when your sole task is to do just that, you may come up with some interesting findings. As the saying goes, he who searches finds. The guys were able to find and quickly resolve a vulnerability that could make it easier for attackers to get access to the platform. But not anymore!
The hackathon provided a lot of inspiration for the whole team. I asked the participants how they feel about it and the answer didn’t surprise me: “It was awesome”. The January hackathon proved to be a great team-building exercise that improved communication and cooperation in and between the teams. As with every hackathon, our developers learned new methods and techniques, and achieved great results in a short period of time.