This year, Edwin Tunggawan and Oliver Valentino from Bukalapak’s security team attended Black Hat Asia 2017 at Marina Bay Sands, Singapore. This is Edwin Tunggawan writing. We also apologize for the late post, since there has been a lot to do here.
We departed for Singapore on March 29 and arrived at around 1 PM (GMT+8). As soon as we arrived, we went to the hotel, took a quick stroll around, and went to Marina Bay Sands, where the event was held, for registration.
Black Hat Asia 2017’s briefings were held on March 30 and March 31, and each day started with a keynote speaker. We had Thomas Dullien a.k.a. Halvar Flake as the keynote speaker for the first day, and Saumil Shah for the second.
We split up and attended many briefings, but the most interesting part, for me, was the two keynotes.
Halvar Flake is a security expert who pioneered early Windows heap exploitation and various reverse engineering techniques. He’s currently working for Google and has contributed to several Google Project Zero publications. Halvar gave the keynote on the first day of Black Hat Asia 2017.
Halvar talked about why we’re not building a defendable Internet, which comes down to how security teams mostly have zero involvement in the design and implementation of software systems. According to Halvar, the approaches used by many organizations are flawed in the way they reward contributors.
Companies and organizations tend to reward those who build things, such as new frameworks, new libraries, and so on. But most of the time, they overlook those who remove unnecessary things from their systems, such as dead code and abandoned features or services. This leads to a lot of people wanting to build stuff in order to be rewarded, but very few actually thinking about the risk carried by the stuff they’re building and whether it’s actually necessary for the system. That stuff might end up as yet another unnecessary complexity in the system later.
Every line of code, and every piece of software, running on our machines should be considered a risk to the organization. Lines of code add complexity to the system, and as the system becomes more complex it’s easier to miss an unexpected behavior that could endanger the organization. To actually write secure software, developers need to take a risk management approach when writing code.
Interestingly, according to Halvar, 90% of vulnerabilities exist in code that provides less than 10% of the benefit. I have to agree, as most of the vulnerabilities we found in Bukalapak’s system also existed in services or parts that don’t have the most impact on Bukalapak’s overall system. They’re usually found in parts that aren’t very well maintained. Since most of the parts with greater impact on the system are better maintained, they are also more thoroughly reviewed during development and maintenance.
One example of a critical vulnerability that was lurking in Bukalapak’s system and came from the “10% benefit” stuff mentioned by Halvar is the ImageTragick found by Herdian Nugraha. The feature that was vulnerable to ImageTragick was the user avatar image upload, which still used ImageMagick to process the uploaded image. This contrasts with the product image upload feature, which uses an in-house built system to process the image for better production performance.
Technically, even if the user avatar functions were disabled in Bukalapak, it wouldn’t cause much disruption to the system or to the overall transaction flow between Bukalapak’s users. Yet that is where the most critical vulnerability ever found in Bukalapak’s system lay.
Halvar seems to love the idea of removing those parts to reduce risk and maintenance cost. I’d definitely love the thought of it, as I also frequently look for dead code and other unnecessary complexity to remove when auditing Bukalapak’s source code. But for Bukalapak’s growth, and for Bukalapak to have great UX, sometimes that “10% benefit” stuff needs to be kept intact. Removing the user avatar feature to remove an unnecessary complexity might end up with a barrage of complaints from Bukalapak’s users.
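When a low-impact feature like the avatar upload has to stay, the usual compensating control is to stop trusting the file extension: ImageMagick picks its coder from the file content, so the published ImageTragick mitigation advice paired a restrictive policy.xml with a magic-byte check on every upload before it reaches the image processor. The following is an added example of such a check, written for this post; it is not Bukalapak’s code, and `validate_avatar_upload`, `sniff_image_type` and the sample byte strings are hypothetical names and constructed inputs.

```python
# Magic-byte allow-list for uploaded avatar images (example code, not Bukalapak's).
# Only a few raster formats are accepted, the content's leading bytes must agree
# with the declared extension, and the size is bounded before ImageMagick sees it.

MAGIC = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}

# Maps a permitted file extension to the format its content must have.
ALLOWED_EXTENSIONS = {"png": "png", "jpg": "jpeg", "jpeg": "jpeg", "gif": "gif"}


def sniff_image_type(data: bytes):
    """Return 'png', 'jpeg' or 'gif' from the leading bytes, or None if unknown."""
    for fmt, signatures in MAGIC.items():
        if any(data.startswith(sig) for sig in signatures):
            return fmt
    return None


def validate_avatar_upload(filename: str, data: bytes, max_bytes: int = 2 * 1024 * 1024):
    """Return (ok, reason). ok is True only when the extension is allow-listed,
    the content's magic bytes match that extension, and the size is within bounds."""
    if len(data) > max_bytes:
        return False, "file too large"
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    expected = ALLOWED_EXTENSIONS.get(ext)
    if expected is None:
        return False, f"extension '{ext}' not allowed"
    actual = sniff_image_type(data)
    if actual is None:
        return False, "content is not a recognised raster image"
    if actual != expected:
        return False, f"extension says {expected} but content is {actual}"
    return True, "ok"


# Constructed samples (not real uploads): a minimal PNG header, a JPEG header,
# and a plain text file renamed to .png, which the check must reject.
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
SAMPLE_JPEG = b"\xff\xd8\xff\xe0" + b"\x00" * 16
SAMPLE_TEXT_AS_PNG = b"this is not an image\n"

if __name__ == "__main__":
    for name, blob in [("avatar.png", SAMPLE_PNG), ("avatar.jpg", SAMPLE_JPEG),
                       ("avatar.png", SAMPLE_TEXT_AS_PNG), ("avatar.svg", SAMPLE_PNG)]:
        print(name, validate_avatar_upload(name, blob))
```

The check complements, rather than replaces, an ImageMagick policy.xml that disables the coders the avatar feature never needs.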
Saumil Shah is a veteran Black Hat instructor, going back to 2000. He’s currently the CEO of Net-Square, a security company he founded. Saumil gave the keynote on the second day of Black Hat Asia 2017.
Saumil shared his views on seven axioms of security. But personally, what I found most interesting were his views on the current state of security professionals working for an organization. He didn’t seem to be into the idea that the security team should take care of compliance problems.
According to Saumil, an organization’s security team should be separated from the compliance team. Compliance should be regarded as a fixed business cost, while the security team should focus on defending the company’s assets from malicious parties. The compliance team should deal with the auditors, while the security team should deal with the attackers.
Being compliant means passing a standard set for the organization to run its business. It means following a set of defined rules, and if the organization is compliant with a security standard it simply means that the organization fulfills a list of check boxes and passes audits. But simply ticking check boxes and passing audits doesn’t equal security. We never know what might be missed by our team, the auditors, or even the standard setters.
While I have nothing to say regarding other organizations’ security teams, I agree that security and compliance shouldn’t be mixed up. I personally think that compliance can lead us to a false sense of security, and that being compliant isn’t the same as being secure.
Bukalapak’s security team and compliance team are relatively young, with the security team founded in August 2016 and the compliance team founded in September 2016. The security team deals with technical matters: checking out and testing systems running on Bukalapak’s servers, assisting the development team with security requirements and implementations, and incident handling. The compliance team deals with company policy, making sure proper standards are enforced in the business processes, and auditing employee activities to ensure no internal fraud happens.
There were some other interesting talks in Black Hat Asia 2017’s briefings. My personal favorite is Seunghun Han and Junghwan Kang’s presentation about Shadow-Box, a hypervisor-based kernel protector they built to protect Linux systems from rootkits. Another one that I found really cool is Michael Schwarz and Manuel Weber’s presentation, demonstrating how they tapped data communication between two virtual machines on the same physical host.
Will Bukalapak send the security team to next year’s Black Hat Asia again? Let’s hope so, since there is a lot to learn there. I especially love the technical presentations on the low-level parts of systems we usually take for granted.