Are custom security tests a product security superpower? ⎜Keshav Malik (LinkedIn)
Welcome to the Elephant in AppSec, the podcast to explore, challenge, and boldly face the AppSec Elephants in the room.
In this article, we'll cover the main takeaways from our conversation with Keshav Malik, a senior Product Security Engineer at LinkedIn. Our goal is to help you understand how to better write your custom security tests. Dive right in!
Keshav's background
Keshav is a Senior Product Security Engineer at LinkedIn. With experience in information security and a passion for automation, Keshav brings a unique blend of expertise to the table.
Keshav is also a dedicated tech enthusiast and deeply passionate about contributing to the community. He actively writes custom security rules for various applications like Semgrep and has built several projects like QuickXSS, a bash script automating XSS workflows. Not stopping there, Keshav loves to share his knowledge by organizing workshops, empowering others to write their own custom security tests.
Watch the full interview below:
Referenced:
The importance of custom security testing in business applications
The security of business applications represents one of the biggest challenges in 2024. With the rise in data breaches and vulnerabilities, relying solely on automated security testing tools may not be sufficient. With Keshav we explored the challenges of using automated tools and the need for custom security testing in identifying and preventing business logic issues and vulnerabilities.
The limitations of automated security testing tools
Automated security testing tools are widely used to scan web applications for non-security issues. However, when it comes to detecting security issues specific to a business, these tools often fall short. Issues related to custom business logic or vulnerabilities unique to an organization cannot be easily detected by automated scanners. This is where custom security testing tools come into play.
The role of custom security testing
Custom security testing involves writing specific tests tailored to an organization's infrastructure and business requirements. While the choice of tooling language may vary, the goal remains the same - to identify and prevent security vulnerabilities at scale. Custom tests are essential for detecting critical severity issues and addressing business-specific security concerns.
Identifying the need for custom security tests
Determining whether custom security tests are necessary involves multiple steps. Initially, organizations may try using automated testing tools to see if they can identify the required issues. However, for large-scale companies like LinkedIn or Microsoft, relying solely on automated tools may not be effective. Custom security testing tools, with their ability to create and enforce custom rules, become indispensable in such scenarios.
Examples of business-specific security issues
To better understand the need for custom security tests, let's consider an example. Imagine a shopping website that utilizes coupon codes. Issues related to the generation, storage, and usage of these coupons are highly specific to the business. Automated scanners may not be able to detect vulnerabilities in this area. By writing custom tests that focus on the infrastructure and coupon code management, organizations can uncover security issues that automated tools miss.
Maintaining custom security tests
While custom security tests are crucial for identifying vulnerabilities, maintaining them can be challenging. Dynamic testing, in particular, requires continuous updates as the codebase evolves. Changes in API responses or schema can cause tests to fail. Therefore, regular collaboration with developers and staying updated on code changes are essential for effective custom security testing.
The role of developers in custom security testing
"Regular collaboration with developers and staying updated on code changes are essential for effective custom security testing."
Developers play a vital role in custom security testing. Their knowledge of the codebase and data flow is invaluable in writing accurate and effective tests. Collaboration between security engineers and developers is crucial for understanding how fixes work and ensuring the accuracy of custom tests.
Integrating custom tests with code
Integrating custom tests with the codebase can streamline the testing process. By automating the execution of custom tests alongside code changes, organizations can ensure that security vulnerabilities are detected and addressed promptly. While technologies like GenAI show promise in assisting with test case refinement, writing complete test cases from start to end still requires human expertise and understanding of the infrastructure.
Leveraging community resources
While open-source rules and community-contributed tests can be helpful in understanding how rules work, they may not directly apply to an organization's infrastructure. Custom tests often require closed sets of rules tailored to specific business needs. However, the community plays a crucial role in maintaining and sharing knowledge about test cases, providing valuable insights for security engineers.
Bug bounty programs and internal testing
Organizations receive security reports from bug bounty programs and internal penetration testing.
"Bug bounty programs and internal penetration testing serve as a starting point for identifying vulnerabilities and determining the need for custom tests."
These reports serve as a starting point for identifying vulnerabilities and determining the need for custom tests. Discussions and collaboration between security engineers and developers help decide which issues require custom tests and who will be responsible for writing them.
The learning journey in security testing
Becoming proficient in security testing requires continuous learning and self-study. While formal education and training provide a foundation, individuals must take the initiative to stay updated with the latest cybersecurity practices. Resources such as books, YouTube videos, and blog posts can be valuable tools for expanding knowledge in this field.
Action items for Product Security engineers
- Prioritize the development and implementation of custom tests to detect and prevent business-specific security issues.
- Focus on identifying critical severity issues and develop custom tests specifically tailored to address these vulnerabilities.
- Collaborate closely with developers to gain insights into the codebase and data flow, enabling the writing of accurate and effective custom tests.
- Establish a process for ongoing collaboration with developers to ensure that custom tests are updated and maintained as the codebase evolves.
- Explore ways to automate the execution of custom tests alongside code changes, improving the efficiency and effectiveness of the testing process.
- Actively engage with the security community to learn from and contribute to the collective knowledge of test cases, enhancing expertise in custom security testing.
- Leverage bug bounty programs and internal penetration testing to gather insights and prioritize the development of custom tests for identified vulnerabilities.
- Prioritize continuous learning and professional development to stay updated with the latest cybersecurity practices and technologies, enhancing skills in custom security testing.
Conclusion
Custom security testing plays a vital role in identifying and preventing business logic issues and vulnerabilities in web applications. While automated security testing tools have their place, they often fall short in detecting security issues specific to an organization's infrastructure. By leveraging custom tests and collaborating with developers, organizations can enhance their security posture and protect their valuable data.