Are custom security tests a product security superpower? ⎜Keshav Malik (LinkedIn)

Welcome to the Elephant in AppSec, the podcast to explore, challenge, and boldly face the AppSec Elephants in the room.

In this article, we'll cover the main takeaways from our conversation with Keshav Malik, a senior Product Security Engineer at LinkedIn. Our goal is to help you understand how to better write your custom security tests. Dive right in!

Keshav's background

Keshav is a Senior Product Security Engineer at LinkedIn. With experience in information security and a passion for automation, Keshav brings a unique blend of expertise to the table.

Keshav is also a dedicated tech enthusiast and deeply passionate about contributing to the community. He actively writes custom security rules for various applications like Semgrep and has built several projects like QuickXSS, a bash script automating XSS workflows. Not stopping there, Keshav loves to share his knowledge by organizing workshops, empowering others to write their own custom security tests.

Watch the full interview below:

💡
Listen now on Spotify and YouTube. The Elephant in AppSec caters to all: Whether you prefer listening or watching, we have something for everyone 😌

Referenced:


The importance of custom security testing in business applications

The security of business applications represents one of the biggest challenges in 2024. With the rise in data breaches and vulnerabilities, relying solely on automated security testing tools may not be sufficient. With Keshav we explored the challenges of using automated tools and the need for custom security testing in identifying and preventing business logic issues and vulnerabilities.

The limitations of automated security testing tools

Automated security testing tools are widely used to scan web applications for non-security issues. However, when it comes to detecting security issues specific to a business, these tools often fall short. Issues related to custom business logic or vulnerabilities unique to an organization cannot be easily detected by automated scanners. This is where custom security testing tools come into play.

The role of custom security testing

Custom security testing involves writing specific tests tailored to an organization's infrastructure and business requirements. While the choice of tooling language may vary, the goal remains the same - to identify and prevent security vulnerabilities at scale. Custom tests are essential for detecting critical severity issues and addressing business-specific security concerns.

Identifying the need for custom security tests

Determining whether custom security tests are necessary involves multiple steps. Initially, organizations may try using automated testing tools to see if they can identify the required issues. However, for large-scale companies like LinkedIn or Microsoft, relying solely on automated tools may not be effective. Custom security testing tools, with their ability to create and enforce custom rules, become indispensable in such scenarios.

Examples of business-specific security issues

To better understand the need for custom security tests, let's consider an example. Imagine a shopping website that utilizes coupon codes. Issues related to the generation, storage, and usage of these coupons are highly specific to the business. Automated scanners may not be able to detect vulnerabilities in this area. By writing custom tests that focus on the infrastructure and coupon code management, organizations can uncover security issues that automated tools miss.

Maintaining custom security tests

While custom security tests are crucial for identifying vulnerabilities, maintaining them can be challenging. Dynamic testing, in particular, requires continuous updates as the codebase evolves. Changes in API responses or schema can cause tests to fail. Therefore, regular collaboration with developers and staying updated on code changes are essential for effective custom security testing.

💡
Escape rules adapt to the evolution of your existing APIs and to your new APIs without the need to maintain them. Including adapting to database fixtures in development environment.

The role of developers in custom security testing

"Regular collaboration with developers and staying updated on code changes are essential for effective custom security testing."

Developers play a vital role in custom security testing. Their knowledge of the codebase and data flow is invaluable in writing accurate and effective tests. Collaboration between security engineers and developers is crucial for understanding how fixes work and ensuring the accuracy of custom tests.

Integrating custom tests with code

Integrating custom tests with the codebase can streamline the testing process. By automating the execution of custom tests alongside code changes, organizations can ensure that security vulnerabilities are detected and addressed promptly. While technologies like GenAI show promise in assisting with test case refinement, writing complete test cases from start to end still requires human expertise and understanding of the infrastructure.

Leveraging community resources

While open-source rules and community-contributed tests can be helpful in understanding how rules work, they may not directly apply to an organization's infrastructure. Custom tests often require closed sets of rules tailored to specific business needs. However, the community plays a crucial role in maintaining and sharing knowledge about test cases, providing valuable insights for security engineers.

Bug bounty programs and internal testing

Organizations receive security reports from bug bounty programs and internal penetration testing.

"Bug bounty programs and internal penetration testing serve as a starting point for identifying vulnerabilities and determining the need for custom tests."

These reports serve as a starting point for identifying vulnerabilities and determining the need for custom tests. Discussions and collaboration between security engineers and developers help decide which issues require custom tests and who will be responsible for writing them.

The learning journey in security testing

Becoming proficient in security testing requires continuous learning and self-study. While formal education and training provide a foundation, individuals must take the initiative to stay updated with the latest cybersecurity practices. Resources such as books, YouTube videos, and blog posts can be valuable tools for expanding knowledge in this field.

Action items for Product Security engineers

  1. Prioritize the development and implementation of custom tests to detect and prevent business-specific security issues.
  2. Focus on identifying critical severity issues and develop custom tests specifically tailored to address these vulnerabilities.
  3. Collaborate closely with developers to gain insights into the codebase and data flow, enabling the writing of accurate and effective custom tests.
  4. Establish a process for ongoing collaboration with developers to ensure that custom tests are updated and maintained as the codebase evolves.
  5. Explore ways to automate the execution of custom tests alongside code changes, improving the efficiency and effectiveness of the testing process.
  6. Actively engage with the security community to learn from and contribute to the collective knowledge of test cases, enhancing expertise in custom security testing.
  7. Leverage bug bounty programs and internal penetration testing to gather insights and prioritize the development of custom tests for identified vulnerabilities.
  8. Prioritize continuous learning and professional development to stay updated with the latest cybersecurity practices and technologies, enhancing skills in custom security testing.

Conclusion

Custom security testing plays a vital role in identifying and preventing business logic issues and vulnerabilities in web applications. While automated security testing tools have their place, they often fall short in detecting security issues specific to an organization's infrastructure. By leveraging custom tests and collaborating with developers, organizations can enhance their security posture and protect their valuable data.

💡 Want to discover other episodes? Check it out below: