Application Security: Bug Hunting Essentials
When it comes to personal data storage and everyday financial operations, the almost total shift from the physical to the online world has initiated a huge amount of attacks by cybercriminals attempting to steal money or precious information. First and foremost, they target “what’s in your hand” – data from the web and the mobile apps you use. Like just about everyone else on the planet, you reveal loads about yourself to these applications, such as credit card passwords, personal information, corporate emails and much more. Traditional apps are now moving to the cloud, meaning you can use them for a variety of tasks in your browser. If you don’t, you simply won’t be able to lead a normal life or do business – almost all our daily processes now involve online actions. The losses caused by cyberattacks on applications are very serious, both financially and reputationally, and they occur with alarming frequency. According to the University of Maryland, hackers attack every 39 seconds – 2,244 times a day on average.
Scary, huh? Keep calm and read on! We know how to help you protect yourself.
A recent threat worth mentioning here is that of attacks on GDPR data (General Data Protection Regulation, introduced in the EU in 2018) involving theft of personal information or business-sensitive data from individuals and companies. In the GDPR’s first year alone, 89,000 data breaches were recorded. They occur in most cases because bugs in applications are first found and then used by cybercriminals. Of course, it’s impossible to have a completely secure app architecture; the world of IT technologies is constantly evolving, and IT threats keep pace too. Hence, many companies already understand the importance of timely alerts about dangerous bugs in their apps and invest in application bug hunting.
What Is Application Bug Hunting?
This is when product engineers act like a bug hunter, but don’t use the information they acquire in a bad way. Having found a weakness in an application, they inform the owners of the vulnerable components and their developers about the vulnerability so it can be promptly fixed. Also, they develop a mitigation strategy for developing and implementing the fix. This can protect against both financial and reputational losses.
Application bug hunting is based on the following steps:
Analysis of recent attacks and their tactics;
Identifying the data that’s of most interest to cybercriminals;
Creating possible attack scenarios;
Searching for bugs and vulnerabilities that hackers will look for;
Mitigation strategy and tactics for product developers.
Can I be sure my business is secure after I find all the bugs in an application?
As long as you’re living a digital life, you can be targeted by bug hunters and application security engineers. You can be sure your business operations are safer if your product team is aware of current threats and they know the main tactics, techniques and tools of bug hunting, and they have a solid understanding of the concepts on which these tools work.
How can itrainsec training on application bug hunting help here?
The workshop focuses on core application security principles aimed at product developers, architects, program managers and testers. The workshop aims to equip product engineers with platform- and technology-agnostic remediation strategies against application security vulnerabilities. In addition to the updated concepts of the OWASP Top 10 vulnerabilities, the module introduces real-world case studies, demos and hands-on exercises. The modules are designed to drive home the concept of building applications securely – irrespective of technology and platform.
About the trainer
Denis Makrushin is a security researcher and consultant focusing on vulnerability assessment and product security. Denis formerly worked for Ingram Micro as the Head of Application Security. He built and implemented a product security program for an enterprise-scale platform used by companies from the Fortune 100 list.
More recently, as a Security Researcher with the Global Research and Analysis Team at Kaspersky, he focused on vulnerability research and security assessment of emerging technologies.
Denis has trained and presented at many international conferences, including Defcon, RSA Conference, Security Analyst Summit, and Infosecurity, as well as at multiple closed-door industry events. He holds a master's degree in Information Security from the National Research Nuclear University.