1
00:00:00,000 --> 00:00:05,600
So today we will present something different. Most of the times I present ethical hacking,

2
00:00:05,600 --> 00:00:12,320
red teaming, capture the flag, technical stuff about that. Lately I tried to revise some of my

3
00:00:12,320 --> 00:00:19,280
courses to have the audience on the IT, the common IT people that they don't eventually

4
00:00:19,280 --> 00:00:24,320
want to go to the cyber security, but they want to learn some basic fundamental stuff about

5
00:00:24,320 --> 00:00:30,960
security. In the past cryptography and encryption schemes were the basics. Lately these things

6
00:00:30,960 --> 00:00:38,320
changed, so I think right now for developers it's important to include the security perspective

7
00:00:38,320 --> 00:00:43,760
on their development. Of course we don't want to put them a lot of effort, extra effort, additional

8
00:00:43,760 --> 00:00:50,560
effort to do their job, but it's important because later on it will be very difficult to

9
00:00:51,440 --> 00:00:58,240
cover the vulnerabilities of vulnerabilities and so on. On that perspective which one of you

10
00:00:58,240 --> 00:01:05,920
do already have a github account, an account of github, more than half. Okay, how many of you

11
00:01:05,920 --> 00:01:11,600
have you seen a secret, not secret tab, it's called the, there is a tab, let me show you,

12
00:01:12,560 --> 00:01:22,320
security on github. There are some of you, okay, let me show you just a quick, so it's this tab here,

13
00:01:23,200 --> 00:01:33,760
you see, it's not a hidden, but normally very few click on that, let's say, button on security.

14
00:01:34,560 --> 00:01:40,240
So, we will explain what is that button actually today, that's the meaning, okay.

15
00:01:40,960 --> 00:01:42,480
So, let's go back here.

16
00:01:47,200 --> 00:01:51,760
Okay, so for the healthcare environment, there are a lot of critical devices that we want to

17
00:01:51,760 --> 00:01:57,840
protect, so there are a lot of software running on the background, on the server side,

18
00:01:57,840 --> 00:02:04,320
storing DICOM images, it's like x-rays images, blood test results on the laboratory information

19
00:02:04,320 --> 00:02:10,240
system, there is medical data that is critical. All of these software have, you know, code inside,

20
00:02:10,240 --> 00:02:20,240
so code is not always good, good written, it's not very properly handled and it has also

21
00:02:20,240 --> 00:02:27,840
vulnerabilities. Before, Koutras and Christos Grigorellis presented, you know, the buffer

22
00:02:27,840 --> 00:02:33,920
overflows in C, so these are some common weaknesses that we have in terms of some of the coding,

23
00:02:33,920 --> 00:02:40,480
so we will try to cover these basic stuff here. So, we will more specifically see the SAST tools,

24
00:02:40,480 --> 00:02:48,960
so it's a security scanning tools, there are multiple, you know, ways to do that,

25
00:02:48,960 --> 00:02:55,040
we will use GitHub in order to do some automated scanning of our code. Of course,

26
00:02:55,040 --> 00:03:00,960
there are other tools and methodologies that we can use and here I can present DAST,

27
00:03:00,960 --> 00:03:06,560
which is dynamic application security testing, which is different. You run actually the software

28
00:03:06,560 --> 00:03:11,040
and you try to identify the vulnerabilities, we will stick mostly on the SAST tools,

29
00:03:11,040 --> 00:03:17,760
on the static analysis, let's say.

30
00:03:17,760 --> 00:03:24,080
So, the thing is like that, so we have a workflow that we build, we run a SAST tool, we see

31
00:03:24,080 --> 00:03:28,000
the rule sets, so it's like we create signatures to see if there are any alerts, we create a report

32
00:03:28,000 --> 00:03:31,760
if there are any vulnerabilities, we take metrics and then we secure our code, we try to redevelop,

33
00:03:32,480 --> 00:03:37,840
try to define, redefine the code and so on, okay. So, here, let me see,

34
00:03:39,680 --> 00:03:46,240
you can see the source code is the source code that we have, then we go to the tool

35
00:03:46,320 --> 00:03:52,800
engine that creates the alerts, then we do the vulnerability detection, we see what kind of

36
00:03:52,800 --> 00:04:00,080
vulnerabilities we'll have, so we'll present mostly an SQL injection later, a vulnerability report

37
00:04:00,080 --> 00:04:04,800
that contains all of these vulnerabilities and then the developers should handle all of these

38
00:04:04,800 --> 00:04:10,400
issues on the code and try to resolve them, okay. So, that's the cycle and this is common and

39
00:04:10,400 --> 00:04:17,680
you can think that development is not like most, me as a student included,

40
00:04:17,680 --> 00:04:22,880
was thinking that, okay, I will develop a software and that's it, I will go online and that's it,

41
00:04:22,880 --> 00:04:29,760
but software needs, you know, support, so it's software will require a year,

42
00:04:29,760 --> 00:04:36,000
another year and another year and the support actually increases when you're expanding the

43
00:04:36,000 --> 00:04:43,200
software, so you need developers to somehow resolve tickets, resolve bugs, try to redevelop,

44
00:04:43,200 --> 00:04:50,000
try to redefine, try to modernize code, so it requires actually, you know, a continuous,

45
00:04:50,000 --> 00:04:55,360
let's say integration and a continuous development after the project comes also to the market,

46
00:04:55,360 --> 00:05:02,240
okay. So, in this cycle on the, let's say DevOps cycle, most of us call it like that,

47
00:05:02,240 --> 00:05:09,280
there is a secure DevOps, so it's like how to embed security inside the DevOps, so on this

48
00:05:09,280 --> 00:05:14,800
cycle of continuous integration and continuous development, okay. So, let me go here.

49
00:05:17,040 --> 00:05:21,120
I have multiple slides here, I think that you will get the slides later,

50
00:05:21,120 --> 00:05:26,800
how we do that, like the integration and the reporting, but I will go to the practical things

51
00:05:26,800 --> 00:05:34,720
right now. You will see in new words, how many of you do you know Jenkins? It's not Jenkins,

52
00:05:34,720 --> 00:05:45,760
but okay, you know a lot, not a lot, but okay, quite a few. Back when I was younger, in 2018,

53
00:05:45,760 --> 00:05:51,520
I think I was involved in a project that they somehow wanted to involve GDPR and

54
00:05:51,520 --> 00:05:58,240
privacy issues on Jenkins and so on, I saw Jenkins and so on, what is that? Even the logo of Jenkins

55
00:05:58,240 --> 00:06:05,680
is very old school, let's see, is this already used on the market? Yes, it's used, okay. So,

56
00:06:05,680 --> 00:06:14,080
Jenkins, it's like a server, it's like a web service that it's useful for developers and

57
00:06:14,080 --> 00:06:19,760
for managers to deploy code. So, it's like a ticketing system, so you put what kind of

58
00:06:19,760 --> 00:06:25,280
pipeline you want to deploy, is it a docker, is it a code, is it a Python script, whatever,

59
00:06:25,280 --> 00:06:31,040
and the Jenkins will handle that and every day or every month or every whatever you define as

60
00:06:32,400 --> 00:06:40,400
the manager will deploy code or deploy dockers or deploy automatically something, okay. And it's all

61
00:06:40,400 --> 00:06:46,720
used mostly for large projects from large companies, again, the prices to handle the code, new

62
00:06:46,720 --> 00:06:53,360
code that is pushed and so on. GitLab, most of you I think you know, GitLab, it's the open source

63
00:06:54,480 --> 00:06:59,680
version of GitHub, so what happens is like that, when you develop something, you push code on the

64
00:06:59,680 --> 00:07:05,440
GitLab repository, you put new version, new scripts, new Python scripts, new docker containers,

65
00:07:05,440 --> 00:07:12,480
Jenkins handle that, deploys on the production server and then you handle all of these together.

66
00:07:12,560 --> 00:07:18,240
So, then here it's coming, the thing that I will explain here on the Git server,

67
00:07:18,240 --> 00:07:21,840
how you enable the SAST tools in order to do this code

68
00:07:21,840 --> 00:07:26,560
auditing, let's say, code inspection, code analysis, whatever you call it, okay.

69
00:07:32,000 --> 00:07:38,480
So, there are some strengths and weaknesses that, okay, we can do a penetration testing and

70
00:07:38,480 --> 00:07:44,560
see the flaws and see the vulnerabilities. This is something different. We do security by design,

71
00:07:44,560 --> 00:07:49,760
let's say, we secure our code before that, so we try to resolve viral issues. Of course,

72
00:07:50,560 --> 00:07:56,880
when I do that, I try to think on both sides, so it's like, for my mind on abstraction,

73
00:07:56,880 --> 00:08:02,000
it's like white box testing and black box testing. So, when I do penetration testing,

74
00:08:02,000 --> 00:08:06,320
it's like a black box, I try to define vulnerabilities. When I do code inspection,

75
00:08:06,400 --> 00:08:10,240
it's like a white box. I already have the code and try to inspect and so on.

76
00:08:10,240 --> 00:08:16,400
So, everything is required, let's say, everything is possible. It matters on what is the

77
00:08:17,200 --> 00:08:24,080
perspective, the goals, the requirements of the audit that you want to do. So, there is difficulty

78
00:08:24,080 --> 00:08:29,600
because a lot of companies come and say, okay, I need to secure my services.

79
00:08:29,600 --> 00:08:33,040
And they say, okay, I want to do a penetration testing. And you say,

80
00:08:33,840 --> 00:08:38,800
it's also other things. You can do a vulnerability assessment. You can do a risk assessment.

81
00:08:38,800 --> 00:08:44,560
You can do code inspection. So, there are a lot of different aspects of how you enable security.

82
00:08:44,560 --> 00:08:49,200
And it's difficult for other people that are outside of cybersecurity to understand

83
00:08:49,200 --> 00:08:55,120
these different perspectives, okay? But here are some weaknesses and strengths. For me,

84
00:08:55,120 --> 00:09:01,440
the main strength that is not about cybersecurity on secure code is that learning secure code

85
00:09:01,440 --> 00:09:11,120
analysis eventually helps developers. In my PhD, I use cybersecurity as the main

86
00:09:11,120 --> 00:09:18,960
vehicle to educate other staff. So, I use cybersecurity to learn people about Linux

87
00:09:18,960 --> 00:09:25,840
administration, to learn about logging, to learn about development, to see technical

88
00:09:25,840 --> 00:09:33,200
aspects of networks, for example. So, eventually using secure code analysis,

89
00:09:34,320 --> 00:09:40,880
a developer can learn better development because except the security flaws, we'll see

90
00:09:40,880 --> 00:09:45,680
also some flaws in terms of the design, in terms of the functionality and so on.

91
00:09:45,680 --> 00:09:50,560
So, it's a good way to go on the undergraduate students and try to learn also

92
00:09:51,120 --> 00:09:58,320
some basics of security coding, okay? There are also differences and benefits of SAST

93
00:09:58,320 --> 01:10:05,760
in terms of, you know, in comparison to DAST, to dynamic analysis, but I will not stick on that.

94
00:10:05,760 --> 00:10:10,960
Some basic stuff that I already explored, DevOps, DevSecOps, something similar related

95
00:10:10,960 --> 00:10:18,240
to this module, tools that we will use for continuous integration and continuous development.

96
00:10:18,880 --> 00:10:25,120
There is the software component analysis, SCA analysis. Sometimes you even want to do

97
00:10:26,000 --> 00:10:31,760
component analysis on the operating system level. So, you do a SCA configuration assessment.

98
00:10:31,760 --> 00:10:36,960
SCA is a secure configuration assessment. So, you can go on the Windows server,

99
00:10:36,960 --> 00:10:41,840
on the Linux server and say, okay, do you have password enforcement enabled?

100
00:10:41,840 --> 00:10:47,200
Do you have the firewall enabled? Do you have the DNS, whatever? So, it's like

101
00:10:47,200 --> 00:10:51,360
configuration assessment, okay? And this can be done both on the operating system,

102
00:10:51,360 --> 00:10:56,400
but also on the code. And other things like vulnerability management and other things.

103
00:10:56,400 --> 00:11:00,800
So, I just provide, you know, some terminology, some key words that we use

104
00:11:01,360 --> 00:11:07,120
in order to understand the context of what we're doing here, okay? So, all of them are related.

105
00:11:07,120 --> 00:11:12,720
Also, these things are related, GitHub, GitLab, Docker, okay? Someone can say, okay, it's

106
00:11:12,720 --> 00:11:18,800
Jails, it's not Docker, it's Jails from Linux. It can be Linux containers, LXC, whatever,

107
00:11:18,800 --> 00:11:26,000
so it's Docker. Ansible scripts, Jenkins and the other things that I did not use until now.

108
00:11:26,000 --> 00:11:31,360
And there are also hands-on things like Vagrant. How many of you do you know Vagrant?

109
00:11:32,800 --> 00:11:41,040
Okay, Vagrant is like, you know, how virtual box is like you deploy a VM. Vagrant is to

110
00:11:41,040 --> 00:11:48,720
create multiple VMs with one click. So, it's like a docker, but for VMs. So, you create the topology,

111
00:11:48,720 --> 00:11:54,400
the network topology, you define the IP addresses, how much hard disk space do you need, how many

112
00:11:54,400 --> 00:12:00,240
CPUs used. And with one click, you can run and you can deploy five different virtual machines

113
00:12:00,960 --> 00:12:05,280
with one click. And all of them will be binded together and will be connected and so on.

114
00:12:05,280 --> 00:12:12,400
So, these are Vagrant scripts. Lately, this has been revised in the technology called Terraform.

115
00:12:12,400 --> 00:12:18,320
So, Terraform, it's like an extension of dockers and Kubernetes and they say, okay, we will do

116
00:12:18,320 --> 00:12:25,600
what we'll do for dockers and Kubernetes, but for VMs and they created Terraform. Okay, but these

117
00:12:25,600 --> 00:12:32,880
are mostly used on the cloud services. So, even me, I did not deploy on Terraform. Mostly,

118
00:12:32,880 --> 00:12:41,280
Terraform is used on AWS, on Amazon or on Azure, let's say, on Microsoft Azure on large, let's say,

119
00:12:41,280 --> 00:12:47,680
topologies that we can use. And then there are also Jenkins and so on, which is peculiar. I try to

120
00:12:47,680 --> 00:12:52,960
find material, educational material about Jenkins and it's difficult to find something very concrete.

121
00:12:52,960 --> 00:12:59,280
So, it's a good option. It's like a research or like a thesis, let's say, for students to create,

122
00:12:59,280 --> 00:13:04,960
like, let's say, some educational material and some practices like Jenkins with security

123
00:13:04,960 --> 00:13:10,400
and try to have security DevOps like a practice, like an exercise, like a hands-on lab,

124
00:13:10,400 --> 00:13:16,880
to learn about Jenkins and to learn about security using inside the continuous integration

125
00:13:16,880 --> 00:13:21,280
and continuous development. That's something nice that can be done. I search around, but

126
00:13:22,000 --> 00:13:27,680
it's not possible for me to find something like that. So, things that we will also see,

127
00:13:27,680 --> 00:13:34,240
CVE and CWE, there are some differences on that. Do you know, some of you, what is the difference?

128
00:13:34,240 --> 00:13:41,600
For me, it was also difficult. But can you say, I will go back, just to see the answer.

129
00:13:41,600 --> 00:13:46,960
What's the difference between common vulnerability and common weakness? And there is also CAPEC,

130
00:13:48,000 --> 00:13:52,880
crystal sold, also the CAPEC, which is the attack scripts, the attack tools,

131
00:13:52,880 --> 00:14:06,080
the attack scenarios, let's say. Do you know the difference? It's difficult, I know. Yes.

132
00:14:23,840 --> 00:14:33,440
CWE, correct. You are correct somehow. It's like CWE, it's like an abstraction,

133
00:14:33,440 --> 00:14:38,960
what can go wrong, like an SQL injection? Well, the CVE, the common vulnerability,

134
00:14:38,960 --> 00:14:45,840
is the exact vulnerability that Apache server together with this PHP script

135
00:14:45,840 --> 00:14:51,360
creates this vulnerability that has a specific instance. So, like, CVEs are like the specific

136
00:14:51,360 --> 00:14:58,080
instances of the CWE. CWE is more like the generic flow, the generic, let's say, bug,

137
00:14:58,080 --> 00:15:04,880
the generic SQL injection. So, CVEs are connected to the CPE for the platform, platform enumeration.

138
00:15:04,880 --> 00:15:11,280
On this specific version of Apache, on this specific code, there is the CVE. While CWE is

139
00:15:11,280 --> 00:15:17,200
more like the generic entity. And there is the CAPEC, which is common attack pattern enumeration,

140
00:15:17,200 --> 00:15:20,720
which is actually how you exploit. So, it's the exploitation. So, it's like,

141
00:15:20,720 --> 00:15:26,640
what do you do? Do you apply as an attack to do the things? Sometimes there is an overlap between

142
00:15:26,640 --> 00:15:32,720
CWE and information that you learned on the CAPEC, but this is the difference. We need that just

143
00:15:32,720 --> 00:15:39,120
to see the different results. So, the workflow is like that. You can see, you develop code,

144
00:15:39,120 --> 00:15:47,840
you upload on GitHub, you do the QL language that creates the common flows that we have on the

145
00:15:47,840 --> 00:15:53,120
code. This creates reports and we get a report and say, okay, this code has this vulnerability,

146
00:15:53,120 --> 00:15:59,040
has this issue inside the code. Okay. And let's do the practice. So, we click on security, I will

147
00:15:59,040 --> 00:16:05,600
briefly present here and then I will go step by step to present. And you can do this exercise

148
00:16:05,600 --> 00:16:15,120
also on your side. So, I have a code uploaded. The GitHub repository works with such tools if you

149
00:16:15,120 --> 00:16:21,760
have the repository open on public. So, if you have it on private, you should enable it as a public

150
00:16:21,760 --> 00:16:26,960
repository in order to do the analysis. So, then you go to the security and you go to the code

151
00:16:26,960 --> 00:16:33,520
scanning on the bottom. Where is the code scanning? Then you select what kind of code

152
00:16:34,480 --> 00:16:40,800
you want to use. CodeQL is the most the repository that is used mostly on GitHub.

153
00:16:41,440 --> 00:16:47,040
Then this creates a workflow like that. If you are an expert, you can somehow edit or you create

154
00:16:47,040 --> 00:16:54,880
a personal workflow. It's like an automated script that defines when the alert will happen.

155
00:16:54,880 --> 00:17:00,400
What exactly the alert will pop up? Automation of the response, whatever. So, it's like a

156
00:17:00,480 --> 00:17:06,720
workflow, I think it's YAML file. It's a YAML file that defines what the automation will do

157
00:17:07,440 --> 00:17:12,320
when you do the code analysis. By default, you enable the default, let's say, file of the

158
00:17:12,320 --> 00:17:18,720
workflow and this will work okay. And then the code scanning will pop up with these alerts

159
00:17:18,720 --> 00:17:24,240
and say that okay, you have useless, regular expression, character escape on that line,

160
00:17:24,240 --> 00:17:29,520
number of line. You have incomplete string escaping code quoting on this line.

161
00:17:29,520 --> 00:17:33,520
And this will provide also the risk level if it's high, medium, low,

162
00:17:33,520 --> 00:17:41,600
and will provide also the specific vulnerability like that. So, incomplete string escaping code

163
00:17:41,600 --> 00:17:50,240
quoting, you can see. It's not the best, let's say, presenter here, but yeah, there says,

164
00:17:50,240 --> 00:17:55,840
this replaces only the first occurrence of a dot. And you can see here, sorry about if I went

165
00:17:55,840 --> 00:18:03,600
from the microphone, CWE, CWE, CWE. So, if you click here on the CWEs, you can see actually

166
00:18:03,600 --> 00:18:10,880
the information of this configuration of these code flows. And the same happens here, for example.

167
00:18:10,880 --> 00:18:18,720
And it specifies exactly where your code has a flow like here, you can see. So, it also presents

168
00:18:18,720 --> 00:18:27,360
here information, what this is about. And most of the times it provides also some mitigation actions,

169
00:18:27,360 --> 00:18:32,160
proposals, what you have to do, what you have to change on the code in order to be secure.

170
00:18:33,680 --> 00:18:39,840
And you can see multiple of these like that. I have a lot of vulnerabilities that I explain

171
00:18:39,840 --> 00:18:45,440
here, but we can see it on live. So, this is the exercise and let me check the time

172
00:18:46,400 --> 00:18:54,320
just to see how much time we have. So, I have a repository or, of course, I steal it,

173
00:18:54,880 --> 00:19:00,080
like most of the developers do, from another repository, but you can see the branch, the fork

174
00:19:00,080 --> 00:19:07,840
that I clone. So, this is a course, an exercise that I found on GitHub, and it's very good.

175
00:19:07,840 --> 00:19:12,480
And you can go and step by step, it will explain that, okay, you start the course,

176
00:19:13,040 --> 00:19:17,840
and then you start the course, you click the action points that it has there. So, it's like

177
00:19:17,840 --> 00:19:24,480
step by step exercise. And then, let's say, the magic thing that happens, and I did not know that,

178
00:19:24,480 --> 00:19:32,240
it's like, when you do the steps, and then you refresh the GitHub repository, the readme file

179
00:19:32,240 --> 00:19:38,080
will change after 20 seconds, and it will have the next steps that you will follow. So, that's

180
00:19:38,080 --> 00:19:45,840
nice, that happens, that you can also do that. So, these values, and you go step by step, and you can

181
00:19:45,840 --> 00:19:54,320
try to start the course, the start of the course will let you clone the GitHub repository, and then

182
00:19:54,320 --> 00:20:04,480
you go click by click, and you go and click the security option and so on. Yes. Error 404 on the

183
00:20:04,480 --> 00:20:14,880
QR code. On the link, yeah, maybe it's different. On the QR code, maybe not. Maybe, yeah, maybe,

184
00:20:14,880 --> 00:20:23,760
yeah, sorry, maybe you can, yeah, let me show. You can follow just the, let's say, the repository,

185
00:20:23,760 --> 00:20:33,280
the menu, Ionian CTF, and that's it. That's weird. It's my repository, it should be up.

186
00:20:34,720 --> 00:20:41,040
Maybe you misclicked something. It's capitals. CTF, it's capitals. So, it's uppercase.

187
00:20:42,640 --> 00:20:45,040
The other may be wrong, but yes, it's like that.

188
00:20:47,040 --> 00:20:50,800
But if you click here, it's fine. And if you click on the Google also,

189
00:20:50,800 --> 00:20:56,240
the Ionian CTF Google, you will find the repository. Yeah, QR code, sorry about that. I thought,

190
00:20:56,800 --> 00:21:01,520
with a mobile phone, you can get the link and then write it down. Okay.

191
00:21:04,160 --> 00:21:10,160
Anyway, I leave it just a second for you to see. So, we're going to do this exercise, maybe,

192
00:21:10,160 --> 00:21:15,280
together to see what is the flow and how this comes together. And then I will have some other

193
00:21:15,280 --> 00:21:23,680
examples for you to see. Did any of you enjoy the repository? It's fine? Yes? It's fine for

194
00:21:23,760 --> 00:21:32,000
you? No, it's fine. Okay, thank you. All right. So, let me go. Normally, I don't use slides, so

195
00:21:33,440 --> 00:21:41,680
I will go to directly here. I have already done it as an exercise, but I will try to do that

196
00:21:42,560 --> 00:21:49,440
for you again. So, I will go to the branch, to the main, let's say,

197
00:21:50,320 --> 00:21:57,440
repository, and I will click start the course. Okay, create a new repository. So, this will allow

198
00:21:57,440 --> 00:22:05,200
for me to create, to clone the repository as mine. So, I will have it like that, like number two,

199
00:22:06,160 --> 00:22:13,680
for you provide what kind of repository names you want. I let it public in order to do the

200
00:22:13,680 --> 00:22:18,240
scanning later, and I create the repository. It will require some time. Yes?

201
00:22:20,560 --> 00:22:24,160
No, it's not cloning on the laptop. It's cloning on the GitHub account.

202
00:22:25,200 --> 00:22:30,880
You have a GitHub account already? Yes. It will clone on the GitHub account, a new repository

203
00:22:30,880 --> 00:22:36,560
will be created on the GitHub account with the names that you provide. Yes?

204
00:22:37,040 --> 00:22:44,800
Yes. If you click on the start, it automatically redirects you to fork. Okay.

205
00:22:47,360 --> 00:22:52,880
You can do manually. You can do clone manually, but anyways, it's the same. We just clone the

206
00:22:52,880 --> 00:23:02,080
repository. Thank you. Yeah, I think right now for me it's done. So, you can see skills introduction

207
00:23:02,080 --> 00:23:11,840
to CodeQL too. So, it's like a new repository clones from the main repository. So, it's a fork from the main

208
00:23:11,840 --> 00:23:19,840
repository. And here is the code. So, inside here, you can see server. On the server, there is a code

209
00:23:19,840 --> 00:23:25,840
around Python and web app. So, here is the code that they provide. It's very simple. The code

210
00:23:25,840 --> 00:23:31,520
just for an example. And the web app, I don't know if they have like a web application and a

211
00:23:31,520 --> 00:23:38,000
screen light that connects and so on. So, this is the code, okay. Here, okay. All right. Now,

212
00:23:38,000 --> 00:23:43,120
we don't have it, but let's start. So, enable CodeQL. CodeQL, it's like there are a lot of

213
00:23:43,120 --> 00:23:49,600
software. We'll switch a code scanning tool that has libraries to support JavaScript, Python, Ruby.

214
00:23:49,600 --> 00:23:56,480
I don't remember what are the, are the compatibilities of CodeQL. So, it explains everything here.

215
00:23:57,440 --> 00:24:03,280
It explains how you go there and enable. And it says blah, blah, blah, do and that and enable

216
00:24:03,280 --> 00:24:14,080
CodeQL. So, we go on security. Okay. And then we go on code scanning, like I showed before.

217
00:24:15,040 --> 00:24:25,440
And then I click configure scanning tool. Okay. And here is a code scanning. Of course,

218
00:24:25,440 --> 00:24:31,440
there are other things that are very useful or nice. I always like to search things around.

219
00:24:31,440 --> 00:24:36,960
That's a good way for a cyber security expert to search around things. So, you can see here,

220
00:24:36,960 --> 00:24:42,720
dependency graph. They have also Dependabot alerts. And they have also

221
00:24:43,680 --> 00:24:49,440
dependencies, let's say alerts. So, that's about also dependencies. So, imagine that you call

222
00:24:50,160 --> 00:24:56,000
specific Python library that it's outdated and have vulnerabilities. So, this Dependabot

223
00:24:56,000 --> 00:25:02,080
might create, you know, this alert, but that's not the purpose right now. CodeQL analysis.

224
00:25:02,080 --> 00:25:08,160
So, we'll go here and you can enable CodeQL analysis with a default or advanced. So,

225
00:25:08,160 --> 00:25:14,880
you define the workflow. You define the yaml file that will define the signatures, the time,

226
00:25:14,880 --> 00:25:21,920
the timestamp, when the code scanning will start and so on. We click on default

227
00:25:22,560 --> 00:25:28,080
because we don't know how to do the, let's say, the customers, the advancements.

228
00:25:28,080 --> 00:25:33,120
And this explains that okay, there is Python identified on the GitHub account

229
00:25:33,680 --> 00:25:43,520
and you enable Python, the Python libraries of CodeQL. Enable QL, CodeQL. And then you will see

230
00:25:43,520 --> 00:25:52,640
this CodeQL setting up. It will require one minute. It depends on the, you know, the repository,

231
00:25:52,640 --> 00:25:59,920
how large the repository is. But eventually, after one minute, about one minute, it will stop

232
00:25:59,920 --> 00:26:05,040
and will say finish. Of course, you can close the tab. So, this runs on the background. So,

233
00:26:05,040 --> 00:26:10,640
you can go back and click secure and this will run on the background. So, when this

234
00:26:10,640 --> 00:26:17,200
finishes, you can see here, it will not have results right now. If I configure here, I will

235
00:26:17,200 --> 00:26:22,400
see also that it's still working on the background. So, it should wait a bit. Yes.

236
00:26:22,800 --> 00:26:32,480
It starts from step four. Did you go on the main branch?

237
00:26:35,280 --> 00:26:42,160
You have to go on the main? Yeah, maybe did you click start course? Maybe it's better to

238
00:26:42,160 --> 00:26:48,160
click start course. Maybe it will also, you know, go back to the main repository again

239
00:26:48,720 --> 00:26:54,880
and click on the start course on the green button. Maybe this creates, you know, other stuff as well.

240
00:26:56,880 --> 00:26:59,760
Yes. Did you click on the start course on the green button?

241
00:27:03,280 --> 00:27:06,160
Yeah, you have to go on the main, so let me show you.

242
00:27:08,960 --> 00:27:15,120
Yeah, yes. Yes. Yes, you have to.

243
00:27:15,280 --> 00:27:19,680
So, there is a number one at the number two here.

244
00:27:23,760 --> 00:27:31,840
Here. So, let me show you. You go here or whatever. This is the main repository of me,

245
00:27:31,840 --> 00:27:36,960
of my main repository, and that is generated from skills, whatever. So, you have to go back

246
00:27:36,960 --> 00:27:44,880
and back and back and get to the main repository. You found it. That's a good exercise as well

247
00:27:44,880 --> 00:27:49,600
because we understand the difference between forks and main branch. So, this is the main branch.

248
00:27:50,400 --> 00:27:57,360
Mine starts from four because I already started. So, it goes from four. So, you have to go to the main

249
00:27:58,320 --> 00:28:02,240
fork, the main branch, the main repository, back and back and back here.

250
00:28:03,920 --> 00:28:10,960
Go and see. Maybe I can zoom in a bit too. So, you click here and you go here and

251
00:28:11,040 --> 00:28:20,720
it starts. Okay. So, let me go here. You see code analysis last scan one minute ago. So,

252
00:28:20,720 --> 00:28:26,720
this successfully has been done. How many of you did you already, in the past,

253
00:28:26,720 --> 00:28:36,400
did CodeQL? Is it you? Okay. Other ones? Okay. So, it's good. If all of you already know,

254
00:28:36,960 --> 00:28:46,400
it will be a mess, okay. Fortunately, you don't know it. Okay. So, CodeQL last scan one minute

255
00:28:46,400 --> 00:28:52,080
and there are the workflows here as well. Maybe we can have a small fast, let's say,

256
00:28:53,120 --> 00:28:59,920
tour on that. So, you can see CodeScanning, CodeQL and they have other analysis tools like

257
00:29:00,640 --> 00:29:08,480
FortifyScan or commercial ones, but it's code as you know, very popular.

258
00:29:09,120 --> 00:29:14,160
And there are multiple things that you can check actually.

259
00:29:14,880 --> 00:29:22,640
Sneak security. Sneak is very popular as well. Synopsys is popular, but anyway, some of them

260
00:29:22,640 --> 00:29:29,360
support C, other of them support JavaScript. It depends on the manufacturer. Some of them

261
00:29:29,360 --> 00:29:34,080
are better on a specific language. Some of them are better in other languages and so on.

262
00:29:35,920 --> 00:29:42,400
Yeah. And there are also some scanning tools like KubeScan, which do the risk analysis and for

263
00:29:42,400 --> 00:29:48,560
configuration flows for Kubernetes or for Docker containers. That's another thing,

264
00:29:48,560 --> 00:29:54,800
to do code analysis on the Docker. You call a Docker, you define a specific Ubuntu version

265
00:29:54,800 --> 00:30:01,840
or Alpine version. Is this Alpine version outdated at all? There is a flaw. So, this helps eventually

266
00:30:01,840 --> 00:30:08,480
a lot for people to deploy dockers or Kubernetes data that they don't have the vulnerabilities.

267
00:30:08,480 --> 00:30:14,080
Okay. So, it's like a prevention method that you deploy something that it's already somehow

268
00:30:14,080 --> 00:30:22,080
secure. So, you decrease somehow the attack surface as much as you can. And that's very

269
00:30:22,080 --> 00:30:29,440
interesting. Mobsf, which is for Android version, I had in the past theses which come also with the

270
00:30:29,440 --> 00:30:36,480
research paper for a student that he tested Mobsf in an Android application to check

271
00:30:36,480 --> 00:30:42,000
vulnerabilities and see what vulnerability is the Android application had and try to do the

272
00:30:42,000 --> 00:30:48,960
mitigation actions. And he created an educational scenario how someone can learn Android development

273
00:30:49,920 --> 00:30:56,720
and see the security issues of the Android development. Okay. And this extends also on the

274
00:30:56,720 --> 00:31:04,800
mobile security you can see on the Android or iOS, which is very nice for students to learn.

275
00:31:05,600 --> 00:31:12,720
And the other things, okay, I will not go. Sonar, Cube is also very popular and there are others

276
00:31:12,720 --> 00:31:18,080
and more will come in the future as well. Okay. So, these are supported from GitHub.

277
00:31:18,080 --> 00:31:23,440
Of course, there are others if you want to find that you cannot actually deploy yourself on a learning

278
00:31:23,440 --> 00:31:29,520
system and you do the scan analysis by command line and so on. Okay. But this provides an easy way

279
00:31:29,520 --> 00:31:34,800
for a developer, for a student, for a after-student people after the studies

280
00:31:34,800 --> 00:31:39,440
to do some security analysis on the code. Okay. And it's very simple. It's like two

281
00:31:39,440 --> 00:31:44,640
three buttons. Okay. But it provides a lot of information and it's very nice. Okay.

282
00:31:44,640 --> 00:31:51,360
Let's go to the security. Security code scanning. You can see indication number two

283
00:31:51,360 --> 00:31:56,480
that two security vulnerabilities have been found. Is it working for you? It's fine.

284
00:31:56,480 --> 00:32:03,280
Okay. So, code scanning. SQL query built from user-controlled sources. You can see the

285
00:32:03,280 --> 00:32:10,000
severity level, high, medium or low. And it also explains that it's on server route,

286
00:32:10,000 --> 00:32:17,120
server route. So, the Python script has some security flows. Okay. And if I go here,

287
00:32:17,120 --> 00:32:26,720
it specifically says that number 22 line, it's select star, select everything from books

288
00:32:26,720 --> 00:32:34,160
where author is like whatever character and in the following the author name. So,

289
00:32:34,160 --> 00:32:41,520
if you click JRR Tolkien, I know it's one of my favorites. And then it provides the result.

290
00:32:42,160 --> 00:32:49,200
And there is an issue here. An issue. Who knows what's the issue here? Yes? Maybe you. Well,

291
00:32:49,200 --> 00:32:54,080
you were the first with the greenness. No, you were you were the green. You want to bypass the

292
00:32:54,800 --> 00:32:56,000
Give it to the orange.

293
00:33:03,760 --> 00:33:08,800
Correct. So, it's like you do not have a sanitized input. You don't have a filtering.

294
00:33:08,800 --> 00:33:16,240
It's like the user can actually click whatever he wants there. Dope, dash, minus,

295
00:33:16,240 --> 00:33:21,280
whatever special character. And it's possible for him to put the value there. Yes.

296
00:33:24,640 --> 00:33:34,720
Yeah. Yes. Passwords. Administered users, WP users from WordPress, for example, or whatever.

297
00:33:34,720 --> 00:33:43,680
It will get eventually results from tables that is not allowed to have. Okay. So, okay. Here,

298
00:33:43,680 --> 00:33:48,640
it's mostly focused on this one. The recommendation is about the blind day skill injection.

299
00:33:48,640 --> 00:33:55,360
So, it has a solution, I think. Yeah, it has an example here. And it provides a lot of details,

300
00:33:55,360 --> 00:34:02,720
which is not might not be very related to our case, but it's good to read because it somehow

301
00:34:02,720 --> 00:34:09,360
reflects what happens here. Okay. And have also dropped tables and have other SQL queries here,

302
00:34:09,360 --> 00:34:14,480
which is important for me. And I provide this because it's my PhD, my PhD that I have, and

303
00:34:14,560 --> 00:34:20,880
also my postdoc, how cybersecurity helps other people that they are not cybersecurity.

304
00:34:20,880 --> 00:34:25,440
They don't care about cybersecurity. They don't like, let's say. I met a lot of people that say,

305
00:34:25,440 --> 00:34:30,080
I don't like cybersecurity. It's boring. Okay. I'm into AI or development.

306
00:34:30,800 --> 00:34:35,840
So, what a student can learn about that is that, okay, I met students that are good in some

307
00:34:35,840 --> 00:34:41,200
programming languages. They're not very good in SQL or whatever. They will see this example and say,

308
00:34:41,200 --> 00:34:47,520
okay, this is an SQL query and actually SQL query that I found as an example. Okay. And they have some

309
00:34:47,520 --> 00:34:53,120
other drop tables and drop other it. You find information. You find information because you

310
00:34:53,120 --> 00:34:59,040
have a goal. The goal is to secure our code or to have the code. And going to that goal,

311
00:34:59,040 --> 00:35:05,360
you learn in between other things that are not in cybersecurity Jenkins, for example. I learned

312
00:35:05,360 --> 00:35:11,040
Jenkins because of cybersecurity and not as a developer. And I have seen Jenkins

313
00:35:11,120 --> 00:35:16,880
workflows and pipelines because of cybersecurity. Okay. And that's a nice perspective of cybersecurity.

314
00:35:17,600 --> 00:35:23,600
So, because it connects, it connects a lot of domains together, the cyber. That's how they say.

315
00:35:24,160 --> 00:35:30,000
Okay. So, here is the example. And here is the rule. And if you can click the rule,

316
00:35:30,000 --> 00:35:35,120
you can see the details and so on. And here is the weakness as well. You remember,

317
00:35:35,120 --> 00:35:39,360
weakness is like an abstraction. It's not the vulnerability, the exact vulnerability,

318
00:35:39,360 --> 00:35:45,760
but it's like an abstraction of the weakness. And here you see a lot of information that's

319
00:35:45,760 --> 00:35:52,640
nice as well. And fortunately, the community provides. And you can see here, even a schema,

320
00:35:52,640 --> 00:35:58,080
a topology, how the database is connected to the SQL query. And there's a vulnerable

321
00:35:58,080 --> 00:36:04,960
component that the code works. So this helps to understand codes better, even for cybersecurity,

322
00:36:04,960 --> 00:36:09,520
for security perspective, but also for a generic, like a developer, you understand

323
00:36:09,520 --> 00:36:17,040
more how things work. Okay. And what can go wrong actually, okay. And it's not only security,

324
00:36:17,040 --> 00:36:22,560
it can be a flaw in other things as well. So here it's confidentiality, integrity,

325
00:36:22,560 --> 00:36:28,080
availability, they have this pillar of security. And they say what can go wrong in terms of

326
00:36:28,080 --> 00:36:34,080
the confidentiality of the authentication of the access control of the integrity and so on.

327
00:36:34,080 --> 00:36:39,440
So this provides what bad things can happen actually. Okay.

328
00:36:40,480 --> 00:36:46,320
And here are potential mitigations. What you can do in order to mitigate those actions.

329
00:36:46,320 --> 00:36:53,760
And it proposes not only secure code practices, but also designer or managerial stuff.

330
00:36:53,760 --> 00:36:58,560
That's also important. So you imagine you are a junior developer or a senior developer,

331
00:36:58,560 --> 00:37:03,840
you learn these things, and then you are like, go high level. You go on the manager level.

332
00:37:03,840 --> 00:37:10,160
You see the big picture. And this is good for you for the SAP, because if you are a good developer,

333
00:37:10,160 --> 00:37:17,360
and you also see the big picture, because you see the big picture. And this is something that

334
00:37:17,360 --> 00:37:24,320
the companies they distress about that we need developers, but we need them to have a big picture,

335
00:37:24,320 --> 00:37:30,240
the large picture of what we are doing here. So this helps a lot to build that perspective.

336
00:37:30,240 --> 00:37:35,760
And it helps also the cybersecurity with its own increase. It's like a hype. AI and cybersecurity

337
00:37:35,760 --> 00:37:42,400
increase a lot lately as a job. Positions. Okay. And you can see phase implementation,

338
00:37:42,400 --> 00:37:47,920
other things, Oracle, you can see a lot of things here actually. A lot, a lot of things.

339
00:37:47,920 --> 00:37:53,760
Always they have ontologies behind. Also you can see the ontologies and how ontologies work.

340
00:37:54,400 --> 00:38:00,800
And the likelihood, which is the enumeration, the quantification of security, its likelihood and

341
00:38:00,800 --> 00:38:09,440
impact. So it's high. And there are some examples here, other examples that provide also SQL injection

342
00:38:09,440 --> 00:38:16,240
commands. Like someone can write this and this, A equals to A. Yes, of course, A equals always

343
00:38:16,240 --> 00:38:22,320
to A. So it will get the result and so on. So they provide a lot of details what can go wrong.

344
00:38:22,320 --> 00:38:28,880
Examples and blah blah and whatever. It's like very, very nice, very nice to read actually.

345
00:38:29,680 --> 00:38:34,800
And here it's also observed examples of the CVEs of the common vulnerabilities.

346
00:38:34,800 --> 00:38:40,480
So there are specific vulnerabilities on actual software. I don't know if I can find something

347
00:38:40,480 --> 00:38:48,720
very popular here. Chain, numeric, let me see. Some of them are outdated. You know,

348
00:38:49,680 --> 00:38:57,440
lately SQL injection is not popular nowadays because we use WordPress, we use Joomla,

349
00:38:58,000 --> 00:39:03,760
Drupal, CMS that they provide this filtering by default. But still you can see a lot of software,

350
00:39:03,760 --> 00:39:13,760
not many of them, but here 2023. Still there is an SQL injection in 2023. I know it's funny,

351
00:39:14,640 --> 00:39:22,160
but people make mistakes. So here it's like Trend Micro Apex Central SQL injection allowed for SQL

352
00:39:22,160 --> 00:39:31,680
injection on Trend Micro. It's popular company. But anyway, and they have here the details.

353
00:39:32,800 --> 00:39:37,680
So you can go and if you want to learn more about this, you go to the vulnerability,

354
00:39:37,680 --> 00:39:42,800
you find the information on the vulnerability, you might find the actual service or the actual

355
00:39:42,800 --> 00:39:49,440
code, deploy on the ground, try to do the ethical hacking, the SQL injection, and try to have a proof

356
00:39:49,440 --> 00:39:54,480
of concept as an analyst that is a researcher. You can actually, if you have the code to upload

357
00:39:54,480 --> 00:40:00,400
a GitHub and the code analysis and find the specific code and try to identify things. So

358
00:40:00,400 --> 00:40:07,360
there is a lot of material to learn from your perspective what you want to learn and you

359
00:40:07,440 --> 00:40:15,520
get more expertise on what you are doing. So that's important. Of course, on the industry

360
00:40:15,520 --> 00:40:22,000
perspective, if you have these devices, one of these software running, so you have to actually

361
00:40:22,000 --> 00:40:28,000
take measures and mitigate. But it's good also for educational purposes or research purposes

362
00:40:28,000 --> 00:40:32,720
to do things. You create scenarios. That's my PhD actually. Create scenarios. That's

363
00:40:32,720 --> 00:40:37,040
important. You have a story to tell. When you have a story to tell, people will learn.

364
00:40:37,600 --> 00:40:45,040
Okay. Because we like stories. And here there are other details like SOAR, you can see a lot of

365
00:40:45,040 --> 00:40:52,000
details that are very, we might not know a lot of terminology like that, but you can search around

366
00:40:52,000 --> 00:40:57,600
what is SOAR and you learn. You learn more. And that's very, very good, very good actually.

367
00:40:58,400 --> 00:41:04,000
Fast tester, dynamic analysis. So it provides also what dynamic analysis can we do.

368
00:41:04,000 --> 00:41:08,960
So you see a lot of stuff that it's high level. It's like, you know, very,

369
00:41:10,720 --> 00:41:17,680
like you're going from, let's say, from a simple student to a more advanced, just looking for the

370
00:41:17,680 --> 00:41:23,840
for the terminology and search things around and so on. Okay. And there are other terminologies

371
00:41:23,840 --> 00:41:29,200
like a membership from OWASP and so on. Okay. And mapping here and other things that I don't

372
00:41:29,200 --> 00:41:35,280
know also as well. And there is the CAPECs, the attack patterns that are related to these weaknesses.

373
00:41:35,280 --> 00:41:41,040
So this combines things together. And that's my purpose. We take an example, a story, we have

374
00:41:41,600 --> 00:41:48,320
a code to analyze. And through these analysis, we learn what is the CVE? What are the CWEs?

375
00:41:48,320 --> 00:41:53,920
We learn secure coding. We learn SQL. We try to find the capex. We see how this connects.

376
00:41:53,920 --> 00:41:59,840
So we have the picture, the connection of the picture together, because we have the vulnerability,

377
00:41:59,840 --> 00:42:05,920
we have the code, we have the attacks that can be happened. We have the capex. So this combines

378
00:42:05,920 --> 00:42:11,840
in like a whole and we can see the big pictures. And there is also references here that you can

379
00:42:11,840 --> 00:42:17,120
identify and so on. And there is the submission date and other things like metadata that are

380
00:42:17,120 --> 00:42:23,440
involved. Okay. So you can see this flow, very simple example, just an SQL injection.

381
00:42:23,440 --> 00:42:29,520
And what you can learn from this simple example, how many things you can actually learn and

382
00:42:29,520 --> 00:42:35,920
experiment. And this is not only reading, you actually select hands on. You click, you see,

383
00:42:35,920 --> 00:42:43,280
you click, you see, and you go on and on and on. Okay. Let's go behind and see the recommendations,

384
00:42:43,280 --> 00:42:50,240
blah, blah, blah. It says, okay, let's go on security again. We get a big picture. Okay,

385
00:42:50,240 --> 00:42:56,400
we have these SQL queries that are running, that are very, are not very good. And we go back

386
00:42:56,960 --> 00:43:04,560
here and they read me actually, you know, refreshed and goes from step two, review and triage

387
00:43:05,280 --> 00:43:10,800
code QL alert. So it says, bind things together, combine things together, that are things that

388
00:43:10,800 --> 00:43:16,800
we do right now to combine the knowledge and see what is the result, blah, blah, blah.

389
00:43:16,800 --> 00:43:23,120
Okay, the status of the code QL, if it's running, blah, blah, blah. We have seen that review. We

390
00:43:23,120 --> 00:43:27,840
reviewed the result. We review what's happening. Here is the rule. Here is the tool.

391
00:43:29,040 --> 00:43:35,600
Audit scanning here. And here is something important. Where is it? Scanning.

392
00:43:36,560 --> 00:43:41,680
Oh, it's not here. It's where it is. Here.

393
00:43:44,960 --> 00:43:52,640
Code scanning. Yes, here. This is important in terms of security. I know it's a bit of the

394
00:43:52,640 --> 00:43:59,600
long details, but here, first detected in commits and update one and read me on server,

395
00:43:59,600 --> 00:44:05,040
whatever. So this tracks down the commits and whatever happens. It's like a forensic data.

396
00:44:05,600 --> 00:44:11,120
Status import. This is very important. Okay. You imagine you go on a development team and you

397
00:44:11,120 --> 00:44:16,320
have to see what went wrong. Which commit was the wrong one? Which commit break?

398
00:44:17,360 --> 00:44:22,560
Who created this commit? Because you want to contact and to find the easy that, okay, it was

399
00:44:22,560 --> 00:44:31,520
John that did that commit. Let's see what went wrong. So this is important. And yeah,

400
00:44:31,520 --> 00:44:36,160
always forensic data are very useful. You imagine yourself sometimes you search around and say,

401
00:44:36,160 --> 00:44:42,080
oh, when I did, did I send this message or you go back on the history on the chat and say,

402
00:44:42,080 --> 00:44:47,680
oh, let's go and see the detail. Oh, here is the password. Three months before someone sent me

403
00:44:47,680 --> 00:44:52,640
the password. Okay. Forensic. You go back and so on. Having information and go on the past.

404
00:44:52,640 --> 00:45:03,520
It's nice, you know, and it might save your life. Let's say. Okay. So let me go here.

405
00:45:04,720 --> 00:45:11,520
Here. Okay. It has all these details that I explained about the CW is called scanning the

406
00:45:11,520 --> 00:45:17,760
earth's five and so on. So here is the thing that we did not do until now. So we have to

407
00:45:17,760 --> 00:45:23,440
create an issue. Okay. We have to say that, okay, this is something that needs to be solved.

408
00:45:24,080 --> 00:45:29,920
So here it is this to create the issue. And you can see this means isn't the false positive? Is it

409
00:45:29,920 --> 00:45:37,040
used in this one fix? So this is like a ticketing. You create a tag and you help others to solve

410
00:45:37,040 --> 00:45:42,080
things. So you say, oh, this is false positive or it's not related. Okay, just drop it.

411
00:45:42,800 --> 00:45:50,800
So this is very important. Okay, you know, create a ticket or whatever the issue. You

412
00:45:50,800 --> 00:45:56,400
can also say something like a description. You can help the developers to solve this issue.

413
00:45:56,400 --> 00:46:01,840
So this is more like teamwork. Okay, you can help the other developer, the junior developer.

414
00:46:01,840 --> 00:46:08,000
You can help him to build the code better. So create you push submit a new issue.

415
00:46:08,720 --> 00:46:14,000
And this creates the issue that works for me and so on. It has also the ticketing system,

416
00:46:14,000 --> 00:46:20,320
assignments, no one. So you can actually assign if you want, who wants to solve this issue.

417
00:46:20,320 --> 00:46:26,320
You have a member of people and team, you can actually attach the issue to other people.

418
00:46:26,320 --> 00:46:31,680
If you think that they are capable of solving the issue or you think that it's theirs.

419
00:46:31,680 --> 00:46:35,680
They have also projects you can see. So if you have multiple projects, you can solve the issue.

420
00:46:35,680 --> 00:46:54,960
So, yes, you click on the code scanning and you click on the specific issue on the specific flow.

421
00:46:55,520 --> 00:47:02,400
So here you are here. You click on one of them and then on one of them there is a button here

422
00:47:03,040 --> 00:47:14,480
on the left. Right now it's not because I click, but it's there. Okay. Okay, let's go back.

423
00:47:17,040 --> 00:47:23,840
Step three, yes. And then it continues. Okay. So this was a task to a specific user. The issue

424
00:47:23,840 --> 00:47:28,720
was created. There is a timestamp when this issue was created. So you can track down, say,

425
00:47:29,280 --> 00:47:36,960
this is one month before, no one saw that. It's a mess. Okay. So let's go. Okay, people are going

426
00:47:36,960 --> 00:47:43,360
for holidays. They are not there to solve the digits. All right. So go, go, go. And then

427
00:47:44,160 --> 00:47:50,480
there are details on this readme file right now on the code scanning. You can reopen the alert

428
00:47:50,480 --> 00:47:56,480
and whatever. And then explains that you have to go to the edit button. So it's better to go

429
00:47:56,480 --> 00:48:03,760
on the main code. Let's go back. Click and open a new tab. Okay. And a new tab. Just have it if

430
00:48:03,760 --> 00:48:13,840
you want like that. If I go to the new tab, you can actually go on server and routes. And then

431
00:48:13,840 --> 00:48:19,680
you click edit file in order to edit online. Okay. I know many of you use command line and

432
00:48:19,680 --> 00:48:25,120
you use git on the command line, but anyway, you can do it this on the browsers. Edit this

433
00:48:25,120 --> 00:48:31,120
file and this allows you to edit the file. They have this as a reference here, or I can have

434
00:48:31,120 --> 00:48:39,040
as a reference the code QL results in order to see the things that are happening. Let me go again.

435
00:48:41,280 --> 00:48:48,880
So number 22 and number 16 was read. I don't remember anyway. So let's go.

436
00:48:49,200 --> 00:48:59,440
So we want to fix this vulnerability. So I will add it on line 16 and have this query name,

437
00:49:00,400 --> 00:49:07,280
query editing. So you can see the difference is that this command, instead of having like

438
00:49:08,000 --> 00:49:15,760
percent as, has percent as s. So it's like a dummy filtering like, okay, at least provide

439
00:49:15,760 --> 00:49:20,560
the string there, not something that is not a string. Okay. Of course, there are other

440
00:49:21,520 --> 00:49:28,000
examples that I can show you, but this is something very fast that you can do. Okay.

441
00:49:28,000 --> 00:49:35,680
You copy and paste or you write down. You go on the editing. So it's line 16. And you see here.

442
00:49:36,720 --> 00:49:42,880
This is the command. And it says blah, blah, blah, whatever. It says that, okay, we have to

443
00:49:42,880 --> 00:49:49,440
copy and paste and see like that. Watch out for the quote. So it's select all from books where name is

444
00:49:49,440 --> 00:49:57,680
like percent that string quotes closing comma and then name. Okay. Don't put the dot afterwards,

445
00:49:57,680 --> 00:50:04,000
because there is a dot on the phrase, but don't put any dot. This is the one. And the other one is

446
00:50:04,000 --> 00:50:11,680
I did line 22. So if I go to line 22, I copy and paste. It's always to see the past. Okay,

447
00:50:11,680 --> 00:50:19,680
to see what you are revising 22. Let's go back 22. Maybe I can put it on the bottom.

448
00:50:20,960 --> 00:50:28,240
Okay. It's like it is strong. It's the same. It's similar. Okay. They put the percent on string.

449
00:50:28,240 --> 00:50:35,680
So it's just an S here, I think. And they remove also the other percentage.

450
00:50:35,680 --> 00:50:43,360
It's just to be safe. Okay, here. Okay. I think it's fine. You commit the changes.

451
00:50:44,400 --> 00:50:51,360
You have an extended description if you want that all. I revise the code. I replace the sanitization.

452
00:50:51,360 --> 00:50:56,640
I add the sanitization of the SQL queries. Please review or whatever. Check again.

453
00:50:57,520 --> 00:51:04,400
Okay. So you put here the description that you want. Commit or create a new branch.

454
00:51:04,400 --> 00:51:10,000
I will commit on the main branch of my project. Okay.

455
00:51:13,840 --> 00:51:20,400
So issues. If I go to the issues, there are open issues and closed issues. Okay.

456
00:51:20,400 --> 00:51:29,680
So one open, zero close or whatever. Let's go to security again. Here you can see the indication,

457
00:51:29,680 --> 00:51:37,440
the number one. So there is one issue here still. And it will refresh after refreshing

458
00:51:38,560 --> 00:51:48,000
after 20 seconds here. It will go to step four most probably. Yeah, step four. And if I go to

459
00:51:48,000 --> 00:51:58,160
the code scanning, you can see maybe require some time. Maybe I did it wrong. I'm not sure.

460
00:51:58,160 --> 00:52:03,120
But this will close the, you know, the vulnerabilities will disappear from this

461
00:52:05,440 --> 00:52:17,280
dashboard here. There also has a lot of filters. So feel free to click around tools. If I click tools,

462
00:52:17,920 --> 00:52:25,040
there is also Python that in six files has come. So 100% of the main repository contains

463
00:52:25,040 --> 00:52:32,160
Python files. And there is also a filtering here. So it's language. If it's Python, HTML,

464
00:52:32,960 --> 00:52:39,920
you might have multiple tools to scan the code. So it's per tool, branch, rule,

465
00:52:41,200 --> 00:52:46,480
severity level. So you can actually do the sorting or the filtering upon, you know,

466
00:52:46,880 --> 00:52:53,040
the issues that are created. Anyway, it's not here for me. I don't know for you. Did it work?

467
00:52:55,200 --> 00:52:58,880
Where is the action on the security?

468
00:53:05,360 --> 00:53:08,480
Next to the projects, actions on the actions. Yes.

469
00:53:09,600 --> 00:53:15,680
I still running. Yes, both is still in progress. Meanwhile, I can go to the main repository

470
00:53:15,680 --> 00:53:21,680
just to present you. You can see the folder dot GitHub. So dot GitHub, if you go,

471
00:53:22,320 --> 00:53:30,240
there is the workflows. So here the workflows from CodeQL are here. So enable CodeQL,

472
00:53:30,240 --> 00:53:36,080
somehow here will be the, you know, the workflows. These are the workflows.

473
00:53:37,040 --> 00:53:42,160
If you want to see, it's also the workflows to update the readme and also will be the workflows

474
00:53:42,160 --> 00:53:48,320
from CodeQL, I think. But here is a mess because we have a lot of steps and so on.

475
00:53:49,120 --> 00:53:56,640
But the workflows also will be here, like the YAML files of whatever happens on the automation.

476
00:53:58,400 --> 00:54:05,200
Okay, let's see if action is still working. Yeah, it's done. Two minutes ago, so it required

477
00:54:05,200 --> 00:54:13,280
one minute and 60 seconds to finish. And you go security, code scanning, you can see

478
00:54:14,240 --> 00:54:18,160
two are closed. So the things are resolved. Okay,

479
00:54:18,880 --> 00:54:26,000
zero open to closed. So this closed the issues. Okay, let's go here.

480
00:54:34,240 --> 00:54:36,880
Okay, and this is the next step that we can make.

481
00:54:36,880 --> 00:54:44,720
Review pull request. Okay, it has a review pull request. You can see here with the pull request,

482
00:54:44,720 --> 00:54:49,200
so part of this is another step that we can make. I will not complete it right now here.

483
00:54:49,200 --> 00:54:55,120
So you can feel free and complete it later, maybe it requires some steps still to be done.

484
00:54:55,120 --> 00:55:01,920
And you can see the difference. There is an action point I can directly go and resolve the

485
00:55:01,920 --> 00:55:08,800
issue, but I can do a pull request and then the developer will see the pull request and will say,

486
00:55:08,800 --> 00:55:16,320
okay, is this a good editing? Do I need to push on my main branch or no? So a reviewer should

487
00:55:16,320 --> 00:55:23,520
actually see and check the editing and decide if this is fine for the main branch to be included

488
00:55:23,520 --> 00:55:30,080
and so on. In the past on the previous steps, we directly edited and we accepted and we

489
00:55:30,080 --> 00:55:34,720
done it, but here explains what you have to do in order to see the difference.

490
00:55:34,720 --> 00:55:39,120
And here's the difference. You can see that, okay, this was previously and this was added.

491
00:55:39,120 --> 00:55:45,600
So that's the change and so on. So this is something important in terms of versioning.

492
00:55:45,600 --> 00:55:52,640
Okay, and GitHub has this benefit advantage that has versioning. You can see the versioning going

493
00:55:52,640 --> 00:55:58,080
back and back and back. And if something breaks after one month of the project and say,

494
00:55:58,080 --> 00:56:05,680
okay, what happened? Nothing is working. You can go behind, track down and see what went wrong

495
00:56:05,680 --> 00:56:11,440
and try to resolve it and so on. This also goes for security. This also goes for functionality,

496
00:56:11,440 --> 00:56:18,000
troubleshooting and so on. And there are cases. I was thinking of a research, like a small task,

497
00:56:18,000 --> 00:56:24,000
let's say, with a versioning of GitHub to check if there is malicious code inside the project.

498
00:56:24,000 --> 00:56:30,880
So you can upload the files on the GitHub, the WordPress, let's say, folders.

499
00:56:30,880 --> 00:56:36,560
And if there is a JavaScript running like a malicious JavaScript, then you can see that,

500
00:56:36,560 --> 00:56:42,720
okay, this JavaScript or this line was changed. And you can actually track down malicious actions

501
00:56:42,720 --> 00:56:49,760
or if there is a malicious script running on the WordPress, you can do that comparing the old

502
00:56:49,760 --> 00:56:55,360
version of your projects, for example. So that's a cool way to do that. I have done it in the past.

503
00:56:56,240 --> 00:57:01,200
For example, we had the case where we have a WordPress site that was broken.

504
00:57:02,240 --> 00:57:08,560
Malicious scripts were running there. We did not know exactly what was the issue. We had to go

505
00:57:09,360 --> 00:57:17,200
file by file to see if there is any encoded code inside that is doing something peculiar.

506
00:57:17,280 --> 00:57:24,240
And then I just uploaded the project that we had in the past. Then I added the new files,

507
00:57:24,240 --> 00:57:32,240
the updated files, and then I compared the changes. And then I saw what files, what PHP files

508
00:57:32,880 --> 00:57:38,320
changed in the future. And I discovered there were five different files that were changed.

509
00:57:38,320 --> 00:57:43,520
One of them was fine. It was because of updates. But it was easier for me to find

510
00:57:43,520 --> 00:57:49,760
those five files that has this specific JavaScript code lining running on the

511
00:57:49,760 --> 00:57:55,120
background on the PHP file. So this helps a lot. I know it's a bit of trouble. That's why

512
00:57:55,120 --> 00:58:01,920
some basically it's like hacking. We say hacking because you know, you try to improvise. You

513
00:58:01,920 --> 00:58:10,640
try to create new ways to get your job done. Unorthodox, let's say, ways, peculiar ways

514
00:58:10,640 --> 00:58:18,480
to solve things. So that's a good way to use GitHub or GitLab. GitLab is their private repository.

515
00:58:19,680 --> 00:58:27,200
So that's nice for me. Any questions until now? Any comments? Is it fine? Is it working?

516
00:58:28,800 --> 00:58:34,720
Okay. And let me go. I don't know how much time do you have. It's a schedule. Is it until five?

517
00:58:35,680 --> 00:58:41,600
Oh, it's about five. It's three. So I will check the program just to be sure.

518
00:58:45,440 --> 00:58:52,480
It's until four o'clock. What time is it? Three. Okay. We have still time. Okay.

519
00:58:52,480 --> 00:59:00,640
And let me see. Sorry, sometimes I lost in time. I speak sometimes a lot. So let's go back.

520
00:59:00,720 --> 00:59:07,600
Ionian CTF. I think I have some other things like a repository for these things. So if I go,

521
00:59:08,960 --> 00:59:10,800
where is where is? Is it test?

522
00:59:15,040 --> 00:59:22,080
Yes, I think it's this one. Let me see. Security. It's solved.

523
00:59:24,880 --> 00:59:29,520
Maybe I can show you the healthcare use case. I think it's this one.

524
00:59:30,800 --> 00:59:38,240
Yeah. This repository was from my student of mine.

525
00:59:41,200 --> 00:59:46,800
So she created something like a Python script. I don't know remember what this script is doing.

526
00:59:48,000 --> 00:59:55,440
And yeah, let's go. I just told him, and it's a good option for students or for your colleagues

527
00:59:55,440 --> 01:00:00,480
or for your co-students to propose. If you have a GitHub account, you create a nice project

528
01:00:00,560 --> 01:00:08,480
in C or in Python on Ruby, click and enable security to see somehow what is the nice,

529
01:00:08,480 --> 01:00:13,760
what is good, what is wrong. Okay. And I told him, okay, just give me your repository and

530
01:00:13,760 --> 01:00:18,880
let's see the code scanning. So let's see. Code scanning is already done. You can always

531
01:00:18,880 --> 01:00:25,680
clone if you want. So it's a sec dev. If you go to the main repository, Union CTF here,

532
01:00:25,680 --> 01:00:31,200
you click repositories, all the repositories. There is this one sec dev. So it's security

533
01:00:31,200 --> 01:00:38,240
development, sec dev, security development. This repository, it will get popular,

534
01:00:38,240 --> 01:00:44,800
most of them will get popular anyway. Security here. And you can see use of a broken or

535
01:00:44,960 --> 01:00:57,040
weak cryptographic on sensitive data. Let's see. Okay. So here it is. Maybe I can. Sorry,

536
01:00:57,040 --> 01:01:04,320
some text study in Greek because he's a Greek student. And here you can see down there,

537
01:01:04,320 --> 01:01:11,520
hashed password, hashed, blah, blah, blah, password. So this says that use of a broken or weak

538
01:01:11,680 --> 01:01:20,160
cryptographic hash in gallery. Can you explain what is going wrong? Someone? What's the issue?

539
01:01:21,680 --> 01:01:22,800
I know it says, but what?

540
01:01:28,320 --> 01:01:39,360
Good idea, but I'm not Md5. Md5 is a weak, very weak, worse than I say it's 256 again.

541
01:01:40,320 --> 01:01:45,600
Someone develops in WordPress? No. WordPress development, anyone? There.

542
01:01:50,400 --> 01:01:58,640
Oh, no, it's the SH256, which is a good algorithm. It's also a salt. Maybe it's also a salt.

543
01:01:59,360 --> 01:02:04,000
Yeah, but he put that. He already put that because he's a good student.

544
01:02:04,800 --> 01:02:13,440
He told me, yeah, it's like, I will use a SH256. He also knows about WordPress development.

545
01:02:13,440 --> 01:02:20,880
So WordPress uses Md5 passing. What's the catch that they have this salt? You know,

546
01:02:20,880 --> 01:02:27,280
the salt, you put the level. It's like a prefix text that in combination with the password,

547
01:02:27,840 --> 01:02:33,680
it creates them the hashed binary. So then you have a rainbow table. A rainbow table is like

548
01:02:34,480 --> 01:02:42,400
a table file with passwords, angel, Stelios-133, whatever. And then the hash value, Md5 hash,

549
01:02:42,400 --> 01:02:49,920
SH256 hash, whatever. This is a rainbow table. And you use this rainbow table as a dictionary

550
01:02:49,920 --> 01:02:54,560
in order to do the brute force attack. You say, okay, if this hash value equals to that,

551
01:02:54,560 --> 01:03:00,320
then the password is this one. Okay. But if you have the salt, then it's Stelios-123

552
01:03:00,400 --> 01:03:07,600
plus my salt or whatever complex, let's say, text, and this creates another hash value.

553
01:03:07,600 --> 01:03:12,240
So it's impossible, nearly impossible for others to do that. But the catch is like that,

554
01:03:12,240 --> 01:03:19,920
if someone breaks the WordPress, goes in the salt and do the reverse and creates a rainbow table

555
01:03:19,920 --> 01:03:27,520
with angel-123, Stelios-123, whatever, plus the salt that finds inside the wp-config file,

556
01:03:27,520 --> 01:03:34,400
they will create a rainbow table. They get access on the SQL, my SQL, and then have the passwords

557
01:03:34,400 --> 01:03:52,080
as a clear text question. You sometimes, if you put a security plugin on WordPress,

558
01:03:52,800 --> 01:03:59,360
by default, except if they change it in the later versions, by default, it does not change

559
01:04:00,080 --> 01:04:06,240
by default. So that's a good perspective view on WordPress. You have the plugin, a security plugin,

560
01:04:06,240 --> 01:04:12,320
that will change the salts every month or whatever. By default, it does not do that.

561
01:04:12,320 --> 01:04:16,320
Maybe in the later versions of WordPress, they do that. I'm not sure. Okay.

562
01:04:17,040 --> 01:04:22,640
So, okay, that's the catch. Okay, but that's not the issue right now. It's like the cryptographic

563
01:04:22,640 --> 01:04:26,960
algorithm. It's the selection of the algorithm that they say that, okay, this is a

564
01:04:26,960 --> 01:04:34,880
good algorithm, but for passwords or sensitive data, and this comes from a security control,

565
01:04:34,880 --> 01:04:41,360
let's say, from NIST, you have to use specific arguments that are approved to be good also for

566
01:04:41,360 --> 01:04:51,040
sensitive and so on data. And these are algorithms like Scrypt, or like, how it's called the other one,

567
01:04:51,840 --> 01:05:02,640
Bcrypt, PBKDF2, and so on. So you say, why WordPress does not use that?

568
01:05:02,720 --> 01:05:08,560
And they use only five. Are they dummy? Are they stupid? Why? Anyone?

569
01:05:12,800 --> 01:05:19,920
It's faster. It's the disadvantage of security. You have to spend something. You have to give

570
01:05:19,920 --> 01:05:28,000
something to get the benefit. So you get a better, let's say password algorithm. It might be slower.

571
01:05:28,000 --> 01:05:33,520
And if you have a WordPress, they say, okay, you use WordPress. Maybe a lot of users will get into

572
01:05:33,520 --> 01:05:38,880
your blog, your e-shop. They will have multiple accounts. So every account has to do this

573
01:05:39,600 --> 01:05:46,400
connection. And when you connect, the server should generate the hash value and then compare

574
01:05:46,400 --> 01:05:50,960
to the basic one and then log in and so on. So it will be slow. So it's like a

575
01:05:50,960 --> 01:05:56,160
strategically, let's say, decision that they say, okay, we will use MDIFIRE because it's a

576
01:05:56,160 --> 01:06:03,600
fast algorithm because we want the clients to be faster. So it's like strategy. It's not

577
01:06:03,600 --> 01:06:10,080
that you can actually blame them. It's a strategy that they choose that we need performance over

578
01:06:10,080 --> 01:06:15,440
the security and we have the salt or whatever. And this is the difficult part of cybersecurity,

579
01:06:15,440 --> 01:06:22,320
the decision. What is the decision? And this is difficult. From your life, you lock the door

580
01:06:22,320 --> 01:06:28,800
and you say, okay, should I put a camera, an IP camera? Should I close with multiple lockers?

581
01:06:28,800 --> 01:06:33,920
So it's about risk, actually. You have to choose. You have to decide. And that's the

582
01:06:33,920 --> 01:06:43,120
most difficult part. Okay. So this is the algorithms that we have, Argon, whatever. They

583
01:06:43,120 --> 01:06:49,920
have also these in other cases. They have also here other details, examples, how to use it and so

584
01:06:50,000 --> 01:07:00,240
on. And let me go back. Okay. Okay. So the catch here will be like that. To change this algorithm,

585
01:07:00,240 --> 01:07:06,480
so from SSH 256 to Scrypt or whatever, and this will get solved. Get the world things done.

586
01:07:06,480 --> 01:07:12,800
Okay. Let me go where it is. Sorry. Here on the weaknesses.

587
01:07:15,120 --> 01:07:19,040
So we want, we can just solve the issue if we are in a hurry or whatever,

588
01:07:19,040 --> 01:07:24,320
if we want to learn more, you can see here the use of a broken or risky cryptographic algorithm,

589
01:07:24,320 --> 01:07:32,480
a lot of details and examples and so on. You can see here this. Okay. This is very,

590
01:07:34,000 --> 01:07:42,960
very simple hack. And whatever. Okay. They have a lot of things like PSP code and so on.

591
01:07:42,960 --> 01:07:48,240
Use of weak hash. If you have a hash that it's weak here as well, examples and so on.

592
01:07:49,760 --> 01:07:57,200
You can see also C whatever. I'm not into C. I know C, programming in C. Okay. But if I

593
01:07:57,200 --> 01:08:03,280
was to learn more about C, I will go here and say, oh, what is that? That's interesting. So

594
01:08:04,000 --> 01:08:08,240
again, you can learn things. You can learn things that you want to know. I don't know

595
01:08:08,960 --> 01:08:14,320
to learn C. Okay. You go ahead and you learn PHP. And you say, okay, I will just do the

596
01:08:14,320 --> 01:08:19,040
catch with the PHP or the Python, select the password and so on. And that's it. But if you

597
01:08:19,040 --> 01:08:24,400
want to learn more, you can go here and see more details. That's the thing that a lot of people,

598
01:08:24,400 --> 01:08:29,680
also your fellow students here told me, I don't want to learn to be a master on in C.

599
01:08:30,640 --> 01:08:35,680
I want to be into cybersecurity, but I don't want to learn to be an expert in C. Okay.

600
01:08:35,680 --> 01:08:40,960
It's not that you have to learn everything. Okay. I don't know assembly so much,

601
01:08:40,960 --> 01:08:47,440
but I'm not involved in projects that are a very lower level like embedded systems and so on. Maybe

602
01:08:47,440 --> 01:08:54,000
in the future, I will be better on that. But if I get paid, okay. So it's like you can learn

603
01:08:54,000 --> 01:08:58,480
something because you like, but you have also to see what are the opportunities, are you getting

604
01:08:58,480 --> 01:09:04,560
paid, what are your tasks and so on. So eventually you get a balance and you learn things more

605
01:09:04,560 --> 01:09:10,480
that you are like for sure you should like what you do in your work and then you are getting paid.

606
01:09:10,480 --> 01:09:20,560
So I'm not a game developer. Okay. Because the money was not worth it. I still get this also,

607
01:09:20,560 --> 01:09:24,960
you know, feedback from colleagues that it's not a good idea to be a game developer right now.

608
01:09:25,920 --> 01:09:32,560
Not worth it, let's say the effort. But no, it's nice work, game development. I like games.

609
01:09:32,560 --> 01:09:39,440
So here are a lot of things actually, and it's like even me that I'm in five years now or seven

610
01:09:39,440 --> 01:09:46,240
years now in cybersecurity research. There are things still that I like to learn from this detail.

611
01:09:46,240 --> 01:09:53,840
So it even mentions FPGAs. It was the last month that I ordered for equipment in my university

612
01:09:53,840 --> 01:10:00,800
to get FPGAs to start research on quantum cryptography and so on. So this

613
01:10:00,800 --> 01:10:06,560
is useful information for me. I will see how FPGA is related to that,

614
01:10:06,560 --> 01:10:13,040
to the hashing algorithm and so on. And this will get familiarity. I will get familiarity more.

615
01:10:14,000 --> 01:10:21,600
So okay, if I saw that one year before, I would not care. But now that I have ordered equipment

616
01:10:21,600 --> 01:10:28,480
for FPGA and get some new research, I will get to see how FPGA relates to hashing values

617
01:10:28,480 --> 01:10:35,840
and this will pop up more ideas, more research that I have to learn, more money because more

618
01:10:35,840 --> 01:10:44,000
research projects and so on. Okay, so here it's also details and references and so on. I will

619
01:10:44,000 --> 01:10:49,840
not go. You can also see CVEs but that's very old. I don't know if there are any other CVEs

620
01:10:49,840 --> 01:11:00,160
like very serious ones, but this happens. Why? Why there are no, let's say, you saw SQL injection.

621
01:11:00,160 --> 01:11:09,200
It was 2023. Here are all very old CVEs. There are no new software that has these issues. Why?

622
01:11:10,320 --> 01:11:16,400
Why this happens? Is it because it's simple to solve? The other was simple as well. But why?

623
01:11:17,120 --> 01:11:25,040
Why this happens? It's simple. This one is even simpler than SQL injection. Why almost,

624
01:11:25,040 --> 01:11:29,840
why? Why there are no new CVEs on that? What happens?

625
01:11:37,360 --> 01:11:42,800
The result does not solve the problem. The problem solved because of the selection of the algorithm.

626
01:11:43,760 --> 01:11:50,560
So it's not this. But half of your answer is right. Everyone uses. Why?

627
01:11:51,840 --> 01:11:57,840
Why everyone uses? Everyone should use also SQL filtering. Why they don't use it? It's simple.

628
01:11:58,960 --> 01:12:06,880
Why all the people, all the software companies used better encryption schemes? Yes?

629
01:12:07,200 --> 01:12:12,960
Yes, correct. Regulations and standards, okay.

630
01:12:15,200 --> 01:12:20,400
The heritage also could be GDPR as well. But it was before that that they choose that,

631
01:12:20,400 --> 01:12:29,280
okay, you store a password. It should be. With Warpress, it must not. Yeah, yeah, you're telling me.

632
01:12:29,680 --> 01:12:39,760
Yes, you can. But the standard does not say that you have to use a specific hash guard. The rule is

633
01:12:39,760 --> 01:12:46,320
that. The rule is not that they should not steal the passwords. You know, regulations and standards.

634
01:12:47,520 --> 01:12:53,600
Checkbooks. Did I throw that? Checkbooks. And that's the disadvantage of regulation

635
01:12:53,760 --> 01:13:01,280
and standards. You follow a standard. Are you secure? No, you're not. But legally, you are.

636
01:13:04,000 --> 01:13:09,040
And I say that because it's a good opportunity, you know, because I have seen a lot of presentations

637
01:13:09,040 --> 01:13:16,800
on regulations, standards, NIST, ISO, whatever. And for me, it's like the opposite. We have to

638
01:13:16,800 --> 01:13:23,680
understand the strategy, the regulations from that perspective, from technical perspective,

639
01:13:23,680 --> 01:13:30,720
because then we understand the problem that we have with regulations. And okay, we cannot solve

640
01:13:30,720 --> 01:13:36,160
this. Compliance, you will still need just the compliance, the checkbooks to be done, but we should

641
01:13:36,160 --> 01:13:48,960
know this. That's about the methodology and the perspective. You have to see the regulations

642
01:13:48,960 --> 01:13:50,720
from the technical perspective. That's my

643
01:13:54,880 --> 01:14:00,160
regulations are good and standards. I check the, you know, the least, the huge least and

644
01:14:00,160 --> 01:14:06,000
see these as recommendations, but you have to understand the problem. That's my issue.

645
01:14:06,640 --> 01:14:11,440
And, you know, if you just go and check the checkbox, you still can't do it. And I do that as

646
01:14:11,440 --> 01:14:16,880
well. Just click the checkbox, that is done. But I know the problem. At least I know.

647
01:14:16,880 --> 01:14:23,200
I should know. I should not be confident that, yes, because I have this regulation, it's fine.

648
01:14:23,200 --> 01:14:33,760
But still, the benefit is there. The benefit is there because this happens. At least they use

649
01:14:33,760 --> 01:14:40,400
strong cryptography in Calgon. And that is good. Eventually it's good. The same could happen with

650
01:14:40,400 --> 01:14:47,120
SQL injection soon. Yes, maybe, but anyway. But that's, you know, a conclusion that I had here

651
01:14:47,120 --> 01:14:52,160
on that side. And this is new. It's the first time that I mentioned this. It's not that I prepared

652
01:14:53,280 --> 01:15:00,080
these conclusions. It just came right now. Okay. From my, from my research that we did right now

653
01:15:00,080 --> 01:15:07,040
on these issues. Okay. So you can see that cybersecurity is fine because you create things.

654
01:15:07,840 --> 01:15:12,640
Right now, I did not have this presentation already. I did not have these conclusions. But

655
01:15:13,280 --> 01:15:19,200
here I can see. I can see the conclusion of that. Of course, there might be researches to say that,

656
01:15:19,200 --> 01:15:24,160
you know, there are a couple vulnerabilities that can go to the common vulnerability repositories and

657
01:15:24,160 --> 01:15:30,560
say, see if there are any other repositories there with vulnerabilities like that. Maybe they are,

658
01:15:30,560 --> 01:15:38,640
and this is wrong. This can be a research paper. Okay. Search around and say why and why and why.

659
01:15:38,640 --> 01:15:46,160
And why WordPress is not legally, you know, promote obligated to fulfill this and they still

660
01:15:46,160 --> 01:15:52,560
have MD5 on the passwords. Why? It's a research question. Okay. Maybe someone of you know,

661
01:15:52,560 --> 01:15:57,280
but I wouldn't. If anyone wants a research paper with me, it's fine.

662
01:15:57,600 --> 01:16:09,200
Okay. So here it's one is, so MD5 SH 256. I can go and solve it, but I can try not to,

663
01:16:09,200 --> 01:16:16,000
but maybe I can try. It's Scrypt, let's say, Scrypt, Scrypt. There is no documentation here.

664
01:16:16,000 --> 01:16:20,480
You can see more information here. What is Hashing algorithms and so on. Mathematics is nice.

665
01:16:21,440 --> 01:16:29,680
Okay. Maybe I can cover an example here. So it says 256. Is it Scrypt somewhere?

666
01:16:33,040 --> 01:16:40,320
Either if the, even if there is no, you know, let's say recommendation, you can go Scrypt,

667
01:16:40,880 --> 01:16:44,720
PHP, how to Google stack overflow or whatever. Okay.

668
01:16:45,040 --> 01:16:53,040
Okay. Can I use the Scrypt? Was it a PHP or a Python? It was a Python. Okay. Let's go back.

669
01:16:54,320 --> 01:17:01,360
Scrypt, Python, how to, okay. It has something here, something here. Go search.

670
01:17:02,880 --> 01:17:07,360
They have pip install Scrypt. They have these, blah, blah, blah.

671
01:17:07,840 --> 01:17:12,640
Yeah. And maybe they have also an example here, how to use it.

672
01:17:14,080 --> 01:17:20,000
Yeah. They have, like py script, like this library, maybe I can go and see what happens.

673
01:17:20,720 --> 01:17:26,880
Here is this one. I can go and, okay. It's on the file application py,

674
01:17:27,760 --> 01:17:40,720
application py. And then, where was that? The line. I think it's this one. Where are the lines?

675
01:17:41,360 --> 01:17:53,440
Ah, it was another line. Four? 489. Yes. It's multiple. It's two places. It's two times.

676
01:17:54,400 --> 01:18:00,160
It's two times. Yes. I will go back here. I will import. Oh, come on. Edit.

677
01:18:02,720 --> 01:18:08,240
Yeah. I cannot edit because I go inside directly. So I will go back, check depth,

678
01:18:09,040 --> 01:18:16,560
application py. Let's go. Application py. And then, why happens?

679
01:18:16,640 --> 01:18:25,680
Yeah. It's on the main repository. You're correct. It's like, yeah. It's like I have to fork it.

680
01:18:25,680 --> 01:18:30,320
Anyway, crap. Anyway, I will not solve this right now, but feel free. You can clone.

681
01:18:30,880 --> 01:18:35,280
I think it was cloned, but anyway, but you can do that or you can propose the student,

682
01:18:35,280 --> 01:18:40,720
but I think he already solved it. I'm not sure. Anyway, so here you can see how this works

683
01:18:40,720 --> 01:18:45,200
and you embed this code on your code and you solve the things. You go on the screen,

684
01:18:45,200 --> 01:18:50,640
and you see that it's solved and that's it. Okay. Easy. Easy. Easy way. Easy way.

685
01:18:50,640 --> 01:18:54,880
And that's my purpose. I ask a lot of people, developers, do you develop? Yes.

686
01:18:55,920 --> 01:18:59,920
What kind of languages? Python, Ruby, whatever. Do you know this button?

687
01:19:00,800 --> 01:19:06,080
Have you ever clicked that? No. What's that? I don't know. And they say sometimes, okay,

688
01:19:06,080 --> 01:19:11,600
I want to have more security and whatever. And that's my perspective. On undergraduate

689
01:19:11,600 --> 01:19:18,160
students, I will teach that. Go to the security, click, see. You will be eventually a better developer

690
01:19:18,160 --> 01:19:23,360
because you will learn more things and so on. And this is cool because your code will be

691
01:19:23,360 --> 01:19:29,120
secure and you can promote and say, oh, I know some security development and the practices.

692
01:19:29,120 --> 01:19:35,120
It's important. Okay. And it's nice to have. Okay. Let's go back and see what other issues

693
01:19:35,120 --> 01:19:49,360
we have. Security. Security. Yes. Let's see. Yeah. It's similar to the others that we have.

694
01:19:50,080 --> 01:19:54,320
Okay. It's easy to write a regular expression range that matches a wider range. Let's see the

695
01:19:55,360 --> 01:20:03,520
common issue, a wider range. Someone knows what that is. What should be the issue? It says that

696
01:20:03,520 --> 01:20:11,520
you can have a much wider range. Something better than that. But why? What can go wrong?

697
01:20:11,520 --> 01:20:23,360
Let me zoom a bit here. Oh, what is this? Oh, sorry. Where are you? Here. Sorry. This line.

698
01:20:23,360 --> 01:20:32,560
476 here. You can see strange symbols, search, blah, blah, blah. And it plays here that

699
01:20:32,640 --> 01:20:36,480
it's easy to write a regular expression range that matches a wider range like that.

700
01:20:38,160 --> 01:20:42,320
Does it remind you something about previous examples that I showed you?

701
01:20:44,160 --> 01:20:49,840
What's the difference between this and what's the difference between that? The student did not

702
01:20:49,840 --> 01:20:55,040
know about security. When he saw his code, he said, ah, I know that. The other students were like,

703
01:20:55,680 --> 01:21:01,600
what's that? The student that write the code was like, I know this. I know that stuff.

704
01:21:01,600 --> 01:21:07,440
He goes, you know, immediately in two seconds, he says, ah, yes. That's the problem.

705
01:21:08,320 --> 01:21:15,200
What's the problem? He knew because he wrote the code. So something is different there. A range.

706
01:21:18,080 --> 01:21:23,520
Anyone knows this expression? No. Regular expressions. Regular expressions. Something

707
01:21:23,520 --> 01:21:29,920
tricky. Very, very tricky. Very tricky because I was, you know, I studied a lot. I completed

708
01:21:29,920 --> 01:21:34,880
studies, sorry. And I did not know how to write a regular expression, which is weird.

709
01:21:35,520 --> 01:21:42,080
And then I saw a whole world with regular expressions. What's that? I need four years

710
01:21:42,080 --> 01:21:47,280
more to study just learning regular expressions. Tell me. Yes?

711
01:21:47,600 --> 01:21:54,160
Correct. It's like a range.

712
01:22:00,880 --> 01:22:03,760
Correct. Correct.

713
01:22:07,360 --> 01:22:07,760
Yes.

714
01:22:08,320 --> 01:22:19,920
Correct. You are very correct. Yeah.

715
01:22:20,080 --> 01:22:22,080
Yeah.

716
01:22:34,160 --> 01:22:41,680
Other special characters. Yes. The case is like that. You define statically some

717
01:22:42,640 --> 01:22:49,200
extra additional special characters. Maybe you can go here. All special characters.

718
01:22:50,880 --> 01:22:56,160
You know, a modern kid will not go on Google. They will go on ChatGPT and will write,

719
01:22:57,840 --> 01:23:01,440
tell me all the special characters that are out there. I will click on Google.

720
01:23:03,040 --> 01:23:11,040
Let's see. Yeah, you can see. We think that special characters are question mark,

721
01:23:11,040 --> 01:23:16,320
exclamation mark, or whatever. There are a lot of them, but you can see here this,

722
01:23:17,040 --> 01:23:19,920
yeah, the special characters are many, many, many, many more.

723
01:23:23,520 --> 01:23:28,080
Yeah, maybe there are special characters. I don't know if, oh, I think it's uniform.

724
01:23:28,080 --> 01:23:36,800
I think it, ah, maybe there are. Yeah, yeah. Here. We are special.

725
01:23:39,600 --> 01:23:44,880
In Portugal, Portuguese people tell me that, okay, what's that? You are writing in maths,

726
01:23:44,880 --> 01:23:51,760
like you speak with equations in Greece, because most of the letters are in maths.

727
01:23:57,120 --> 01:24:02,720
Okay, so these are the special symbols, and we do not involve them. Well, when we do that,

728
01:24:03,280 --> 01:24:11,680
like that, we can involve all the special characters except A to Z, or A capital to

729
01:24:11,680 --> 01:24:17,920
Z capital, or whatever. I don't remember your expression. So it's like you define the scope.

730
01:24:17,920 --> 01:24:24,640
You only need letters, letters and numbers, and not whatever else. So you exclude everything else.

731
01:24:24,640 --> 01:24:32,800
Okay, and that's the proposal here. So this is like a search form. So it's like an SQL injection,

732
01:24:32,800 --> 01:24:39,360
because I don't remember what is he doing, but it's like you can have a search form to do

733
01:24:39,360 --> 01:24:45,200
something, to search something about, and then you can put special symbols and run execute commands,

734
01:24:45,200 --> 01:24:51,280
arbitrary commands inside the platform, inside the server, or whatever. This is bad, okay. It's

735
01:24:51,280 --> 01:24:58,320
not only for the SQL injection. And if you go to the CW improper input validation, it's not

736
01:24:58,320 --> 01:25:03,360
SQL injection because it's not an SQL command. It's like a Python script. And this is very

737
01:25:03,360 --> 01:25:11,280
serious, okay, because someone can execute commands inside the search query that is inside Python.

738
01:25:11,280 --> 01:25:19,840
He can take over the server, actually, okay. So improper validation of inputs, you can see

739
01:25:19,840 --> 01:25:26,800
examples here and whatever, implementation, architectural and design, whatever. And there

740
01:25:26,880 --> 01:25:34,000
are also some details here, examples of what can go wrong. And you can see also a C, let's say,

741
01:25:35,600 --> 01:25:43,520
examples here in programming C, and other examples with get or post methods on a PHP,

742
01:25:44,240 --> 01:25:53,040
and so on. There are multiple CVEs. You can see even a CVE on large language models that have

743
01:25:53,120 --> 01:26:01,200
input, let's say, improper input validation. I don't know the standards. I'm not an expert on

744
01:26:01,200 --> 01:26:08,640
standards. My assumption was before that, okay, it's about standards. Unfortunately, we can see here

745
01:26:08,640 --> 01:26:16,160
that there are CVEs nowadays on that side. So maybe standards are not very serious or not. I'm

746
01:26:16,160 --> 01:26:22,880
not sure. For sure, all the standards are on passwords, even myself. When I found a student,

747
01:26:22,880 --> 01:26:31,920
PhD, that she makes a platform for education to learn about Arduino and has a login form.

748
01:26:31,920 --> 01:26:38,320
And she says, okay, I have an Arduino and I know cybersecurity is very important and

749
01:26:38,320 --> 01:26:44,800
try to enable this and so on. She does not know about cybersecurity, even if she is a PhD,

750
01:26:44,800 --> 01:26:51,360
anyway. But then she told me that, no, I don't have any personal data. Do you store passwords

751
01:26:51,360 --> 01:26:56,560
for the login forms? Yes, I do. Then you have passwords. You have to secure your passwords.

752
01:26:56,560 --> 01:27:04,320
That's the minimum that you can do. Even without standards, it was my proposal that in minimum,

753
01:27:04,320 --> 01:27:11,440
okay, there are other issues might have. But a data breach that will uncover a password of your

754
01:27:11,520 --> 01:27:17,680
student will be a problem. The first question actually was, okay, because it's good to ask,

755
01:27:18,480 --> 01:27:25,280
is the passwords that you store in clear text or are in hash? She told me what is hash.

756
01:27:29,920 --> 01:27:35,760
And then I told her, okay, what kind of database did you use? She told me I use Firebase.

757
01:27:36,720 --> 01:27:42,480
Okay, I thought that, okay, Firebase, they might have this by default, because it's like Firebase,

758
01:27:42,480 --> 01:27:49,040
if you don't, anyone uses Firebase? Okay. It's like a very easy database from Google

759
01:27:49,040 --> 01:27:53,360
that you can actually expose the port and expose the database. Do not expose databases

760
01:27:53,360 --> 01:28:00,240
on the internet, please, but anyway. So you expose your precious database on the internet,

761
01:28:00,240 --> 01:28:04,320
but they have all the security controls from Google, authentication, the second fact,

762
01:28:04,400 --> 01:28:08,880
authentication, whatever. And by default, I thought, okay, they will have also

763
01:28:08,880 --> 01:28:13,760
the passwords hashed. And actually, yes, they had the passwords hashed. I checked that they have the

764
01:28:13,760 --> 01:28:19,040
button that by default, they are hashed and so on. Okay, I told her, it's fine, you have the

765
01:28:19,040 --> 01:28:28,960
passwords hashed there. Then I did not have the effort or the mood to ask her if she's doing

766
01:28:28,960 --> 01:28:37,520
filtering of the loading form and so on. So my first question was about that, do you have

767
01:28:38,160 --> 01:28:44,080
the passwords hashed? I did not ask what kind of encryption scheme they use, it's from Google,

768
01:28:44,080 --> 01:28:49,680
it's fine. And that was my first question at the last, because she did not know how she's,

769
01:28:52,560 --> 01:28:57,840
I did not have the time to explain here that, okay, you have also to check that the

770
01:28:57,840 --> 01:29:07,840
form of the login has a PHP filtering. But I can show here, if she was studying again,

771
01:29:08,640 --> 01:29:14,400
GitHub. And I could say to her, okay, go to GitHub, see the results, see the, maybe it's

772
01:29:14,400 --> 01:29:20,720
a good idea to tell her that. Just look for yourself, upload the code, check on yourself,

773
01:29:20,720 --> 01:29:26,720
there are multiple security issues there, you're a PhD, you will find a way. And she will try to

774
01:29:26,720 --> 01:29:36,320
fix her own issues because I'm sure she developed PHP by her own hand, so I think she will not have

775
01:29:36,320 --> 01:29:44,320
any filtering of that. Okay, it's not a production software, but okay, come on, at least do some

776
01:29:44,320 --> 01:29:50,640
basics, I don't know. But it will be a plus, both for her and for me, because her supervisor

777
01:29:50,640 --> 01:29:57,680
will congratulate me. Okay, so sorry about this discussion, but it's like, you know,

778
01:29:57,680 --> 01:30:03,600
it's a result from the experience. And it's important for you to understand the flow,

779
01:30:03,600 --> 01:30:11,920
how this happens. So here it's like that, changing and other things, a lot of software issues and

780
01:30:11,920 --> 01:30:17,680
vulnerabilities in the past on the improper input validation. Okay, so you can execute

781
01:30:17,680 --> 01:30:23,120
commands here, Python commands, take over privileges, so privilege escalation can be here,

782
01:30:23,120 --> 01:30:29,680
I don't know if it's this mentioned here, let me go, privilege escalation, no? No, it's not

783
01:30:29,680 --> 01:30:36,480
related to privilege escalation, but anyway, okay. But things can happen on the Python script

784
01:30:36,480 --> 01:30:43,280
that someone can execute whatever he likes inside this search. Okay, let's go back, security.

785
01:30:43,840 --> 01:30:50,720
Okay, and I think this is all, so two issues here and two issues here. Of course, it's a simple code,

786
01:30:52,320 --> 01:30:58,080
the student is good, at least he used the salts, that was impressive, okay, for sure,

787
01:30:58,640 --> 01:31:05,680
for a student in undergraduate. But anyway, so this was an example, any questions on that?

788
01:31:05,680 --> 01:31:11,360
You can see there are a lot of Python files, nothing else has been provided as a mission.

789
01:31:11,440 --> 01:31:17,920
Of course, it provides a confidence that, okay, we are good, but still, okay, going manually and see

790
01:31:17,920 --> 01:31:23,760
if there are flaws, doing the penetration testing, do the vulnerability assessment in a black box,

791
01:31:23,760 --> 01:31:30,880
this will definitely say that, okay, we are fine in terms of security. It's just an easy way for

792
01:31:30,880 --> 01:31:37,840
us to provide the code analysis and see if there is a very huge issue, let's say on our code,

793
01:31:37,840 --> 01:31:43,920
eventually it will not provide everything, otherwise it will be easy, just run a code analysis,

794
01:31:43,920 --> 01:31:50,160
everything is fixed and so on, because what happens about also the zero day attacks, okay,

795
01:31:50,160 --> 01:31:54,800
there is a new vulnerability that was not discovered before and so on. So you never know,

796
01:31:54,800 --> 01:32:02,160
but this at least provides a baseline of secure code on the development and you understand better

797
01:32:02,160 --> 01:32:06,640
your code. That's the important thing that, okay, you spend a lot of time

798
01:32:08,480 --> 01:32:15,200
preparing the code to do the security. The feedback, the advantage is that you get experience

799
01:32:15,200 --> 01:32:22,160
in terms of development. So I try to promote the students, okay, you don't want to learn

800
01:32:22,160 --> 01:32:29,040
some security, but you will be a better developer. You will get this good benefit, okay. But I

801
01:32:29,040 --> 01:32:34,320
think most of the developers will like to see their code and see off any flows, they don't have

802
01:32:34,320 --> 01:32:39,120
any problem, they like, they like I think this perspective. They might not like other things

803
01:32:39,120 --> 01:32:46,400
like forensics or log analysis or whatever, but I think since they are developers, they like code,

804
01:32:46,400 --> 01:32:52,240
they also like to update their code and have a better code. Okay, so this was one example,

805
01:32:52,240 --> 01:33:00,800
let me go back. I like to provide some examples. And here's another example. It's like,

806
01:33:01,680 --> 01:33:08,240
I don't, I have not used this DICOM server. A DICOM server in healthcare is a server that has

807
01:33:08,240 --> 01:33:18,400
both database and data storage. And they store X-ray images or tomography images. So all of

808
01:33:18,400 --> 01:33:29,920
these images is like, let me show you, DICOM image example. Of course, it's very sensitive data

809
01:33:29,920 --> 01:33:36,400
because they have medical history. And actually, you can see all the details of the brain, for

810
01:33:36,400 --> 01:33:41,360
example, of the human, of the patient. So it's like that, the DICOM image. And it's not like

811
01:33:41,360 --> 01:33:47,920
only an image, they have also meta data inside. So the doctor will go here and highlight this

812
01:33:47,920 --> 01:33:54,640
part of the brain and say that, okay, this has issues here. Or I can see something specific

813
01:33:54,640 --> 01:34:00,400
happening here. And they annotate the image. And this is like a forensic image because another

814
01:34:00,400 --> 01:34:04,720
doctor will go and highlight and then another doctor will go and highlight. They will do the

815
01:34:04,720 --> 01:34:10,400
surgery and then highlight again the part that they did the surgery. And this goes on in the

816
01:34:10,400 --> 01:34:14,880
past. So it's like meta data. So it's like a stack of images that are connected inside one

817
01:34:14,880 --> 01:34:20,720
image. And this is a DICOM protocol. It's called the DICOM protocol. And they are stored in servers

818
01:34:20,720 --> 01:34:30,240
called the PACS servers, PACS servers. So PACS servers store these images. They have a software

819
01:34:30,240 --> 01:34:38,400
like frontend to put the images. They have the database to do the indexing. And they have the

820
01:34:38,400 --> 01:34:44,480
data storage to store the DICOM images. So then the nurses, the doctors will go on a web UI

821
01:34:44,880 --> 01:34:50,160
and we'll see which is the patients. We'll open and we'll see the DICOM images and all

822
01:34:50,160 --> 01:34:56,400
the past of the DICOM images. So this is a server that I found from Microsoft. I have not used.

823
01:34:56,400 --> 01:35:03,680
Mostly I use another open source platform for test beds. So I try to create healthcare test

824
01:35:03,680 --> 01:35:10,720
beds in some of the projects to do the red teaming and to do the attacks on the

825
01:35:10,800 --> 01:35:17,440
web services to see what's going on. So it's like a cyber range on healthcare.

826
01:35:17,440 --> 01:35:23,120
So I have not used this one, but I just wanted to fork to give you an example. So you can see here

827
01:35:23,120 --> 01:35:31,040
JavaScript, 43% of C-Sharp, 38, of course, it's Microsoft. TSQL, which I don't know,

828
01:35:31,040 --> 01:35:38,320
but it's TSQL. I know, but it's TSQL anyway. PowerShell. They have also PowerShell. Maybe

829
01:35:38,320 --> 01:35:43,360
PowerShell they used just for automation. Dockerfile. They provide the Dockerfile HTML.

830
01:35:43,920 --> 01:35:48,640
So it's mostly about JavaScript. If I go to the security, and this I don't remember

831
01:35:49,280 --> 01:35:55,200
when this was done. It's a clone, so it's not a fork, but it's a new one. If I go to the code

832
01:35:55,200 --> 01:36:01,520
scanning, you can see here different issues, let's say. And this is from Microsoft. Okay.

833
01:36:01,520 --> 01:36:08,160
It's not a commercial, let's say, software, but anyway, let's see. Logend is created from

834
01:36:08,160 --> 01:36:16,080
user input. I don't remember everything of the CVEs, of the flaws that I present, but here,

835
01:36:16,080 --> 01:36:21,760
if an unsanitized user input in a written to a log entry, malicious user may be able to forge

836
01:36:21,760 --> 01:36:27,440
log entries. Anyone of you develops in Android, Android development, anyone?

837
01:36:29,040 --> 01:36:37,520
Well, one. Okay. Two. Did you ever see security on Android, any challenges, capture the flag,

838
01:36:37,520 --> 01:36:48,080
or whatever? No? Did you? No. But then you have. Okay, maybe.

839
01:36:50,160 --> 01:36:57,440
Android development. Okay, let's talk about that question. Logcat. Do you know Logcat? No?

840
01:36:58,320 --> 01:37:13,200
Not network. It's the logging system of Android. Logcat. Do you know Logcat? Yes, yes, yes, correct.

841
01:37:13,200 --> 01:37:17,920
You click ADB, you connect to the Android phone, you click Logcat, and you see everything that

842
01:37:17,920 --> 01:37:24,000
happens on the mobile phone. So it's like you touch the screen and this has been recorded on the

843
01:37:24,000 --> 01:37:29,280
log. Everything is recorded on the log. It's cool. It's very nice. You open the camera,

844
01:37:29,280 --> 01:37:33,760
you see the log that opens the camera, everything. Everything is on Logcat. And the Logcat was

845
01:37:33,760 --> 01:37:41,440
disabled in later Android phones on the device. You can only do that if you connect on a computer,

846
01:37:41,440 --> 01:37:46,720
enable USB debugging, and allow the Logcat to run because of security reasons. Okay.

847
01:37:46,720 --> 01:37:54,960
Back in Android 6, not things happen like that, meaning that you click login on an application,

848
01:37:54,960 --> 01:38:01,840
on an Android application, it requires login and password. You give the password, the logs

849
01:38:02,640 --> 01:38:10,880
say that, okay, password A, B, C, Stelios was given the platform, and this log was stored.

850
01:38:10,880 --> 01:38:17,920
So someone takes your mobile phone, gets an ADB, goes on the logs that are stored from the

851
01:38:17,920 --> 01:38:25,120
application, not Logcat. Logcat, it's like a live streaming application. But the service itself,

852
01:38:25,120 --> 01:38:31,680
like that, stores some of the inputs inside the logs. So someone can see the logs and see

853
01:38:31,680 --> 01:38:39,840
personal data inside the logs. So that's something important. Do not store the logs of the

854
01:38:39,840 --> 01:38:46,800
software, usernames, passwords, and so on. That's also a serious issue on the development side.

855
01:38:46,800 --> 01:38:52,560
You're in development cycle, you have the debugger open because you want to debug everything.

856
01:38:52,560 --> 01:38:58,000
And then you publish on whatever, on the client or on the internet, and you forget

857
01:38:59,120 --> 01:39:05,520
to close the debugger. And the logs are still kept there. So someone can go on the logs and

858
01:39:05,520 --> 01:39:12,160
find the data and so on. So debugging, it's like you have to be careful. It's like serious issues.

859
01:39:12,160 --> 01:39:17,600
Okay. So this is the issue here. Log entries created from the user input. So they have some

860
01:39:17,600 --> 01:39:25,600
log entries that are created that they have inputs. Specifically here, it says if unsanitized

861
01:39:25,600 --> 01:39:29,920
user input is written on the log entry, a malicious user may be able to forge new log

862
01:39:29,920 --> 01:39:34,880
entries. So it might be able to create new log entries, but it's different. Okay, it's different

863
01:39:34,880 --> 01:39:39,760
than the thing that I explained before, but it's on the similar, let's say context.

864
01:39:39,760 --> 01:39:46,400
Example, they have an example of sanitation and so on. So what we learn again from this, logging.

865
01:39:48,160 --> 01:39:54,160
How many of you have you seen logs? One, two, three. How many of you have you seen

866
01:39:54,160 --> 01:40:02,480
logs from debugger, let's say? Okay, how many of you have you seen logs from the operating system?

867
01:40:03,440 --> 01:40:08,000
I'm quite a few. How many of you have you seen logs from Android?

868
01:40:10,640 --> 01:40:11,520
Still the user.

869
01:40:19,120 --> 01:40:31,120
Oh, okay. That's nice. That's nice. It's not by default on Flutter. The logs, okay.

870
01:40:32,000 --> 01:40:39,760
Good. For ones that they have not seen a log, I do that on the undergraduate students a lot.

871
01:40:40,640 --> 01:40:48,400
I go here and you see logs, Windows logs. If I go here, it's like the operating system logs.

872
01:40:49,440 --> 01:40:55,200
We'll get loading. Okay. So here is everything about security logs of Windows,

873
01:40:55,760 --> 01:41:04,000
application logs. So if I have the Apache server running or MariaDB running on my operating system,

874
01:41:04,000 --> 01:41:09,200
the logs will be here. Anyway, they will load somehow. And if you go back, back, you will

875
01:41:09,200 --> 01:41:14,560
eventually see also on the kernel side, when the computer was first opened after the format.

876
01:41:15,440 --> 01:41:18,960
They track everything on the operating system. This one goes from the Android.

877
01:41:19,040 --> 01:41:26,800
Android is nice. It's even better than this because Android, it's like a very complex system.

878
01:41:26,800 --> 01:41:33,040
Everything is recorded because you have a GPS, you have a touchscreen, you have a microphone,

879
01:41:33,040 --> 01:41:40,160
you have all the metrics and the sensors it might have. It has a lot of battery, whatever,

880
01:41:40,160 --> 01:41:44,800
but they have a lot of sensors on Android. If you can see that real time, it's very cool.

881
01:41:44,800 --> 01:41:48,640
And you can learn a lot and you can take a lot of data from analysis later.

882
01:41:48,960 --> 01:41:52,160
So you can imagine you come and have a smartphone and you can actually

883
01:41:52,160 --> 01:41:56,400
use it as a sense of device to do whatever you want, like an experiment.

884
01:41:57,520 --> 01:42:04,000
So here the logs will actually present. For cybersecurity, logs are very important because

885
01:42:04,000 --> 01:42:08,160
that's where alerts are happening. You take the information from the logs and you create

886
01:42:08,160 --> 01:42:14,880
the alerts and so on if there is something happening bad. They have other details like that,

887
01:42:14,880 --> 01:42:19,200
affected buds and high level. Let's go back and see what other details we can have.

888
01:42:21,760 --> 01:42:25,280
The same goals for the controller, view controller, so it's the same.

889
01:42:26,240 --> 01:42:28,240
Most of them I think it's the same. Let's go.

890
01:42:30,160 --> 01:42:36,960
Client side URL, the redirect. They have a URL redirect. When they call maybe

891
01:42:37,840 --> 01:42:44,560
someone can say what can be happening. I don't want you to think you don't

892
01:42:44,640 --> 01:42:50,480
want to say the correct answer. Just an assumption. What can that be meaning? What can go wrong?

893
01:42:51,600 --> 01:42:56,480
On client side URL redirect. Anyone? Yes, yes.

894
01:43:00,080 --> 01:43:04,400
Okay. It could be happening. So it's like a login form and when you log in,

895
01:43:04,400 --> 01:43:12,400
this will go to a direct page to another website and you click something there and you are

896
01:43:12,400 --> 01:43:16,640
getting some details on the website that is not supposed to be. Of course,

897
01:43:16,640 --> 01:43:21,280
you can see that it's redirected to another website, but the other website would be another one.

898
01:43:21,280 --> 01:43:27,840
Oh, no. It can be a clone of Facebook. Someone can clone the Facebook main login page and

899
01:43:27,840 --> 01:43:33,440
you think, okay, I have to log into my login screen of Facebook. You click the details and

900
01:43:33,440 --> 01:43:49,360
you are getting the details. It's a good answer. Another one? Yes.

901
01:43:49,360 --> 01:44:01,280
Correct.

902
01:44:01,280 --> 01:44:04,160
Is there nothing in the page? Correct.

903
01:44:05,680 --> 01:44:13,040
In an iFrame? No. Yes. Correct. It's two different approaches. One is the output.

904
01:44:13,040 --> 01:44:17,840
You click something and it redirects to another page. So it's the output. The other is the input.

905
01:44:17,840 --> 01:44:24,720
You can use the redirection for input to have something on the page that you try to infect.

906
01:44:24,720 --> 01:44:29,040
You put something on the header and this calls something bad. So you can see here,

907
01:44:30,080 --> 01:44:36,080
here, it has this URL. It calls JavaScript from outside the world, from the internet.

908
01:44:36,080 --> 01:44:40,560
So you can put here another JavaScript or your own malicious JavaScript.

909
01:44:40,560 --> 01:44:45,280
And this will be included here. And we'll do the action point,

910
01:44:45,280 --> 01:44:50,640
a different JavaScript that we'll do something else. So that's something that we can assume.

911
01:44:52,160 --> 01:44:57,040
Let's go redirecting to URL that is constructed for parts of DOM that may be controlled by the

912
01:44:57,040 --> 01:45:02,880
attacker can facilitate phishing attacks. That's nice. The thing that your colleague mentioned.

913
01:45:02,880 --> 01:45:06,960
In these attacks, unsuspecting users can be redirected to a malicious site

914
01:45:06,960 --> 01:45:11,600
that looks very familiar to the real one and so on. In other words, can be controlled

915
01:45:11,600 --> 01:45:18,880
by the attacker. Recommendation, untrusted URL. It's advisable to avoid putting user input directly

916
01:45:18,880 --> 01:45:23,120
into redirect. Instead, maintaining a list of authorized directs from the server,

917
01:45:23,760 --> 01:45:29,520
then choose from the list based on the user input provided. And they have some options here.

918
01:45:29,520 --> 01:45:34,080
I'm not an expert to resolve this one, but you can see here the proposal.

919
01:45:34,080 --> 01:45:39,360
You can read the recommendation. Then my approach is always go to the CWE,

920
01:45:39,360 --> 01:45:44,800
see what happens on the cross-site scripting and so on. And maybe here and maybe here.

921
01:45:44,800 --> 01:45:50,080
And then try to find the solution, try to rewrite the code and so on. So that's a common approach.

922
01:45:50,800 --> 01:45:57,200
If we did... Who has been done penetration testing in the past? Did you do it? Oh, you have.

923
01:45:57,920 --> 01:46:05,200
Okay. If you do an NMAP scan, not NMAP scan. I don't know the tools. An XSS scan

924
01:46:05,200 --> 01:46:12,000
to see if there's a cross-site scripting. Okay. Which one? Zap. Yes. You can do...

925
01:46:13,120 --> 01:46:18,480
Maybe using Zap or whatever else. You can find the vulnerability. So the vulnerability of that

926
01:46:18,480 --> 01:46:26,080
will be the XSS exploitation, most probably. Okay. Because this is the code. This is the problem.

927
01:46:26,080 --> 01:46:32,400
If you do the black box testing, most probably will retrieve, will respond with...

928
01:46:32,400 --> 01:46:38,960
This mostly should have an XSS exploitation, XSS vulnerability there. Okay.

929
01:46:41,280 --> 01:46:46,800
Yeah. So that's nice. And it's an approach. I tried to do that with my student of mine.

930
01:46:47,360 --> 01:46:54,720
He created the code. He deployed the component, the software. Then he did that analysis and then

931
01:46:55,280 --> 01:47:01,200
went to the vulnerability scanning and validated this that we told. Is it an XSS exploit? Yes,

932
01:47:01,200 --> 01:47:08,000
it is. So this was the problem. And he did this life cycle to overall cover all these,

933
01:47:08,000 --> 01:47:13,280
let's say, subjects, all of these. And it's a cool project. You can see a very simple project.

934
01:47:13,280 --> 01:47:18,800
Very, very simple. You try to do the security analysis code. Then you do the exploitation

935
01:47:18,800 --> 01:47:23,280
from the other side, from black box testing. You wrap it up like a report and you say,

936
01:47:23,280 --> 01:47:29,120
okay, I have a report. Then you go to the market for a job hiring and they say,

937
01:47:29,120 --> 01:47:34,320
okay, what do you know about cybersecurity? I have done this. I do security code analysis.

938
01:47:34,320 --> 01:47:41,840
I did the exploitation. I saw that they had the XSS on this service. And this is my report.

939
01:47:41,840 --> 01:47:48,080
And you can see, okay, you know some stuff. It's nice. Come to work with us. And this

940
01:47:48,080 --> 01:47:53,600
happened in the past on a student of mine, okay, with that, that exercises. And he got

941
01:47:54,160 --> 01:47:59,440
inside job on a cybersecurity phase very easily. And it's actually, you know, it's not that

942
01:48:00,400 --> 01:48:06,000
he actually understood a lot of stuff because of all of these exercises. It was just a thesis.

943
01:48:06,000 --> 01:48:12,400
But during the thesis, he did all of that. And actually, it got a lot of benefit on that.

944
01:48:13,600 --> 01:48:20,000
Okay, let's see two examples more and then we're done. Here, prototype pollution function.

945
01:48:20,000 --> 01:48:27,040
I don't know what's that. I don't even know. It's a, yeah, most problem. It's a class here,

946
01:48:27,040 --> 01:48:34,480
so it can be object oriented issue. Inclusion of functionality from untrusted source again,

947
01:48:34,480 --> 01:48:40,560
cloud for, okay, they use like that. So you can see an overall, let's say go back,

948
01:48:40,560 --> 01:48:46,080
security incidents here. And yeah, we have to close all of these entries or whatever.

949
01:48:46,080 --> 01:48:51,600
Most of them are the same, but here's provides an overall, you know, issue of what can go wrong

950
01:48:51,600 --> 01:48:58,720
on a diagram server that holds x-rays and so on. Okay. Any questions or comments?

951
01:49:01,760 --> 01:49:12,080
No, okay. All right. So I am, let's see where this I am done. Here is my email. If you want to

952
01:49:12,080 --> 01:49:20,080
find me, of course, you can write LinkedIn, you can always ask me. I am trying to be as much

953
01:49:20,080 --> 01:49:25,200
of a responsive as I can to the students or whatever people they want to learn or discuss.

954
01:49:26,240 --> 01:49:31,920
I like sharing information and my expertise. So feel free to contact whatever you need.

955
01:49:31,920 --> 01:49:34,720
And thank you very much for your attention. Thank you.