The Application Security Training is a 3-hour training. This training is intended for those who are interested in making a career in the information security domain. It involves real-world scenarios that every security professional must be well versed with: decompiling, real-time analysis and testing of applications from a security standpoint.
This training covers understanding the internals of web and mobile web applications, real-time testing of web applications and Android applications, and a strategic approach to analyzing applications for OWASP Top 10 (Web) security issues such as injections, cross-site scripting (XSS), CSRF attacks, insecure APIs, insecure logging, insecure communication, insufficient cryptography, insecure authentication, poor code quality and many more.
Learn to defend by learning the hacker mindset
Transcription
Hi, everyone. Good morning, good afternoon, good evening, wherever you are. Today, we're going to be talking about web app pen testing. And there'll be some hands-on; some of the things that I will be sharing, why I did not give a requirement, because I wanted to make sure that we understand here and then go back and try it. If you want to try, you can just post your questions in the chat box and I'll make sure that I help you out in setting it up. So there will be a few things that I'll be using, so I'll share those things here. Now, a bit about myself: I'm working as a security relations leader at Snyk. I'm also one of the global board of directors at OWASP. So this is how I look. And I'm also a speaker and trainer at DEF CON, Black Hat. I've spoken at Black Hat Asia, USA last year. I'm also speaking at a few other conferences. Now, I'm also on the review board for Grace Hopper India, US, and some of the conferences and even Black Hat Asia. Okay, so today we're going to be talking about basics, because I wanted to start from the very basic: how exactly an application behaves, what are the things which are there, how exactly we can enhance the awareness about the applications, and what are the 10 basic principles to mitigate application security risk, which will be revolving around OWASP Top 10. OWASP is the Open Web Application Security Project. It's one of the security communities around the world, which started with the motive to have something around application security. But then there are so many projects, chapters and whatnot, which are there. So we'll be discussing that as well, so that you can also contribute, you can also learn from there. So here, as I mentioned, we will be learning about what is a web application, have you used one today? So all of these questions we'll try and answer. But before that, we need to understand the CIA triad, which is about confidentiality, integrity, and availability.
Now, while we talk about that, there is one important thing which we have with any application. Now, confidentiality, integrity, availability is all fine. But then there are more things which are getting associated with it, which is around authentication, authorization, and whatnot. And that also needs equal attention when we talk about security or cybersecurity. Now, if we look at this image, what do you see? Like there are a lot of people who are together. There are people from different age groups, different colors, different walks of life. Now, what this picture says is that, or I would say it depicts more of a cybersecurity, because cybersecurity has so many domains, so many frameworks and whatnot. And the most important aspect here, what cybersecurity deals with is that it connects all people, because cybersecurity is not just for the people who are working in cybersecurity. It is for everyone, literally everyone. If I have to say, I security, that was one thing that I did. So anyone can be part of cybersecurity, we deal with cybersecurity day in and day out. And one important thing that we do is understanding and taking care of things. For example, right now, you must have a phone. Now, if you have a smartphone, and you have a passcode or something, which is taking your apps or pictures or chats or phone calls or whatnot, that means you care about the security. And you want to know more about it. And especially if you are at this session, you want to understand more around application security or software security. And here, when we talk about that, it's not just the application that you see on the screen, or when you log into any of those external applications, that it's just that, oh, this is the only application that is there. There's so much more. There is a backend, there are firewalls, there's a whole network which has been set up. And at the same time, we also have legacy servers, custom code, we have open source code. 
And think about how much open source code we use. Literally think of it. So when you have an application, the image that you have in your brain, only 10 to 20% of the code is written by us; the rest is open source code. That is, like 80 to 90% of the application code is open source code. And that's been mentioned by many, many people. Now, while I say that, there is the piece that we need to understand: how much of open source is actually eating up the whole internet, a lot, a lot. But can we stay away from it? No, we can't stay away from it. We have to deal with it. We have to make sure that we understand the whole architecture. And especially when we are working towards application security, we need to understand the underlying principle. For example, when you hit google.com on your browser, it just doesn't open up. There is a lot of underlying work, or if you know about the OSI model: so this OSI model actually has seven layers. So it travels through the whole seven layers, goes to the server and comes back with the information in, like, a fraction of a second or milliseconds. And that's how it goes. And while it does that, if it's a corporate network, then it will go through the firewalls and app servers, web servers and hardened OS and whatnot. So this is like a simple architecture that I could show, but then there are multiple hops that happen. And this is an old architecture of SDLC. So earlier, we were using SDLC, which is the software development lifecycle, and what we used to call the waterfall model. But over the years, that has shifted its ways, moved its wings or opened its wings to Agile, DevOps. Now, while I say Agile, it's trying to fail fast and see what are the things that actually fix? What are the things that fix and right? Earlier, when there used to be development and then after the release, people used to go for parties. And I remember going for a lot of them, but then the things have changed.
If you wait for a year or six months to graduate an application, what will happen or to put the application to the production? By that time, things will be outdated. There are so many new technologies that have come in. There are so many new things that have come in. And at the same time, it also talks about that how we are shifting things to automation. We want application to go live as soon as possible, the feature to go live as soon as possible. How many releases are we having in a month, in a week, in days or in a day? I know there are companies who are having like over 70 releases in a day. Do you have time to think of anything where you go slow, you have this, you have that? No, you don't have. And at the same time, when you talk about security, oh, that's another nightmare that you have to deal with. So while you're dealing with that nightmare, there is one important aspect that you have to deal with especially. It is web application, pen testing or security. And that's like a big challenge. You have everything right. But suddenly you say, you have to do this, you have to do that, you have to understand that if you don't do the security right, you will be breached. How many people do we have here? And wherein we say that, oh, you have to take care of security, and especially to developers or testers. When you are supposed to test the application, whether it's looking right and or not, or how exactly it is, can you say that you have to look at security also? You have to do the pen testing. Now you must be thinking, what is pen testing? Similarly for developers, they have been doing the development and then on top of it, what more has come in cloud native environments, containers, kubernetes and what not has come up and ever changing technologies. Technologies are changing with a lightning speed when that is happening. So what do we really need? 
We need to understand these key concepts, client server architecture wherein there is a client like me who's sitting on the laptop or desktop and then try and speak to you or communicate to a server, could be TechJS Summit, could be anything else. So there is a request that I send and there is a response that comes back. So there is a communication which is happening. Now, when we talk about HTTP conversation, those conversations are generally stateless and that's when, or I would say insecure, more of that insecure. So that's when we start talking about HTTPS. So for any communication that you have with any of those applications, you will see a lock sign. Now, why is that? Especially that is there in the browsers, like if you open Chrome or any other browser, you will see that yes, there is a lock symbol. Now, what it does, it actually makes sure that your connection is secure, your information that you're trying to have with anyone is secure. Think of bank account. If you have a bank account, you're transferring money to someone and suddenly I come in between and start removing the money from your account or start transferring that money to myself. Would you feel comfortable? Absolutely not. Why would someone get to know that I'm transferring money to someone else and what is my username, password, what I am dealing with? Nobody needs to know. And that's when browsers are also enforcing these SSL or TLS communication, to be very precise. Earlier, it used to be SSL. Now, over the years, those communications in the browser have changed and most of the organizations are enforcing TLS communications for their applications. Browsers are enforcing that you should only have communication over TLS. And even for that matter, when you talk about the ranking on the search engines, they are also very much dependent on TLS connections as well. If you don't have a TLS certificate or proper certificate, your ranking will go down. 
It might be a push enforcement, but I think this is a good one, which is keeping ourselves secure. Then I'm sure most of you are aware of it, but I always speak about the web servers in the training so that people get to know. There are many people, especially the beginners, who don't understand what web servers are. So the primary function, or the main function, is to make sure that it delivers the web content, or the response to the requests which are coming from the client. So it supports the server-side languages, and at the same time, it helps the application server. Now, what are application servers? The primary function of those application servers is to make sure that dynamic content is processed. It also connects well with the web server software and takes care of the content which is dynamically coming. So now we have databases connected, so that the data can be saved somewhere. Data can be saved at a backend, which can be fetched at a later point in time. So I will not spend much time on this, but databases are very, very important: while we talk about the front-end, the backend is equally important. For example, you have some data which you are storing somewhere. You have pictures, you have movies, you have your username, passwords, whatnot is there, and suddenly someone changes the content or someone deletes your content. Would you like it? I wouldn't like it. So that's why we need to secure databases as well, and that's when there is one important aspect that comes into the picture: these web servers and web application servers which are there. Now, with web servers, we can handle those web pages, graphic files and whatnot. An application server would majorly take care of the code, data and whatnot, and there are different architectures which are there. Now the most important one, which I wanted to show, is HTML. We tend to undermine the capability, or we tend to not look at HTML content, but this is very, very important.
So it was all started for creating a document sharing system, but over the years we all know that this has changed. Now we are dealing with sharing, communication, whatnot, and then what it supports, or what supports it: programming languages like PHP, Java, Perl, Node.js, Python, whatnot is there, like Go code or Golang, which is there. So there are so many things which are there. Now, when we talk about an application, there are two things that deal with content: static content and dynamic content. Now, what is static content? It is content which does not accept anything from the user. So if you look at my website, infosec1nr.com, it is just to inform you about something, like what I am doing, what I do, what are the things that I am taking care of, all of those things. But then there are applications like Facebook, Twitter, Instagram, your Gmail account and whatnot. They have dynamic content; they accept information from the users, they try and fetch some information from the user, and that's how dynamic code works, and that's when all of these vulnerabilities come into the picture, and that's why we are here and talking about them. So there are many web frameworks which have come, and the beauty of these frameworks is that we don't have to write a lot of code. They help in hosting the code, managing all those extensions, beautifying the applications. So they have their own pros and cons, and why I say cons as well: while it helps, there are certain vulnerabilities or flaws that come with it. There are certain things that come with it, because if you're using Django, you're using WordPress, but then you have an outdated plugin that you're using, would you be secure? Oh, absolutely not.
Look at the WordPress website and the kind of security advisories that they are publishing, because people are reporting the bugs and they're fixing and then updating. But if you are not updating, that means you are vulnerable. And on top of it, what we really need to do is this whole architecture which is there, which we need to... oh okay, all right, so let me just show it to you already. Let's go ahead and start. So this is the client-server architecture, wherein we are trying to communicate with the server, and then you send a 'hi' packet, or a SYN packet, and then there is an acknowledgement that comes from there, and then you again send the acknowledgement. Now, this whole communication is called client-server architecture. That is the key in any of the application transactions that are happening, and today we're not just going to be talking about applications, but we are also going to be talking about the third-party APIs, the third-party issues that can be there, the issues that can be there in any of those applications. Now, while I say that, this is the kind of conversation that is happening. So here I have a browser, I have a web server, but do you see any sort of discommunication? I am sure no, we don't see that. So this is the conversation that I have picked up from a web proxy, so that anything that is happening on my system with the server, any communication that is happening, I can intercept, I can modify. Why? So I'm from the security team, so my brain works in a different way, like it all works in a reverse way. So I'll tell you a funny story, which is not so funny, but then this is what my friend did. Now, there was a new movie that came in, and this person wanted to watch the movie, and what this person did: there obviously was an interface which was there to book it, and this person put in a proxy and thought of checking what is going to the server, what is coming back from the server. So there was a ticket price that came in as 10 bucks.
What this person did is that this person changed the 10 bucks to one on the fly. Now, when it went to the server and the response came back from the server, it said pay one dollar, and it's like, how is this happening, or why is this happening? That means there are some parameters which are only getting tested on the client side but not on the server, so that means we can make all the changes; we can change those HTTP headers and whatnot. So now, what is an HTTP header? So the HTTP request, what we send, and the response that comes back from the server, it is like a two-part thing, and in that itself we have a header and a body. In the header there are some parameters which are there, called Referer, Cookie, User-Agent, X-Forwarded-For and many more that you will see. Now, I have not installed the proxy on my system; I am going to do that with you so that I can showcase to you what I am talking about. So this is the basic header. Now, in the header there are communications that happen via different methods. So there is the GET method, HEAD, POST, PUT, DELETE, OPTIONS. Some of them you might have already seen, some of them you might not have seen at all, but then these methods are there, and the interesting portion of it is that when you deal with these, what you call methods, they work in a totally different way; they work and behave in different ways. So here comes the important piece, wherein, let's say, I am using GET and POST, the most common methods, but then suddenly I use DELETE, I use TRACE to trace the information about the server, or on top of it I use CONNECT so I can connect to the server, and then I use DELETE, wherein I can delete some of the methods, some of the files, some of the resources from the server. Would you be comfortable if you have a website and I start deleting some of the files because I know the location and the DELETE method is enabled? You would not want to see applications having it turned on.
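As an added example (not from the talk or its slides), here is a minimal Python checkout handler that shows the defensive side of the movie-ticket story: the server recomputes the price from its own catalogue instead of trusting the `price` field that anyone with a proxy can rewrite, and it only accepts the HTTP methods the endpoint actually needs, so DELETE, TRACE or CONNECT get a 405 rather than doing anything. The show id, the catalogue, the `/checkout` path and the sample requests are all constructed for this example.

```python
# Added example (not from the talk): server-side validation of a checkout
# request. The client-supplied price is ignored; the HTTP method is allow-listed.
from urllib.parse import parse_qs

# Constructed catalogue: the only source of truth for prices on the server side.
TICKET_PRICES_USD = {"movie-1234": 10.00}

# Only the methods this endpoint needs. DELETE, TRACE, CONNECT, etc. are refused.
ALLOWED_METHODS = {"GET", "POST"}


def parse_http_request(raw: str):
    """Split a raw HTTP/1.1 request into (method, target, headers, body).

    Header names are lower-cased so lookups do not depend on client casing.
    """
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body


def handle_checkout(raw_request: str):
    """Return (status_code, message) for a checkout request.

    The amount charged is always looked up on the server; a tampered 'price'
    field in the body changes nothing.
    """
    method, target, _headers, body = parse_http_request(raw_request)
    if method not in ALLOWED_METHODS:
        return 405, "method not allowed"
    if method != "POST" or target != "/checkout":
        return 404, "not found"
    form = {k: v[0] for k, v in parse_qs(body).items()}
    show_id = form.get("show_id")
    if show_id not in TICKET_PRICES_USD:
        return 400, "unknown show"
    # Whatever the client sent as 'price' is deliberately never read.
    price = TICKET_PRICES_USD[show_id]
    return 200, f"charge {price:.2f} USD for {show_id}"


# Constructed sample requests, as they would look captured in an intercepting proxy.
TAMPERED_POST = (
    "POST /checkout HTTP/1.1\r\n"
    "Host: example.test\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "show_id=movie-1234&price=1"  # price rewritten from 10 to 1 on the way to the server
)
DELETE_REQUEST = "DELETE /checkout HTTP/1.1\r\nHost: example.test\r\n\r\n"
UNKNOWN_SHOW_POST = (
    "POST /checkout HTTP/1.1\r\nHost: example.test\r\n\r\nshow_id=movie-9999&price=1"
)

if __name__ == "__main__":
    for req in (TAMPERED_POST, DELETE_REQUEST, UNKNOWN_SHOW_POST):
        print(req.split("\r\n")[0], "->", handle_checkout(req))
```

The tampered request still produces a charge of 10.00, because the only thing the server takes from the client is the show id; everything that decides money or privilege is derived on the server, which is the fix for the "tested on the client side but not on the server" class of bug the story illustrates.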
Now, another most important aspect is that, while I say everything has a different way of working, it also emphasizes that yes, you need to look at the security of it; you need to look at a point wherein how exactly those methods are handled. What I am doing here is explaining the very basics of it. Please keep posting your questions in the chat box, so that as and when I see the chat box I will pick them up, and while we are doing the demo, or when we are discussing the different vulnerabilities, I will open up the stage for everyone to ask questions, for everyone to put up any questions that you might have. But I know that it's more of a webinar style, wherein I'm speaking and you're just on mute, but then I would request that you keep posting your questions in the chat box so that I can pick them up. And there are a few things that you might want to add to it, so please feel free to post those questions as well here in the chat box, so that, like, any sort of discussion that you might want to have around anything that you have in mind.
Now let me go ahead and tell you something important like when we talk about the methods get and post are the most common ones now why they're most common ones because we are trying to get some information from or fetch from the server and at the same time we are also trying to make sure that we have some information which is actually getting posted to the server so if you want to deal with just get most of the things generally would go in the header but then we want some information to go in the post as well like if you are communicating with any of the server for the first time and your username and password will also go there so with the username and password you don't want that information to go in the header so that means you need to have it separate you need to make sure that you are sending it in the body part and another important thing to remember any confidential information should not go as part of the url because url can be fetched by anyone now we don't go to cafes but then if you remember back in like a few years back we were going to the cafes and dealing with all of this now while we were dealing with it there would be somebody else who would come and sit after us so they would try and fetch all the information that we traverse through or that we actually accessed i'm sure you must have seen that those were the major concerns and we didn't have an internet at home or a slow one so we made sure that we just go to this cafe and then chat speak to the people email all of those things now so what we really want is that this communication to be secure and that's why we're talking about https only not http now this browser deals with certain content which is on the client side so it deals with client side functionality there are some things which are on the server side so server deals with that especially around java files or php dot net go core or the coding languages those are running on the server side but then the scripts remember the scripts run on 
the client side and that's why we are we're going to be exploiting some of the scripts as well here what happens when there is a communication between client and server we put a proxy inside and it is toxic to be burp suite that could be zap it could be any proxy that you can think of so there are many in the market but burp suite and zap zap is their attack proxy by ovas which is i as i mentioned open web application security project and why i keep mentioning because it's a security community it's an open community and it has resources which people should look at now before coming to ovas top 10 let me go ahead and show you something let me you're ready here let me go to ovas.org and actually show you what it is so that you can go back and look at that you can take help from all the projects which are there i started my applications security career with ovas wherein my mentor told me that there is ovas top 10 that you should look at and ovas web security testing guide so this is a security testing guide so if you're totally new to security testing this is one of the place to go for like one beautiful place which is like which has everything that you can think of here why i'm giving you all these resources and why i'm talking about it because the motive of this workshop is not to just show you how security can be critical how security can be scary but at the same time you can go back and learn from the resources which are there there are many wonderful blogs and youtube channel that i'll be sharing with you all so that you can look at them you can understand what they do and if you as i said if you have any questions please keep posting and the session i think is getting recorded so probably you would be able to go back and check but i'm not sure when it'll go live like when it'll be shared with you so here under the repository you have github repository there are multiple templates which are there you can actually check all of the details here so it's going to be 
like a checklist which is there and a pdf and whatnot which is there so this deals with the whole testing guide so if you see that their latest version is 4.2 and you can look at the testing guide here so it's on the web and then now why i was saying see if you talk about session management testing how you can do session management testing especially as a testing community it is very very important to understand how to test for a particular bug and the funny fact is that if you are testing any of the vulnerability and suddenly or there is someone who has raised a bug for you and you don't know how how to deal with that bug this is one great place to look at and it will give you all the information okay this is how this bug is being this is how you should take care of privilege escalation or this is how you're going to be taking care of certain things so this is very very important and that's why i'm highlighting here and now another important thing that that is there is that that when i started i looked at it i created my own checklist do you like using checklists like we do love test cases right and by looking at it there's so much so many things think about HTTP methods that i was talking about strict transport layer security like TLS i was speaking about so here these are the methods what they do what is the testing objective and how to test all of this everything is listed so you can go back and check now there will be certain things that i would be sharing so you can learn on the go but then i might not be tell you each everything which is part of it so here how to test it what to test all of the things are there and i will also share some of the links for vulnerable web applications because it is important if i give you the information but i don't tell you where to test you don't want to test it on the live application if i'm not wrong right so you would want to secure your own environment and you want to be safe while you're dealing with all the security 
bugs and the most important aspect when you're testing your own application you should have a reference point so this is it and then i'll tell you the story wherein while i was dealing with this web app and testing guide oh i started creating an excel sheet because i wanted to remember each and every test case and it took me good week or so to prepare one because i was making is exhaustive and whatnot and suddenly when i went to my lead my leads i realized that they were like why did you have to work so much on this right i thought this could be very useful to me and for everyone in the team but then they said have you ever looked at a cheat sheet called oasp asbs and i'm like no so oasp application security verification standard is basically this is basically a checklist which if you look at here there is a csv file oh my god okay uh let's go ahead and download it but okay so here i am opening in a word format okay so it opened up in my monitor and let me go ahead and shift here okay i hope you all can see so here this is application security verification standard p so if you want to deal with password security what are the things that you should do set passwords for at least 12 characters now it says 12 characters but i was working on one of the environments which was dealing with the application security or which was dealing with cloud security to be per se now while we were dealing with cloud account cloud accounts how strong the password was eight digit a lot of times now over the years we have seen the trend is changing it is more secure password people have started to use vaults people have started to use more secure passwords and have you okay do you use brush i'm sure we all use brushes so our passwords are like toothbrushes when we don't share our toothbrush why do we share our passwords it is very important not to share all of the practices are listed over here so you can go back and check or if you want links i can share it now while coming back here 
top 10 why are we even talking about it so top 10 are the top risks which are part of the whole ecosystem and what it deals with is it talks about the references it talks about the top 10 risks not in bad likelihood or vulnerabilities it talks specifically about risk which we can have to our application and people say it's a standard top 10 is not a standard but it's more of an awareness document which organizations take it as the standard but it is more of defining the risks now what it tells us that it we need to look at these risks for sure without a mess like sets of baseline and at the same time how frequently it is released it was first released in 2003 then seven ten and every three to four years it is released the last one was supposed to be it was in 2017 and then 2020 but we know that last year was not so easy on everyone so the team could not get all the data from the organizations and then now the update has come into 2021 so September the new version came up and that's why we are here talking about the latest one now while i was working on this workshop we were we were planning to have the older version workshop but now it's going to be hybrid where we will be having some content from the the 2017 one as well apart from the top 10 that we are going to be dealing here and who are going to be part like who can get benefited out of it developers lead developers architects to testers to people who are working around the program management and professionals who are actually consulting to vendors to anyone who wants to understand about the top 10 risks in the applications and it's nearly 20 years that wasp hasn't into picture so injection was one flaw if you've heard about sequel injection that was like topping the chart or injection of different sorts they were topping the charts even accesses which is cross-site scripting which i'm going to be discussing in detail what are these but i thought of just giving you some brief history about it so here i am and 
now it is more shorter by design so that you understand how you have to deal with these top 10 risks what is how exactly we can view it at different platforms because earlier it was like a bdf and that's all now there are multiple versions of it you can open it on kindle to mobile to anywhere like read it anywhere and now it has also changed a lot because now it has adopted the whole appsec programs how different organizations deal with it and it also talks about how exactly a vulnerability can be exploited there are new categories which are part of it now earlier okay injection and this and that were there but then now new things have been added including insecure design of an application server side requests forgery and now and there are many steps that have come into picture now people have a lot of questions if you know about wasp top 10 i am sure you will have these questions because i know people asking these questions to me so how exactly dot 10 comes into picture or these top 10 risks an application comes into picture so first we start with oh i use this i use so a lot i'm sorry um data collection first the data is collected how by the industry survey and reaching out to different organizations vendors and who not then the data is analyzed understood that what are the top 10 risks which are there then there are write-ups which are prepared because it is not easy to create a whole list with explanation to remediation to everything then comes the review part review it comes to the community they they look at it they understand they vote upon and after that it is shared with people and at the same time there are translations which are done in different languages english hindi german french all of those languages then there are multiple formats that are created from web to mobile version and then we talk about pdf and developer post that it is there for people now comes the most important part the first vulnerability broken access control now what is broken 
access control while you're dealing with broken access control there is one very important aspect that is that we deal here and that we take care here so if you try and understand like from the name itself it's access control which is broken there are things in the access control itself which are broken so it also says anyone who's not authorized to access the application they have access to it so access control basically what it deals with is that it enforces the policies that users cannot act outside of it for example when when we talk about pegger's summit and there are people who can attend certain workshops there are people who cannot attend and suddenly you see that there are people who are not supposed to have access to it but then they are trying to access it they are trying to work with them and at the same time they're also they're also trying to violate the principles now what are those i am a developer do i need to have access to the production environment no but suddenly i switched the teams now i have access to production so do i need to have access to the development environment no those kind of access should have been left back there when you switch the team and there are people who can bypass these access controls how multiple ways by modifying the urls i have seen cases wherein in the url you have a username and suddenly people are able to modify those urls and access anyone's content that is not happening anymore but then that used to be there and that's what is changing now people are understanding that if it's an html page there are things in browser those things are restricted and you cannot you cannot view someone's account or you cannot edit all those unique identifiers another important aspect is that apis which has missing controls like put pause delete we can go ahead and use these apis and can elevate our privileges now we are dealing with tokens especially if you talk about json tokens so i am able to temper those tokens or modify the 
cookies, or I am able to manipulate the sessions so that I can get access to the system which I am not supposed to have access to. What it does now: it has a very, very major impact on privacy. Now we are dealing with GDPR, CCPA and whatnot, so it talks about that your data should be secure, but then I have access to hundreds of different accounts because access management is not proper. So what can I do? Access control is basically only effective in trusted server-side code. If I say I can modify the client side, like, if you remember the movie ticket one wherein my friend was able to change that, that means the proper server-side validations are not there, and I need to have the right set of technology, I need to have validation in place at the server side as well, and then I put in some business logic testing wherein I limit the requirements and I limit the access, then I log the access control failures or any changes that are happening. Now another important aspect to talk about is that, let's say I have an application that is dealing with all of these sorts of things, but then I tend to not look at access control, I tend to just avoid that, or I tend to miss out on the access issues, which can lead to major data breaches, literally major data breaches.

So I'll tell you where. One website is, it's called Have I Been Pwned. Here, are you? Now what this website is: if your application or your email, let's say this is my email, or let's say demo.com, has been found as part of any of the breaches. Let's see: no, you haven't been pwned. But then there are multiple other websites that I have, like on my own domain name. Let's see: no. So you can try any other website. Let's say, okay, my other email. I keep changing my passwords so frequently, but I remember being part of one of the breaches once. See, my email address was part of two data breaches. Now what are those? What exactly is there? Now I don't know which breaches, but this website
can tell you that, yes. So anytime you see that you've been part of a breach, you will be listed over here. Make sure you change your password. And another important aspect is: do not keep the same password for multiple applications. Why do I say that? Because if you know about the recent issues that happened with the Colonial Pipeline attack, right, what was the issue? What was the hack all about? Now in America it was all on the pipeline, and then the whole issue started where one password actually allowed attackers to disrupt this whole Colonial Pipeline. So this is all that I've read on the internet; I have understood what they've mentioned as the whole history of it. Now what happened: there was someone whose password was breached, or their password was lying as part of one of the breaches, and somebody, a malicious attacker, you can say, or an attacker, got access to it. Now they started playing around, and they realized that this could lead to something very informational to them, and they started using it. But what happened beneath that: the credentials found were part of a legacy VPN, or virtual private network. Like, we think that VPNs are secure. They are, but then people were using the legacy VPNs, and there was no multi-factor authentication enabled. Now while they were dealing with it, think of somebody who gets your password, accesses it and then starts playing around, and that's how the whole ransomware piece came into the picture: they encrypted the whole files and asked for money. Now the FBI came into the picture, they paid the money, or the ransom, and after that what happened? They gave the software, or the key. Now the key helped in decrypting, but then the major portion comes into the picture: it was so slow that they had to bring it back from the backups that they had. Then came the nightmare: even after paying so much, there are issues. So can we recommend two-factor authentication? Can we do better at security hygiene? And that's what this broken
access control talks about. And then it also talks about multiple CWEs, CVEs. Now CVEs are Common Vulnerability Exposures. Now every vulnerability has an associated CVE number, so broken access control has 19k CVEs, so many, that means it has occurred many, many times. So one vulnerability has multiple things under it, multiple agendas under it. And on top of it, how do you test it? There are many ways. Let's say, for example, let me show you; actually, then you will have a better understanding. Let me go ahead and share my other screen as well. Are we ready? Where did it go? Here. If you see what it says: username. What could be the username? I don't know. What could be the password? I don't know. So let's try. Generally, if I get to any application, I'll say admin/admin, admin/password. Now there are some applications which have super admin, and super admin... and already, oh, see, it is all there. Am I logged in as a super admin? I am. Do I have an insecure password? I do have. So these are the things that actually create issues.

Now you must be thinking, which application is this? So I am using Damn Vulnerable Python Web Application, and let me just give you the link in the chat box so that you can host it on your environments and you can test it out. I'm going to be using this application for SQL injection as well, so I'm going to just send it to everyone, and I'm going to open it and show it to you here as well. So here, this is Damn Vulnerable Python Web Application. You can run it on your Docker container. So I'm running this on a container; I have a container running on which I am running this app. So this was the easiest way to get into any system. But if you look at the whole security piece, there are many things which are there, and even the checklist, this ASVS checklist, talks about a lot of things. This scares me. Now another important aspect is authentication errors. So sometimes we don't look at the authentication errors in an application. I still
see a lot of applications give these errors, like "oh, your password is incorrect" or "your this is incorrect" or "your that is the issue". Now think: if we don't have a generic error, will it be a problem? Absolutely, there will be problems. How would you get to know about this information, right? Like, this particular information has to be dealt with this way. Now remember one thing: never have weak passwords. Never ever have passwords which are dictionary passwords, which are easy to remember. Have a big one, maybe a passcode, sorry, passphrase. And another important thing is that, for application owners or the people who are dealing with these negative test cases, remember that these error messages which come as part of the application should not give any information.

Now I'll tell you something more. Let me close this scary thing and then show you. So I have another application which is running, which is called Security Knowledge Framework. So I hosted it on my Kubernetes and I am running it with RabbitMQ and whatnot. So here I can log in. So here I don't have a login on localhost set up, so you can't get to it, but you can set it up for your own thing. Now why do I talk about this? Because it has the whole framework, which I totally love, for you to go back and check. It has a dashboard which gives all the information: different code base, checklist, knowledge base, escape knowledge, and then it also talks about managed projects. If I have a project which I want to deal with, or I want to create a new one, and then code examples. Let's say I want to know more about XML injection prevention, or I want to know more about password storage. So I'll go ahead and read about it, and I can see how exactly I can set up my own code for that. And not just that: if I have to whitelist certain characters, what do I need to do? I can just go ahead and read here about that, what kind of code should be there. If you look at the whole pattern, how exactly I should be auditing it, what are the functions that I need
to call, what is allowed here, all those things. And then the most important aspect is that if I need to prevent session hijacking, what do I need to do? All those things are here, and that's why I recommend you to just go back and check the Security Knowledge Framework if you want to download it. Now let me go ahead and show you. So, OWASP, and I'm going to give you the URL so that you can take a look at it: Projects, and under the projects there is Security Knowledge Framework. You can go here, and, okay, here I can go to the repo which has all the details, like how you can set it up, what are the things that can be done. So let me just keep it in the chat box so that you can take help from it. So this is called Security Knowledge Framework. So the one important aspect, why I'm sharing all these resources: because if you know, from the way I am speaking, you understand that these are the things that are there, but then if you don't understand how to exploit it, then it is a big problem, because security talks about exploiting and how you fix something. And in the knowledge base everything is there, from web application to mobile, and then you create your own custom checklist for certain bugs that you get to know which are only coming in your code.

Or there are labs which are there. Let's say I want to know more about cross-site scripting, so let me go ahead and start the lab. Oh yeah, yeah. So let me tell you one thing: when I am using this lab, it has multiple attacks, like literally multiple attacks are there, so you can actually go one by one and enable them specifically. Let's say this is the deployment URL. I'm going to go here, I am going to click here, and I'm going to open it. So if you see, there is a live demonstration that has opened, and this is for XSS. Now I'll say javascript alert xss. It might work, it might not work, because not all the time does XSS work; that's very common, and not all attack vectors work. So let me go ahead and click on this. If
you see, it is just posted over there. But then what more can I leverage from here? Let me go ahead and understand what are the things which are there and how exactly I can exploit it. Now I might want to try something interesting here. Let's see: script alert 123 script, submit button. So it might work, it might not work. So what should I do? Should I leave the hope that it will work, or what should I do? So there are cheat sheets which are available. So I am going to go and search for an XSS cheat sheet. So this is what security people do, wherein they look for cheat sheets for every vulnerability. Like for this one, I'm not sure if it's going to work, and secondly, I'm running on local Kubernetes, so sometimes things are slow, but when you run it at a good speed and on a server, it will work. And in the cheat sheet I have, like, this image scripting tag; there are multiple tags which are available. So remember one thing: when we are dealing with these test cases, some of them might work, some of them might not work, so it depends. Similarly, let me go ahead and close this and then enable another cross-site scripting one, so that I can show you how attributes work here. See, did it work? No. But then there is something which is breaking on the web application which might work. So let's go ahead and see if my lab is open already. So I'm going to go ahead and open here, three zero three two zero seven one, and here I'm going to use this and see if it works. It says it needs a color, so I said red, and then onmouseover alert 1337. Okay, so let's see if it works or not. But meanwhile, here you see, there is something which has come on the screen, so let's see what has come on the screen. I hope it works, because before coming for the session I tested these labs and they worked. So I'll show you something; I'll just show you a screenshot. Wait, did something happen? Live demonstration, did it come? It's still coming, so let me post a screenshot here. So if you see this,
this was the lab that I was working on, wherein it alerted localhost on the board, this alert 1337. So this is very easy alerting, so that I can make you understand. And not every time will XSS actually give you a pop-up. A pop-up is easy because the script runs and it gives me the alert, but it might print some attributes, it might work in href, it would work wherein there are certain characters which are blacklisted, and I'll try and overcome that. For example, there was once, what happened is that I found an XSS, and after finding this cross-site scripting somebody fixed it, but then after a while when I tested again it was there. Why? It has to deal with input validation, and that's when you're, oh no, no, no, why? We have tested the user authentication, we have tested all of these things, and the most important aspect that comes is input validation, wherein we need to have an understanding of what inputs we are giving to our application. Okay, why didn't it come? Let's see, let's see, let's see. I hope it works.

Okay, while it's happening, let me go ahead and tell you. So for example, you are dealing with a database and I start sending some malicious input to the database. Like, the database expects some input from the user, but then we put, like, a SQL statement in that. Am I supposed to provide a SQL statement? No, I am not supposed to provide any SQL statement. So what do I need to do here? Let me close this and then show you something interesting. So here I have this. Now while I'm dealing with this, what do you see on the screen? Like, it's just SQL. I have a super admin account and I'm dealing with users. So under students I can add a new student, which could be one, which could be anyone, but instead of that I choose to add something else. I choose to add maybe a vector wherein it shows, it's like a SQL statement. So should it accept a SQL statement or not? Think about it. I'm sure it doesn't, and especially if I add the statement with the name Robert drop table student cascade
and I'll say save. Oh, what happened? That means some information, do you see, it gives me some juicy information. It tells me that it's a system, oh, it could be a system, it could be a Python package, it could be an issue with such lines. So all this information I was able to get. Now I might want to modify it with something else, or I might want to have a SQL query embedded in it wherein I drop tables. So this will be very, very helpful for me. So would you want your... so this happened with one of my friends, wherein one of my friends wanted to check the results for her daughter, and she was looking at it, and she realized that there is some issue which the database was giving her. So what she started doing is she started playing around with the application content, and what happened next? There was a table that she could find, that yes, this could be a problem with the table itself. Can I delete the table? What next? The table got deleted. Interestingly, the very next moment the application server went down, because the back end started behaving in a totally different way. So what was the problem? Wherein we did not have appropriate validation in place, and that's what led to SQL injection, wherein the application is not supposed to accept this drop table, or it is not supposed to take this information wherein I can remove the users from the table itself. Is it supposed to? No, it is not supposed to, and that's when the problem occurs: when we take all the inputs and we don't handle them well, that's when it starts creating all these issues. On top of it, if I'll say, okay, let me see, you try and say okay, so it is giving me all of these errors, and let me go ahead and go to SQL and play around with some more courses. Now, do you see, the student section is not there anymore, wherein it has started to give me errors. Why? Because I have started to play around with the server. First I was able to log in via broken access control to the application, and then I started deleting the content because the server was not
validating, and that is how I landed in it. Now if I come back to my presentation, here it says input has to be validated. So SQL injection, or injection, is one important thing that has been there in web applications for a very long time, and that will be there. People have been there for ages in the ecosystem, and they are able to find these vulnerabilities. Why? Because newer and newer things are coming up, but we don't tend to understand the whole concept. I don't know each and every application, I don't understand each language, and I start working on something, and suddenly it starts to crash. Why? And then there are certain issues which are there at the database side. We don't know about each and every database, and it starts accepting things which it shouldn't.

Then how would you deal with cross-site scripting? Now cross-site scripting happens, so this is actually on the client side. Now it is not part of the OWASP Top 10, but it is important, so I'm talking about it. So when we inject malicious code into the vulnerable web app server, ideally is it supposed to accept it? No. But then we are sending a script to the server. So now this is specifically a case of a blog, like, the blog is vulnerable, and now people go to blogs to read something. I have posted a vulnerable script there; anytime anyone comes to that page, they see a pop-up, they see their information getting sent somewhere. Similarly, if this script says to send the cookie, anyone who comes to the server, all the cookies should be sent to a third-party server, will it work? Absolutely, it worked. So that's how it can give all the information to the attacker's web server. Now anyone who would be dealing with it, like intercepting with the proxy, they would be able to have access to it, they will be able to take care of it, or they will be able to play around with it. Now fuzzing is something when we deal with a particular parameter, or when we are dealing with any of those applications where there are hidden parameters, and
I start putting in some random characters and try and bring down the application or modify the application. This is more or less about input validation. Please let me know if you have any question in the chat box.

Okay, now, moving to insecure design. Earlier it was not part of the OWASP Top 10, but now it has become part of the OWASP Top 10. Now why are we dealing with this Top 10, or what does it talk about? So insecure design: the name says itself that it is the insecure design of an application, and while taking care of that, it actually impacts the whole application. It also actually deals with the design in a way that is more of a broader category, but it has different weaknesses, wherein think of it as a design flaw or implementation flaw which leads to giving you access to anything. Now the main requirement and negotiation here is that it actually impacts the availability, confidentiality and integrity, and at the same time the authenticity, of the data sets here. When you are dealing with secure design, it is more of a culture: you understand, oh, how secure is our application, or while we are building an application, what are the things that we should keep in mind? A lot of times we don't tend to look at that aspect, and what happens next? There is a design flaw. Oh, there are people who are able to bring down the application, there is a denial of service attack, there is this attack, there is that attack, which becomes more common, and we are not able to have the maturity that we need for our own application. And that's when we talk about: we need to have maturity modeling, we need to understand where we stand, what are the components that we're using as part of the applications, what tooling is available, and how we threat model an application, and what are the things that we can do for this, like how do we even test it. And the most interesting portion here is that it helps in integration testing, wherein we have an application which is connected with, like, a front end
and a back end. So how exactly can we prevent these flaws? We can have a secure development life cycle wherein we evaluate the design and security of these tools, we establish and understand what secure design patterns can be there, what components we're using as part of the application and how to keep them secure. Another important, interesting aspect is threat modeling. Now threat modeling is performing security checks early in the life cycle: understanding what risks there can be for our own applications, understanding what languages we use and what user stories we have, what test cases, or the unit or integration test cases, we need to validate for the critical flows which are there, which can impact an application. We need to compile all those use cases and misuse cases for each tier of our application and segregate each of these, understand what resources are used, what resources are consumed by the users or services.

Now while we talk about that, attack scenarios can be there. Think of wherein we are trying to recover a password which has questions and answers. Now that is prohibited by the organizations. Why? If I am your friend, or if I am your acquaintance, how difficult is it to answer some of the questions? It is easy. That's when the security questionnaire is being removed from all these things; such code should be removed and replaced with more securely designed code. Another thing is that, I was talking about the cinema chain, right, which allows a group booking discount. Like, we have BookMyShow here, which has, like, a maximum: you can have a max of 15 or 20 tickets that you can book. But then I understand the flow, I tried and tested, and I start booking more than that. Or while I can book one ticket for 10 bucks, I'm able to book it for one, and that too, if I want to book the whole movie hall, I would book it. Similarly, for example, while
we are buying on e-commerce sites, especially at the time of a sale, what happens is that I can modify the cart value, how good would that be, or I'm able to modify the price. So there are so many CVEs associated here, and it all talks about understanding how to have security early, threat model the application and test these applications.

And another important aspect is security misconfiguration. Now what is security misconfiguration? We just talked about insecure design. Can we have security misconfiguration? Absolutely. Now it talks about: the application might be vulnerable, without appropriate security hardening, or the stack itself is not secure, the permissions to the cloud services are not secure. And now, while you have cloud accounts, you have your applications in the cloud, but then anyone has access to the root account and they are able to play around, anyone is admin on it. Or there are certain people who are admin and then suddenly leave the organization, but they still have access to it. Unnecessary features, like different ports are enabled, services are enabled, pages are enabled, accounts are enabled. Am I supposed to see that? No, those should be closed completely. Default accounts and passwords should not be enabled. We just saw today: super admin / super admin, I was able to log in. Would you allow that? Absolutely not. And then there were errors that came as part of the application. Would you want that? No. And the most important feature: if you don't have the right kind of libraries used, then there'll be a big problem. Now let me show you a demo here. Okay, so I will say Java. So this is another app that I'm hosting on Heroku cloud, but this will help you understand more around the security validations, why I am actually emphasizing all of this, and the next vulnerability, vulnerable and outdated components, does actually just lead to that. So here, this application will take a few seconds, a few minutes, to come up, and now, because, yeah, it's here.
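The DVPWA and SKF demos above (logging in with a default super admin password, reaching a record by its identifier, the "Robert drop table student" name, and a stored script in a post) condensed into one added example. This is not code from the talk, from DVPWA or from SKF; it uses only Python's standard library (sqlite3, html), and the users/student tables, accounts and sample rows are constructed for the demo. Each operation is shown in the broken form the speaker exploited next to a fixed form.

```python
"""Added example: one tiny sqlite3-backed "students" service, broken and fixed."""
import html
import sqlite3

# Assumed list of default credential pairs a startup check should refuse.
DEFAULT_CREDS = {("admin", "admin"), ("admin", "password"), ("superadmin", "superadmin")}


def setup_db():
    """Constructed sample data: one account still carries a default password."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, password TEXT, role TEXT)")
    con.execute("CREATE TABLE student (id INTEGER PRIMARY KEY, owner INTEGER, name TEXT)")
    con.executemany("INSERT INTO users VALUES (?,?,?,?)",
                    [(1, "superadmin", "superadmin", "admin"),
                     (2, "alice", "correct horse battery", "user")])
    con.executemany("INSERT INTO student VALUES (?,?,?)",
                    [(1, 2, "Alice's kid"), (2, 1, "Admin's kid")])
    return con


# Security misconfiguration: default accounts left enabled.
def login(con, user, password):
    """Returns (id, role) or None. Default creds still work, as in the demo."""
    return con.execute("SELECT id, role FROM users WHERE name=? AND password=?",
                       (user, password)).fetchone()


def has_default_creds(con):
    """Startup check: names of accounts whose (user, password) is a known default."""
    rows = con.execute("SELECT name, password FROM users").fetchall()
    return [u for u, p in rows if (u, p) in DEFAULT_CREDS]


# Broken access control: the student id comes straight from the URL.
def get_student_vulnerable(con, _user_id, student_id):
    """Any caller can read any student row just by changing the id."""
    return con.execute("SELECT name FROM student WHERE id=?", (student_id,)).fetchone()


def get_student_fixed(con, user_id, student_id):
    """Server-side ownership check: the row must belong to the caller."""
    return con.execute("SELECT name FROM student WHERE id=? AND owner=?",
                       (student_id, user_id)).fetchone()


# Injection: a student name concatenated into SQL versus bound as a parameter.
ROBERT = "Robert'); DROP TABLE student; --"


def add_student_vulnerable(con, owner, name):
    """String-built SQL; executescript runs every statement the name smuggles in."""
    con.executescript(f"INSERT INTO student (owner, name) VALUES ({owner}, '{name}');")


def add_student_fixed(con, owner, name):
    """Parameterised insert: the name is data, never parsed as SQL."""
    con.execute("INSERT INTO student (owner, name) VALUES (?, ?)", (owner, name))


def table_exists(con, table):
    return con.execute("SELECT 1 FROM sqlite_master WHERE type='table' AND name=?",
                       (table,)).fetchone() is not None


# Stored XSS: the saved name rendered back into HTML.
def render_vulnerable(name):
    """Raw interpolation: a stored <script> runs in every visitor's browser."""
    return f"<li>{name}</li>"


def render_fixed(name):
    """Output encoding for the HTML context."""
    return f"<li>{html.escape(name)}</li>"


if __name__ == "__main__":
    con = setup_db()
    print("default creds:", has_default_creds(con))
    print("other user's record:", get_student_vulnerable(con, 2, 2), get_student_fixed(con, 2, 2))
    add_student_fixed(con, 2, ROBERT)
    print("table after fixed insert:", table_exists(con, "student"))
    add_student_vulnerable(con, 2, ROBERT)
    print("table after vulnerable insert:", table_exists(con, "student"))
    print(render_vulnerable("<script>alert(1337)</script>"), render_fixed("<script>alert(1337)</script>"))
```

The access-control fix is the one the speaker stresses: the check lives in server-side code and is keyed on the caller's identity, not on anything the client sends. Note that the parameterised insert stores Robert's full name, quote and all, without touching the table.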
Now for every application, conference or anything, I make sure that I create a new account. So I'll say tech tech js and demo, then techtechjs at demo.com, and then some password. Always use a long password; don't share it with anyone. I did not save the password to my password manager because I am just using it as a demo. So here, if you see, I have my account, then in my account I have some details. So this application is a to-do list, and I am a huge fan of to-do lists, like, I totally love them. Why? Because it helped me in remembering things. Another important aspect is that I can track what I need to do in the coming few days. Like, I wanted to do this workshop, so I actually collated multiple demos here. Now I'll say "tech js", the due date is December 12, oh sorry, December 2nd, and I created the to-do item. Then I create another to-do item, "is a hacker". Okay, I created it. I'll click on create, and that has been created.

Now, if I try and modify it... my brain works in a totally different way. So what should I do? Understand more about the application. Okay, so I can see that there are options to upload files, and all the files would be seen in the public folder. Interesting. What else can I see? About. Generally, the things that you see here in the About section you might not be able to see in all applications. So here the information, like Struts, Spring, Hibernate; these are frameworks, or banner grabbing. So you would not be able to banner-grab it easily; generally you would see it in the HTTP response. So here comes the most interesting aspect. If I know what is wrong here: the wrong thing here is the Struts version which is used. It is one of the vulnerable versions. I'll show you here: Struts 2.3, and here, if you see, I can see the release, but it has Struts 2.3. There is an exploit which is available. What do you mean by exploit? That there is a vulnerability that is available which people can leverage, and
this is the same vulnerability which was part of the Equifax breach, when we had sleepless nights. So we could see that there is remote code execution and whatnot that could happen here. Right, now I know it. What else can I do? Let me try and create a to-do item with cross-site scripting; I would love that. Okay, let me create something interesting here. I create my to-do item, I create a due date. I'm not sure if it's going to work, but let's try. It didn't work. Let me try something else. Okay, here, XSS, there is XSS for derivation. Let's see, generally it doesn't work, but you never know. Oh, see, it worked! Yes, yes, yes. So I can actually fetch a lot of information. Oh, see, but then there is one. Now, interestingly, I want to upload some malicious files. So I'm going to go, choose files, I'm going to go here, desktop, I'm going to go to my Goof, alrighty, I'm going to go to my Java Goof. Like any malicious person or attacker, I have some exploits, so I'm going to use this zip folder which has my exploit, and I'm going to upload it here. Oh, there's nothing which has been uploaded. So what interesting fact is there? Let me create a to-do item. Oh, nothing happened; my exploit did not work. But it said it is using an older version; it might be something else. So I'd say "Vanna is a hacker". I'll use the date, or create it. XSS is coming, XSS is coming, but I am looking for this one. So do you see that there is something which I wrote, "Vanna is a hacker", which did not come here; something else came here. Let me create another to-do item, "Vanna is not a hacker". It might like it here. Oh, okay, so XSS will keep coming up because it's stored now. But do you see, it has accepted the remote code execution which I did. So remotely I put in code and it is accepting it. The fun fact: it actually works here. So if I'm using an outdated version, what things can go wrong? You can look at it here, and things can go wrong in a very, very weird way. And that's when we talk about vulnerable components: that we should not
have these vulnerable components, and we should not have these side effects that are there. We should always test our application before putting it into production. Okay, okay, okay, prevention. Done here. My favorite one, which is more about what things should be there: now, if you don't know the versions of all the components that we use, both from the client side and the server side, it can create a lot of chaos. If the software is vulnerable, like I just showed you, or unsupported, or out of date, this can include the OS, web application server, database management system, applications, APIs and all components, runtime environments and libraries. It can be very tricky. So we have to scan for all the vulnerabilities regularly and understand what things we have in our environment. Those are the things that are very, very important not to miss. And if we do not test the compatibility of updated and upgraded software or patched libraries, we can be in trouble.

Now let me show you an API which can create an issue while we are talking about it. Okay, let me go back here. Okay, so I have my system running over here. Okay, let me make it a bit bigger. Yes. Now I'm going to go to my desktop, and then on the desktop I have my Goof which is running, and then we have so many things. I'm going to run cd express, node index.js. Now if you see that this is an index.js, you must be thinking, what is there in express? So let me go ahead and show you here. Alrighty: cd express, ls. Only a JavaScript file is there, nothing else, like literally nothing else, no application. I've been showcasing applications, but here it is running on localhost:3000. Now when it is running on localhost:3000, there is an interesting factor: that means it's an API, it's a JavaScript file which is calling some APIs and running somewhere. So I want to play around with it, like literally play around with it. Okay, so it has some features which are there, and now what I really want to do here is I want to open it up
here. Okay, okay, here, this is the common thing. Do you see anything here in the browser? I have some XSS, but it is not reflecting. There is a string which is here, which is going in the name. Now I create an array here. Do you see, the XSS is getting replicated. The most interesting aspect is that the application is considering string and array separately; even though the application is sanitized, it is bypassing it, and that's a problem with one of the APIs, req.query, which is part of the Express framework, and anyone who's using that is vulnerable to it; they are vulnerable to cross-site scripting. So this particular request, or req.query, even though you are sanitizing it, you are creating a lot of concerns, you are creating a lot of issues for yourself. And never ever use a library which can be a tricky one. If you see, it is reflecting here in the browser. It was taking it as a string, but here now it's taking it as an object. Now if I want, I can have multiple, let's say they put in something for an array, so I will double the array. So it might not work, but I might want to try something else which might work. So similarly we keep trying all of this. If you see here, I have double arrays, and I want to play around with it, or I might want to see something more; I keep adding things and it will work. So it depends on how our application is taking it, but this particular Express API is basically vulnerable to cross-site scripting. Now this was with what, a single API, right? Let me just go ahead and stop that, or it's going to eat up my whole system. Okay, Ctrl+Z, I don't want it. Okay, okay, here, let me come here. That's why we say that, when we recommend the third-party components that we're using, we should not be using the outdated components, be it anything, be it your browser, be it a framework, be it a web server, be it an application server, be it any dependency, third-party dependency. Like, so many dependencies are part of our code; sometimes we don't even know about them, and then
comes the interesting part, wherein there are many threat agents which can be there. We have to spot them as early as possible, understand the technical impact, the business impact, or these kinds of known vulnerabilities which will exist in our environment and will keep creating concerns for our application. That's when we need to understand, identify the authentication failures also. Now what is that? Now why are we dealing with it? We've been talking about all the other things. So here we need to understand who the users are when they're trying to access the application. So authentication and session management is very, very critical here. To understand around any authentication-related attacks: we don't want to permit any automated attacks, or attacks which will lead to password trying. So if somebody knows your username and they keep trying it, they might get to your credentials; it can happen. So that's when what you need to do is make sure that we are using account failures, or lockout, when we have these applications. And another important aspect is that when we are dealing with this, we need to make sure that we are not permitting brute force or automated attacks, and that plain text or encrypted passwords or hashed passwords are handled properly, and we are not missing out on multi-factor authentication; it is very, very important. We should not expose the session identifier. So right now you're able to log in to any application: the first time you use the username and password, and after that what happens? You don't use a username and password, but instead you use, like, a session token. But if I get to your session token and I'm able to replay those things, would you like it? I'm sure not; you don't want your session to be logged in as me. So people are using Instagram, Twitter; like, I'm super active on Twitter, so if you get my Twitter account, would I be comfortable? No, absolutely not. So we should be making sure that, especially for testers,
we when we are testing these cases we need to do a negative testing for these session identifiers these session identifiers should not be never ever be reused and there are sessions which are invalidated properly wherever possible let's implement multi-factor authentication to to actually prevent these automated credential stuffing brute forcing attacks we should also make sure that we are using uh we're implementing a check for weak passwords and we need to make sure whenever somebody is trying to put a simple insecure password we tell them that there are issues which are there and then server side attacks that we can avoid as much as possible now comes another important aspect of software and data integration data integrated failures now all of this that i'm talking about these are all ovas new ovas bugs new bugs which are part of the whole cacd pipeline or security list so software and data integrity failures relate to code and infrastructure that actually does not protect themselves or themselves against the integrity violations what are integrity wherein something which is stored somewhere and people are able to modify that so example of this would be wherein there are plugins there are third-party libraries modules which are there from unstructured sources or content delivery networks now and there is the whole pipeline which is set up but then there are components which are insecure and that's how data integrity failures happen so what we can do is we need to use certain tools which can help us in understanding that what do we have in our environment we're using maven we're using jenkins we are using so many tools so can we have them can we actually have security as part of the whole ecosystem can we have a review process for the code can we make sure that the configuration which is there which is checked properly we have we are ensuring that our cacd pipeline has proper segregation configuration check and access control making sure that the integration of 
the code is is appropriate now many home routers settle boxes device firmwares and we don't verify the updates we just go ahead and start using it so unsigned firmwares is basically a big issue or unauthenticated upgrades so there is a major concern many times that there is no mechanism to remediate those fixes so the latest version is vulnerable the older version is all good or you have updated you have updated from place where it came up with some malware with it think of solar winds now it was a nationwide issue or the worldwide issue wherein there was something happening with solar winds there was a dependency or a dll file which was part of the whole software base which was the main cause behind it and that was shipped to everyone they were able to support but then for several months the firm distributed a highly targeted malicious update for more than 18 000 organizations out of which hundreds were impacted this is one of the most far-reaching and most significant breach in the nature of the history oh god that was so big similarly we need to understand what we are dealing with because if we don't know what we are dealing with we will have these issues now server-side requests forgery the most interesting one now ssrf has been there for a very long time and when we are dealing with this there are like challenges which are there which we need to take care of and we sometimes tend to forget about them so what what happens next if we are not dealing with ssrf which is like impacting the server so uh let me go ahead and show it to you basically and if i can go ahead and show you give me one second so there was one beautiful website which had the demo which i'm trying to give you so that you can also try give me one second i'll show it to you i'll actually ping you that url so that you can actually that url so that you can actually try that so there was one beach breach which happened on capital one which had server-side request forgery it deals with wherein we 
are trying to get some information from the server and we are able to successfully get all the server information and we are able to play around with the ssrf i think i have it all ready so let me go ahead and ping you here in the chat box and put you on the screen also i have no idea while i just change my browser or while i search something it behaves in a real way um okay now so this is the capital one ssrf it is an online one so i really like showcasing here now let me give you a brief introduction about it first so that you understand more about oas top 10 um so ssrf so ssrf is server-side request forgery so these flaws happens when application is fetching a remote source without even validating could be scanning a scanning the internal network and give you all those details what it does is it allows the attacker to understand more about the application and they can craft a request for the unexpected destination and modern firewalls may not be able to detect it so it can impact network layer to what not and where is the contra okay here now while it is talking about it let me go ahead and click on next so you can actually try it yourself now this is the capital 10.com because it's a just a demo i'm going to go ahead and paste it here i'm going to hit here it is asking for a username and password so i'm going to put username and password i'm going to sign in now it has account services so i'm going to go hit my account services i can change the credit card image now here i should put some card right just the basic card but then instead of that i am able to go ahead and wait i am able to update a png image upload and preview fine next next but do you see there is a url here in this on the screen it it provides the location of this image where it got stored interestingly very amazing that information is with me so let me go ahead and close this what happened to it okay now let me copy it now here i'm going to go ahead and change the url and see if something 
happens here it is taken from anywhere if you realize so here when it took from there it actually gave me some back end code wherein i can do some exploitation i realize that i can put in from third party pages instead of uploading from my system i can give a url so here if i start analyzing the code there is a method for rendering which is used there are there's a url that that has been taken and then i can take this query string i can load it because there's a load method which has been used here unfortunately there's no input validation which is there because if you remember i just pick up the s3 bucket page and then change that bit to something catsman so there is no url which is being validated now here i could see cats theme right now let me go ahead and put a different url so this is a unique url basically which fetch the metadata from the aws account any aws account here this is known everywhere so now what i wanted to understand about metadata it actually gave me the metadata if you see here interestingly i have that information now i i know about the structure so this is a structure for getting the security credentials so let me go ahead and fetch security credentials if you see here i can actually figure out a role here and then i can try and create i can try and fetch more information about this role so interestingly it gives me some more information already okay sorry here now it tells me nice information what is that it gives me access id and secret id do i just need that to log into the account absolutely yes here if you see i'll put in this access id i'll put in this code and what else i need so here i'm going to go ahead and fetch the details anything and everything that i need i have the information so that's what ssrf does there are many exercises that you want to try so you can go ahead and try from command command injection to xml entity so this is one great website that i like for training people and especially ssrf is one beautiful one which 
is listed over here so that people understand that how the third party urls can fetch the information from the server you can scan the server altogether you can actually play around with the server which is there at the back end so server-side request forgery is a big problem in many applications even if i talk about the security knowledge framework it also has it so let me go ahead and start the lab and show it to you so if you want you can try all of these exercises yourself and you can set up your security knowledge framework as well which which i am enforcing because you should try these labs yourself then you understand better because instead of me telling you what it is how it is and how you prevent it if you have if you have mechanisms which are available for you to understand it becomes easy so i can just go ahead go to my lab view let me remove this and in the lab view i have everything possible fine here under labs there are many labs which are available right so i have server-side request forgery as well so i can go ahead and start it and it will take some time and we'll be started i have graph ql in introspection to xss to capture bias paths to database schema bypass everything possible that can be there now let me come back here now what are the next steps we need to understand the code for the issues understand what can lead to denial of service attack or memory concerns and at the same time we need to understand how big these issues can be for example if i talk about the ovas top 10 so it's just the minimum list i would say which is the entry level upset program it can be very good but then you need to understand it that there are more things attached to it there are more issues which are attached to it and at the same time there are more features that we need to understand in our own applications so it is very very important to understand all of these things but not to miss out that these there are proactive controls which we can do we can have 
properly defined the security requirements we can leverage these security frameworks and libraries but then let's use a responsibility responsibly and then encode and escape the data understand where we can have proper input validation where we can have the whole validation in place and the most important aspect let's have proper access controls which are enforced handle all these exceptions errors properly use application security verification standard wherever possible understand how these frameworks can can lead to bug classes very very important and last but not the least understand that we need in se we don't need this insufficient logging and monitoring we need to log everything this is when what happens when we don't have the proper tooling mechanism proper mechanism where we can record understand these things we need to log the errors understand where the falls are happening because if we don't understand that it will lead to issues the breaches that are there and most breaches studies show that it will be over 200 days to detect a breach typically detected by external third parties then internal process on monitoring process so how critical that can be these are some of the resources that i totally love that you should look at but totally as i said look at security knowledge framework there are labs which are available that can be helpful there are filters which are available and yes the most important of all is that was top 10 so let me go ahead and give you the url so that you can go back and check it i'd leave we kept it for three hours but i think we're almost done with it and i'm going to just share these information so that it will be helpful please pick it up everything from the chat box
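To make the authentication and session-management advice from the talk concrete, here is an added example in Python; it is not code from the talk, from OWASP or from any product mentioned in it. It assumes an in-memory AuthStore standing in for the real user, lockout and session tables, a clock passed in as a number so the behaviour is deterministic, and a tiny constructed deny-list in place of a breached-password feed. It shows the controls the speaker lists: a weak-password check at registration, a lockout counter against password guessing, a fresh random session token on every login so an identifier is never reused, and server-side invalidation on logout and on expiry.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Policy constants (constructed for this example; tune to your own risk appetite).
MAX_FAILED_ATTEMPTS = 5        # failures before the account is locked
LOCKOUT_SECONDS = 900          # 15 minutes
SESSION_TTL_SECONDS = 1800     # sessions expire after 30 minutes
MIN_PASSWORD_LENGTH = 12
PBKDF2_ITERATIONS = 100_000
# Tiny constructed deny-list standing in for a real breached-password check.
COMMON_PASSWORDS = {"password", "password1234", "123456789012", "qwertyuiop12"}


def password_is_weak(password: str) -> Optional[str]:
    """Return why the password is unacceptable, or None if it passes."""
    if len(password) < MIN_PASSWORD_LENGTH:
        return "too short"
    if password.lower() in COMMON_PASSWORDS:
        return "commonly used password"
    return None


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, slow hash so a stolen table cannot be reversed cheaply."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


@dataclass
class AuthStore:
    """In-memory stand-in for the user, lockout and session tables (constructed)."""
    users: Dict[str, Tuple[bytes, bytes]] = field(default_factory=dict)   # user -> (salt, hash)
    failed: Dict[str, int] = field(default_factory=dict)                  # user -> failure count
    locked_until: Dict[str, float] = field(default_factory=dict)          # user -> unix time
    sessions: Dict[str, Tuple[str, float]] = field(default_factory=dict)  # token -> (user, expiry)


def register(store: AuthStore, username: str, password: str) -> Optional[str]:
    """Reject weak passwords up front; otherwise store a salted PBKDF2 hash."""
    reason = password_is_weak(password)
    if reason is not None:
        return reason
    salt = secrets.token_bytes(16)
    store.users[username] = (salt, hash_password(password, salt))
    return None


def login(store: AuthStore, username: str, password: str, now: float) -> Tuple[str, Optional[str]]:
    """Return ("ok", token), ("invalid", None) or ("locked", None).

    Every successful login issues a brand-new random token, so a session
    identifier is never reused and a pre-authentication token is never upgraded.
    """
    if store.locked_until.get(username, 0.0) > now:
        return ("locked", None)
    record = store.users.get(username)
    # Hash against a dummy salt for unknown users so response time does not
    # reveal whether the username exists.
    salt, stored = record if record is not None else (b"\x00" * 16, b"\x00" * 32)
    valid = record is not None and hmac.compare_digest(hash_password(password, salt), stored)
    if not valid:
        count = store.failed.get(username, 0) + 1
        store.failed[username] = count
        if count >= MAX_FAILED_ATTEMPTS:
            store.failed[username] = 0
            store.locked_until[username] = now + LOCKOUT_SECONDS
            return ("locked", None)
        return ("invalid", None)
    store.failed[username] = 0
    token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG, never derived from user data
    store.sessions[token] = (username, now + SESSION_TTL_SECONDS)
    return ("ok", token)


def session_user(store: AuthStore, token: Optional[str], now: float) -> Optional[str]:
    """Resolve a token to a user, dropping it if it has expired."""
    if token is None or token not in store.sessions:
        return None
    user, expires = store.sessions[token]
    if now >= expires:
        del store.sessions[token]
        return None
    return user


def logout(store: AuthStore, token: str) -> None:
    """Server-side invalidation: a replayed token is useless after this."""
    store.sessions.pop(token, None)
```

A real deployment would persist these tables, also rate-limit by source address, and pair the lockout with multi-factor authentication, so that simply locking an account cannot be used to deny a legitimate user service.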
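The SSRF demo in the talk works because the image-fetch feature loads whatever URL it is handed, including the cloud metadata address. The following is an added example of the missing validation, written in Python for this page; it is not code from the demo site, from Capital One or from the Security Knowledge Framework. It assumes the fetcher only needs http or https on the standard ports, resolves the hostname before fetching, rejects any address that is private, loopback or link-local (the range the cloud metadata service sits in), and judges IPv4-mapped IPv6 literals by their embedded address. The hostnames and the offline resolver table are constructed so the check runs without network access.

```python
import ipaddress
import socket
from typing import Callable, List, Tuple
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}     # policy choice for an image-fetch feature

Resolver = Callable[[str], List[str]]


def default_resolver(host: str) -> List[str]:
    """Resolve a hostname to every address it maps to (A and AAAA records)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


# Constructed DNS table so the example is testable offline (hypothetical names).
CONSTRUCTED_DNS = {
    "images.example.com": ["93.184.216.34"],
    "metadata.example.internal": ["169.254.169.254"],
    "dual.example.com": ["93.184.216.34", "10.0.0.5"],
}


def offline_resolver(host: str) -> List[str]:
    return CONSTRUCTED_DNS.get(host, [])


def is_public_address(ip: str) -> bool:
    """True only for globally routable unicast addresses."""
    addr = ipaddress.ip_address(ip)
    # ::ffff:10.0.0.1 is really 10.0.0.1; judge it by the embedded IPv4 address.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return not (addr.is_private or addr.is_loopback or addr.is_link_local
                or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def check_fetch_url(url: str, resolver: Resolver = default_resolver) -> Tuple[bool, str]:
    """Decide whether the server may fetch a user-supplied URL. Returns (allowed, reason)."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        return (False, f"scheme {parts.scheme!r} not allowed")
    host = parts.hostname
    if not host:
        return (False, "missing host")
    if parts.username is not None or parts.password is not None:
        return (False, "credentials in URL not allowed")
    try:
        port = parts.port
    except ValueError:
        return (False, "invalid port")
    if port is None:
        port = 443 if scheme == "https" else 80
    if port not in ALLOWED_PORTS:
        return (False, f"port {port} not allowed")
    # A literal IP resolves to itself; anything else goes through the resolver.
    try:
        ipaddress.ip_address(host)
        addresses = [host]
    except ValueError:
        try:
            addresses = resolver(host)
        except OSError:
            return (False, "host did not resolve")
    if not addresses:
        return (False, "host did not resolve")
    # Every address must be public: a name that maps to both a public and a
    # private address is rejected rather than gambled on.
    for ip in addresses:
        if not is_public_address(ip):
            return (False, f"{host} resolves to non-public address {ip}")
    return (True, "ok")
```

Validating the name and then letting the HTTP client resolve it a second time leaves a window for DNS rebinding, so the fetcher should connect to the address that was checked. Network controls belong alongside the code check: an egress policy for the application host and no reachability to the metadata service, so that a bypass of the validator still yields nothing.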
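The talk closes on logging and monitoring and the long time most breaches take to detect. As an added example (not from the talk or any of the resources it names), the Python below runs a credential-stuffing detector over constructed authentication log lines: it flags one source address trying many different usernames within a short window, and a login success that follows such a burst. It also records how many seconds passed between the first event of the burst and the alert, which is the number a monitoring team tracks. The log format, addresses and usernames are invented for this example; a real deployment would adapt parse_line to its own authentication log.

```python
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Dict, List, Optional

# Constructed log format: "<iso timestamp> auth result=OK|FAIL user=<name> src=<ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth result=(?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Constructed sample: a normal typo-and-retry from one address, then a burst of
# different usernames from another address ending in a successful login.
SAMPLE_LOG = """\
2024-05-01T09:00:00Z auth result=FAIL user=alice src=203.0.113.5
2024-05-01T09:00:04Z auth result=OK user=alice src=203.0.113.5
2024-05-01T09:10:00Z auth result=FAIL user=alice src=198.51.100.7
2024-05-01T09:10:02Z auth result=FAIL user=bob src=198.51.100.7
2024-05-01T09:10:04Z auth result=FAIL user=carol src=198.51.100.7
2024-05-01T09:10:06Z auth result=FAIL user=dave src=198.51.100.7
2024-05-01T09:10:08Z auth result=FAIL user=erin src=198.51.100.7
2024-05-01T09:10:10Z auth result=FAIL user=frank src=198.51.100.7
2024-05-01T09:10:12Z auth result=OK user=frank src=198.51.100.7
this line is not an auth record and is skipped
"""


def parse_line(line: str) -> Optional[Dict]:
    """Turn one log line into an event dict, or None if it is not an auth record."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
    return {"ts": ts, "result": m["result"], "user": m["user"], "src": m["src"]}


def detect_credential_stuffing(lines: List[str], window_seconds: int = 60,
                               min_failures: int = 5, min_users: int = 3) -> List[Dict]:
    """Sliding-window detector keyed on source address.

    Alerts once per source when it accumulates min_failures failed logins
    across at least min_users distinct usernames inside the window, and again
    whenever a success arrives while such a burst is still in the window.
    """
    events = [e for e in map(parse_line, lines) if e is not None]
    events.sort(key=lambda e: e["ts"])
    recent = defaultdict(deque)   # src -> deque of (ts, user) for recent failures
    alerted = set()
    alerts: List[Dict] = []
    for e in events:
        q = recent[e["src"]]
        while q and (e["ts"] - q[0][0]).total_seconds() > window_seconds:
            q.popleft()
        if e["result"] == "FAIL":
            q.append((e["ts"], e["user"]))
            users = {u for _, u in q}
            if len(q) >= min_failures and len(users) >= min_users and e["src"] not in alerted:
                alerted.add(e["src"])
                alerts.append({
                    "kind": "credential_stuffing",
                    "src": e["src"],
                    "failures": len(q),
                    "distinct_users": len(users),
                    "first_seen": q[0][0].isoformat(),
                    "detected_at": e["ts"].isoformat(),
                    "seconds_to_detect": (e["ts"] - q[0][0]).total_seconds(),
                })
        elif len(q) >= min_failures:
            # A success right after a guessing burst is the account-takeover candidate.
            alerts.append({
                "kind": "success_after_burst",
                "src": e["src"],
                "user": e["user"],
                "detected_at": e["ts"].isoformat(),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_credential_stuffing(SAMPLE_LOG.splitlines()):
        print(alert)
```

Thresholds are deliberately parameters: a consumer site sees far more benign retries per address than an internal admin portal, so the window and the minimum failure count should be set from observed baselines rather than guessed. The detector only works if the application actually logs every authentication outcome with the source address, which is the speaker's point about insufficient logging.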