The Scene
On May 2nd, the people of Surevine gathered for our quarterly get-together. Tradition states it needs to be somewhere we haven’t been recently, and given the recent influx of staff from Nottingham (4 in the last 18 months, including yours truly), everyone swarmed to the home of Robin Hood for a day of fun and knowledge sharing.
For those not familiar with remote-working, an RLM is a Real Life Meeting, where we can be in one place at the same time as our co-workers rather than spy into their homes via Slack.
The venue was Wollaton Hall, famous in Nottingham for its local history, but famous globally for its role in The Dark Knight as the home of Batman, Wayne Manor.
Session Zero – The Intro
Surevine’s CTO, John Atherton kicked us off with a quick tour of what’s going on in the wider tech world, including some insight into Aurea’s plans for the foreseeable future. This led to conversation about on-premise vs cloud installations, cloud vendor tie-in, and cloud vs private cloud – a topic that we and our clients are pretty interested in!
John moved us on to the agenda for the day, starting with a lofty goal. An Engage Process Reboot. The Engage Process is the Surevine standard practice that we use when executing projects. It covers risks, tools, quality, governance, the lot. John wanted to ensure that we weren’t carrying legacy in the process or doing things “because that’s the way it’s always been done”, and proposed a brand new update of this. This would begin with everyone consuming every written word on good practice in cyber and secure development, from other SMEs to the NCSC, from ISO 27k1 to GDS Principles.
We spoke as a group about how we balance this work with our existing and future commitments to clients, be it through co-opting some existing time spent on professional development, reserving some time one week in four, or slightly reducing our weekly availability. This wasn’t to be decided immediately, but as corporate initiatives go, I was chuffed that it was already being considered!
For the rest of the day, two guest speakers from 6point6 had been invited to provide us with some technical training, followed by a Q&A with the CEO for the last hour. I’m in my second year as a citizen of Surevine and in that time, we hadn’t attempted external training previously – colour me hyped.
Session One – Hack The Insurance Company
Dan from 6point6 talked us through some exploits against a fake insurance company site running on a VM.
He spoke about different types of attack (XSS vs CSRF vs File Inclusion, etc), about the level at which an attack can occur (TCP vs HTTP vs Rich Content), and about the target (web server vs database vs other users).
Dan demonstrated a number of attacks, from little JavaScript alerts, to reverse shells, then chained some attacks to establish a full shell to the intended infrastructure with complete control.
He demonstrated how to detect those vulnerabilities using BurpSuite and Kali Linux, their risk and impact, and resources for learning more.
Not only is BurpSuite more than a passive scanning tool, but once you’ve found a potential vulnerability, there’s a wealth of scripts and utilities freely available to help you assess the risk. A scanner like BurpSuite isn’t enough to know that you’re secure – it’ll tell you that you’re either “insecure” or “not obviously insecure”. This has an interesting parallel to Accessibility Testing, where a computer can’t determine a site’s usability by users of varied abilities – it can only tell you when the site does something that demonstrably hinders that usability.
One interesting question raised: does a company care about compliance with a security standard, or does it care about not being caught as non-compliant? Is it about being secure, or about not being publicly known to have been hacked? Is there a real difference?
Session Two – Threat Modelling
Sam from 6point6 took the spotlight next, leading us through a more process and governance talk on threat modelling.
He began with the basic process that many should take:
- What are we building?
- How could it go wrong?
- What can we do about it?
Sam talked through some of the benefits of performing Threat Modelling and reiterated the NCSC’s Security Design Principles. He then moved on to discussing the benefits and trade-offs of performing Attacker vs Software focusses modelling, whereby an attacker focus is great for early in the project and for modelling larger systems, but while software focus is more thorough and repeatable, it could generate so much information that it can be costly or overwhelming and requires some in-depth knowledge of the environment.
One great question Sam raised: Would someone use a hitherto unknown zero-day vulnerability (which they then couldn’t use again) to gain access to the goal?
We moved onto different ways of using STRIDE, defining what we mean by APTs, scoring our attack trees with DREAD or one of the other patterns, then moved onto how to address the threats we’d collected (similar to risk matrices – Accept / Mitigate / Eliminate / Transfer).
Sam took lots of time for interruptions and questions from the team, and a lot of us came away with a great energy to continue improving our skills. The biggest part of security testing isn’t the nerdy tools. It’s the thought that goes into where to look.
Session Three – OpenSpace
Surevine runs a fortnightly meeting called OpenSpace. It’s a place for updates from the board, demos from the team, and general Q&A. Being able to run this in person was a great novelty – we’ve not found the time at previous RLMs. After the normal humdrum of business policies and new starters, we moved onto a great discussion about CPD and training. Some people have taken courses recently, others are using Pluralsight.
One of my self-set CPD objectives is to be better at blogging, and to do it more regularly, both for Surevine and on my own blog. Even if this isn’t the best blog post ever written, I’m as pleased with this progress as I was spending a day in Wollaton Park learning from our excellent guests from 6point6.