
  a4.pdf   .





 


    



Alice and Bob Learn Application Security

Tanya Janca  2021 by John Wiley & Sons, Inc., Indianapolis, Indiana.

All Rights Reserved. This translation published under license with the original publisher John Wiley & Sons, Inc



 ..,    , 2023

 .   , 2023


* * *




  





   .           , DevSecOps   .       ,      !

 ,   The Web Application Hackers Handbook,   Burp Suite




 ,   The Unicorn Project,  The Phoenix Project, DevOps Handbook  Accelerate




 ,  - Have I Been Pwned?









 


 ,     SheHacksPurple,   We Hack Purple, -,    ,          .      WoSEC: Women of Security,   OWASP DevSlop   OWASP Victoria.        I   .       ,   ,         (Microsoft, Adobe  Nokia).    :   ,  (,     ),    ,        .   ,    ,         .   ,   ,      .




  


         ,         ,      .         .    (      )              .  2011       OWASP,       ,        .      ,        ,   .     righettod.eu.



        ,    .      OWASP         .              .    ,      ,       Security Journey,     ,    .          .  ,           ,         (, ).      Twitter (@7hunderSon)   GitHub (thunderson).         eliesaad7@gmail.com.

















 ,          Manicode Security









      , , ,      .      ,   : ,     , ,     .  , ,  ,           , -    26  40%     (Verizon Breach Report, 2019)[1 -      2016, 2017, 2018 .].       ,  ,      ,     .


     ,      .     ,    Microsoft Windows Server 2008 R2 PS2  ,        .            ,           .       ,    ,  ,         .      .     ,    . ,    ,        ,        .




 


       (. System Development Life Cycle, SDL)  . .1,  ,        .   ,    .   ,    Agile, Waterfall, DevOps       ,   ,     (),   (),   (), ,          (),         ().






. .1.    




      :              ,    .   . .2      ,        .   ,    .






. .2.  






 


       ( AppSec,  . Application Security),   ,     .    ,    ,       ,  ,       (      ,     ).







      ,      :    (IR),    ,  ,  ,  ,    ,     (IAM),  , , ,  ,       ,      ,   .        ,          .       ,    .








          youtube.com/shehackspurple           ,      .     ,     ,        .

      ,    newsletter.shehackspurple.ca   SheHacksPurple,      (     ).





 I




 1.  

 2.  

 3.    

 4.   

 5.    




 1

 







   : CIA


     I-    ,       ,   ,    .                ,            ,  ,   .      ,      CIA (confidentiality, integrity, availability  ,   ) (.1.1).






.1.1.  CIA     I-



         .    I                .     ,   ,          .           IoT.



. IoT  Internet of Things   .   ,   .    ,   ,   IoT.








     ,    Fortune 500.     ,   ,      .          ,        ,    .    ,        ,        .  ,             ,     ,   .                      .         .






.1.2. :   



, ,             .       ,            ,             .          (.1.2).











 (.1.3) ,    ,   .   ,        :    .      ,  ,   ,   .






.1.3.   



    , ,       CIA:         .   (     )     ,   .  ,         ,    .

 CIA       .                ,    ,  ,  .










.  ,  ,   ,     .    ,         ,    .              .     ,         .       : 10-                 .





.1.4.   



.          ,     (  )            .    .1.4,   ,          .






 


   : ,  ,  ,      [2 - time.com/3404330/home-depot-hack.].        ,     ,   . ,  ,    ,       ,  -     ,   , ,     .


        .                .         .       ,  ,        ,  .       ,      ,       ,  API  ,         API,     (   )               .         ,  ,      ,        .       ,            .

        ,              (Bug Bounty),   ,  -          .


    Bug Bounty.             .    ,    .




 


    ,  ,      ,    (     ),         CIA.     ()  .


        CIA


     ,       (    CIA,     ).


        CIA


   -  ,      (Dynamic Application Security Testing, DAST),      ,      ()     ().       ,           .



.      -  DAST   .     -, -        .     -  -                 .   DAST       ( )       .           - .





 


        ,     (.1.5).          ,   ,           (       ).







.1.5.    ;   




 :  ,   SIEM (Security information and event management        ,           ),   IPS/IDS (Intrusion prevention/detection system      ,         ),    .      .




.     ,    ,       .    .  3.

 SIEM     ,       .

     (IPS/IDS)  ,          .





  



                 ,       (Database owner, DBO).       ,     ,     .                    - ,        .     .








  



    .         ,       .   , , , ,   ,      ,      .      ,    .            . ,   ,  ,    . ,         . ,  ,    ,       (  )      .  .1.6  ()      ,          .






.1.6.       




        :     ,      ,       ,    (API)        ..  ,           ,        ,   .  ,    2040%    [3 - www.infoworld.com/article/2626167/third-party-code-putting-companies-at-risk.html.] (,      ),      ,   .           ,   . ,         ,        ,        ,      .

  ,       :    ,    ,    ,   .             ,        .   (    )    -       .          ,        .








    

 2018   Node.js       event-stream    ,      .  ,       NPM (Node Package Manager      Node.JS),           Copay,     event-stream[4 -     : www.trendmicro.com/vinfo/hk-en/security/news/cybercrime-and-digital-threats/hacker-infects-node-js-package-to-steal-from-bitcoin-wallets.].











  





.    -    .         ASCII, Base64  Hex,       -.        .      XOR ( )          .    ,    .


        ,   SSID/Wi-Fi (          ),   -     ,     .      ,        - .





  


     :  , ,   .   ,    .    10      ,  20   100 .   ,      ,   .






  ,       :          .   -,        .     Bluetooth,      Wi-Fi.             -  .        .         Bluetooth      ,     SSID  .




 


            ( ,   , API  ..). ,     -   4 + 4,  Enter     8, ,  , ,   .     5 + 5   Enter,       8,        .

      ?  :       ,  ,    ,     (,   API,   ..). ,     ,        .      ,   ,    .





  ,  


        ,     :         .     API, ,    API        ,    .       ,    ( ,    .     ,  ).              .         ,    , ,            .     (,   ,    )    ,    ,       (   ).  ,    .     .



.      ,        (Cross-Site Scripting, XSS)   ,   .  XSS    ,            XSS-   .      ,   ,     .        , ,  ,    ,      .


           -  . ,    -     .    (  ) -   API (#1),     API (#2),     .       ( )   API   API (#1)          API,    .       ,        API #1,    API #2.            API #2,  ,     ,       (.1.7).






.1.7.   API     




-       ,   API.   ,  API     ,        (  ),    API       (     ),    .





  



    ,   ,      100+       .


        ,        .         90 ,   ,       ,   _.




 



     ,            .           .         -     .         (multi-factor authentication, MFA),   (two-factor authentication, 2FA)     .     MFA.



.    .         ,       (OSINT, Open source intelligence      ).            :     .


  ,    ,   ,      (   ).      ,    .  -        MFA    (       ), ,   ,      .          .

  MFA.




.         ,       SMS ( )  -   MFA,     SMS    .  ,       ,   .             ,   SMS-.











1.    Wi-Fi        Wi-Fi.      ?

2.  ,     ,   . (    ?)





   ,     (https://www.litres.ru/book/tanya-yanka/bezopasnost-veb-prilozheniy-ischerpyvauschiy-gid-dlya-nachinau-69351946/)  .

      Visa, MasterCard, Maestro,    ,   ,     ,  PayPal, WebMoney, ., QIWI ,       .



notes








1


     2016, 2017, 2018 .




2


time.com/3404330/home-depot-hack.




3


www.infoworld.com/article/2626167/third-party-code-putting-companies-at-risk.html.




4


    : www.trendmicro.com/vinfo/hk-en/security/news/cybercrime-and-digital-threats/hacker-infects-node-js-package-to-steal-from-bitcoin-wallets.


