On May 18th and 19th, Sébastien Gioria, chapter leader OWASP for France, gave a training in the premises of Agile Partner on safety awareness in the applications.
As an appetizer, we reviewed recent attacks of different magnitudes and different means used. From these examples, we learned that any information system is vulnerable in one way or another. Contrary to the popular idea, "successful" attacks are the result of several vulnerabilities put together (for example, a misconfigured server that leaks information about the architecture allowing the attacker to identify software vulnerabilities). The impacts of an attack can be varied: financial, criminal, loss or theft of information, the most serious being often the attack on the brand image.
In the majority of cases, a computer attack is based on a weakness of software (user input or poorly controlled system calls, incorrect parameterization, ...).
We can distinguish two families of programming languages with their own weaknesses:
- Managed languages that are pseudo-compiled (Java, .NET, Flash) or interpreted (PHP) to be independent of the hardware platform
- Compiled languages (Assembler, C, C ++) strongly related to an architecture
For managed languages, we encounter flaws SQL injection, XSS (Cross-site scripting) or execution of arbitrary code, while compiled languages are sensitive to memory corruption or unexpected system calls.
The discovery of a fault can result from the work of researchers, software publishers or anonymous and may represent a significant market value. A flaw becomes truly dangerous only when there is a program taking advantage of it.
Any software (closed source code as open) has an attack surface. It is therefore essential to maintain all elements of the information system (operating system, web publishing service, application). On the internet you can find all sorts of tools to identify unprotected systems (for example shodan.io which allows to find all kinds of systems connected to the internet) and professionals whose job is to find and / or exploit flaws (Zero Initiative Day, Zerodium).
Currently, web software is the most widespread and their security is the biggest challenge.