In this interview, TechWell speaks with Mike Benkovich, who's been a business owner, database administrator, developer, author, and evangelist. At STARWEST, he had a presentation titled "Testing Application Security: The Hacker Psyche Exposed."
Jennifer Bonine: All right, we are back with another round of interviews. We have a couple back to back here for us, and I'm here with Mike. Mike, thanks for joining me.
Mike Benkovich: Well, good to be here.
Jennifer Bonine: We just figured out Mike and I are actually both from Minneapolis, that area, so we're both in the same area and know a lot of the same things, probably. Why don't you give, for folks out there that haven't had a chance to meet you before, your background. It's not your traditional tester that you see running around.
Mike Benkovich: I do test, because I build software, but I'm more on the building side. I'm a developer. I've worked for a number of years for Microsoft doing evangelism around cloud and around Visual Studio, and all the tools that are part of that. Lately, since I left there, I've been building connected mobile apps.
Jennifer Bonine: Very neat.
Mike Benkovich: Doing a talk later today on hacker tricks.
Jennifer Bonine: Hacker tricks. For those who don't get to see that one, unfortunately, because it's not broadcast, what are some of the sneak peeks into what people get during the hacker tricks session this afternoon?
Mike Benkovich: It's kind of a fun talk, because what we do, we start out ... we get a volunteer from the audience, we steal their credit card, buy thirty thousand dollars' worth of stuff, and ship it to my house.
Jennifer Bonine: That's awesome.
Mike Benkovich: Oh, yeah. Then we show you how to prevent that from happening to you. We really go through and have a lot of fun with it. There's this OWASP, which is the Open Web Application Security Project, that has the top ten exploits. You're able to go out and see what kinds of things are coming at you, and it's sort of like, if you're—to use a sports metaphor—in football, if you don't see the guy coming from the side and get blindsided, it hurts.
Jennifer Bonine: It's not good.
Mike Benkovich: OWASP is all about educating and informing people about what kinds of exploits are out there. My talk goes through the mechanics of how does it actually work, instead of just reading about it. We actually sit down and do it, and show you the mechanics of, okay, this is what it's doing.
Jennifer Bonine: I bet that's a scary realization for some people when they sit down and see how easy it actually is for hackers to come in and steal credit cards, and get stuff taken from them. Identity theft has become so huge. I know it was a big deal when the head of one of the organizations gave out his personal social security number, and everyone was like, "Wow, why would he do that?" It was for Lifelock, I think, was the one that did it, saying, "I'm confident we'll protect my identity." That was scary for me—for him.
Mike Benkovich: Whenever you've got people who are trying to throw out a bone, and it's like, "Okay, well then you're going to bring in the people to give it a try," that's a pretty gutsy thing to do.
Jennifer Bonine: Yeah, because there's a lot of people out there that love a challenge, and are looking for that.
Mike Benkovich: Oh yeah.
Jennifer Bonine: Any tips for people out there—just in general, thinking about this—in terms of when you do ... Because a lot of us now buy on the Internet, so we are not going into stores anymore, and very few people are using cash or checks anymore. A lot of it is credit card-based, or bank card-based, debit card. Anything to watch out for, for people knowing if you're going onto a site, to make sure it's one of the ones that's been tested appropriately, or isn't one of the ones that's probably pretty vulnerable?
Mike Benkovich: I think when you're looking at that kind of stuff, from a personal perspective, if I'm going to be buying something, I (a) want to make sure I'm running SSL, which is running https, because otherwise the traffic could be sniffed, and that's bad. The other is that the domain names remain consistent with what you think they should be.
Jennifer Bonine: They're not switching.
Mike Benkovich: In other words, it's not switching to something that's some Netherlands, or—I'm not saying the Netherlands, Netherlands isn't bad—but saying that there's some odd kind of a thing that you don't expect. The other part is just a blind faith of, "Well, I'm putting my credit card out here. Someone, hopefully, they aren't storing it and then using it later on."
Jennifer Bonine: Exactly.
Mike Benkovich: It used to be, you'd call up because you could talk to someone, and then you go to the call centers, and you realize they're just sitting at the same page and typing in your numbers.
Jennifer Bonine: Doing the same thing you're doing.
Mike Benkovich: It's like, "Okay, so ..." It's a reality.
Jennifer Bonine: Yeah. Of what you have to worry about now and having some of that protection, because everyone may not be testing it well, or using it well.
Mike Benkovich: You know what I did? I turned on, with the credit card company, a thing so I get a text message whenever a charge goes through.
Jennifer Bonine: Yes.
Mike Benkovich: That has been really nice.
Jennifer Bonine: That is a really ... I noticed that even here, at Disneyland, that American Express, I use American Express a lot, and I literally as soon as the credit card left my hand, I would see it come through on my mobile app, to say, "You were just charged," and how much it was. It's so fast. The speed of that is amazing to me. You're not waiting, and you're not having to go to a website, scroll through transactions.
Mike Benkovich: Or, finding out at the end of the month, "What was I doing twenty-nine days ago?"
Jennifer Bonine: Yeah. "Did I really do that or was that someone else?"
Mike Benkovich: "Fifteen hundred dollars for tires?"
Jennifer Bonine: Exactly, exactly. So, in your talk you'll kind of talk through some of those hacker tricks and stuff, and how that stuff happens.
Mike Benkovich: Just kind of get down that path and have the conversation about what kinds of things should you be thinking about, because we're not going to be able to say, "Okay, these are all the things that are going to happen." It's a, "Here's the top things." All we can do is just take what we know, and ...
Jennifer Bonine: Raise awareness for it. We were talking about ... It's interesting when you look at the history of some different, varying types. There's more specialized testing, so to speak; it's like it's the Holy Grail of, like ... I'm kind of afraid to dabble in that because I don't know what to do, so getting people into things, like, "It's okay, here's some things to think about for security," that are pretty basic, that you should be checking on your apps and your websites that have payment forms, and all of that. I think it's great, because a lot of people are kind of like, "Well I don't know what to do, so therefore I'm just not going to think about it, because it seems too complex, or it seems outside my realm or scope."
Mike Benkovich: That's one of the things ... I was walking around the Expo here, and there's all kinds of vendors. There's a lot of things out there that can automate some of this penetration testing, and these different kinds of exploits. Like for cross-site request forgery, that's an attack where they send you a phishing email—you're already logged into some site, and by virtue of already being logged in, this other thing can send a request that uses your credentials, that stored state information. That's kind of a bad thing. But there's tests and things that are out there, and these suites and tools to automate scanning your software to find those kinds of things and point out what it is you need to do.
Jennifer Bonine: And automate kind of that manual testing effort of what's going on around it, as well.
Mike Benkovich: When you build software, it's so much componentry now. I'm going to go out and download this component, and put jQuery, and put Backbone, and Ember, all of these different things, and (a) it's hard to keep up with all these different names. The other thing is, some of these have known vulnerabilities. There's a couple of them, I think Spring and there was something on Apache, something CBG, which is like a service sweep, that had known exploits, or known vulnerabilities, but still there are twenty-two million downloads and it's embedded in the application. That actually made it on the OWASP list, is using components with known vulnerabilities. There are things out there you can use to say, "Okay, don't build, or break the build if it has that stuff going on."
Jennifer Bonine: So you can identify it and quickly deal with it, versus ignoring it.
Mike Benkovich: Try to, yeah.
Jennifer Bonine: From a mobile perspective, because mobile is huge, and you said kind of component-based, and leaving things more open so things can get in, and you can plug into a lot of different options with the Internet of Things and everyone talking about how you have to leave everything open. What is that creating for challenges, obviously for people like you who are more on the build side? I want to keep it open, but at the same time I don't want it vulnerable.
Mike Benkovich: Right. If you look at all the different devices that are out there, it used to be, you go to work, you log in with your work PC, and your work PC has all the work data. You go home, you have your home machine, and the two never meet. Now people are bringing their own device, they're connecting up at Starbucks some, you know, anywhere coffeehouse.
Jennifer Bonine: Anywhere.
Mike Benkovich: They're downloading and working with all of these things. How can you protect that stuff, and make sure that ... It is interesting that the types of exploits that have come across on the mobile devices haven't been worse than what we've seen so far.
Jennifer Bonine: Really?
Mike Benkovich: I feel like we've been lucky going along to this point, where there's an incredible number of devices out there, and making sure that when you do those transports, when you're putting the data services out, that you are starting out with this security in mind and really building from the ground up on, "How do I keep that?" It's sort of like, you build a system, and as long as you've architected it with that in mind, it's easy to extend it, but adding it after the fact ... There's a process called threat modeling, where you can sit down and identify all the different locations where information is coming and going, and the thing about this is it's not saying, "We're going to try to remove every possible threat or exploit that's out there." But, it documents it.
Jennifer Bonine: At least you know where the potential ones are.
Mike Benkovich: Right, and you say, "Here's all the assets I've got; here's the places where it's being read from and written to; here's where it's stored." Then you make a list of all of those things, and you list out the types of exploits that could happen on it. It's actually a methodical process, and you end up with a spreadsheet that's got a list of all these things, and it's got a score; you multiply it out and say, "Here's the ones that are most likely to be exploited, little impact but multiplied by a billion users, okay, that's bad."
Jennifer Bonine: That would be a great thing for people to have, because it's data. It says, "Here's your potential risk." I think a lot of people just get scared in the unknown, of, "Well, I don't know, it's scary." Then they're like, "But I don't know how scary, really." It helps you quantify the level of what you're dealing with.
We are out of time. It goes so quick. This is such a great topic. If people want to get a hold of you after this, or have more questions—because I'm sure we probably just piqued their interest on a lot of these items—what's the best way to contact you?
Mike Benkovich: I've got a website called benkotips.com, and you can follow me on Twitter @mbenko, and you can also send me an email, [email protected]. Look at that, I just gave out my email address.
Jennifer Bonine: I know, right?
Mike Benkovich: If you have questions or whatever, I've got presentations, I've got notes, I've got links.
Jennifer Bonine: That would be great.
Mike Benkovich: All kinds of stuff on benkotips.
Jennifer Bonine: Perfect.
Mike Benkovich: Downloads, too. Presentations, and information, and I'd be glad to help out.
Jennifer Bonine: Awesome. For all of you out there listening, that's how you're going to find Mike and be able to get more information on what we just scratched the surface on here today. Thanks, Mike.
Mike Benkovich: Great to meet you.
Jennifer Bonine: I appreciate it.
Mike Benkovich brings it all—energy, laughter, and a contagious passion for coding—with him. In a career that has taken him from minion to business owner, from database administrator to developer, from author to evangelist, Mike has seen it all. In more than twenty-five years of working in the technology industry, he has been part of the latest waves to sweep the industry. Whether delivering MSDN events live or webcast presentations, on the developer resource site BenkoTips or his blog, Mike brings enthusiasm for tools and an energy for the search to find a better way. Follow Mike on Twitter @mbenko.