In this interview, Mike Benkovich of Imagine Technologies talks about his upcoming presentation at STARWEST 2014, the thought process of hackers, and the recent security breaches, and he offers some tips on how you can better protect your software.
Cameron Philipp-Edmonds: All right, today we are joined by Mike Benkovich. He's giving a presentation at STARWEST titled, "Testing Application Security: The Hacker Psyche Exposed." Thank you so much for joining us.
Mike Benkovich: Hey, good to see you Cameron, how are you doing?
Cameron: I'm doing well, thank you. Can you start us off by telling us a little bit about yourself and your role at the company?
Mike: I'm a former Microsoft evangelist. I've spent a number of years helping people understand what's possible with technology. Going through everything that has been released on the tech stack from building websites, to building Windows applications, to building services, to working with the cloud. I left Microsoft a couple years ago and started a company that does consulting and building connected mobile client applications.
Cameron: OK. Now what led you to the idea of your session?
Mike: This is a session that we did at Microsoft a number of years ago called, "Hacker Tricks." It was talking about what developers need to know to be able to protect their applications, and just to be aware of what are the most common exploits. It seems like with the current technology that stuff is going on with the exploits on credit cards at different retailers, not to name anyone. There's some things that developers need to look at, that just the fundamentals, just to keep busy with knowing how to prevent those kinds of exploits from happening. This session is designed around showing what those exploits are, and then going through how do I prevent them, or understand how they work and then make sure I'm coding using secure coding practices.
Cameron: OK, yeah. It's definitely a hot topic right now, there's definitely a lot of people who were affected. Again, not to name any names. With so many data breaches in the last year, do you think that hacking is more prevalent, or are we just becoming more aware of it?
Mike: I think it's a couple of things going on. One is that it is happening more. I think it's that developers need to get back to the fundamentals of writing secure code, because there are things you can do, but because you use the technology, or the framework, or the stack, you can still write ... It's just like technology. We now have the ability to go out and do stupid things a lot quicker with these faster processors and everything else, and so we need to figure out how we can be aware of what those exploits are again, and just get back to the fundamentals.
Cameron: OK. Now in your presentation, you're going to show attendees how the top exploits work, and ways to test for them. Can you identify some of those exploits for us?
Mike: Some of them are going to be working with insecure direct object reference. That's where you use a predictable code or something like that, and then the URL you can find ways to hack into it. I'm going to show some injection attacks, both SQL injection that work either with, wherever you're taking input from a user and then applying it inside of your program. Also, cross-site scripting. That's a real dangerous one, because it allows people to go out and hijack a session, and just basically do some bad things. You need to be sure that you're looking at, make sure you're checking the input and the output, validating and encoding stuff correctly.
Cameron: OK. Now, what exactly is an injection attack, and what exactly is cross-site scripting?
Mike: What exactly is an injection attack? It's where the input you get from a user's not what you would expect it to be. If you are looking for malicious things, like certain kinds of passwords or whatever, where you've got a list of what is dangerous, they call that "blacklisting," as opposed to using a whitelisting, which is where I define what a correct input looks like. For instance, on an email on a form where you're submitting it for more information, if that field that you're typing in and pressing submit, and it pops up a thing saying, "This email is not valid," and it displays that email, if you put in certain characters or try to take over that, there's ways that hackers can exploit that.
Cameron: OK. Now you also mentioned security misconfiguration and broken session management. What exactly are those?
Mike: Session state management is where someone tried to replay a session by capturing and then using the state information. In some types of applications you've got data that's used to make the session appear to have information about the current state of things. Replaying that, or to prevent that from being replayed, you need to have things that will go through, make sure the timestamp on when that session state was created is valid, that the server that it was created on is the same one that is decrypting it, and there's ways of ensuring that token configuration.
Cameron: OK. Now we covered just a couple different methods of how people are hacking and these exploits that they're using. Is there one area or process flaw of security testing that a lot of software is being exposed to?
Mike: I think it's just a common thing to do for hackers is to try to go through from the ground up, the very basic things where you have a developer who assumes the framework is going to protect them just because they're using stored procedures, for instance. They may just code in things that are going to have unintended consequences. You have to come to the talk to find out how all of this stuff is going to work, because I'm not going to give it all now.
Cameron: I understand. The technological landscape today is really evolving quickly, so are the fundamentals of producing secure code enough, or is the software industry in general going to have to really step up their game if they want to keep up, and is there going to have to be broad sweeping changes across the landscape?
Mike: I think it's going to be a combination of both stepping up the game, but also paying attention to the fundamentals. Some of these exploits that are happening are old exploits that have been around for years. There are new developers who are coming into the industry, maybe haven't been burned by it like the old dogs that have been around, and so they are getting burned by the same things. We need to learn lessons from past experience, but we also need to be thinking about future exploits and paying attention to it. That's why going through the list of what are the top exploits as published by OWASP, which is the Open Web Security Consortium.
They each year will go through and assess what are the top exploits and give you, as a developer, something to look at so that you don't get blindsided. It's like in a football game, if you're running with the ball and you don't realize someone's coming from the other side, and you get smashed, it's not a happy thing. Knowing what you're defending yourself against is going to be key.
Cameron: OK. Now for a lot of people, developers are kind of the dream job. A lot of people go to school for software development, not software testing. Is that something that's going to change because of these hacks?
Mike: I think that the testing part of it is occurring because the thing about software in general just the entire lifestyles and the roles that the different groups have, the developer is going to build code presumably using the best practices and is using secure coding techniques, but the testing side of it, you need to know what kinds of tests you need to try to run. Things like denial of service attacks, things like intrusion attacks, things like all of those cross site injection attacks. When you look at all the inputs and where all that stuff can happen, you need to be paying attention to what's going on.
From a testing side of things, we need to look at it and think about it, how do we create those kinds of tests, and then automate and then provide ability to go through and scale those and run them against our environment.
Cameron: OK. You talked about really expanding the knowledge here for both developers and testers, and you also have a developer resource site called benkotips.com. Can you tell us a little bit more about that?
Mike: Benko Tips is a website I created a number of years ago that originally had a bunch of links from the presentations I was doing, and I would just include things on there that you can download and check out how code works. Today it's got I think 150 webcast type sessions that I've either participated in, or that I've archived and curated to give developers some resources to work with. There's also the blog on there that I maintain, the Benko blog, which is now called, "Confessions of an Evangelist," or an ex-evangelist. I have some fun with that.
The last couple blog posts have been around the hacker tricks and the security exploits. For instance, yesterday I published a post about how an email phishing scam came across my inbox yesterday. Where it looks like, "Hey, you have an Outlook voicemail, just click this zip file to listen to it." Well, what does it do? It goes out and installs a virus, and it's not coming from Outlook at all, but some place in China and I'm like, "OK." Well, people need to know about this stuff. Yeah, I use it for a variety of different things.
Cameron: All right, fantastic. Now you've also spent the last 25 years in the tech industry, and you've gone from sort of the minion to business owner. You're also an author, and as you said, an evangelist, so your career has seen a lot. What does the next 25 years look like for yourself?
Mike: The next 25 years? Yeah, what was it? I was talking to a friend of mine whose dad just turned 92, and I said, "Well, you're halfway to 184." To which he said, "Oh my God." 25 years from now, if I'm still in the tech industry that'd be great, but I think it's going to look like more and more consulting, more and more as the industry shifts towards building interesting things. I'm a developer at heart. I like writing code, I like building apps, I like working with companies that have great ideas and helping them go to market.
Cameron: OK, so kind of as the internet ...
Mike: I guess I'll be, the inner geek will continue. Yeah.
Cameron: As the Internet of Things really takes over and technology really takes over everything we're doing, you see yourself more as answering the questions that a lot of people are going to have.
Mike: Mm-Hmm. (affirmative) I want to be in-tune with what's new, what's coming out, keeping up with ... I'll be at conferences and talking to people about what they should be paying attention to, and helping understand just the flood of information and ideas coming into the world.
Cameron: OK. Like you said, you're going to be giving presentations, and at your presentation you're going to be covering a lot of things that's really interesting to a lot of people. Is there really one thing you'd like attendees of your presentation to take away from it?
Mike: From the STARWEST presentation that we will be doing, I think the main takeaway is going to be to test for these security exploits, be aware of what they are, and go out and make sure you're checking everything you're doing. All users are evil. All evil is corrupt. As long as you keep that golden rule in mind, you'll be fine.
Cameron: Is that a quote I can put on your epitaph there? "Mike Benkovich says all users are evil?"
Mike: I think that would be great, yeah. Then we'll just kind of ... The perfect, safe, secure software is the one that has no users or data, and it's fine.
Cameron: OK. Now is there anything else you'd like to say to the delegates of STARWEST before they attend the conference, and before of course they come to your presentation?
Mike: Come with your eyes open, and let's have some fun exploring what's going on with security and with data exploits and really thinking about it.
Cameron: All right, sounds great. I'll look forward to seeing you at the conference. Once again, this is Mike Benkovich, and he's giving a presentation at STARWEST titled, "Testing Application Security: the Hacker Psyche Exposed." Thank you so much for speaking with us today, Mike.
Mike: Sounds great. Good talking to you, Cameron.
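Two of the points raised in the interview, blacklisting versus whitelisting of input and the "This email is not valid" message that echoes the submitted value back into the page, can be seen side by side in the following example. It is an added example, not code from the interview, from Mike Benkovich, or from his talk; the function names, the email pattern, the blacklist entries and the sample submissions are all constructed here for illustration.

```python
"""Whitelist validation and output encoding for an email form field.

Added example (not from the interview or the speaker). It contrasts a
blacklist of known-bad fragments with a whitelist that defines what a
valid value looks like, and shows why the echoed value in an error
message must be HTML-encoded. All names and samples are assumptions.
"""
import html
import re

# Blacklist approach: reject input that contains known-bad fragments.
# Constructed list; it can never be complete, which is its weakness.
BLACKLIST = ("<script", "javascript:", "onerror=")


def blacklist_is_clean(value: str) -> bool:
    """True when none of the listed fragments appear (case-insensitive)."""
    lowered = value.lower()
    return not any(bad in lowered for bad in BLACKLIST)


# Whitelist approach: describe what a correct email address looks like and
# accept only that. Deliberately strict pattern (an assumption for this
# example, not a full RFC 5322 grammar); anything else is rejected.
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]{1,64}@[A-Za-z0-9.-]{1,253}\.[A-Za-z]{2,}$")


def whitelist_is_valid(value: str) -> bool:
    """True only when the whole value matches the allowed shape."""
    return EMAIL_RE.fullmatch(value) is not None


def render_error(value: str) -> str:
    """Build the 'This email is not valid' message that echoes the input.

    The value is HTML-encoded before it is placed in the page, so a rejected
    value that contains markup is displayed as text rather than interpreted
    by the browser.
    """
    return "<p>This email is not valid: " + html.escape(value, quote=True) + "</p>"


def handle_submission(value: str) -> dict:
    """Validate with the whitelist; on failure return the encoded message."""
    if whitelist_is_valid(value):
        return {"accepted": True, "message": ""}
    return {"accepted": False, "message": render_error(value)}


# Constructed sample submissions: one valid address, one that the blacklist
# catches, and one that slips past the blacklist but fails the whitelist.
SAMPLES = [
    "alice@example.com",
    "<script>x()</script>@example.com",
    "<svg onload=x()>@example.com",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(
            f"{sample!r}: blacklist clean={blacklist_is_clean(sample)} "
            f"whitelist valid={whitelist_is_valid(sample)}"
        )
        print("  response:", handle_submission(sample))
```

The third sample is the point of the comparison: the blacklist has no entry for it and lets it through, while the whitelist rejects it simply because it is not shaped like an email address, and the encoded error message shows it as harmless text.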
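The session state checks described in the interview (is the timestamp on the session state still valid, was it created by the same server that is now reading it, has the token been altered) can be implemented as a small signed token. The following is an added example written for this page, not code from the interview or from the speaker; the token layout, the HMAC construction, the demo key, the 15-minute lifetime and the server names are all assumptions.

```python
"""Signed session token with an issue timestamp and server binding.

Added example (not from the interview or the speaker). The token body
carries the user, the issuing server and the issue time; an HMAC over the
body lets the verifier detect any modification, and the verifier also
rejects tokens that are too old or were issued by a different server.
Key, lifetime and server ids are constructed assumptions.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

SECRET_KEY = b"constructed-demo-key-replace-me"  # constructed; load from a secret store in practice
MAX_AGE_SECONDS = 900  # assumed lifetime for this example


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(user: str, server_id: str, now: Optional[float] = None) -> str:
    """Create a token carrying user, issuing server and issue time, then sign it."""
    issued_at = int(now if now is not None else time.time())
    payload = {"user": user, "srv": server_id, "iat": issued_at}
    body = _b64(json.dumps(payload, sort_keys=True).encode())
    sig = hmac.new(SECRET_KEY, body.encode(), hashlib.sha256).digest()
    return body + "." + _b64(sig)


def verify_token(token: str, server_id: str, now: Optional[float] = None) -> Tuple[bool, str]:
    """Return (ok, reason) for a presented token.

    The signature is checked first, so the payload is only trusted once it
    is known to be unmodified; then server binding and age are checked.
    """
    now = now if now is not None else time.time()
    try:
        body, sig_text = token.split(".", 1)
        expected = hmac.new(SECRET_KEY, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig_text)):
            return False, "bad signature"
        payload = json.loads(_unb64(body))
    except (ValueError, TypeError):
        return False, "malformed token"
    if payload.get("srv") != server_id:
        return False, "issued by a different server"
    age = now - payload.get("iat", 0)
    if age < 0 or age > MAX_AGE_SECONDS:
        return False, "expired or future-dated"
    return True, "ok"


if __name__ == "__main__":
    # Constructed walk-through: a fresh token, then a replay on another
    # server, a replay after the lifetime, and a tampered body.
    t0 = 1_000_000
    token = issue_token("alice", "web-01", now=t0)
    print("same server, fresh:   ", verify_token(token, "web-01", now=t0 + 100))
    print("different server:     ", verify_token(token, "web-02", now=t0 + 100))
    print("after lifetime:       ", verify_token(token, "web-01", now=t0 + 901))
    body, sig = token.split(".", 1)
    tampered = body[:-1] + ("A" if body[-1] != "A" else "B") + "." + sig
    print("modified body:        ", verify_token(tampered, "web-01", now=t0 + 100))
```

Because the issuing server id and the issue time live inside the signed body, an attacker who captures a token cannot move it to another server or extend its life without breaking the signature, which is the replay protection the interview describes.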
Energy, laughter, and a contagious passion for coding—Mike Benkovich brings it all with him. In a career that has taken him from minion to business owner, from database administrator (DBA) to developer, from author to evangelist, Mike has seen it all. In more than twenty-five years of working in the technology industry, he has been part of the latest waves to sweep the industry. Whether delivering MSDN events live or webcast presentations, on the developer resource site BenkoTips.com or his blog, Mike brings enthusiasm for tools and an energy for the search to find a better way. Follow Mike on Twitter @mbenko.