
🔴 Executive Offense Issue #10 - The Big BAD Source Code Issue pt.1

The Big BAD Source Code Issue pt.1

EO is a security newsletter that focuses on the intersection between offensive security and security strategy. Sometimes hacker-ish, sometimes CISO-ish. Very blazer over the t-shirt type of vibe…

/ The Big BAD Source Code Issue pt.1

Alright, this week is a bit of a remix, but I think it'll be worth it.

This week's newsletter is all about security and source code.

Whether you are on offense, defense, or attempting to uplevel your security program as a security leader, protecting your source code in the realms of application security and product security is a must.

This week, we're going to go over a bunch of my favorite free resources for secure code training.

With these resources, you can uplevel your whole organization. Code literacy is a superpower.

/ Why security code literacy?

First, we're going to discuss offensive practitioners. This is for all of you pen testers, red teamers, application security engineers, and more. When I started doing offensive security many years ago, I was not code literate, and it led to years of confusion and toil when assessing web applications and associated technologies. Eventually, when I landed at Fortify Software, I was exposed to secure code scanning. I jumped headfirst into understanding some of the paradigms that lead to vulnerabilities. Now, this didn't mean I had to become a full-stack developer. By studying the types of vulnerabilities code scanners look for and how they occur, you can start to develop a sixth sense for auditing code, even without being a full developer. Once I started to learn how to assess and read code, in my later career, I noticed that my pen tests, red teams, and pretty much everything else started flowing a bit smoother. It's by no means mandatory, but like I said, it can be a superpower in a lot of situations.

Now, for blue teamers and purple teamers, it doesn't matter if you are in the SOC, in threat intelligence, in detection engineering, or some hybrid role that does purple teaming. Knowing how vulnerabilities present themselves in code will absolutely come up in your job at some point. Not only knowing where vulnerabilities are but just being code literate is extremely important at the higher echelons of any of these disciplines. The sooner you can get some familiarity, the better.

Lastly, for my leaders out there—and this one is an important one—many security programs have one foot still stuck in an era where we didn't have great education or tools to do application security. Rewind five or six years ago, and we were still dynamically scanning everything, and the tools themselves were just starting to reach maturation for code scanning. We didn't have as many developers in security as we do today, and frankly, the frameworks weren't as difficult to find bugs in. Today, pretty much the inverse of all of this is true. And if I can give any security leader one piece of advice, it is to try and cultivate a culture of engineering and code literacy in your security program. Some of the best moves I've ever made as a security leader were to encourage my teams to build and fix things rather than just break them and point them out. These teams helped build stronger cultures with our developers and IT and were always appreciated, with fewer squabbles between security and any other group. Encouragement to build a program like this comes from leadership, and it is your job to make sure that your team is heading in the right direction for you to have an Engineering First security program.

This week's Executive Offense Newsletter is brought to you by:

Issue Note: This one is very relevant for this issue. I LOVE AppSec Engineer personally. It's some of the freshest content out there for security engineers. Unfortunately, they don't offer a free trial anymore.

Hands-on Full-stack Security Training for Security Engineers

Learn Cloud Security, Kubernetes, DevSecOps, and more. 100% hands-on.

We guide security engineers, architects, and developers to get new skills in AppSec with over 1000 interactive and hands-on labs. Get 10% off with code "HADDIX10".

/ The Goods

10 Free Resources for Secure Code Goodness

#1

Snyk's Academy

Snyk has a free academy with over sixty vulnerabilities and lessons on remediating them in Java, JavaScript, PHP, and Python.

#2

Secure Code Warrior

Offers a no-obligation 14-day trial of their platform. Even after that, it has free videos on many topics.

#3

Codebashing by @Checkmarx

Codebashing offers a free unlimited trial, with 41 lessons ranging from discrete CVEs to code-level OWASP Top 10 vulns.

#4

Hacksplaining

Hacksplaining offers several lessons (and has a print book by No Starch).

It covers more of the attacker-side theory, but it does have fix code snippets at the end of every lesson.

#5

Contrast's Developer Central Secure Code Lessons

Contrast has published lessons and mitigation annotations as one-pagers for security people and developers.

It's less interactive but still great, with a few videos in there to spice it up.

#6

Avato Dev Sec Training

Avato offers several free exercises before you sign up. Content looks very modern.

#7

Veracode's Security Labs Community Edition

Veracode offers dozens of free resources in the community edition of their Security Labs.

#8

OWASP's Secure Coding Dojo

This one is a self-hosted learning platform with 34 hosted lessons and an insecure app to fix.

It's dockerized for convenience.

#9

Kontra by @securitycompass

Kontra by Security Compass offers many of the OWASP Top Ten exercises free and has a free trial. I like the innovative platform!

#10

GitLab's Secure Coding Guidelines

GitLab provides a great wiki-like reference page containing their secure coding standards. While some of their internal training is blocked off, which is a bummer, they offer several libraries to deal with common security issues. Rails focused, but it has a bit of everything, tbh.

/ To be Continued…

While this issue covered what I would call platforms and interactive learning tools, there are many more resources in video and text format that I want to include. So, in the next issue, we'll go over the top-rated application frameworks and my favorite free resources for each. To be continued!

Contact Jason at Arcanum Information Security — [email protected]

Take my full 2 day course for pentesters, bug hunters, and red teamers!