by Leon Rosenshein

The Juice Shop

I didn't get this posted during security awareness month, but it's timely nonetheless. Security is everyone's business, whether you're building a robot, a two-sided marketplace, a shared infrastructure, or an online juice shop. There are lots of things to keep in mind, and it's more than just "Who has access to what data?". What you deny access to, and how you deny it, can tell an attacker a lot about your system and the data it protects. Then there's the internal side, where good logging and ease of debugging are in direct conflict with keeping the data secure. And don't forget data combining: put together enough "innocuous" pieces of data and you can reconstruct PII.
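The "how you deny" point is easiest to see in code. The following is an added example (not code from the post or from the Juice Shop project) built on a constructed in-memory user table and order table: the leaky handlers answer differently for "no such account" versus "wrong password" and for "no such order" versus "not your order", so each refusal confirms whether the thing exists; the hardened versions return one answer for every failure and do the same amount of work on every path. All names, passwords and order ids are made up.

```python
"""Uniform deny responses: leaky handlers beside hardened ones (added example)."""
import hashlib
import hmac
import os

def _hash(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256 of the password with the given salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

# Constructed sample store: username -> (salt, password hash). Not real accounts.
_SALT = os.urandom(16)
USERS = {
    "alice": (_SALT, _hash("correct horse", _SALT)),
}
# Dummy credential so an unknown username still costs one hash comparison.
_DUMMY = (_SALT, _hash("not-a-real-password", _SALT))

def leaky_login(username: str, password: str) -> str:
    """Deliberately leaky: the error text reveals whether the account exists."""
    if username not in USERS:
        return "error: no such user"          # confirms the account does not exist
    salt, stored = USERS[username]
    if _hash(password, salt) != stored:       # also a non-constant-time compare
        return "error: wrong password"        # confirms the account does exist
    return "ok"

GENERIC_FAILURE = "error: invalid username or password"

def hardened_login(username: str, password: str) -> str:
    """Unknown user and bad password are indistinguishable; compare is constant-time."""
    salt, stored = USERS.get(username, _DUMMY)
    candidate = _hash(password, salt)
    # compare_digest runs first on every path; the membership check only
    # guards against someone typing the dummy password for a missing user.
    ok = hmac.compare_digest(candidate, stored) and username in USERS
    return "ok" if ok else GENERIC_FAILURE

# Constructed order store: order id -> owner. Not real data.
ORDERS = {"1001": "alice", "1002": "bob"}

def leaky_order_status(order_id: str, requester: str) -> int:
    """403 for 'exists but not yours' vs 404 for 'missing' lets ids be enumerated."""
    if order_id not in ORDERS:
        return 404
    if ORDERS[order_id] != requester:
        return 403
    return 200

def hardened_order_status(order_id: str, requester: str) -> int:
    """Missing and not-yours look identical from outside."""
    owner = ORDERS.get(order_id)
    if owner is None or owner != requester:
        return 404
    return 200

if __name__ == "__main__":
    print(leaky_login("mallory", "x"), "|", hardened_login("mallory", "x"))
    print(leaky_order_status("1002", "alice"), "|", hardened_order_status("1002", "alice"))
```

The internal side of the post's point still applies: the hardened handlers can log the precise reason (unknown user, bad password, wrong owner) for the operators, as long as that detail never leaves the server in the response.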

There are lots of don'ts when you think about security. At the top of the list is "Don't roll your own encryption". Instead, ask for help. Knowing you don't know is more than half the battle. Then there are the smaller ones: don't trust user input, don't assume good intent, and don't assume your API is only used internally.

There are also things you should do. At the top of that list is "Design security in from the start". Ask for help. Do threat modeling. Make your security model granular enough. Admin and non-admin might be enough, but do you need more? Make sure you maintain and update your systems as vulnerabilities are found (you do have a configuration-based, repeatable, verifiable deployment system, right?).
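What "granular enough" can look like in practice, as an added example (not code from the post or from the Juice Shop project): instead of a single is_admin flag, roles map to named permissions, an ownership rule covers "your own orders", and a single authorization choke point denies anything it does not explicitly recognize. The roles (customer, support, finance, admin), the permissions and the actions are invented for a juice-shop-style app; the shape is the point, not the names.

```python
"""Role -> permission authorization with deny-by-default (added example)."""
from dataclasses import dataclass
from enum import Enum, auto
from typing import Dict, FrozenSet, Optional

class Perm(Enum):
    ORDER_READ_OWN = auto()
    ORDER_READ_ANY = auto()
    ORDER_REFUND = auto()
    USER_MANAGE = auto()

# Hypothetical roles for a juice-shop-style app. Anything not listed is denied.
ROLES: Dict[str, FrozenSet[Perm]] = {
    "customer": frozenset({Perm.ORDER_READ_OWN}),
    "support":  frozenset({Perm.ORDER_READ_OWN, Perm.ORDER_READ_ANY}),
    "finance":  frozenset({Perm.ORDER_READ_OWN, Perm.ORDER_READ_ANY, Perm.ORDER_REFUND}),
    "admin":    frozenset(Perm),
}

@dataclass(frozen=True)
class Principal:
    user_id: str
    roles: FrozenSet[str]

@dataclass(frozen=True)
class Order:
    order_id: str
    owner_id: str

def permissions(p: Principal) -> FrozenSet[Perm]:
    """Union of the permissions of every role held; unknown roles grant nothing."""
    granted = set()
    for role in p.roles:
        granted |= ROLES.get(role, frozenset())
    return frozenset(granted)

def authorize(p: Principal, action: str, order: Optional[Order] = None) -> bool:
    """Single decision point. Unknown actions and missing context are denied."""
    perms = permissions(p)
    if action == "order.read":
        if order is None:
            return False
        if Perm.ORDER_READ_ANY in perms:
            return True
        # Ownership rule: customers see only their own orders.
        return Perm.ORDER_READ_OWN in perms and order.owner_id == p.user_id
    if action == "order.refund":
        return order is not None and Perm.ORDER_REFUND in perms
    if action == "user.manage":
        return Perm.USER_MANAGE in perms
    return False  # deny by default: a new action must be wired in deliberately

if __name__ == "__main__":
    support = Principal("sam", frozenset({"support"}))
    someone_elses = Order("1002", "bob")
    print("support reads other order:", authorize(support, "order.read", someone_elses))
    print("support refunds it:", authorize(support, "order.refund", someone_elses))
```

Adding a new kind of staff becomes a new row in ROLES rather than another "just make them admin", and every denied request funnels through one function that is easy to log and to test.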

One way to play around with security and pen-testing is the OWASP Juice Shop. If you want to try it out and see what vulnerabilities you can find, check out the opus link. Just set the User and Job Name fields, then hit "Create". Follow the link that will show up in the top right of the screen, go to the details page of task 0, and click on the "http" port in the top right of that page. You should see your own little Juice Shop website to play with. Try it out and see how many vulnerabilities you can find. There's also a CTF version, which might be a fun little exercise for the group at large. If anyone is interested in getting that set up, let me know.