Web security as a starting line in my cybersecurity projects.

Masq31 - Benjamin Giordano
3 min read · Feb 6, 2021


This month’s blog will hopefully cover the following question: “Why start now?” To that I ask, “Did I ever stop?” Technology was certainly at the forefront of my every day, delivering food with platforms like Doordash, my line of gig work. In my free hours in the week, I’d be tinkering with AWS and Microsoft services in my own home. While a delivery job holds a responsibility to make sure food gets to customers safely, which is an important job during a pandemic for sure, infosec-related problems continued to distract my thoughts on the daily. In this moment of history, cybercrime is up 600% [1], and corporate extortion via ransomware attacks demanding cryptocurrencies is an incredibly pressing issue. Being in the right place at the right time last December was a message as subliminal as Johnny of Cobra Kai watching his life crumble while LaRusso’s marketing continued to rub it in.

(Image Credit: MediaPlayNews. https://www.mediaplaynews.com/cobra-kai-moving-to-netflix/)

By January, I started attending the classes on Tryhackme.com [2]. During the labs, I’d end up stuck for hours, pondering how to go about the “smart” way to understand familiar tasks. In the past, this meant anything up to compiling a Linux distro from scratch (no relation to or use of the book [3]) versus a pre-packaged image.

Somewhere in those hundreds of Google searches for knowledge, I stumbled upon a website called openbugbounty.org (or OBB for short) [4]. This was like an epiphany to my mindset. The automation the site offered, with techniques on display to show off the examples, made web testing appealing and, for someone without a previous history of writing disclosures, much easier to understand than any class had shown me. OBB’s brand of testing, finding cross-site scripting errors, felt right for my background, familiar from my most recent finding, and gave me the path of least resistance to start studying further. This is the area I should strive to specialize in, and I’ll start right now!

One of the most important communities involved with web security I came to recall was the Open Web Application Security Project (OWASP) [5]. While they’ve had a bigger presence on the west coast, I’ve always known their name, their local presence, and their yearly top 10 list of exploited web vulnerabilities. I can recall that during my internship with a bank many years back, I presented their work and awareness to the company’s CISO equivalent. He praised my knowledge and specificity, and told me by the end of the internship, “you belong in a SOC for sure.” If that type of encouragement doesn’t ignite like a gasoline reaction in the engine of a security-minded student, then combustion is a myth.

Apparently, I wasn’t alone in this revelation. Barracuda Networks reports that numerous attacks, automated and scripted, have increased in the past few months [6]. Security researchers of all kinds, some unfortunately wearing different hats, ended up following a similar direction, and are upping their skills against the open web. Now more than ever, awareness is key.

My current project involves instructing site owners in my hometown, with loose affiliation to my local OWASP chapter. My current findings suggest that our community is falling behind in informing the public of this pressing issue. The end goal of this plan is to educate others on how to institute better web app security practices in our geographically local dot-com community. This would allow our members to best inform organizations of the current importance of patching practices and of methods for responsible disclosure of vulnerabilities. It remains to be seen whether an initiative like this will be successful, but hopefully our group can shape this idea to suit the project’s needs. Action comes now. Wish me luck, and

Stay safe.

Links:

[1] https://abcnews.go.com/Health/wireStory/latest-india-reports-largest-single-day-virus-spike-70826542

[2] https://tryhackme.com/

[3] http://www.linuxfromscratch.org/lfs/

[4] https://www.openbugbounty.org/

[5] https://owasp.org/

[6] https://blog.barracuda.com/2021/02/04/threat-spotlight-automated-attacks-on-web-applications/

Image:

https://www.mediaplaynews.com/cobra-kai-moving-to-netflix/
