A common issue in cybersecurity is the false sense of security that arises from having a system built by experienced engineers. Even the most seasoned professionals can overlook significant security vulnerabilities. The Elevation of Privilege (EoP) card game offers an engaging and systematic approach to identifying these hidden threats.
Consider this case described by Mark Vinkovits during his AppSecCali presentation.
Case Example by Mark Vinkovits
In Mark's case study, he talked about a notable discovery which involved a component designed for distributing files across a network. This component was part of a SaaS platform offering automated processes for server maintenance.
What were they building?
The component allowed an admin to upload a file or patch to be deployed on their own network. The SaaS platform accepted a URL, downloaded the file from that URL and arranged for distribution to all the connected servers. Engineers initially believed the risk was low because the admin user already had network-wide permissions and the server management software had been developed by highly experienced engineers.
What could go wrong?
The component ran within an internal firewall segment operated by the SaaS provider, not the customer’s network. If a customer’s admin user provided an internal IP address, perhaps intending to grab software produced by their own team, the system would inadvertently retrieve files from the SaaS provider’s network and distribute them to the customer. This oversight presented a significant security risk, as it could be exploited to exfiltrate sensitive data.
What did they do about it?
The discussion focused on the validation of the file URL submitted by the system admin. Many URL styles and destinations were acceptable – IPs, different kinds of host, external software distributors, cloud storage etc. While the initial thought was that validation was unnecessary, the team identified that the URL must not point to the internal network, to prevent the onward transmission of data out of the SaaS provider’s network.
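As an added illustration of the kind of validation the team settled on, the following check resolves the submitted host and rejects any URL whose addresses fall inside private, loopback or link-local space, so a download can never originate from the provider's own segment. This is example code written for this page, not the platform's code or Mark's; the denied ranges, the function names, the sample hostnames and the constructed_resolver lookup table are assumptions.

```python
"""Validate a customer-supplied download URL so it cannot point at the
SaaS provider's own network. Added example; not code from the post or
from the platform it describes. Policy and names are assumptions."""
import ipaddress
import socket
from typing import Callable, Iterable
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}

# Address space that must never be a download source for this feature:
# RFC 1918, loopback, link-local (which is where cloud instance-metadata
# endpoints live), CGNAT, "this network" and the IPv6 equivalents.
# Assumed policy; a real deployment adds the provider's own public prefixes.
DENIED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "::/128", "::1/128", "fc00::/7", "fe80::/10",
)]

Resolver = Callable[[str], Iterable[str]]


def default_resolver(host: str) -> list[str]:
    """System resolver: return every A/AAAA answer for host."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def is_denied_address(addr: str) -> bool:
    """True if addr lies in a denied range. IPv4-mapped IPv6 addresses
    (::ffff:10.0.0.1) are unwrapped so they cannot sidestep the IPv4 ranges."""
    ip = ipaddress.ip_address(addr)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip.is_multicast or any(ip in net for net in DENIED_NETWORKS)


def validate_download_url(url: str, resolver: Resolver = default_resolver) -> tuple[bool, str]:
    """Return (ok, reason). Accepts only http(s) URLs whose host resolves
    exclusively to addresses outside DENIED_NETWORKS. The decision is taken
    on the *resolved* addresses, so unusual textual forms of an internal
    address (decimal, octal, mapped IPv6) are judged by where they lead."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    if parts.username or parts.password:
        return False, "credentials in URL not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    try:
        addrs = list(resolver(host))
    except (socket.gaierror, ValueError) as exc:
        return False, f"host {host!r} did not resolve: {exc}"
    if not addrs:
        return False, f"host {host!r} has no addresses"
    for addr in addrs:          # every answer must be acceptable, not just one
        if is_denied_address(addr):
            return False, f"host {host!r} resolves to denied address {addr}"
    return True, "ok"


# Constructed DNS data so the example runs offline; hostnames are invented.
CONSTRUCTED_DNS = {
    "updates.vendor.example": ["203.0.113.10"],            # public
    "build.corp.example": ["10.20.30.40"],                 # provider-internal
    "split.example": ["203.0.113.11", "192.168.1.5"],      # mixed answers
}


def constructed_resolver(host: str) -> list[str]:
    """Stand-in for default_resolver backed by CONSTRUCTED_DNS."""
    try:
        return [str(ipaddress.ip_address(host))]   # IP literal: nothing to look up
    except ValueError:
        if host in CONSTRUCTED_DNS:
            return CONSTRUCTED_DNS[host]
        raise socket.gaierror(f"{host}: NXDOMAIN (constructed)")


if __name__ == "__main__":
    for u in ("https://updates.vendor.example/agent.msi",
              "http://build.corp.example/patch.tgz",
              "http://[::ffff:10.0.0.1]/patch.tgz",
              "file:///etc/hosts"):
        print(u, "->", validate_download_url(u, constructed_resolver))
```

The check is a gate in front of the downloader, not the whole fix: the download code must re-run it on every redirect hop and should connect to the address it validated rather than resolving the name a second time, otherwise a name whose answer changes between check and fetch can slip through.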
After a session, it is crucial to triage the identified items and discuss their importance with project managers from a business perspective. This ensures that the most critical findings are incorporated into the ticketing system for remediation. This type of validation was a small matter of programming, so could easily be scheduled. The challenge was to identify the problem in the first place.
Conclusion
This finding was particularly striking because it occurred despite the involvement of highly experienced and security-conscious engineers. In fact, they were operating at the Principal or Fellow level and the game had been organised with more junior staff. It was certainly a challenge for these engineers to criticise this software without a safe and playful environment.
The EoP card game created this environment and facilitated the discovery of this vulnerability, demonstrating its value as a threat modelling tool that surfaces critical vulnerabilities which might otherwise remain hidden.