Vivek J Purkayastha

Hello, everyone. So my name is Vivek. I have a total of 7 years experience in, Cybersecurity. I started level 1 with level 1 security that was providing support solutions when I was working for IBM, and that was for 2 2 and blur 2.5 years. After that, I moved to entity data where my work life is more into verbal teaming. It was a combination of SOC, SIEM, SOC audits. So, basically, it was all that, so I was working on that. And after that, I developed my interest into application security. So there, when, uh, COVID hit us, uh, at that time, I had some time to do self studying. So I did my training, and I got mass like, my master certification done on red teaming. And after that, I moved to moved come like, my my work was moved from, uh, SOC to application security. Here, uh, I was I joined Accenture, And my focus was completely into application security where my main things my main daily routine involved, like SaaS, DAST, uh, pen testing, and building CICD or, like, uh, doing source code reviews, threat modeling, Everything depending on client requirements. And, uh, yes, after that, I thought of, uh, once I was comfortable in this role and I had, Got few achievements on that. And, uh, once I was really comfortable and I saw that I need more challenging role and I wanted to move to a product based company, I joined Sprinklr as a security lead out here. And here, my main, uh, day to day activities is Starting the complete security posture. I'm doing like, putting automation in place, uh, building a stage out here, a security staging where the complete security checks will be done. So that is it. That is all about my work.

So the key, uh, yep, so the key considerations when performing penetration testing on a high transaction system are that, uh, first, we need to check what is in scope. Uh, when I'm when I'm, like, asking in scope, there are certain client requirements or customer requirements, and based on that, penetration test testing will be done. There are certain criteria that is needed for performing penetration testing before we, like, directly dive into it. So, uh, the first thing is understanding what type of application it is. Basically basically, when I come when I'm seeing that type of application, there are different type of, uh, like, web pages, web applications are there. Right? So, for example, there is ecommerce site. There is directly banking site. And, um, and depending on other things. There are sometimes b to b sides. Some are normal, uh, not, uh, that critical functions will be there. So depending on that, uh, we start our approach first. Like, when we move forward, we will be checking first with the authentication part. So when there are authentication, like, uh, first is for authenticated users and unauthenticated users. So based on that, we will start our testing depending on the scope of what the requirements are. So based on that, first, we check the authentication, then we move on to it. We move go to the main system. What we do the checks? What are the necessary checks on the main hosting hosting environment when I say hosting environment, the domain once the first page of first phase of authentication is started, then we see what are the function functionalities in the application. Based on that, we move further down the line, and we check what are the type of users, um, what are the users, what the page involved, what is the main application doing, what is the main uh, purpose of that application, and based on that, we move, uh, we cover the ground. So according to that, uh, the application penetration testing is done.

Okay. So to manage dependency vulnerabilities with a build pipeline so right now and I'm, like, mainly focusing on, um, the pipeline, that is, uh, the CICD phase. Right? So, uh, first, for the dependencies, we are, uh, we are looking into how our code is being read. So when, uh, when building a pipeline, there are certain phases of testing. There is SAST and SCA. SCS, software composition, and SAST's static analysis of the source code. So based on that, we make our, uh, pipeline in such a way and the staging ground in such a way that, first, it would, uh, like, when I'm building the pipeline, the code or, uh, it should be checking the code from, for example, from the Git or from Azure DevOps. So from there, it should do the necessary checks. 1st, for example, SAST SAST with static analyzers is done. Here, it will check the entire source code. And according to it, it will check the vulnerabilities. It will give us a SAST analysis of that. And according to that, if it passes, then it will go to the next phase. SAST and SAE would be done together, uh, for example, depending on the type of applications we are using. SAST for Fortify, generally, I see there are certain applications, like Snyk is there. And then there are other, uh, tools, uh, OVAIS. For example, let's take a basic OVAIS dependency. So it will check all the dependencies, all the libraries related, what are the vulnerable libraries being used, if it is being flagged, uh, 1st first, let's talk about SaaS. When it when the source code, if there are any vulnerabilities that is flag that needs to be triaged, so the build will fail at that time, and it would need it would intimate the engineering or the developers that, for a certain phase, the build has failed. And now for clarification, the security team gets involved and understands what are the issues, what are the why the why for what reason the build has failed, what are the vulnerabilities in it? And according to that, once it is fixed, again, it will go to the same the DevSecOps what we say the DevSecOps part. It will again check. It will run those tests. And if it passes, and then it'll go. Same thing happens for the SCA. The old the vulnerable libraries will be detected. And once, uh, those vulnerable libraries are fixed then only. So, basically, SASS and SCA would be done. And for that, uh, generally, we need we need to make a make either we do when we build when we build it, we need uh, right now, I'm working on Jenkins. So building the source code through the gen Jenkins. And out there we will pass the parameter which will do the necessary checks, and then it will be deployed the pipeline. So it will only deploy there are parameters that it will only deploy once the check passes. For example, I make the checks as it will only pass if critical highs are there if, uh, it will not pass if the critical highs are there. Depending on customer, we would, uh, work on that. So that is

So the measures, that we would take preventing data leakage during, uh, destructive techniques is that it should be hosted in a controlled environment. Uh, what I mean to say in a controlled environment is that there are certain environments that need to be worked out for penetration testing. So there are requirements when we do uh, penetration testing. So, uh, destructive testing, um, if I have to be clear, then that would be the penetration testing in. Uh, so based on that, an environment needs to be created. And, uh, depending and based on that, based on that requirement, we have to understand on what is the type of testing and which parties are involved in doing this penetration testing. For example, uh, there are certain vendors. When we play uh, when we work in our product base, there are certain third party penetration teams. Right? So when this is done, it should be done in a controlled environment, are and depending on that, the environment should be paced in such a way that when doing any testing, it shouldn't be uh, like, with multiple, uh, access or multiple, uh, we have to place certain criteria for for that application to be tested, there is certain challenges for a for a credit card base. We will not be asking for a for, uh, like, you can understand. We wouldn't ask be asking for credit card numbers or anything. Right? We have to move with the dummy flow. So based on that, uh, when the testing is done, it should be done in a certain environment, for example, QA, and only uh, on a only on the testing side, not on the production environment. So that is it.

When we are talking about thread modeling, thread modeling if it is outdated, then how would we adjust and update the thread model? So, uh, yeah. So based on this decision, threat modeling, uh, threat modeling is updated on a It is actually the very initial phase when the planning when we have low level designs. Uh, that is the time when we sit with engineering or sit with with developers and work on this threat modeling. But, uh, for example, there are certain requirements by the customer or by the clients when, There are certain functionalities being introduced in a certain phase. So, at that time, when we're going ahead. We have to understand, uh, again, we have to understand the type of applications, uh, the type of application we are handling. And based on that, our threat modeling should be updated. So generally, we follow there are multiple frameworks which we follow. So I I had worked with stride method logic. So, moreover, I would just give a little bit of background. I was involved into automotive security where we would be doing Tara assessment, so that's threat analysis and risk assessment. So based on that, the car it it It influenced actually, it influenced the automotive parts. So it was based on a connected car services. So every time, there are certain functionalities which would keep on getting updated. And it was a complete manual approach. We were not using tools, But I have, uh, used certain tools for doing this. So there is IrisVision. There is Microsoft Threat Modeling tool, But it all works on the same principle. 1st, we need to understand the low level design. Now whenever A feature or whenever a functionality is being introduced, we need to understand and identify which part of the application it is influencing, for example, if it is in if it is, again, if it is majorly to do with an authentication part, that is the part which we need to figure it out. Like, uh, we can understand our trust boundaries. We make the trust boundaries between applications. For example, a user logs in user system, and then there is the server. So we have to picture it in such a way that we can understand which part of the application, which part it is actually influencing. And according to that, we we update our threat model. For example, how is the functionality is being from the main system to the server, or else there will be another server server to server, how it is communicating, what type of files it's, uh, like, transferring, or how it is interacting with that application. So based on that, we would update our threat model and understand the type of attack, uh, which can be done an internal or an external. So there are various factors that would, uh, like, uh, we have to take into consideration when we are updating our threat model. So it is threat modeling isn't it is completely based on an assumption. Right? It is based on an assumption when I I'm saying that because Right now, we have to understand. We have to assume that these are the types of attacks that's going to happen within in an application. So this is the role where, uh, we have to do the strengthening of the application. So according to that, we would, uh, like, update our, uh, tread modeling. Based on the functionality of the application, we we need to make the checks, the type of the application, the type of the data is being transferred, the type of data that is being stored, and, uh, what are the functionalities, what are the user inputs, Every checks we have to we need to make in order to, uh, uh, correctly perform this threat modeling.

So, uh, whenever we are doing a penetration test, uh, there will be certain results. Uh, we need to make a detailed report on that. And how and in order to communicate that, first, our report needs to be up to the mark. Right? So when we are making a report, the report should have the all the criteria of what we are testing, what is the type of attack it should have all the details on how we have made this attack successful, what is the type of data that what are what is, uh, the type of vulnerability, what type of data we were able to store, or what is that explored, that succeeded, and then we may we need to make a detailed structure of that report. Uh, sometimes it should be detailed, and sometimes when it's being internally worn internally worked, uh, that time, we need to just, uh, like, show the type of attack, what is the type of vulnerability, and, and how it needs to be mitigated, so what are what is that it needs to be introduced in order to fix this? So that is a short answer of, uh, first, how we make the report. And in order to communicate to the relevant stakeholders, first, if this attack is successful, we mark down the points and that report will be shared share it to the stakeholders. And when they come back stating, okay. Um, as we have the entire evidence, we have marked that. So I think that would clear that out. And if there is anything that is missing, we need to perform generally, when, uh, when I'm saying anything is missing in order, that there are certain fixes, sometimes a fix has been made at that time, but there are there is a chance that a single thing might be missed. For that reason, we have to check and work accordingly and make a proper report and share it with the stakeholders.

So, here, I can see the class singleton. The instance out here is given null. So, there should be some instance because here, if an instance ID cannot be null, what I am thinking, because And then it would return that instance. So There should be some instance ID in order to identify the type of instance it's running, or else it will it will not make the necessary checks And it would be, uh, for which it would be which is looking vulnerable, and And it would. So there's and there is a That is what it answers because there should be some hashed key in because when we are talking about private and public static, So there is I guess, the key plays apart, so this cannot be null. It should generate some random in order, uh, for it to be secure.

Given the code

The process of integrating thread model updates with agile development practices. I would say agile Agile steps in, like, in a very the most accurate way of moving forward in the software development life cycle. Because in every staging in every stage sprint room, there will be certain sprints. So in every sprint, Uh, if, uh, based on because the application will be broken down into certain parts where it's being fixed, tested, deployed, Uh, those are the sprints. Right? Because in the waterfall method, what happens is you make something, you break, and you go to ground 0. But in sprint, uh, in the Agile way. If something is broken in the 1st part, you fix it, and then you go to the next phase. So in this Process of integrating, uh, threat model, what happens is we break down the application depending on the timeline, depending on the scope, and depending on the type of application it is. For example, let's talk about a basic it's a B2B application which deals with exporting. So, uh, first, uh, when we break down the application so here I will just give you an example. What happens is the user logs in. Uh, user updates all the export labels in it. There is a machine learning system which reads the label, and it Assigns accordingly on in, uh, what type of export it is, uh, and then it, It, uh, it checks the record. And according to it it, uh, like, according to it, it is, uh, you can say, For example, there are certain export materials. So depending on that, it understands the type of goods that needs to be go ongoing, and segregating those goods. So, uh, so, uh, let's divide this application into 3 parts. First is the authentication part. And, uh, when we are looking at the application, it's not doing any major, uh, major major, uh, transactions. Right? It is more of a b to b application. So we check the authentication part. We break. Uh, we fix What type of authentication? Uh, once we log in, there is a part which handles session management. We will check all the session management, the type of functionalities, what What, uh, like, uh, the user has access to what type of inputs. We check on the main page, the main, uh, host the main, like, the landing landing page on that, and then we check on the other parts. So the application is broken up broken down. And based on that, we Design thread model in such a way that first when, uh, in the first part, we check the authentication. The middle part, the type of app the type of user input application, the type of user input it is handling, what is the functionality of that, and the third part, when it's exporting, is it documenting any information that will that would jeopardize the company if breached. So those are the ways we have to Consider, uh, when we are going for threat modeling.

So there are certain, uh, whenever we do penetration testing, so there are, um, many times that it discovers that there is an SQL injection is possible. So what happens is, uh, how how we generally address This vulnerability is, uh, when, uh, for example, when we pass a query, right, uh, how it is done, Like, when we pass a query, if it gives us some result, for example, which the application is not supposed to like, it not supposed to give us if it go gives us those results. So our SQL injection works. Right? It's a it's a way of getting those information, Or it is a way of, uh, like, taking those taking that vulnerability And, uh, moving forward in the application, for example, uh, when we are check checking the part and application is displaying certain products, Right. Uh, how would we pass, uh, pass this query? We would pass it in the search field. And if it succeeds, it would show us some of the contents that the page is not supposed to show us. So when we see that this is happening in an application, this is a vulnerability which is marked, And it is a critical vulnerability which should be removed, and the steps which we would take to prevent these vulnerabilities are the query should be parameterized. When I'm saying parameterized query is that, uh, for, like, the query when we are passing, for example, Uh, get user, uh, like, user equals to equals to space and from admin or something like that, search admin. So it should be it shouldn't allow us to do that. The query should be parameterized, and it should, There, uh, like, uh, for example, uh, the query should be parameterized in order to address this vulnerability.

In the event of discovering a significant iterative law during productive part, whatever our course of action may it's, I would say it's a question that, uh, first, we need to understand the type of security flaw. When we are thinking of designing, generally, the developers design it, and then it comes to security. So once it is designed, we have to understand, Again, the main thing is understanding the application, how it's working, what type of, uh, deep what type of information it is handling. And based on that, We work accordingly in order to make it secure. So, uh, during the product design, we understand the type of application. If it is an Ecommerce application. Uh, any user can make account. Right? Uh, so The main part of it is, uh, your account should not be jeopardized, so your authentication or whatever, it needs to be strong. And the main important part is that, uh, the connection what, uh, what is the connection being used and what type of encryption is being used when you are going to the payment solution. So based on that, uh, based on the functionality of the application or what the information it is holding, It should be worked accordingly in order to design the product. So whenever we are designing the product, 1st phase is doing a thread modeling. And then once the thread modeling and once those, Uh, what we understand from the trend modeling, those features are added to the application. The application goes for the testing. Right? Once the testing has started, we would follow, like, uh, SAST, SCA. We would check all that, and we would do a DAST as well, dynamic analysis of of of it and do a penetration test testing. Based on those, we would get what are the issues, fix those issues, and then then only, uh, it can be, like, ready for the next phase, ready for the other testing phase, which, uh, regression testing or anything which is done by the engineering because after those fixes and there will be certain issues. And, again, The check needs to be done by security. Security would do those necessary checks, and then it would pass for production. Then and then only it will pass for production. And the the entire thing would be called the secure software life cycle life cycle software development life cycle. So this is these are the steps which needs to be followed into in order to proceed with this, uh, secure software lifecycle.

What methodology would, uh, apply to ensure system So, uh, whenever we are doing penetration testing for a critical infrastructure, there are certain checks in mind that That, uh, it shouldn't, uh, we shouldn't be doing something that would crash the system, That wouldn't wouldn't allow us. So in then it is very clear when performing penetration testing. It is not, something which we directly sit and start hacking because that is not something which we do. When when penetration is synced, there are certain criteria. Those criteria need to be placed in order to make sure that the application does doesn't crash, but we can understand the type of attack it is allowing us. And based on that, our, uh, our approach should be so Whenever, uh, we are generally doing, um, I would say, a penetration testing, first, uh, first, we start I would be very honest. I I would start with the task. I would just run the application completely and check for the and do a dynamic analysis of the application and get the checks. And after that, I would, uh, there is something called ASVS checklist. So that checklist is pretty thorough. You just start with that list, and we would try to get some of the results from that. And once we fill that, we would understand what the type of risk, What is there? And that that would be, uh, that is the checklist which we generally follow in order, uh, like, uh, for critical infrastructure. But there are certain requirements. If we get a clearance, then we can do a groundbreaking. You can say a deep dive or a groundbreaking penetration testing involving you can say involving your buffer overflow, A deep, uh, very critical attacks that would hamper the system. So that I hope that answers my