You know the hardest part of any project? The beginning. When you're still trying to find your footing, trying to figure out what the project is all about, that's when you tend to make the most mistakes. It's easier to stay on track once you're on it, but finding that track is often the biggest challenge. This is what we had in mind when we came up with we45 Fedex Day 2021. 2 days. 7 teams. 20 contestants. On 26th August, each of the teams had an idea for a project they wanted to execute, and they had only till the next day to do it. And just like that, they were off to the races!
The whole point of Fedex Day is to shake things up. Working on a tight deadline can be stressful, but the opposite can be just as bad: if you waste time trying to figure out what your project is, you won't have the time to bring it to completion. All 7 teams had an idea for a project they could finish in 2 days. Here's how it worked: the final product did NOT have to be perfect. In fact, that's a good thing, because it means there's room for improvement. As a team, all you had to do was 'ship' a minimum viable product within 2 days and present it to the judges. That's why it's called 'Fedex' Day. And no, that's not a jab at the condition of Fedex deliveries, but wouldn't that be funny? The winner and runner-up of we45 Fedex Day get cash prizes, as well as funding to help them develop their project into a more full-fledged and polished version. But we're also interested in seeing what all our contestants do with their projects once the competition is over.
For this competition, we had 3 in-house judges evaluating each project.
Abhay Bhargav, CEO of we45 and the guy overseeing the whole competition. He helped the teams come up with ideas and acted as a consultant to the team members.
Bharat Kishore, Head of Growth Operations at we45. He's the guy who'll be deciding if the project has any potential to be made a part of one of our services.
Rahul Raghavan, Chief Evangelist at we45. He'll be looking at the projects to see if they have marketability, or if they can help we45 get more visibility.
Team Members: Abhishek BV, Amulya Miriam, Sachin Pandey
Topic: API Security, Android & iOS Security
Description: The first team on our list chose to build a comprehensive knowledge base for API, Android, and iOS security. Each team member chose one topic and got to work. What initially seemed like a fairly straightforward project turned out to be far more complicated than they realised. Anyone who's worked on mobile or API security will know that these subjects are an ocean unto themselves. Their first challenge was to parse all that information and distill it into a format that was concise yet informative to the user. Add to that the challenge of working remotely and the clock ticking away, and the team felt like they'd bitten off more than they could chew.
Thankfully, they were able to pull through at the last minute. Amulya created a Threat Model scenario for 2 business use cases, while Abhishek and Sachin built and showcased working models with coded scenarios. "It was a real challenge," the team said, "coming up with the Knowledge Base that was both useful and easily readable by a user. We realised there was still so much we had to learn about mobile and API security, which was pretty refreshing. The time constraint was kind of stressful, but that's what got us to work much harder and get this project finished." A2i Security for Dummies plans to create more detailed and demonstrative threat models and scenarios for the project in future.
Team Members: Durga Prasad, Rajesh Kanumuru, Santhosh Janardhan, Vijay Padala
Topic: AWS Incident Response Playbooks
Description: The Cloud Linguists team had a pretty ambitious project on their hands, but being a 4-man team, they figured they could handle it. They worked on an AWS incident response service as an add-on to AWS Security Hub, which they called their 'AWS Incident Response Playbooks'. Here's how it works: with just one click, the user can apply predefined responses to remediate security findings in AWS Security Hub automatically. If a finding cannot be auto-remediated, the service notifies the end user through Slack and posts the remediation status. The Playbooks run on AWS Lambda, and in some cases AWS Systems Manager, and execute the steps to remediate security issues such as unused keys, open security groups, password policies and VPC configurations. The Playbooks use the CIS AWS Foundations Benchmark v1.2.0 as the standard to define the security issues they take on.
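To make the one-click flow concrete, here is an added example in Python of a finding-to-playbook dispatcher in the style described above. It is not the Cloud Linguists' code. The finding is a constructed record in the shape of a Security Hub CIS finding (the control number sits at the end of GeneratorId), FakeIam stands in for a boto3 IAM client so the example runs offline, and the Slack message and DynamoDB item are returned as plain values rather than sent anywhere.

```python
"""Added example: Security Hub finding -> remediation playbook dispatcher.
Hypothetical code; the finding below is constructed and FakeIam replaces boto3."""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Security Hub CIS findings end GeneratorId with the control number, e.g. rule/1.3.
CIS_RULE_RE = re.compile(r"cis-aws-foundations-benchmark/v/1\.2\.0/rule/([\d.]+)$")


@dataclass
class RemediationStatus:
    finding_id: str
    rule_id: Optional[str]
    resource_id: str
    remediated: bool
    detail: str


class FakeIam:
    """Minimal stand-in for boto3.client('iam') so the example runs offline."""

    def __init__(self) -> None:
        self.calls: List[dict] = []

    def update_access_key(self, **kwargs) -> dict:
        self.calls.append({"op": "update_access_key", **kwargs})
        return {}


def cis_rule_id(finding: dict) -> Optional[str]:
    match = CIS_RULE_RE.search(finding.get("GeneratorId", ""))
    return match.group(1) if match else None


def deactivate_unused_access_key(finding: dict, iam) -> Tuple[bool, str]:
    """Playbook for CIS 1.3 (credentials unused for 90 days): set the key to
    Inactive instead of deleting it, so the action is reversible."""
    details = finding["Resources"][0].get("Details", {}).get("AwsIamAccessKey", {})
    user, key_id = details.get("UserName"), details.get("AccessKeyId")
    if not user or not key_id:
        return False, "finding lacks UserName/AccessKeyId; needs manual review"
    iam.update_access_key(UserName=user, AccessKeyId=key_id, Status="Inactive")
    return True, f"access key {key_id} for {user} set to Inactive"


# CIS control id -> playbook. Controls without a playbook are escalated, never guessed.
PLAYBOOKS: Dict[str, Callable[[dict, object], Tuple[bool, str]]] = {
    "1.3": deactivate_unused_access_key,
}


def run_playbook(finding: dict, iam) -> RemediationStatus:
    rule = cis_rule_id(finding)
    resource_id = finding["Resources"][0]["Id"]
    playbook = PLAYBOOKS.get(rule or "")
    if playbook is None:
        return RemediationStatus(finding["Id"], rule, resource_id, False,
                                 "no playbook for this control; manual remediation required")
    try:
        ok, detail = playbook(finding, iam)
    except Exception as exc:  # a failed remediation is reported, not hidden
        ok, detail = False, f"playbook raised {type(exc).__name__}: {exc}"
    return RemediationStatus(finding["Id"], rule, resource_id, ok, detail)


def status_item(status: RemediationStatus) -> dict:
    """Record shaped for a DynamoDB put_item call, keyed on the finding id."""
    return {"FindingId": status.finding_id, "Rule": status.rule_id or "unknown",
            "Resource": status.resource_id, "Remediated": status.remediated,
            "Detail": status.detail}


def slack_text(status: RemediationStatus) -> str:
    verdict = "auto-remediated" if status.remediated else "NOT remediated (manual action needed)"
    return f"[CIS {status.rule_id or '?'}] {status.resource_id}: {verdict}. {status.detail}"


# Constructed sample finding: placeholder account id, user and key, not real values.
SAMPLE_FINDING = {
    "Id": "example-finding-0001",
    "GeneratorId": "arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/1.3",
    "Resources": [{"Type": "AwsIamAccessKey",
                   "Id": "arn:aws:iam::000000000000:user/example-user",
                   "Details": {"AwsIamAccessKey": {"UserName": "example-user",
                                                   "AccessKeyId": "AKIAEXAMPLEKEY000000"}}}],
}

if __name__ == "__main__":
    iam = FakeIam()
    result = run_playbook(SAMPLE_FINDING, iam)
    print(slack_text(result))
    print(status_item(result))
```

The design point is the allowlist of playbooks: a finding whose control has no entry is reported to Slack as needing manual action, which is the same branch the real service takes when auto-remediation fails. Swapping FakeIam for `boto3.client("iam")` is the only change needed to run the CIS 1.3 playbook for real.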
"We'd never really worked with AWS Security Hub or CloudWatch before," said the team members, "so that was a bit of a learning curve. Initially we'd planned to use Amazon SQS (Simple Queue Service) to publish the status to the end user, but we weren't able to consume all the messages in the queue at once. We decided to replace it with DynamoDB instead, which turned out to be the right choice." Cloud Linguists plans to keep working on their project, building out their playbooks to be more polished and user-friendly. Stay tuned, you may hear from them in the future!
Team Members: Vishnu Prasad, Umar Farook
Topic: AppSec Lab for .NET Applications
Description: Team WebXploit decided to go with something educational for their project. They built a comprehensive lab that simulates security attacks and defence strategies in ASP.NET Core, so that a newcomer can learn hands-on how good and bad practices of offensive and defensive security play out in a real-world environment. To narrow their focus somewhat, they settled on demonstrating the OWASP Top 10 attacks in ASP.NET Core. They began by implementing the exploits that affect ASP.NET Core, and built both attack and defence workflows into the lab, because as any good security engineer will tell you, a Purple Team approach isn't just better, it's necessary.
Their lab was built to teach the best and worst security practices that are common when dealing with security incidents. They also created a handy knowledge base to help an engineer during ASP.NET code review. "When we came up with this project," said Vishnu and Umar, "the idea was to create a really solid, hands-on way to teach about security practices that wasn't just theory and reading. We wanted to make something that could eventually become a full-fledged course on AppSecEngineer, and I think we're on the right track!" To learn more about our new platform with 25+ courses in every field of AppSec, check out AppSecEngineer.
Team Members: Manjunatha Swamy, Joshua Jebaraj
Topic: Cloud Security Assessment Matrix
Description: Team YAMM (we love the name) worked on a 'Cloud Security Maturity Model' that takes in the user's inputs and evaluates the 'maturity' of their application's or network's cloud security. The concept is very simple: it presents a questionnaire about your AWS security configurations, and you 'rate' the level of each configuration from 1 to 10. The questions are grouped by the AWS service they pertain to, such as Amazon S3, EC2 and Identity and Access Management. For Fedex Day, the team decided to stick with 6 major AWS services.
The questions can range from "Have you enabled MFA for Users?" to "Does your EC2 run with root privileges?" The model then evaluates your answers and gives you a result that shows you how 'mature' or secure your network/apps are. "AWS has over 170 services," Joshua and Manjunatha commented, "so it was a task just to narrow them down to the ones we wanted. The bulk of our work was in researching and figuring out what kinds of questions we needed to ask and how the answers would be evaluated. What we've made is still a rough model, so we're really looking forward to making it more robust." Team YAMM is planning to add more AWS services to the model, add a slick GUI to make it more user-friendly, and in future even create models for Azure and GCP. We can't wait to see it!
Team Members: Abhishek Dharani, Akash Methani, Chandra Shekar Gouda
Topic: Burp Extension to Detect Cache Poisoning & Host Header Injection
Description: Host header injection and cache poisoning are like a tag-team of bad news for your website. Here's how it happens: a web page reads the Host header in server-side logic and includes it in the response. If the server is misconfigured, an attacker can supply their own Host header value and see it reflected in the response. When the affected page is cached, this results in instant cache poisoning, because the cache now serves the attacker's value to every later visitor. Team Vision set out to make an extension for Burp Suite that looks for web pages served by a cache server and sends requests with headers that override the Host header. If the override goes through and the value is reflected in the response, the extension raises an alert in the Burp Issues tab, notifying the security engineer of potential cache poisoning.
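From the defender's side, the fix for the reflection the extension hunts for is to stop trusting the Host header when building absolute URLs. The following added example, which is not Team Vision's extension or any project code, shows a password-reset handler that reflects Host beside a hardened version that validates it against an allowlist and always builds links from a configured canonical host. The request dicts, ALLOWED_HOSTS and CANONICAL_HOST are constructed for the demo, and `reflects_canary` is the kind of regression check a team can keep in its own test suite.

```python
"""Added example (hypothetical code): Host header reflection, vulnerable vs hardened.
Request dicts, ALLOWED_HOSTS and CANONICAL_HOST are constructed for the demo."""
from typing import Dict, Optional, Tuple

ALLOWED_HOSTS = {"app.example.test", "www.example.test"}
CANONICAL_HOST = "app.example.test"


def validate_host(request: Dict[str, str]) -> Optional[str]:
    """Return the request host if it is on the allowlist, else None.
    Override headers such as X-Forwarded-Host are deliberately ignored; only
    the proxy in front of the app may rewrite Host, before this code runs."""
    raw = request.get("Host", "").strip().lower()
    host = raw.split(":", 1)[0]  # drop an explicit port, e.g. "app.example.test:443"
    return host if host in ALLOWED_HOSTS else None


def reset_link_vulnerable(request: Dict[str, str], token: str) -> str:
    """Builds the absolute URL from whatever Host the client sent. Behind a
    cache, the attacker's host ends up in the copy every later visitor gets."""
    return f"https://{request['Host']}/reset?token={token}"


def reset_link_hardened(request: Dict[str, str], token: str) -> str:
    """Rejects unknown hosts and never echoes the header back: the link is
    always built from the configured canonical host."""
    if validate_host(request) is None:
        raise ValueError("untrusted Host header")
    return f"https://{CANONICAL_HOST}/reset?token={token}"


def handle(builder, request: Dict[str, str], token: str) -> Tuple[int, str]:
    """Tiny stand-in for a web framework: 200 with the body, or 400 on rejection."""
    try:
        return 200, f"Reset your password: {builder(request, token)}"
    except ValueError as exc:
        return 400, str(exc)


def reflects_canary(body: str, canary: str) -> bool:
    """Regression check: does a response built for a canary Host value
    contain that value anywhere? It should never be true after hardening."""
    return canary.lower() in body.lower()


# Constructed requests: a legitimate client, an attacker-controlled Host,
# and an attempt to slip the value in through X-Forwarded-Host instead.
GOOD = {"Host": "app.example.test:443"}
INJECTED = {"Host": "evil.example"}
OVERRIDE = {"Host": "www.example.test", "X-Forwarded-Host": "evil.example"}

if __name__ == "__main__":
    builders = (("vulnerable", reset_link_vulnerable), ("hardened", reset_link_hardened))
    for name, req in (("good", GOOD), ("injected", INJECTED), ("override", OVERRIDE)):
        for label, builder in builders:
            status, body = handle(builder, req, "t0k3n")
            print(f"{name:9}{label:11}{status} reflected={reflects_canary(body, 'evil.example')}")
```

Note that the hardened handler does not "clean" the Host value and then use it; it validates, then discards it. A cache in front of the application still needs its cache key to cover the headers the application varies on, but the reflection that makes poisoning instant is gone once no user-supplied host reaches the response.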
The team used Jython to develop the extension, but had to learn a whole host of new skills to build a Burp extension, something they'd never done before. "That was the scary part," they said, "we'd never made an extension from scratch before, so it was like we were laying down the railway track right in front of a moving train. Not sure how we got it done in less than 2 days, but we did!" The team intends to develop the extension further, publish it on the BApp Store, and extend compatibility to OWASP ZAP.
Team Members: Sharath Kumar, Tilak T, Nithin Jois
Topic: Kubernetes Threat Hunting
Description: On 26 August, the K-Hunters were ready to hunt down some serious Kubernetes threats. But while they were experienced with K8s, threat hunting was relatively new ground for them. They chose to threat-hunt in Kubernetes clusters because there isn't a whole lot of research in that area. Their goal was to sift through the logs generated by the K8s cluster and the DaemonSets they deployed, look for malicious activity and flag it. They wrote their own set of rules and used Open Policy Agent for validation, since it's easy to scale. Logs that their rule engine considered 'dangerous' were stored in a database called Macrometa for further analysis.
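As an added illustration of what "rules over cluster logs" looks like, here is a small Python rule engine over Kubernetes audit events. It is not the K-Hunters' engine (theirs used Open Policy Agent); the audit events are constructed in the kube-apiserver audit JSON format, the rule set and the noise filter are assumptions, and the output is the list of 'dangerous' events a hunt would hand on for further analysis.

```python
"""Added example (hypothetical code): a rule engine over Kubernetes audit events.
The audit lines below are constructed; the rules are assumptions for the demo."""
import json
from typing import Callable, Dict, List

Event = Dict
Rule = Callable[[Event], bool]

# Read-only traffic from core controllers dominates audit volume and is not
# where a hunt starts, so it is filtered before any rule runs.
NOISY_PRINCIPALS = ("system:kube-controller-manager", "system:kube-scheduler",
                    "system:apiserver")


def username(ev: Event) -> str:
    return ev.get("user", {}).get("username", "")


def resource(ev: Event) -> str:
    return ev.get("objectRef", {}).get("resource", "")


def is_noise(ev: Event) -> bool:
    return username(ev) in NOISY_PRINCIPALS and ev.get("verb") in ("get", "list", "watch")


def exec_into_pod(ev: Event) -> bool:
    """An interactive shell in a running pod is always worth a look."""
    return (ev.get("verb") == "create" and resource(ev) == "pods"
            and ev.get("objectRef", {}).get("subresource") == "exec")


def secrets_read_by_human(ev: Event) -> bool:
    """Service accounts read secrets all day; a human identity listing them is rarer."""
    return (ev.get("verb") in ("get", "list") and resource(ev) == "secrets"
            and not username(ev).startswith("system:"))


def privileged_container_created(ev: Event) -> bool:
    if ev.get("verb") != "create" or resource(ev) != "pods":
        return False
    spec = ev.get("requestObject", {}).get("spec", {})
    return any(c.get("securityContext", {}).get("privileged") is True
               for c in spec.get("containers", []))


def anonymous_success(ev: Event) -> bool:
    """Anonymous requests that were denied are expected; ones that succeeded are not."""
    return (username(ev) == "system:anonymous"
            and ev.get("responseStatus", {}).get("code", 0) < 400)


RULES: Dict[str, Rule] = {
    "exec-into-pod": exec_into_pod,
    "secrets-read-by-human": secrets_read_by_human,
    "privileged-container-created": privileged_container_created,
    "anonymous-request-succeeded": anonymous_success,
}


def hunt(events: List[Event]) -> List[Dict]:
    """Return one finding per (event, rule) match, skipping noise first."""
    findings = []
    for ev in events:
        if is_noise(ev):
            continue
        for name, rule in RULES.items():
            if rule(ev):
                findings.append({"rule": name, "auditID": ev.get("auditID"),
                                 "user": username(ev), "verb": ev.get("verb"),
                                 "resource": resource(ev)})
    return findings


def parse_audit_log(text: str) -> List[Event]:
    return [json.loads(line) for line in text.splitlines() if line.strip()]


# Constructed audit log, one JSON event per line (placeholder users and names).
SAMPLE_AUDIT_LOG = "\n".join(json.dumps(e) for e in [
    {"auditID": "a1", "verb": "list", "user": {"username": "system:kube-controller-manager"},
     "objectRef": {"resource": "secrets"}, "responseStatus": {"code": 200}},
    {"auditID": "a2", "verb": "create", "user": {"username": "jane@example.test"},
     "objectRef": {"resource": "pods", "subresource": "exec", "name": "web-0"},
     "responseStatus": {"code": 101}},
    {"auditID": "a3", "verb": "list", "user": {"username": "jane@example.test"},
     "objectRef": {"resource": "secrets", "namespace": "prod"}, "responseStatus": {"code": 200}},
    {"auditID": "a4", "verb": "create", "user": {"username": "system:serviceaccount:ci:deployer"},
     "objectRef": {"resource": "pods"},
     "requestObject": {"spec": {"containers": [{"name": "dbg", "securityContext": {"privileged": True}}]}},
     "responseStatus": {"code": 201}},
    {"auditID": "a5", "verb": "get", "user": {"username": "system:anonymous"},
     "objectRef": {"resource": "pods"}, "responseStatus": {"code": 403}},
])

if __name__ == "__main__":
    for finding in hunt(parse_audit_log(SAMPLE_AUDIT_LOG)):
        print(finding)
```

The noise filter is the part that matters at the volumes the team hit (hundreds of thousands of events in half an hour): controller list/watch traffic is dropped before any rule is evaluated, and the denied anonymous request is left alone because only successful anonymous access is interesting.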
It wasn't all smooth sailing, though. After running a couple of workloads, the cluster generated over 300,000 logs in 30 minutes! After analysing the logs, they identified patterns in them and filtered out what wasn't necessary. "We took this project up primarily to learn about threat-hunting," the K-Hunters said, "and to get a better understanding of logging in Kubernetes. Except for setting up the Kubernetes cluster, almost everything else was pretty new to us and we ended up learning a lot! And presenting our project to everyone else felt pretty awesome."
Team Members: Abhishek M, Madhu Kumar, Sahad Thangal
Topic: Automating Recon Workflow and Vulnerability Scanning
Description: For their project, team CodeX settled on building an automation tool that performs reconnaissance, sorts the results, scans for commonly found vulnerabilities, and sends push notifications to the user's Slack or Telegram once recon and vulnerability scanning complete. Automating the whole recon and scanning process brings the obvious benefits of efficiency and time savings. In addition, the automation script uses open source tools, so adding new tools or replacing existing ones is a simple matter.
The project can also be built out to be more robust with features like a slick UI and detailed reports that use colour coding to highlight Critical, High and Medium severity issues. The team faced their fair share of challenges, however. Integrating multiple tools and generating outputs for each of them was particularly tricky, because the output had to be in a format that could be used as input for Nuclei, a vulnerability scanner. "Working on a project like this helped us get a working understanding of Recon Workflow, because we really had to get our hands dirty with the process. It was also fun figuring out how to use a Python script for automation and work with multiple tools and compare results."
we45 Fedex Day 2021 was the biggest competition we've ever hosted at we45, with people from all over the country working on-site and remotely to deliver some really cool projects. It was the best kind of nerdy AppSec science fair, and every team had something interesting to contribute. "I think this was the best ever Fedex Day we've had," said Abhay Bhargav, one of the judges. "We really had serious projects executed by serious people who really learnt things in these last two days." "It's important to point out," commented Rahul Raghavan, who was also a judge, "that every single team put their very best into their projects, and it was refreshing to see the enthusiasm. Even the teams that didn't win have still contributed something cool, and that's really what we're looking for from these competitions." So, who won we45 Fedex Day 2021?
For this hotly contested spot, team Vision bags the prize! Their incredibly useful Burp Suite extension has direct and immediate applicability in a security testing scenario, and has plenty of potential to grow into even more robust and polished software that could be released on the BApp Store for the wider public to use.
Judges' Comments: Team Vision came up with an excellent project idea in their Burp extension, and executed it well. The project had a crystal-clear vision (no pun intended) and all 3 team members worked together instead of in silos. They gave a strong, compelling presentation that was easy to follow, and the extension has already been made available for the team to try out. The project can also prove valuable in future by being released on the BApp Store or extended to work with OWASP ZAP, which would be a real contribution to the open source community.
The 'big kahuna' prize went to the Kubernetes experts, team K-Hunters, who chose an innovative and relatively less-explored side of Kubernetes security, which is fast becoming a must-have skill in the modern security landscape. It also makes sense in the context of we45's portfolio of services, augmenting the existing research in a big way.
Judges' Comments: The K-Hunters' work in Kubernetes threat-hunting is highly scalable, which is a major win when dealing with K8s clusters. The architecture and execution were solid, and the presentation was equal parts entertaining and thorough. Given the pre-eminence of Kubernetes in the contemporary software landscape, this project simply made a lot of sense in how relevant and useful it is. It was unique and creates a lot of interesting possibilities for Kubernetes security testing in the near future.
The judges were particularly impressed with the work of teams Cloud Linguists and YAMM for their AWS cloud security projects. The simplicity and widespread applicability of Cloud Linguists' AWS Security Playbook and YAMM's Cloud Security Maturity Model made these projects particularly attractive.
Judges' Comments: Both these teams were strong contenders for the runner-up prize. Both were well thought-out and executed, and the ideas were unique. However, both projects still have a long way to go to reach a stage of 'completion' where they evolve beyond the concept phase. In fact, the two projects could prove to be extremely powerful in combination with each other, and we're looking forward to seeing how the team members further develop their ideas.
we45 Fedex Day 2021 was the biggest and most ambitious competition we've ever done, and it was a welcome change of pace. Having gone completely remote since the pandemic, this was the first time in 2 years that so many we45 team members participated in the same event. But this was about more than just reconnecting with the whole team.
So that was we45 Fedex Day 2021. We saw 7 incredible new projects spearheaded by the awesome people here at we45. 26th & 27th August were a whirlwind couple of days, and the race to finish was nail-biting. Massive thanks to all the teams who participated in we45 Fedex Day, and congratulations to the winners! But this isn't the last you're hearing from us! Follow us on Twitter or LinkedIn and you might just see these projects pop up again in the weeks and months to come.