
Thriving as an app security engineer: 6 reasons to work in cybersecurity

Although the application security (app sec) role can seem the same in every industry, it’s not. Businesses operating in general industries offer fewer possibilities for comprehensive professional growth than security-focused companies. That was the case for Marvin Petzolt, a Senior Application Security Engineer at Nord Security, who jumped from an application security engineer role at a music-sharing business to a security-oriented company. Let Marvin tell us in his own words what factors make app sec professionals thrive at our company.
Marvin Petzolt, Senior Application Security Engineer at Nord Security

#1 You make an impact

Many people, including me, enjoy working at a place where you can make an impact. As an app security engineer at Nord, I can influence security design and the implementation of some of the greatest cybersecurity products in the industry – NordVPN, NordPass, NordLayer, and NordLocker. By ensuring high-security standards for each product, I contribute to building meaningful, user-friendly, and security-centric consumer solutions valued by millions of people and businesses worldwide.

However, having a tangible impact on security products is not the only way I can make a difference. My security recommendations and guidelines are also taken into account when improving business operations or team workflow. For example, when I joined the Application Security Team, we would be notified of upcoming Nord product updates mainly via our automation and notification bots. However, this approach left us very little time between security testing of an upcoming feature and its release to production, which naturally increased pressure on the team.

So I initiated the concept of security product owners, establishing a bi-directional exchange between a specific Nord product and the Application Security team. This concept allowed us to improve communication between developers, team leads, and the Application Security team.

We’re now notified about upcoming changes significantly earlier, leaving us enough time for all the necessary app security tests.

#2 You can reach your full professional potential

The truth is that being an application security specialist in the general industry doesn’t let you reach your full professional potential due to the limited app security cases and tasks you’re working on. This was one of the key reasons why I left a promising application security engineer role at one of the best-known music-sharing companies. There I was securing mainly one app, so the security issues that challenged me were limited.

I wanted to face different app security cases, advance my career, and concentrate more on technical work, security design, and cryptography – things I’m passionate about.

A security-focused company like Nord Security, with its wide range of applications and potential for different security cases, seemed like a natural solution to fulfill all these goals.

#3 You work with meaningful products and interesting challenges

At Nord Security, I’m contributing to building meaningful products – such as NordVPN, NordPass, NordLayer, and NordLocker – that secure people and businesses online.

Most of the time, I focus on cryptography, security architecture, and low-level, client-side implementations. I perform occasional design reviews, threat model sessions, pentesting of features and release candidates, and security code reviews.

Still, my tasks are pretty diverse and depend on what I want to work on. One day I might look into NordLocker’s architecture and how it will encrypt files in the future. The next day, I’ll focus on reviewing the code of NordVPN’s Meshnet feature, establishing a peer-to-peer connection between two endpoints to exchange data or route internet traffic to verify that it is implemented securely. I’ll sometimes also do a black-box security assessment on the NordPass Android release client.

#4 You work with an experienced team

Working in a security-centric company like Nord Security, you can be sure that you’ll always be guided by some of the best professionals in the cybersecurity field.

If you’re facing a challenging situation that is too difficult or complex to cope with on your own, the whole Application Security team comes in to help. The most experienced team member assesses the issue based on severity and validity. If it’s valid, we determine as a team how we can support escalating the issue and jump in to help resolve it as fast as possible.

One of the most useful insights I have received from my team is that an app sec professional doesn’t have to know or be involved in all aspects of the team’s work. Application security has many subcategories and specializations, such as Windows Security, Linux Security, Android, and iOS security. It’s hard enough to keep up with one specialization, but keeping up with all of them is nearly impossible. So it’s OK not to be an expert in all of these technologies, and this is where you can rely on the other members of your team.

Another valuable tip – don’t over-complicate. Keep it user-friendly. The perfect security solution usually doesn’t exist or comes with a heavy impact on the user experience. Having a 32-character password requirement or providing your biometric authentication for every action you take on the app doesn’t help anybody. So it is important to focus on realistic threats and put minor theoretical risks aside for later.

Finally, my team taught me how important it is to keep the cryptographic systems simple. When designing a cryptographic system, the key is to keep it as simple as possible so that anybody can understand it and be able to securely extend this system. The more features and changes are added, the more complex the system becomes. That’s why it is necessary to redesign and realign the cryptographic design from the ground up to better fit the new requirements. If you don’t do that, you have a design that nobody understands. That makes it impossible to apply the necessary security and confidentiality measures.

#5 You are given opportunities to learn

If you’re just starting out in an app security position, coming from a slightly different field, such as web or cloud security, or simply want to learn more, even in a senior position, your team and the whole company will be there to help you grow.

If you’re a newbie, one member of your team will become your onboarding buddy, helping you to get up to speed with everything that is going on in the Application Security team. Additionally, you will be provided with a dedicated document leading you through your 30- and 90-day milestones and a checklist of all the tools and access you require to get started.

To keep our team performing at its best, we have knowledge-sharing sessions, pairing sessions, and daily standups. All this helps us stay updated on each other’s work, share best practices, and sharpen our skills in the app security field. As a team, we also have a Friday tradition of “self-allocated time” when we learn something new. What we choose to learn can be anything from technologies, reading blog posts, news articles, or methodologies. Did you ever want to learn how to develop iOS applications or do a CTF? Then self-allocated time is meant for that.

Collaboration with other teams also has a huge impact on advancing your expertise in app security. It improves your soft skills and teaches effective communication about the risks and severities of security issues. It also gives you a direct connection to developers, which means that they will come to you with questions and concerns during the development process. In turn, it gives you a unique inside look into the technical foundation of the developed software. Just like that, I learned new technologies and programming languages on the fly since they were required to understand the source code and implementation details.

At the company level, we have knowledge-sharing events. One such example is Tech Days, allowing our people to stay in tune with the latest tech and cybersecurity news, trends, and advancements.

Nord Security also offers a personal development budget that can be used for training or certifications, helping us improve in our field. Moreover, teams often visit various conferences, such as Black Hat, to keep a finger on the pulse of the latest in the field of information security.

Last but not least, everybody can have their own personal development plan. It helps me stay aligned with the overall goals of the security team and how my part might fit in the bigger picture. Personally, I would like to dive even deeper into security architecture and cryptography, so I have aligned this goal on my personal development plan in cooperation with my manager.

#6 You don’t have to convince everyone of the importance of security

As an app security specialist, you understand that security should be a top priority in every company. And if you ask a company about it, of course they will say security is their number one priority, but is this actually true? From my experience, you always end up arguing with product managers, product owners, and engineering managers about security improvements. Yet in a company that has security as its main selling point, it becomes easier to motivate security changes and push people in the right direction.

All these reasons are why application security professionals thrive at Nord Security. If you also want to advance your career in this field, join the Application Security team in Lithuania, Germany, or remotely by applying HERE.

About Version 2 Digital

Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.

Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About Nord Security
The web has become a chaotic space where safety and trust have been compromised by cybercrime and data protection issues. Therefore, our team has a global mission to shape a more trusted and peaceful online future for people everywhere.

The Dark Stuff – Tor – Continued

Intro

Last time we talked about how to access the Tor network, what it is, what a Tor circuit and a torrc file are, and other basics. This time I’d like to focus on some of the core Tor concepts, as well as the considerations, issues, weaknesses, and risks inherent to Tor, and how to manage and mitigate them.

Hidden services

A hidden service is basically just a relay that offers a web service or any other Internet service. It is accessible only through a .onion URL, and its actual IP address is hidden behind the Tor circuit.

To host a hidden service, install a web server or whatever other service you want to host, then add this to your torrc file:

HiddenServiceDir /var/lib/tor/service
HiddenServicePort 80 <ip>:80

Tor will then generate a public/private key pair for your service and write it to a file called private_key. It will also create a hostname file.

For example, with the HiddenServiceDir above, both files live in that directory:

/var/lib/tor/service/private_key
/var/lib/tor/service/hostname

The hostname file contains your .onion address, which encodes your service’s public key.

Obviously, to run a service like this you need to know what’s at stake. If you’re doing it at all, you presumably want to hide your IP, so you should harden your systems appropriately and take the risks into account.

This can be achieved in a myriad of ways, so I like to think about these topics from a more general, high-level perspective. One way to isolate yourself is proper virtualization and compartmentalization. Whonix also comes to mind: its two-VM setup routes all your traffic through the Whonix gateway, and both systems are hardened and preconfigured out of the box (though they should be reconfigured if necessary). This is one example of how you might make it harder for attackers to figure out your real IP address.
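As an added example (not from the original post), the check below lints the two torrc directives shown above. The two hardening pitfalls it looks for follow from the post’s own point about hiding the real IP: a HiddenServicePort whose target is not a loopback address leaves the backend reachable outside Tor, and a HiddenServiceDir that is group- or world-accessible exposes private_key. The sample torrc is constructed; the directory-mode check is optional because the paths need not exist where this runs.

```python
"""Lint a torrc for hidden-service configuration pitfalls (added example)."""
import ipaddress
import os
import stat

# Constructed sample torrc: one service forwards to loopback, the other
# forwards to a routable address, which lets the backend be reached without Tor.
SAMPLE_TORRC = """\
HiddenServiceDir /var/lib/tor/service
HiddenServicePort 80 127.0.0.1:8080

HiddenServiceDir /var/lib/tor/leaky
HiddenServicePort 80 203.0.113.10:80
HiddenServicePort 22 22
"""


def parse_hidden_services(text):
    """Group HiddenService* directives into per-service dicts, in file order."""
    services = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, *args = line.split()
        if key == "HiddenServiceDir":
            services.append({"dir": args[0], "ports": []})
        elif key == "HiddenServicePort" and services:
            # "HiddenServicePort VIRTPORT [TARGET]"; a missing target means 127.0.0.1:VIRTPORT
            target = args[1] if len(args) > 1 else args[0]
            services[-1]["ports"].append((int(args[0]), target))
    return services


def target_is_loopback(target):
    """True if the forward target stays on the host: unix socket, bare port, or loopback IP."""
    if target.startswith("unix:") or target.isdigit():
        return True
    host = target.rsplit(":", 1)[0].strip("[]")
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return host == "localhost"


def lint(text, check_fs=False):
    """Return findings for the torrc text; check_fs also inspects directory modes on disk."""
    findings = []
    for svc in parse_hidden_services(text):
        for vport, target in svc["ports"]:
            if not target_is_loopback(target):
                findings.append(f"{svc['dir']}: port {vport} forwards to non-loopback {target}")
        if check_fs and os.path.isdir(svc["dir"]):
            mode = stat.S_IMODE(os.stat(svc["dir"]).st_mode)
            if mode & 0o077:
                findings.append(f"{svc['dir']}: mode {oct(mode)} is not private; expected 0700")
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_TORRC):
        print(finding)
```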

However, I am not an expert on running hidden services, far from it. I just wanted to ‘define’ them so I can tie them into the overall narrative here.

Tor2web

Tor2web lets you access hidden services with a standard web browser, without connecting to the Tor network.

Basically, wherever you see a .onion URL, you can replace it with .onion.to, .onion.city, .onion.cab, .onion.direct, etc. Note that this is not anonymous or private in any way; it is just a way of reaching a hidden service without connecting to the Tor network.

From the Tor2web site:

WARNING: Tor2web only protects publishers, not readers. As a reader installing Tor Browser will give you much greater anonymity, confidentiality, and authentication than using Tor2web. Using Tor2web trades off security for convenience and usability.

Tor – reflections – .onion URLs, stuff & risk

Since the dark web is not indexed by clearnet search engines, finding and discovering hidden services can be difficult. Places where you can find .onion links are usually hidden wikis, Twitter, Reddit, Pastebin, GitHub, and internet forums. You should be able to find these links with a Google search as well.

*A note on hidden wikis: many websites claim to be “the” hidden wiki or the uncensored Tor hidden wiki. Be mindful if and when clicking on them, as you can’t always be sure where that exit node is leading you.

As you know, Tor is decentralized by nature, so there is no list of all hidden services, but there are hidden services whose task is to catalog those known .onion addresses.

Such as this.

There are also Torch, Sinbad, and other search engines, but it remains up to you to decide how trustworthy they are.

While we’re on the topic, I’d like to point out that you should always be mindful of the potential risks you’re opening yourself to. Every action counts, and you should take necessary precautions, always.

A good way to illustrate this is the CTFs I participated in that required us to investigate data collected from Tor pertaining to a slew of illegal activities. The organizers simply didn’t render any content, thus eliminating the risk for us analysts.

You could only see what was relevant for your investigation, be that a hash, bitcoin address, email address, or anything else that was of relevance and scraped to the dataset.

When you’re doing this by yourself, there’s no organizer to filter out stuff for you, so always be mindful of that.

More reflections on Tor and Mitigations

Tor prevents your ISP/local network from knowing what you visited, prevents tracking, and helps with avoiding censorship.

However, the three-letter agencies dislike Tor, mainly because Tor is the best network for these uses. It is therefore always under attack, and when it is, the goal is mostly to deanonymize its users.

If you’re in a location that might be targeted, the risk is high, or your adversary has significant resources, you should not rely on Tor alone to anonymize you.

Another big weakness of Tor is you, the user. Poor OPSEC defeats the purpose of Tor by default.

Other weaknesses are browser-based attacks, as well as attacks against the host OS.

Of course, you can mitigate these attacks and reduce their probability, but that implies having some controls in place.

First and foremost, go back to Opsec basics, learn it inside and out, and create your model.

You should also leverage isolation, compartmentalization/virtualization to reduce the impact and possibility of browser exploits (or other attacks) being successful.

Never install Tor on your main OS, especially if the consequences are high.

Use hardened VMs.

Just running the Tor Browser on Windows is NOT a good idea. Assume the Tor Browser is exploitable and mitigate appropriately: use isolation.

Whatever your isolation is, it also needs to be hardened.

To future-proof yourself against unknown threats, you need non-persistence; you should not rely on the Tor Browser to purge all of that data fully reliably. You can get non-persistence through Tails and other live OSes, through VMs, or by using whole-disk encryption and secure deletion. You can also combine these methods to better protect yourself.

Be aware of the design documentation – https://2019.www.torproject.org/projects/torbrowser/design/

Conclusion

I hope I’ve put you on a path down the rabbit hole called Tor! There’s so much more, and I will cover as much as I possibly can.

Stay tuned.

Cover image by JC Gellidon

#tor #risk #tracking #deanonymization


About VRX
VRX is a consolidated vulnerability management platform that protects assets in real time. Its rich, integrated features efficiently pinpoint and remediate the largest risks to your cyber infrastructure. Resolve the most pressing threats with efficient automation features and precise contextual analysis.
