Saturday, August 13, 2016

Free security tests for EFSS vendors

Or maybe "Free security tests of EFSS products for users - to help secure their data and improve user experience".

I want to contribute to the world. I've been looking for my "after-hours purpose" and I want this to be it for the next couple of months. There are many great security researchers doing a lot for the world and I want to add something at least a bit meaningful. It's not as great a contribution as hacking ATMs and medical devices, breaking browsers or making antivirus vendors flop, but it's still something.

I'm starting with a project of security tests and kind-of business analysis of 12 EFSS products, where I'm going to spend over 720 hours (12x60h) checking their security and abuse-protection mechanisms, learning about the smallest security features, possibly finding security vulnerabilities and, after I've learnt all that, coming up with easy guides for users on how to use each and every one of those products.
I've been in the EFSS space for quite some time and seen tons of stuff like the problems users face, business requirements etc., so it seems to me like a good idea to research all the major products and help ensure users' data is safe with any product. And if it's not safe enough - work with the particular vendor to make it better.

I've been struggling with the choice of vendors I should test, because there are actually only a few major vendors and it was hard for me to assess which of the other EFSS vendors are actually worth putting my hands on. Unfortunately I don't have time to test all the products on the planet, so I had to choose those which have a reasonable customer base, as that's where the sensitive data is.
So when someone is already big on the market, I know I can put in the work, because even for PR reasons they'll want to get security issues fixed. It's about mutual benefit, and I don't want to waste X hours on some small vendor which doesn't bother fixing identified issues.
Luckily, I don't need to worry about it anymore, as Gartner solved my problem. I'm going to go with the most popular and top-of-the-market vendors according to Gartner's Magic Quadrant for EFSS, and it looks like this:

My targets from Gartner's magic quadrant for EFSS in 2016 are:
- Varonis,
- Thru,
- Huddle,
- Intralinks,
- WatchDox,
- Syncplicity,
- Ctera,
- Acronis,
- Accellion,
- Dropbox,
- Box,
- Citrix.

I excluded Google and Microsoft, so I still have space for 2 vendors if they hit me up and request to participate in this marvelous project of mine. I have those 2x 60 hours to give away, but obviously I don't want to waste time on ultra-niche EFSS products that are in an alpha-of-alpha version at the moment. So if you want to put your company forward here, ask yourself whether your product stays somewhat close to the vendors on the list above.
What's wrong with Google and Microsoft? Absolutely nothing, actually quite the opposite - those guys have tremendous security teams and are actively running bug bounty programs, so I don't feel that I can contribute that much, and I'd prefer to spend that time on smaller vendors.

It's all a very high-level assumption. I skimmed through their offerings: some offer on-prem deployments with an odd trial request process, some seem to have very closed APIs for desktop and mobile devices, so test coverage between products will definitely vary. I want to focus on cloud offerings after all.
I estimate I'll finish with all 12 vendors by the end of the year, but I'm fine if something changes my plans and it gets shifted a couple of weeks. As long as I finish in Q1 2017, I'm comfortable with it.

I'm going to send out a note to the EFSS vendors that are the subject of my tests, and those that don't want to participate are free to decline, and I'll respect that. Obviously I'll inform the community about it so it's clear why I'm testing this one and not that one. I don't know why someone would turn down 60h of free security tests from a good guy - as bad guys are bashing around without permission anyway - but that's none of my business, they're free to choose.

You may wonder - why would I dedicate ~5 months of my life to analysing the security of EFSS products, even though it's obvious it won't make them ultimately safe - or safer at all, as I may spend those 60 hours without finding a single bug <- this happens, especially in the case of vendors like Dropbox, who have a very active bug bounty program and a crowd of people scanning their security.

Well, I already spent ~3 years doing the same for one vendor, so those 5 additional months don't look that bad. And I'm still working in the EFSS space anyway as a day job, so this after-hours personal project stays in the same lane.
While I'm doing this, it seems to me like a good idea to document and share the results of my research, so someone else doesn't need to duplicate the effort in case they want to know more about a specific product. And I'm talking here about both the business and the technical-security context.
If it ends up helping improve the security of any of those EFSS vendors, that's wonderful, but if not - nothing bad happens. I'll do my best, we'll see what the outcome is going to be.
Main goals are:
- learn at a low level how a dozen EFSS products work, as becoming more knowledgeable in all of these will allow me to be a better employee when working for my day-job EFSS vendor
- provide easy-to-use tutorials for each product's users so they know where to find the most important security features
- find vulnerabilities and flaws to improve the security of those products

After all, it's a learning experience with a chance to do something good.

And in case someone still isn't convinced that I'm doing it in good faith:
I'm going to follow responsible disclosure rules if I find any security bug, and I'll be working with vendors to make their products better. This initiative is not meant to find out who sucks the most and then bitch about products' flaws. It's meant to research how the EFSS market holds up overall and whether I can use my experience in the EFSS space to make it better.
Some time ago I decided that my purpose is to use my knowledge and experience to contribute as much as possible, so while I'm working in the EFSS space, I want to contribute here, as I know I'm simply good at it.
A few years from now I may move to the transportation space and, once I've gathered enough experience, start testing Uber and Tesla. Then I may move to the retail industry and bash around Tesco and Ocado, or get sucked into communications and try to crack the world of Snapchat, WhatsApp and Skype.
Oh boy, there is a tremendous number of great fields yet to be explored by myself and other security folks.
+ if not me, then who? It just feels good to be a subject-matter expert in something and knowledgeable enough to help others after that. Doing the right thing is always the right thing.

Yeah, a lot of ranting that almost no one except me cares about, so when do I start?
Within a couple of weeks. Surely this month, hopefully next week. There is a day job, which is always my priority, and I'll be doing this only when I'm done with everything else, as my regular commitments come first.
Before I rush into actual pentesting, I need to spend tens of hours reading about those vendors, their business goals and what problems they're trying to solve with their products. Then there will be quite some time spent on software setup, as some of them AFAIK are on-prem, and I won't count this towards my 60 hours. In case something is too messed up and takes too much time, or the API is so closed that there is no way to intercept it and do the testing, I may just drop the given product from my list, as low-level reverse engineering of the product and bypassing who knows how wicked protections is beyond my timeframe, interest and possibly skillset. Maybe one day, but not this time.

So if I'm starting in a few weeks, why am I writing about this now instead of taking action and just reporting findings when I have something actually valuable to share?
I've been thinking about this for a long time, as I do prefer to execute and then provide meaningful results, but there are a couple of arguments why. First of all, it's still an egoistic post for my future self, as already explained in my "Hello world" blog post. When I lose purpose or motivation in the future, I'll be able to look back and see what was firing me up back in the old days. Secondly, I want to use this post when explaining my intentions to EFSS vendors. Lastly, I need this to be public for the reason mentioned above - I'm able to add 2 vendors/products to my bucket.
+ maybe, just maybe, it will be a spark for someone else to do something similar or even better than me.

A lot of ranting, let's get our hands dirty. If you have any questions related to EFSS, any suggestions regarding this project or whatever - feel free to hit me up via email.

In the meantime I still have a few drafted articles that I want to publish, so there should be other interesting stuff coming out.
