Vulnerability Research: Here’s How it Works at Mend
There are many types of security research, from digging into malware to discovering the latest DDoS attack vectors. At Mend, vulnerability research is a primary focus for our research team, but even that area has many different avenues to pursue. For example, we tend to focus on open source vulnerabilities, so it is quite unlikely that you’ll see us doing reverse engineering and trying to understand assembly code. On top of that, there are many different methods and ways of conducting research.
Since October is Cybersecurity Awareness Month, we thought it would be a perfect time to take a quick look at how the Mend research team approaches our work. After all, raising awareness of cybersecurity issues is the whole goal of the month, so the more you learn, the better protected you and your organization will be from online threats.
Primary vulnerability research practices
1. The first one uses tools, specifically static application security testing (SAST) tools, to find weak security points in code in a systematic manner. Doing so can even provide a way to map the flow of the code, which is not an easy task. In today’s world, each application has endless lines of code connected in complex patterns. SAST tools help security researchers understand the complexities faster, which also accelerates the speed at which we find security vulnerabilities. Needless to say, this is a huge advantage.
2. The second approach we take is to use a more manual or freestyle approach. Here, each researcher uses their unique security knowledge and experience to focus and analyze the points that they know are more prone to security vulnerabilities.
While less systematic, this process allows us to apply our specific institutional knowledge to a situation, which gives us an edge that tools today can’t provide. Say, for example, that I noticed a small change that I’m familiar with, but that SAST tools still lack identifiers for. Or perhaps my colleague noticed that a fix implemented by an open source code maintainer didn’t protect against all of the different attacks discussed at a recent lecture.
Of course, we also use many methods that are needed across both practices. For example, to verify that a vulnerability is effective in a real-world scenario and that it can be leveraged in malicious attacks, we execute the code and dynamically try to inject payloads.
While this provides a high-level perspective on our main methods, there are of course many different approaches in vulnerability research. We are also quite intrigued by the possibilities of using artificial intelligence and big data to build tools to help us analyze open source code, for example.