LINE New-Grad Engineers: [June] Security Engineers

LINE welcomed 33 newly graduated engineers this year. In this monthly series, they introduce their experiences and give an overview of the work they do.

We have invited Mr. Koh from the Application Security Team to talk about his initial work and experiences.

Introduction

Hello! I am Koh You Liang, and I officially joined the Cyber Security Department's Application Security Team (AST) in Fall 2018. Before that, I worked part-time for the same team for over half a year. I was assigned to the Risk Assessment team and the Bug Bounty team, where I spent most of my time looking for vulnerabilities and verifying reports. Since then, I have also joined the Game Security Team and have been developing automation tools for both teams and improving in-house products like AIR GO.

This article is about how things went from my joining the company to becoming a junior member of the team. The training for new graduates was over in a month, so I quickly got to work on real issues.

I hope you’ll enjoy this article as much as I enjoyed writing it!

From Student to Security Engineer: My personal experience

I would like to preface this by saying that my experience may only be relevant to fresh university graduates. Many members of our team have previous work experience and can therefore get to work right away. Personally, I fondly remember this phase. When I first joined the company, like most of my peers, I started off as a part-timer, working three days a week while attending university. At first, although I had an idea of what vulnerabilities were, I had no idea how to practically find them during risk assessments. As such, I was attached to a mentor for a few months and worked with him by shadowing his process of looking for bugs in applications.

To newcomers: risk assessment is a continuous process that most members of the AST perform to evaluate services for vulnerabilities as they are updated or are due for release. Source code is usually provided, but part-timers may not have access to it at the start and will have to do a significant amount of blackbox testing.

Blackbox testing means you have to think like an attacker and find bugs by looking at the frontend and inferring what the backend actually does. Thankfully, many applications are web-based or have a web component, so it was not impossible to find and enumerate endpoints programmatically.

Part of my set-up during our internal hardware hacking workshop – finding the correct connectors.

However, for the web there is one part of the source code that is available to everyone: whatever is delivered to the browser, namely the HTML and JavaScript. For example, when one looks at a search function that takes user input, one naturally suspects the possibility of a Cross-site Scripting (XSS) attack. By sending special characters and checking whether they come back in the response, and how they are rendered on the page, it is possible to tell whether the endpoint is vulnerable.
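The probing technique described above, written out as an added example (this is not code from the original post or from LINE's tooling): a marker string followed by the characters that matter for HTML injection is sent as the search term, and each place the marker is reflected is inspected to see which characters came back raw and in what context (text node, tag attribute, or script). The HTTP request itself is left out so the example runs offline; the four response bodies are constructed to mimic how a search page might echo its query.

```python
import html
import re

# Constructed probe: an unusual marker so the reflection is easy to locate,
# followed by the characters whose treatment decides whether a payload could
# be injected. The marker and the sample responses below are made up.
MARKER = "qzx7probe"
SPECIALS = "\"'<>&"
PROBE = MARKER + SPECIALS

ENTITY = re.compile(r"&(?:#x[0-9a-fA-F]+|#[0-9]+|[a-zA-Z]+);")


def next_char(tail):
    """Consume one logical character from the start of tail.

    Returns (decoded_char, was_raw, consumed). An entity such as &lt; decodes
    to '<' but was_raw is False, because the server encoded it.
    """
    m = ENTITY.match(tail)
    if m:
        decoded = html.unescape(m.group(0))
        if len(decoded) == 1:
            return decoded, False, len(m.group(0))
    return tail[0], True, 1


def raw_specials(tail):
    """Return the set of SPECIALS that came back unencoded after the marker."""
    raw = set()
    pos = 0
    for expected in SPECIALS:
        if pos >= len(tail):
            break
        ch, was_raw, used = next_char(tail[pos:])
        if ch != expected:
            break  # character was stripped or replaced; stop comparing
        if was_raw:
            raw.add(ch)
        pos += used
    return raw


def context(body, idx):
    """Rough guess of where in the document the reflection at idx landed."""
    before = body[:idx]
    if before.rfind("<") > before.rfind(">"):
        return "attribute"  # inside a tag that has not been closed yet
    lower = before.lower()
    if lower.count("<script") > lower.count("</script"):
        return "script"
    return "text"


def analyse(body, marker=MARKER):
    """One finding per reflection: context, raw characters, and whether a
    payload could break out of that context."""
    findings = []
    for m in re.finditer(re.escape(marker), body):
        ctx = context(body, m.start())
        raw = raw_specials(body[m.end():])
        if ctx == "text":
            breakout = "<" in raw  # a raw '<' is enough to open a new tag
        elif ctx == "attribute":
            breakout = '"' in raw or "'" in raw  # close the attribute value
        else:
            breakout = '"' in raw or "'" in raw or "<" in raw  # end the string or the script block
        findings.append({"context": ctx, "raw": "".join(sorted(raw)), "breakout": breakout})
    return findings


# Constructed responses to the probe, not captured from any real service.
SAMPLES = {
    "encoded_text": '<p>Results for: qzx7probe&quot;&#x27;&lt;&gt;&amp;</p>',
    "raw_text": '<p>Results for: qzx7probe"\'<>&</p>',
    "attr_quote_raw": '<input type="text" value="qzx7probe"&#x27;&lt;&gt;&amp;">',
    "script": '<script>var q = "qzx7probe\\"&#x27;&lt;&gt;&amp;";</script>',
}


def scan_samples():
    return {name: analyse(body) for name, body in SAMPLES.items()}


if __name__ == "__main__":
    for name, findings in scan_samples().items():
        for f in findings:
            print(f"{name:15} context={f['context']:9} raw={f['raw']!r:9} breakout={f['breakout']}")
```

The attribute sample is the interesting one: angle brackets are encoded, which defeats the naive `<script>` test, but the double quote is not, so the value can still be closed and an event-handler attribute appended. The script sample shows the opposite: the quote is backslash-escaped for JavaScript, so the comparison stops at the first character and nothing is reported raw.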

Of course, I was not immediately able to find these bugs. My mentor recommended some practice sites to me, where I started with easy XSS and worked up to challenges that require chaining several vulnerabilities. I learned the ropes by reading bug reports from the entire team for about two weeks, and then finally found my first bug: a reflected XSS in a forum site. I eventually learned that web is only one of the categories we have to evaluate; just as security has many fields, there is also the mobile category, which involves analyzing both Android and iOS applications along with their code.

There is no structured training, as members are expected to be able to search the internet, the internal issue tracking system, and the wiki for answers. This is because engineering is very much like mathematics – practice makes perfect. By doing instead of hypothesizing, a person learns much more at a quicker pace.

I was basically doing blackbox testing for the entire period of my part-time work, so I grew to like web a lot, which was the impetus for me to start playing capture-the-flag (CTF), as many of my co-workers have done.

Capture The Flag (CTF)

CTF is an event, usually in the form of a competition between security professionals and/or students. There are two formats – Attack-Defense, where teams attack each other's systems while defending their own, and Jeopardy, where many teams compete to solve a set of security challenges within a limited time.

Many of my co-workers play or have played for famous teams. LINE is very supportive of CTF participation – members who qualify for the final round of any CTF around the world are given support similar to that of a business trip in order to compete. The hotel and flight costs are usually covered by the organizers, so we never have to worry about the cost of flying across the world. One of my co-workers plays for the top Japanese team ‘TokyoWesterns’, which has qualified for practically every major final around the world; they are an inspiration to me. In order to catch up with them, I joined the team ‘OpenToAll’, which was welcoming to beginners, and started playing every weekend.

The fruits of my effort were recognized after a year of playing, when my team was invited to Defcon China to compete in BCTF, with a prize pool of about 37,000 dollars. We ranked 9th out of 16 teams and went up against the famous team my co-worker plays for. I was thrilled not only to see them in person, but also to play on the same stage as them. My next finals this year will be in Vietnam, and I'm really looking forward to it!

Recently, one of the other teams in our company created a fun training program for newcomers. It is CTF-style training, shown in the screenshot below. I have only attempted a few of the challenges, but they are really interesting.

I think that this, coupled with our recruitment web test questions, would serve as good training for newcomers. I would strongly recommend that anyone, even non-security engineers, give it a try.

Security Community

■Conferences

Last year, during my second month of full-time work, I happened upon a training course at a conference that sparked my interest. So I went on a week-long trip to Dubai, where I attended the Hack In The Box conference and a training course on exploiting the Internet of Things (IoT).

LINE offers full support for overseas conference participation, and we have the autonomy to choose any conference in any part of the world. Our security department has also been sponsoring conferences such as SECCON and CODE BLUE. A few members of the AST are always on-site at those events, manning the booths and running the CTF for the respective competition.

This was us at CODE BLUE! My eyes were closed…

■Becks

As of this year, we have also started organizing our own meetups, termed ‘Becks’ (from the words ‘Beer’ and ‘Hacks’), at our very own LINE Cafe. During these meetups, security professionals, both internal and external, talk about various security topics while enjoying beer with the participants.

Orange-san from Taiwan, sharing how he hacked Jenkins by abusing meta-programming.

We just had our third session in June, and our next one will be around September, so look out for it on Becks.io.

Closing Words

Here’s a picture of some members of the AST, taken last year.

We look forward to you joining us!
