Digital Security Research Lab Results Over 5 Years
More than five years have passed since the official opening of the Digital Security research laboratory (known as the Digital Security Research Group, or DSecRG), and we decided to sum up the interim results of the unit in numbers and to note a number of the achievements that matter most to us.
In 2013, Dmitry Evdokimov became head of the laboratory. He has established himself as an excellent specialist with a deep approach to studying security problems and is the author of many studies well known on the market.
Digital Security Research Group in numbers
1st research center in Russia
2nd place in the top 10 web attack techniques of 2012
3 years of participation in international conferences
4 talks at BlackHat in 4 geographical locations
5 years of public work
6 employees have spoken at international conferences with their own talks
7 days a week
8 employees have received acknowledgements from the largest companies for vulnerabilities found
9 key participants
10: in the top 10 talks of BlackHat USA in 2012
15 meetings of Defcon Russia held
Speakers in more than 20 countries
Over 30 presentations at international technical conferences
Over 40 studies
Nearly 100 published vulnerabilities in SAP
Nearly 200 vulnerabilities published in total
More than 300 vulnerabilities detected
Vulnerability Search and Detection
In November 2007, the laboratory began searching for and analyzing vulnerabilities in software products. The key feature of its activity has been the principle of Responsible Disclosure: we inform the vendor about a discovered vulnerability, help to close it, and only then publish the details. Initially the objects of analysis were simple web applications and CMS systems; the focus then shifted to web servers and DBMSs, and gradually we arrived at business applications and ERP systems. It must be emphasized that our research center has become a unique phenomenon for the Russian information security market: before it, vulnerability searches were carried out haphazardly and irregularly, in an amateur format. The opening of the DSecRG laboratory brought this activity to a professional level. Over time, some market players have followed Digital Security's lead.
The number of closed vulnerabilities relative to those discovered
Over the whole period, 318 vulnerabilities were discovered by DSecRG specialists, of which 199 have been closed by vendors; the rest are still being fixed. The main direction of our activity is now Application Security, in which we will continue to work, striving to occupy leading positions not only in Russia but also in the world.
DSecRG experts found about 0.8% of all vulnerabilities closed worldwide over these 5 years, which exceeds the corresponding figures of all other Russian companies combined.
The number of vulnerabilities published in different years
2007 - 2
2008 - 41
2009 - 37
2010 - 26
2011 - 42
2012 - 51
The number of published vulnerabilities in the products of key manufacturers
SAP - 93
Oracle - 19
Adobe - 5
WAGO - 4
VMware - 4
IBM - 3
HP - 2
Microsoft - 1
The number of published vulnerabilities in various areas
SAP - 93
Web applications and servers - 58
ERP and business applications - 26
Industrial control systems (SCADA / ICS) - 7
Other - 6
DBMSs - 5
Remote banking systems (RBS) - 4
Vulnerability closing time
The minimum closing time among open source developers belongs to the Blogcms and 2z developers: several vulnerabilities of various kinds were closed in one day!
The average vulnerability closure time for open source developers is 30 days.
Among open source developers, the Apache consortium took the longest to prepare an update: 126 days (vulnerability in the Apache Geronimo application, identifier [DSECRG-09-019]).
The minimum closing time among commercial companies belongs to Oracle: a buffer overflow vulnerability in the Oracle DBMS was closed in 28 days.
The average vulnerability closure time for commercial companies is 295 days.
The longest update was also prepared by Oracle: 1214 days (vulnerability in the Oracle Business Intelligence application, identifier [DSECRG-12-040]).
Research work
During the work of DSecRG, 42 large studies were prepared, resulting in articles, reports and conference talks.
Published studies in various fields
- Application Security - 30
- Business Applications - 15
- SAP - 11
- Other - 4
- Business Applications - 15
- Databases - 3
- Banking - 4
- Mobile - 2
- Other - 6
- Exploitation - 8
- Embedded - 2
- SCADA - 1
- Forensics - 1
* Some studies fall into several categories at once.
The number of studies in different years
2008 - 2
2009 - 3
2010 - 11
2011 - 11
2012 - 15
Studies of different laboratory employees
Polyakov - 21
Sintsov - 11
Evdokimov - 4
Tyurin - 3
Chastukhin - 3
Svistunovich - 2
Minozhenko - 2
Cherbov - 1
Neyolov - 1
Security of RBS systems (2009-2011)
The first study of the security of remote banking services in Russia. Previously very little had been said on this topic, but the problems raised by DSecRG specialists attracted the attention of experts from various organizations in the information security industry, and this segment of the security analysis market has grown significantly.
Adapting the JIT-Spray technique (2010)
This study improved the attack technique against Adobe Flash for bypassing DEP and ASLR, reducing the attack time by a factor of 100. The study also showed that not only the Adobe Flash JIT engine but also the JavaScript engine of the Safari browser is susceptible to such an attack. The results of this work were subsequently used by many offensive security companies around the world.
SAP Security in Numbers (2007-2012)
A global SAP security survey covering 2007 to 2011. It was released in two languages and received the InfoSecurity Products Guide award in the Advertising category. The study covered all aspects of SAP security: from vulnerability statistics and descriptions of the top 5 vulnerabilities to an analysis of SAP systems reachable over the Internet in each country of the world, and statistics on the most common versions and patches.
SSRF and Business Applications (2012-2013)
The study was first presented at the BlackHat conference and popularized research into a new class of attacks. Together with other independent works on SSRF attacks, this publication took 2nd place in the list of the 10 most interesting web application attack techniques of 2012.
Mobile Banking (2012-2013)
Static code analysis was performed on the client side of iOS and Android mobile payment applications from more than 30 Russian banks. It turned out that every application reviewed contains at least one vulnerability that allows attacking the bank or its customers.
Talks at international conferences
In 2009, the laboratory made a breakthrough by starting to present its research at international technical conferences. We were not the first Russians in the West (ElcomSoft presented abroad 10 years earlier), but Digital Security took the participation of Russian researchers to a new level, significantly increasing the presence of Russian information security experts at key conferences. Over three years, DSecRG has appeared at 36 conferences in 20 countries across Europe, Asia and the USA, and we continue to work in this direction, conquering new continents. It is gratifying that other companies and independent researchers have supported the Digital Security initiative. By 2013, talks at international conferences had become the norm for the company, just as acknowledgements from vendors had become the norm a couple of years earlier.
Number of talks at various conferences
CONFidence - 6
BlackHat - 5
HITB - 4
Deepsec - 2
SecurityByte - 2
HackerHalted - 2
Troopers - 1
Source - 1
t2.fi - 1
BruCON - 1
InfoSecurity Kuwait - 1
Just4Meeting - 1
Defcon - 1
RSA - 1
Nullcon - 1
HackTivity - 1
IT-SA - 1
Syscan360 - 1
SAP Security Summit - 1
Hashdays - 1
PoC - 1
Number of talks in different countries
USA - 6
Poland - 5
Germany - 3
Netherlands - 3
India - 3
China - 2
Malaysia - 2
Austria - 2
Czech Republic - 1
Spain - 1
Belgium - 1
Portugal - 1
Kuwait - 1
Hungary - 1
Switzerland - 1
Korea - 1
UAE - 1
Finland - 1
Number of talks in different years
2010 - 9
2011 - 9
2012 - 19
Number of talks in various fields
- Application Security - 30
- Business Applications - 15
- SAP - 11
- Other - 4
- Business Applications - 15
- Databases - 3
- Banking - 4
- Mobile - 2
- Other - 6
- Exploitation - 8
- Embedded - 2
- SCADA - 1
- Forensics - 1
Number of talks by speaker
Polyakov - 25
Sintsov - 5
Evdokimov - 4
Chastukhin - 4
Minozhenko - 2
Neyolov - 2
Projects and community initiatives
Wherever possible, we try to participate in various projects and initiatives. Let us dwell on the most important of them.
ZeroNights
Organization of the annual international ZeroNights conference in Moscow and St. Petersburg. It is the only uncompromising technical conference in Russia devoted to the latest hacking and protection methods; in 2012 it gathered 600 attendees and more than 50 speakers and was named by the authoritative publication SC Magazine as one of the conferences most worth visiting in 2013, alongside giants such as BlackHat, HITB and Infiltrate.
Defcon Russia
The project was created by research laboratory staff. It is a kind of platform for training young professionals, allowing them to gain unique knowledge and skills and exchange experience at informal meetings. It gathers more than 50 people a month and was the prototype of the ZeroNights conference. To date, 15 meetings have been held successfully.
OWASP
Within OWASP, we run the OWASP-EAS subproject dedicated to the security of business applications. The first version of the subproject was presented in 2010 and included a description of the main threats to business applications and a methodology for assessing their security. After a long break spent collecting information and analyzing systems, serious work on version 2 began in 2013.
Project BaseCamp
Participation in a project dedicated to the security analysis of industrial control systems, namely vulnerabilities in programmable logic controllers. We analyzed the WAGO PLC and the kingSCADA system.
Metasploit
Participation in the Metasploit project: development of exploits for the Oracle DBMS and other convenient tools that help in conducting pentests.
Bounty programs
Participation in almost all vulnerability reward programs. We regularly receive acknowledgements and cash rewards from Google, Yandex and Nokia, and in the future we plan to support other companies offering similar programs.
Python arsenal
In the course of this work, a database of more than 40 different Python tools for reverse engineering and application security analysis was assembled and structured. The result of this large-scale effort was a site with convenient search and a regularly updated database, visited daily by hundreds of researchers from around the world.
Members
Alexander Polyakov
AlexandrPolyakov
Founder of the Digital Security Research Group. Author of the book "Oracle Security through the Auditor's Eyes: Attack and Defense" (2009) and of more than 30 articles on the security analysis of systems and applications in leading Russian publications, including Russian SAP expert publications. One of the world's best-known SAP and Oracle security experts, he has found more than 100 vulnerabilities in their software. In his free time he is fond of searching for non-standard attack vectors and specific problems in business systems.
Alexey Tyurin, Ph.D.
Grrrndog
Specialist in web application security and client banking, with extensive experience in penetration testing of business systems such as Citrix, VMware and others. A large number of vulnerabilities have been discovered with his participation. Editor of the Easy Hack column at Xakep magazine.
Gleb Cherbov
JRun
Specialist in the security analysis of network and web applications. He also deals with the security of embedded systems and is actively involved in research conducted as part of DSecRG. Co-organizer of and regular speaker at Russian Defcon Group meetings.
Dmitry Evdokimov
d1g1
Specializes in the security of critical business systems (SAP) and of mobile platforms (iOS, Windows Phone, Android). He has official acknowledgements from SAP and Oracle for vulnerabilities found in their products. His other areas of interest include reverse engineering, software verification and program analysis (SMT, DBI, IR), vulnerability search and exploit writing, and the development of Python tools for static and dynamic analysis. He has spoken at conferences such as BlackHat and CONFidence, runs columns in Xakep magazine, and is one of the organizers of the Russian Defcon Group (DCG #7812) and ZeroNights conferences.
Alexander Minozhenko
Jug
Leading information security researcher. He has extensive experience in penetration testing of business systems such as SAP, VMware and others. He has spoken at the CONFidence and Defcon conferences.
Nikolay Mescherin
Ab7orbent
Responsible for analytics and testing of the ERPScan Security Monitoring Suite for SAP, and also actively involved in the search for and analysis of vulnerabilities in SAP systems. He has official acknowledgements from SAP AG for vulnerabilities discovered in the corporation's products.
Dmitry Chastukhin
chipik
One of the leading specialists in SAP and web application security. A big fan of bug bounties, he has official acknowledgements from Yandex, Google, Nokia and SAP. He has spoken at BlackHat USA, HackInTheBox, BruCON and ZeroNights, and is actively involved in the activities of the Russian Defcon Group.
Evgeny Neyelov
Key interests: security of business applications, analysis of cybercrime, forensic methods and anti-forensics, e-commerce security, and anti-fraud systems. He has spoken at SyScan360 and other conferences about methods of bypassing anti-fraud systems. One of the organizers of ZeroNights and the Russian Defcon Group. He has acknowledgements for detected vulnerabilities from Microsoft, SAP and other companies.
Alexander Bolshev, Ph.D.
dark_k3y
He holds a Ph.D. in computer mathematics and information security, conducts scientific work at St. Petersburg Electrotechnical University LETI, and is involved in research at the Digital Security laboratory, including as a consultant on applied mathematics problems. Author of the study "SSRF DoS Relaying" (2013).
Our team also includes researchers from various cities of Russia, as well as from Switzerland, India and Kazakhstan. If you want to be part of our team, write to research@dsec.ru with information about yourself, and we hope we will find common interests.