The Application Security Podcast

Björn Kimminich -- OWASP Juice Shop

Chris Romeo Season 10 Episode 36

Bjorn Kimminich, the driving force behind the OWASP Juice Shop project, joins Chris and Robert to discuss all things Juice Shop. The OWASP Juice Shop is a deliberately vulnerable web application that serves as an invaluable training tool for security professionals and enthusiasts. Bjorn provides a comprehensive overview of the latest features and challenges introduced in the Juice Shop, underscoring the project's commitment to simulating real-world security scenarios.

Key highlights include the introduction of coding challenges, where users must identify and fix code vulnerabilities. This interactive approach enhances the learning experience and bridges the gap between theoretical knowledge and practical application. Additionally, Bjorn delves into the integration of Web3 and smart contracts within the Juice Shop, reflecting the project's adaptation to emerging technologies in the blockchain domain. This integration poses new challenges and learning opportunities, making the Juice Shop a continually relevant and evolving platform for cybersecurity training.

The episode concludes with an acknowledgment of the project's maintenance efforts and the introduction of a novel cheating detection mechanism. This system assesses the patterns and speed of challenge completions, ensuring the integrity of the learning process. Bjorn's discussion also highlights the inclusion of 'shenanigan' challenges, adding a layer of fun and creativity to the application. The significant impact of the Juice Shop on the cybersecurity community, as a tool for honing skills and understanding complex security vulnerabilities, is evident throughout the discussion, marking this episode as an essential watch for those in the field.

Links:
OWASP Juice Shop - https://owasp.org/www-project-juice-shop/

Pwning OWASP Juice Shop by Björn Kimminich. The official companion guide to the OWASP Juice Shop - https://leanpub.com/juice-shop

"OWASP Juice Shop Jingle" by Brian Johnson of 7 Minute Security - https://soundcloud.com/braimee/owasp-juice-shop-jingle


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Chris Romeo:

We're excited to have Bjorn Kimminich with us, a prominent figure in the application security world. As the product group lead for application ecosystem at Kuehne + Nagel, Bjorn is pivotal in shaping the AppSec program within the corporate IT landscape. An OWASP lifetime member, project leader of the renowned OWASP Juice Shop, and co-chapter leader for the OWASP Germany chapter, Bjorn's contributions to the community are truly commendable. We'll catch up on the latest developments with the OWASP Juice Shop since 2019, when we last spoke to Bjorn, exploring its evolution, new features, and what the future holds, from the introduction of tags, chatbots, and coding challenges to the exciting developments in 2023 like Web3 and the new scoreboard. Get ready for a deep dive into the world of Juice Shop with Bjorn Kimminich. Let's embark on this insightful journey.

Chris:

Hey folks, welcome to another episode of the Application Security Podcast, where we're doing a special episode on the best TV of the 1980s. The conversation points are The A-Team, MacGyver, Airwolf, and I don't remember what the other one was.

Bjorn Kimminich:

Knight Rider, of

Chris:

Knight Rider, come on! Nah, we're just

Bjorn Kimminich:

with the Hoff, I mean,

Chris:

With the Hoff, come on. We're, yeah, we're just kidding. We're not going to talk about 80s TV, but we really should, and we wish we could. But we are joined by Bjorn Kimminich, who is very well known in the world of OWASP for the Juice Shop. Bjorn's been a guest of the podcast before, two different times: in 2018, where we talked about the joy of the vulnerable web, Juice Shop, and in 2019, when we talked about the new Juice Shop, the Google Summer of Code, and the Open Security Summit that was happening. So yeah, you have to go back and listen to a couple of the older episodes to hear Bjorn's origin story. But with that, we will jump right in, 'cause we want to get caught up on what's been happening with Juice Shop. Robert and I were both like, it's been four years since we've talked about Juice Shop on the AppSec podcast, because we're big fans of the project and we use the project. So Bjorn, since 2019, let's start by focusing on the user challenges, user interface, user experience. What are the new things that are part of Juice Shop now that we want everybody to know about?

Bjorn Kimminich:

Yeah, so first of all, in the last four years, Juice Shop got a big amount of new hacking challenges, actually, so we are currently sitting at 106 hacking exercises you can do. And that huge number basically more or less forced us to separate the challenges into different groups a little bit better. We already had challenge categories back in 2019, like cross-site scripting, injection, authentication issues, blah, blah, blah, so all the classical category stuff. But we later introduced tags for challenges as well, so we can group them, for example, by challenges which involve brute-force attacks, or challenges which require you to do some kind of code analysis, or challenges which are considered dangerous because you have something like stored cross-site scripting or some remote code execution in them, and those challenges you might not actually want to deploy by accident on some internet-facing machine, right? So that's why we have that category as well. And the Juice Shop even tries to find out if it's internet-facing, so to say, and tries to turn off these dangerous challenges by default, so you have to enable an unsafe mode to get them back running. Other tags, for example, are challenges which are good for demonstrations, so for live demos for audiences. We also have a shenanigans tag that basically groups all the challenges which are not exactly serious. And we actually have, I just looked it up, 11 of those. So 11 completely unserious, fun...

Chris Romeo:

Wait, what do you mean by that? What do you mean by a completely unserious... Like, what is this shenanigan? I mean, I know what it is in everyday life, because I'm always pulling them off, but what is it in a Juice Shop context?

Bjorn Kimminich:

So it's challenges which are not really coming down to some software vulnerability or some real security issue. So for example, we have one steganography challenge where you need to find an image in one of the images in the Juice Shop. So it's not really a security issue; I would say it's more for fun. We have some Easter egg which you can find, and then a nested Easter egg hidden in the Easter egg. We have some fun stuff hidden in our privacy policy. If you scroll over it really closely, you might find that. And by actually reading the policy properly, you can also solve another challenge. Probably one of our most difficult challenges, also from this category, is to solve a challenge that doesn't exist. So the Juice Shop has, like I said, 106 challenges, and your task is to solve the challenge with the number 999. So you have to find out how the Juice Shop actually tracks your challenge progress and then try to hack that. So it's kind of an inception level two kind of...

Chris:

So it's like a meta, it's like a meta challenge.

Bjorn Kimminich:

Very meta. Yes. Yeah, exactly. But those are then really more for fun and not to actually explain serious security issues.

Chris:

So then what's the rate that you're creating new challenges? 'Cause one of the things I think, when I think about Juice Shop, is I can take Juice Shop to a new group of developers that have never done anything with it before. I can put it in front of them. They can have a great experience. They find a bunch of different things. But I'm curious, how can I use Juice Shop to engage them over a period of time? So what's the velocity of new challenges being introduced into Juice Shop?

Bjorn Kimminich:

I would say we slowed down a little bit with adding new challenges. And actually I'm rather thinking about removing some of the existing ones, because some are technically a little bit outdated. Others are very, very hard to actually pull off. So like some CSRF, so cross-site request forgery, challenge, you can't even solve that properly with today's browsers anymore. So this kind of stuff probably needs to go. But we try to add new challenges whenever something new pops up, right? So the latest addition that we have is four hacking challenges, which are all around Web3-related stuff. So then it's about stealing an NFT from someone's wallet, or to actually drain some faucet for more tokens than you should, and exploiting some sandbox hidden in the Juice Shop. So...

Chris:

And this is.

Bjorn Kimminich:

That's what we try, right? So,

Chris:

That's all in... Great. On the Web3 side, you've built a vulnerable chain completely inside of Juice Shop? 'Cause I know there are some vulnerable projects for chains. Did you incorporate one of those, or did you build something from scratch?

Bjorn Kimminich:

No, so we basically considered the two options, right? To either have some in-memory blockchain in the Juice Shop and then work with that, but we decided against it because it's just too complicated. So what we do, we have some vulnerable smart contracts deployed on an Ethereum testnet, and the Juice Shop basically communicates with that. So you actually have to have a wallet, and then with something like MetaMask, for example, you have to connect with that wallet to the Juice Shop. But everything that you do is only happening on the testnet, so you can't really harm yourself or lose any of your precious Bitcoins or Ethers, right? So that should be fine. Unless you accidentally connect your production wallet or your real wallet, and there's no warranty, right, from the Juice Shop side, if you lose your Bitcoins. Yeah, but that's basically the path that we took, because the other approach, with in-memory, just was too heavy.

Robert:

Is that a new dependency now? Or is that just one of many? And if you didn't do that, can you do everything else? Is that something that's not going to stop you from testing everything else if you don't? Or is it absolutely required?

Bjorn Kimminich:

No, so I mean, you can just leave out the Web3 challenges, right? So the Juice Shop will still work normally if you don't connect a wallet. Only if you want to solve the Web3 challenges, then you need to connect a wallet to play with, right? So then that's mandatory. If you don't, then you will never get the scoreboard to 100%, but that's basically also true for some of the other crazy difficult challenges we have, right? I don't expect that someone without cheating actually gets 100 percent, like, ever these days, because there's just too much crazy stuff going on with multi-level attacks for solving some six-star challenges. So it's almost impossible to pull off without looking at the solutions, at least some of them. Yeah, but the Web3 challenges, I just sent out a tweet that we had accidentally created some breaking change, because our Juice Shop server now needs to contact these smart contracts, right? So it needs internet access now, and it didn't before. So when Juice Shop is hosted in corporate environments where internet access to the outside is kind of closed off, then right now the Juice Shop will crash, but this is something we will fix in the next release.

Chris:

On the dangerous challenges, can you give us an example of one of those, another one of those dangerous challenges? I just want to understand, what is the ultimate danger that I'm dealing with?

Bjorn Kimminich:

Okay. So we marked everything as dangerous that is persistent. So we have lots of persistent cross-site scripting or stored cross-site scripting challenges. So if you, for example, have a public-facing Juice Shop instance, like our own demo instance, right? I really don't want people to leave actual XSS attacks in the Juice Shop database, and then someone else visiting the application is actually really a victim of an attack, right? So that's something we don't want. Similarly, there are some challenges which might lead to some sandbox breakout. We are not 100 percent sure if you can somehow get onto the actual machine underneath, so we rather turn them off by default, but you can just override that by saying, okay, Juice Shop, please run in unsafe mode, and then you have everything available again. And on your local machine, they will be on by default. Similarly, some denial-of-service attacks, like with XML external entities, for example, right? So that kind of stuff is also turned off by default, because I don't want funny people to kill my demo instance all the time. So that's not that good, although it restarts automatically if it breaks down.

Robert:

So we talked about some of the user challenges and UI updates and so forth. What about the backend and behind the scenes? What's new there?

Bjorn Kimminich:

Yeah. So behind the scenes in the last years, we actually made a pretty big migration of our complete, let's say, CI/CD landscape, right? So we originally started on Travis CI, which had a free offer for open source projects. And that worked very well for many, many years. I'm absolutely happy with that, but at some point they basically stopped supporting open source projects for free, so we had to find an alternative, and we ended up with GitHub Workflows, GitHub Actions, which is just working like a charm for us. We also have moved from my personal GitHub account into our own org. So there's now github.com/juice-shop as an org, which contains all the projects, so the main app, the CTF extension, all the stuff, and we have a free team license there, so we can have lots of CI/CD minutes to actually burn to build all our things. And we actually need quite a few build minutes, because we still prepare the popular zip files, which you can just download and unpack, and then you just need Node.js locally and you don't have to install anything on top anymore. But we also still build Docker images, and even ones for Raspberry Pi, so for ARM processors, some years ago, right? Which are also quite popular. That's one behind-the-scenes change that had a pretty big impact, I would say. And overall, we are very happy with this approach. So it's all in GitHub Actions. What else? So something that is maybe not in our infrastructure, but behind the scenes of the Juice Shop itself: we introduced something called cheat detection some time ago. So the Juice Shop will measure how long it takes for the user to actually solve hacking challenges and coding challenges, which I might come to later as well.
And then the Juice Shop tries to find out if it's likely that you just ran some script or just followed some solution guide, right? So if you're too fast with your hacking, Juice Shop will assume that you're cheating and will assign a cheat score, similar to spam scoring, to each challenge, and then also give you a total cheat score that, for example, in classroom setups, can be quite interesting for the trainer, right? So they know who's actually trying and who's just following the ebook and types everything. So that's not super sophisticated, but it's a quite nice small touch, I would say.

Chris:

So it's based on time then. So basically you're measuring how fast it takes me to, which highlights the fact that I probably copied and pasted.

Bjorn Kimminich:

Yeah. More or less. And it's not super, I mean, it takes into account the difficulty of the challenge and then just assumes a minimum amount of time you would probably need. It will also take into account some dependencies between challenges. So there are challenges which you, for example, solve by accident with another one; that will not get you any cheat points, so to say. And also there are some trivial challenges which you just solve more or less by browsing the application, and those will also not count. So in the end, I always tested by running our automated test suite, which kind of automatically hacks all the challenges, and it's pretty fast, and that always ends up with like 90-something percent cheat probability in the total score. So that's pretty accurate enough, I would say.

Chris:

Another thing from the list here: we've talked with the guy who wrote MultiJuicer. But is MultiJuicer now integrated into the Juice Shop project? It has a home now?

Bjorn Kimminich:

Yes, MultiJuicer has since earlier this year been put under the overall Juice Shop project umbrella. So it's not its own OWASP project. It's part of the OWASP Juice Shop project, and it's also now living in the Juice Shop GitHub org. And that means, I would say, starting next year with the next Google Summer of Code, we will hopefully also get a student working on MultiJuicer-related topics, right? Because under the umbrella of OWASP, that's all possible. And also we can now finally start ordering stickers and other stuff for MultiJuicer as well, all under the OWASP umbrella and not privately by the company who basically developed it, right,

Chris:

Okay,

Bjorn Kimminich:

which is very nice. So we try to pull everything that is related to Juice Shop into that single OWASP project, in order to not pollute OWASP with more and more tiny projects, right? So I think it makes more sense to have one big flagship and not try to have too many small attachments everywhere separately.

Chris:

Now, when we were talking before, you mentioned that Juice Shop is approaching its 10th anniversary, which is a momentous occasion for anything, right? To have a 10th anniversary. What are you thinking about as far as the future? Like, what are you excited about doing to celebrate the 10th anniversary from a product perspective? Or also future features that are on your mind? Where do you see this thing going?

Bjorn Kimminich:

Yeah, so next year in October we have the 10th anniversary, and as we have released quite a few brand new features, like coding challenges, for example, just recently, we don't have such a long list of things for the 10th. But we had one particular idea that it would be nice to have in the Juice Shop some kind of virtual environment where you can run the first original version of the Juice Shop, so version 1.0. This will not be trivial, because that version requires a very old Node.js and it will not run on the current one. So I'm not sure we can pull that off, but that would be kind of cool if you can basically play the old Juice Shop within the new Juice Shop. Other than that, we just released a brand new scoreboard. The old one was growing a little bit slow, and also couldn't be considered pretty anymore, I would say. So we have now a completely new tile-based scoreboard design. And I'm pretty sure we will find some additional enhancements and some new UI improvements for next year, for the 10th anniversary release, so to say, as well. That's one other thing. Yeah, but our backlog is currently rather empty, because we just had so many interesting and big feature releases happening, especially this year.

Chris:

Yeah, and you mentioned coding challenges. We forgot to talk about that earlier. So give us the background. What are you doing with coding challenges?

Bjorn Kimminich:

Yeah. Okay. So for some of the hacking challenges, once you solve them, for example a typical cross-site scripting or injection challenge, you can then on the scoreboard find a button that triggers a so-called coding challenge. You will get a pop-up, and in the pop-up you will see the code that is basically responsible for the vulnerability, with some code around it as well. And you have to select the actual line or multiple lines which are causing the problem, right? So what is actually causing this injection vulnerability? And if you can find it, the Juice Shop will give you some hints to guide you through to the right solution. And once you did it, you will switch to the second stage of the coding challenge, where you're presented with typically three or four different options for how to fix this vulnerability. And you then have to pick the one which you think makes most sense. If you pick the wrong one, you get some hint explaining why this is not correct. If you got the right one, you get confetti and praise and everything. And basically, I think we have like 26 or 27 coding challenges. So roughly 25 percent of the whole Juice Shop challenge list also has an additional coding challenge now, which is pretty neat. And maybe one thing that then again goes more into the behind-the-scenes area: the code that is shown, the code snippet, is not just from some static file that we have somewhere, but it's the actual code from the Juice Shop that you're currently running itself. So we use some sophisticated inline markers to actually say, okay, this is the snippet we want to see, and please don't show this line, because this is where the challenge solution is checked, so please remove that. And then this is actually shown. So if you use some older version of Juice Shop, you will get that actual code being shown.
And if I use the latest, then the code might be slightly different. So that's pretty sophisticated, I would say. And we also have some safety nets that help us notice if we break anything here during refactorings, for example, if we change variable names or stuff, right? Because the solutions that you can later select, so the fixes, those are of course hardcoded somewhere, right? And we then compare those with the actual code snippet, and the user will get an actual code diff to see what changes, and then they can select the right option. And if we, for example, do some crazy refactoring, the user might see tons of code changes, indentation, I don't know, renames, but they have nothing to do with the actual vulnerability, right? So they're just by accident, and we prevent that by having some checks internally to compare both. So that's quite sophisticated, I would say.

Chris:

How big is the Juice Shop team these days?

Bjorn Kimminich:

So we have a core team of four people. One former Google Summer of Code student from last year, plus my two teammates who I've been working with on this already for quite some time. One of them is Jannik, who's doing the MultiJuicer and who also actually created the entire new scoreboard implementation. And then we have, let's say, the occasional contributors, right? So typically we rather see one-time contributions. So someone finds a bug and actually fixes it instead of just reporting it, which is great. But we try always, especially with our Google Summer of Code students, to motivate them to keep contributing, because they are already in the project quite a bit, right? Because they had lots of time to actually get used to it, know the code base and stuff. And yeah, this worked once already, and we really hope that this will work in the future as well, so the core team can actually grow and we have more permanent contributors and maintainers as well. Because if you have an almost 10-year-old project, there's also some maintenance work to be done, right? And I think our code quality is not that bad, because if it was (I mean, it's JavaScript, TypeScript) we probably would have abandoned this a long time ago, right? So keeping a JavaScript application alive for 10 years successfully is kind of good.

Chris:

Yeah, definitely. And thanks to you and to the whole team that are working on this. It's always so encouraging, because I think of folks like yourself, like Steve Springett, Jeremy Long, folks that are building tools that I know you're putting a lot of effort into. I know you're putting hundreds and hundreds of hours into this all the time, and it's really just for the betterment of the community. You're not getting paid. I like to reiterate that whenever I can, so that people know: you guys are building a vulnerable web application that's cutting edge, and you're not getting paid for it, but you're still putting out awesome stuff and you're adding new features. So don't get mad at Bjorn if you're like, I put a PR or an issue into GitHub and it just didn't get fixed. Well, guess what? Nobody's getting paid here. So grab that issue, get in the code, fix it, generate a PR, and they'll review your PR. No problem. Contribute to this!

Bjorn Kimminich:

And we actually, especially for our issue handling, do have different labels to mark issues which might be good for beginners, right? But also others where we just need help, because some challenges or some of the issues are not my area of expertise. So I'm really happy if someone with more know-how about that specific issue jumps in, and that works also sometimes. Especially at times like Hacktoberfest, for example, or during Christmas time, the 24 Pull Requests advent calendar thingy that happens, that's always where you might actually get some more of these one-time contributions in. So that's kind of nice. And talking about money: Juice Shop is free, and there's no premium version or anything. If you want to help out the project to get new stickers, T-shirts and stuff, and maybe also help one of the developers visit some conference, then the best way to assist is basically to just support OWASP directly, right? So you can donate to OWASP, and then whenever I ask for reimbursement for some merchandise stuff or other things, OWASP is always happy to pay that. So we don't have any direct donation channels. It's all going directly through OWASP, and that's the easiest way to actually assist the project. Unless you're a developer and want to directly contribute.

Chris:

Generate some PRs. All right, well, we've got a new segment here since the last time you joined the Application Security Podcast, and I'm now calling it Robert's Lightning Round, because Robert's the delivery agent of the lightning round. So, Robert, take it away.

Robert:

Alright, so we have three questions that we ask. The first one is: what is your most controversial opinion on application security, and why do you hold that view?

Bjorn Kimminich:

Okay. I'm not sure if it's the most controversial, but in my opinion, we have too many top 10 lists and similar kinds of things, right? So personally, I prefer projects like the OWASP Cheat Sheet Series, where you have a list of different topics, you can pick the actual problem that you're currently facing, and you can read up a lot on it. There's nothing wrong with top 10 lists, but they are overused at the moment, and for many years, I would say, right? So while they are meant as awareness documents, they are being used as pseudo-standards or as marketing material. Like, my scanner makes you OWASP Top 10 compliant, stuff like this. This is just silly if you know how many more vulnerabilities exist from number 11 to 999, right? So I'm not sure if it's controversial, but I would personally prefer to see more cheat sheets, for example, being created than another top 10 list for one dedicated subtopic in application security.

Robert:

Makes sense. Number two is: what would it say if you could display a single message on a billboard at the RSA or Black Hat conference?

Bjorn Kimminich:

Not sure if I would want to display that at the RSA or Black Hat conference, but maybe it's something for those conferences. So the message would be: target more developers, right? So the focus, especially of the pure security conferences, is still way too much on security people, in my point of view. So if you would focus more on actual developers, who these days, let's be honest, every developer needs to be a little security engineer these days, right? Like 20 years ago, every developer basically became a tester, a QA person, because things like unit testing picked up, right? Every developer then later became a small infrastructure expert because DevOps was the thing, right? And now security is the next. So I think it's important that especially big conferences that are pretty much focused on security topics also have something extra in for developers, and many of them have, but I think there could always be more that you do to actually motivate developers to get interested in security. And that's one of the reasons why we're doing the Juice Shop, right? Because that's our target audience. It's more developers than actual security people, because we try to teach developers how security issues can break the application.

Robert:

So number three: what's your top book recommendation, and why do you find it valuable? And that could be any book.

Bjorn Kimminich:

Okay. I will be egoistic here and will recommend the Pwning OWASP Juice Shop book, which you can get for free on Leanpub. You can also read it online, and this is essentially our full-blown project documentation. So that contains everything from technical setup, over a complete chapter with hints for all the hacking challenges, and the scoreboard actually links to that, to the online version. There's also technical stuff, like for example, we have one chapter explaining how you can write your own coding challenge, or how the cheat detection works behind the scenes, or how you can integrate with a webhook if you want to get notified when a challenge is solved. So all that stuff, from technical over challenges up to troubleshooting, it's all in there, and a complete massive chapter with all step-by-step solutions for the hacking challenges. So in the PDF version, which is on Leanpub, it's like 400-something pages, and you can download it there for free, or you can choose to basically donate some dollars to actually get it, to say thank you to the project as well. And yeah, again, I always buy stickers from anything we earn here. Yeah,

Chris:

Well, Bjorn, as we wrap up our conversation here, what's a key takeaway or a call to action you want to leave our audience with?

Bjorn Kimminich:

Basically, I think I burned the call to action almost already with the call to target developers more when it comes to security topics, right? And so the call to the security folks, and I don't think it's a new call, it's something that has been happening for years already: security people need to make sure that they learn the language of the developers when they want to interact with them, right? So it still doesn't help to just dump your automatically generated scan report on a developer's desk. That will not help, right? Because once they have the first ten false positives, they will stop reading and throw it into the trash can, right? And rightfully so, because you should have gone over the list of findings and at least done a preliminary check if the reported things are actually reasonable and even make sense at all, right? And this is still something which I see not always happening. And this leads to frustration on the developers' side, I would say. When it comes, ah no, not the security guys again. So getting more focus on what your clients actually need is more important than just dumping a compliance violation report on someone's, on...

Chris:

100 percent agree. Well, Bjorn, thanks again for participating in the interview. Thanks for all you do and all the team does with Juice Shop. We do appreciate it. I'm going to say, as a community, we appreciate it, because I know lots of people that use it as a training tool. They use it to sharpen their own skills. It's a very popular project. So thanks for all you do in that arena, and we look forward to catching you at an OWASP conference sometime very soon.

Bjorn Kimminich:

Definitely. Thank you guys.
