Meet the team

Abhi M Balakrishnan
Designer | Developer | Author

Akhi Balakrishnan
Illustrations

Adarsh Girijan
Logo | Cover Page | Posters

Jennifer Diaz
Technical Review | Grammar Review

Shashank Nigam
Extensive Technical Review

Keith Johnson
Extensive Technical Review | Testing

Aakash Kumar Goel
Technical Review | Promotions

Thanks to:
Sarika Unnikrishnan
Niraj Mohite
Prajwal Panchamahalkar
Pardhasaradhi CH
Opheliar Chan
Vidhu Jayabalan
Aaron Hnatiw
SecurityCompass
PayPal




The story


I, Abhi, was in a threat modeling session as a security engineer. During the meeting, I pointed at a design and said, "that portion may become vulnerable to TOC/TOU." To my surprise, half the people in the room did not know what TOCTOU was. A few people thought almost all new database technologies have in-built controls to prevent them. Some of them said it's very much a corner case and applies only to money-transfer kinds of scenarios. One person said it's tough to exploit in real life.



Over the next few months, I came across multiple such situations. I wanted to shout out to the world that race conditions are real. But how? I asked myself.



I needed three things:

  1. A platform where I can demonstrate TOCTOU issues to security engineers, web developers, and architects. This platform should cost as close to zero as possible and should be as portable as it can be.
  2. An easy tool to exploit TOCTOU issues
  3. A handy guide to help people get started with TOCTOU



I slowly started building a web app that is vulnerable to TOCTOU. Then I converted it into a CTF. Gamification was essential to get people engaged. I think CTFs give us satisfaction when we solve each challenge. Then I started writing a book. I started talking about it to everybody around me. A few of my friends offered help.



My wife, Sarika, and I used to brainstorm about driving this project forward. She helped me find a name and theme for this project. My brother, Akhi, started sketching dinosaur-themed scenarios for my book right around that time.



It was almost 1.5 years from day one, and I started looking for reviewers. My friends Aakash, Keith, Jennifer, and Shashank offered to do the review for me. They sacrificed many of their weekends and late nights for this project.



That made me realize two things:

  1. How vital this project is. All of us sensed the need for a project like TimeGap Theory. We shared a common goal, and that tied us all together.
  2. How dear my friends are to me. The TimeGap Theory project would not be here without them. There is no doubt about that. But more than that, working on this project was a celebration of our friendship. A few years from now, we all will be able to look back and say, "we did that, and we loved doing that."



Did I tell you about Adarsh? He joined the team slightly late. He is a cousin brother of mine and is a recent college graduate. Adarsh is the one who designed the logo, cover page of the book, and promotional posters for the OWASP TimeGap Theory.



We used Docker and Heroku to make it easy for people to get the project running. We are showing people how to use browser dev tools, cURL, and a few other free and open-source tools for exploiting TOCTOU vulnerabilities. The handy guide I mentioned before is out now, and you can get it from this link.



Designed, developed and distributed by Abhi M Balakrishnan

TimeGap Theory is brought to you by OWASP, a free and open software security community focusing on improving the security of software. Our mission is to make software security visible, so that individuals and organizations worldwide can make informed decisions about true software security risks.