SlideShare a Scribd company logo

ExpoQA 2018 - Why software security has gotten worse? And what can we do about it_ - By Santhosh Tuppad

Santhosh Tuppad
Santhosh Tuppad

As technology evolved, software security faced huge challenges and as the years passed, the world has seen drastic changes far too quickly. And along with these advancements, even black-hat hackers or malicious hackers have evolved also very well. Today, the internet is the place for everyone where hackers dwell almost all the time. Every day new applications are released to the web and users start using them and even get addicted to them due to outstanding UX. But, wait! Did someone think about the "security" layer of these applications? Well, we often don’t and most of the applications today suffer from "beggarly / bad security". In this talk, Santhosh Tuppad will focus on the pitfalls of bad security and why software security has failed in a pretty way. He will also shed light on how your users may be facing bigger problems than you can imagine due to bad software that lacks security testing. He will also demonstrate some of the lethal problems that exist in the industry and will talk about technical impact, business impacts like reputation damage, revenue loss and a lot more. Not only that, Santhosh won’t end his talk without some hacking demonstrations that will for sure wow you. Finally, he will tell you how you can start security testing from day 1 and start contributing in terms of building secure software. From this talk, you will gain an understanding about the problems that a lack of security testing presents and you find out about tool-assisted security testing; performing security tests through questioning. After the talk, you will be able to start identifying risks and report comm.on vulnerabilities giving you a feeling of “I can do this”

Technology
1 of 14
Download to read offline
Why software security has gotten worse? And what can we do about it? Santhosh Tuppad, Sometimes BlackHat & Sometimes WhiteHat… I am that man who you don’t want to trust Twitter: @santhoshst | email: Santhosh.Tuppad@gmail.com
sh-3.2# whoami I have been a great liar, wise manipulator, a thief, physical infrastructure breaker, web application hacker, mobile apps hacker, kiosk machine basher, black-hat hacker, white-hat hacker, trainer, security coach, lover of mean machines, spiritual practitioner and blah blah blah!
BRACE YOURSELF... Things are going to get WORSE. Future is not so cool considering the risks about 80 billion smart devices by 2025.
CURRENT STATE OF SECURITY IS TOTALLY SICK! ● OUT OF 10 HOSPITALS 8 OF THEM CAN BE EXPLOITED ● OUT OF 10 SPONSORS IN THIS CONFERENCE 6 OF THEM CAN BE EXPLOITED AND COMPROMISED ● OUT OF 10 WEBSITES USING WORDPRESS, 9 OF THEM POSE RISK ● ELECTRONIC COMMERCE ARE THE WORST… USUALLY! In short, if you are a hacker with blackhat intention, you need not worry about food, clothing and shelter.
WEHAVEBEENDOINGITWRONG…TOTALLY! ● Massive Skill Shortage ● Very few white-hat hackers think like black-hat hackers ● Functional Testing Bias ● Fear of learning Ethical Hacking ● Scanners just don’t suffice, we need hackers (with real skills) ● Extrinsic Motivation is More Powerful Than Intrinsic ● Lack of understanding within the team ● Ample number of reasons for giving excuses ● Comfort layer which says, “Hah, I am okay to do average job”.
● We are not hiring hackers like “Santhosh Tuppad” ;-) ● We think it’s NOT a SHARED responsibility :-( ● Our Developers are not aware of secure coding guidelines :-( ● We highly rely on certified hackers instead of the REAL ones ● We are most fascinated with the decoration of report than the real deliverable (vulnerabilities and exploits) ● We don’t FEEL for our USERS… We say, “We Care!”. Hah! ● Many more... MORE REASONS...
● What database are we using? ● Have we upgraded all the systems to the updated version like Javascripts, database, servers, third-party components etcetera. ● Are we using parsed statements for SQL queries? ● Are we having account lockout policy? ● What Firewall are we using if we are? And more importantly, can I take a look at the configuration of the Firewall? Are there any stories behind these configurations? On what basis, we are setting the account lockout on 100 invalid login attempts. WHAT CAN WE DO ABOUT IT? Start with questioning...
● What are we doing to avoid XSS attacks? Do we have HTML encoding, Javascript encoding, database encoding in place? ● How are we handling the authorisation? ● Have we taken care of security improvements via secure HTTP Headers? ● Why do we trust the third-party components that we have integrated? ● Are we GDPR compliant? Are there any hiccups/loopholes? ● Do we have VISION for “Software Security”? WHAT CAN WE DO ABOUT IT?
○ Start with “Hacking for Dummies” by Kevin Beaver ○ Watch Snowden, Swordfish, Mr.Robot, DarkNet (18+ Sex, Violence, Blood etc.) ○ Watch “Major Malfunction” Adam on YouTube ○ Think Crime (Think like a criminal) ○ Start using Scanners and look into results. Ask yourself, “What makes these results popup?” ○ DNF: OWASP Cheat sheets to kickstart WHAT CAN WE DO ABOUT IT? Learn some attacks or security tests...
If you want to be great at anything, you need to focus on Mindset.
Spain is beautiful… So is Software… Functional makes Sense… So does Security… We get paid for work… Are we doing a good job? Do we believe that “self-education” is our priority? … Do we want to move towards better security? Thank you everyone. Talk to me @santhoshst (Twitter) or just say, “Hackintosh” when you see me to speak in person.

Recommended

Where is my silver bullet?!
Where is my silver bullet?!Where is my silver bullet?!
Where is my silver bullet?!Ivan Novikov
 
Brian honan ipexpo keynote
Brian honan ipexpo keynoteBrian honan ipexpo keynote
Brian honan ipexpo keynoteBrian Honan
 
Hack Snapchat Account
Hack Snapchat AccountHack Snapchat Account
Hack Snapchat Accountjack ordert
 
How to Hack Snapchat Account
How to Hack Snapchat AccountHow to Hack Snapchat Account
How to Hack Snapchat AccountJanim Kione
 
Effective 2FA - Part 1: the technical stuff
Effective 2FA - Part 1: the technical stuffEffective 2FA - Part 1: the technical stuff
Effective 2FA - Part 1: the technical stuffConorGilsenan1
 
Shared responsibility model: Why and how to choose the right 2 fa method for ...
Shared responsibility model: Why and how to choose the right 2 fa method for ...Shared responsibility model: Why and how to choose the right 2 fa method for ...
Shared responsibility model: Why and how to choose the right 2 fa method for ...ConorGilsenan1
 
J Gioglio sxsw2015 W2O
J Gioglio sxsw2015 W2OJ Gioglio sxsw2015 W2O
J Gioglio sxsw2015 W2OW2O Group
 
What is hacking
What is hackingWhat is hacking
What is hackingMuhammadUmer411
 

Recommended

Where is my silver bullet?!
Where is my silver bullet?!Where is my silver bullet?!
Where is my silver bullet?!Ivan Novikov
 
Brian honan ipexpo keynote
Brian honan ipexpo keynoteBrian honan ipexpo keynote
Brian honan ipexpo keynoteBrian Honan
 
Hack Snapchat Account
Hack Snapchat AccountHack Snapchat Account
Hack Snapchat Accountjack ordert
 
How to Hack Snapchat Account
How to Hack Snapchat AccountHow to Hack Snapchat Account
How to Hack Snapchat AccountJanim Kione
 
Effective 2FA - Part 1: the technical stuff
Effective 2FA - Part 1: the technical stuffEffective 2FA - Part 1: the technical stuff
Effective 2FA - Part 1: the technical stuffConorGilsenan1
 
Shared responsibility model: Why and how to choose the right 2 fa method for ...
Shared responsibility model: Why and how to choose the right 2 fa method for ...Shared responsibility model: Why and how to choose the right 2 fa method for ...
Shared responsibility model: Why and how to choose the right 2 fa method for ...ConorGilsenan1
 
J Gioglio sxsw2015 W2O
J Gioglio sxsw2015 W2OJ Gioglio sxsw2015 W2O
J Gioglio sxsw2015 W2OW2O Group
 
What is hacking
What is hackingWhat is hacking
What is hackingMuhammadUmer411
 
MacIT 2014 - Essential Security & Risk Fundamentals
MacIT 2014 - Essential Security & Risk FundamentalsMacIT 2014 - Essential Security & Risk Fundamentals
MacIT 2014 - Essential Security & Risk FundamentalsAlison Gianotto
 
N. Oskina, G. Asproni - Be your own Threatbuster! - Codemotion Milan 2018
N. Oskina, G. Asproni - Be your own Threatbuster! - Codemotion Milan 2018N. Oskina, G. Asproni - Be your own Threatbuster! - Codemotion Milan 2018
N. Oskina, G. Asproni - Be your own Threatbuster! - Codemotion Milan 2018Codemotion
 
You Can't Buy Security - DerbyCon 2012
You Can't Buy Security - DerbyCon 2012You Can't Buy Security - DerbyCon 2012
You Can't Buy Security - DerbyCon 2012jadedsecurity
 
Pentest trends 2017
Pentest trends 2017Pentest trends 2017
Pentest trends 2017Jorge González
 
Hit by a Cyberattack: lesson learned
Hit by a Cyberattack: lesson learned Hit by a Cyberattack: lesson learned
Hit by a Cyberattack: lesson learnedB.A.
 
DMA - Stupid Cyber Criminal Tricks
DMA - Stupid Cyber Criminal TricksDMA - Stupid Cyber Criminal Tricks
DMA - Stupid Cyber Criminal TricksThreatReel Podcast
 
Building a Security culture at Skyscanner 2016
Building a Security culture at Skyscanner 2016Building a Security culture at Skyscanner 2016
Building a Security culture at Skyscanner 2016Stu Hirst
 
So... you want to be a security consultant
So... you want to be a security consultant So... you want to be a security consultant
So... you want to be a security consultant abnmi
 
AI and Machine Learning In Cybersecurity | A Saviour or Enemy?
AI and Machine Learning In Cybersecurity | A Saviour or Enemy?AI and Machine Learning In Cybersecurity | A Saviour or Enemy?
AI and Machine Learning In Cybersecurity | A Saviour or Enemy?SahilRao25
 
Your users are humans and let's live our promise of securing them
Your users are humans and let's live our promise of securing themYour users are humans and let's live our promise of securing them
Your users are humans and let's live our promise of securing themSanthosh Tuppad
 
How you can become a hacker with no security experience
How you can become a hacker with no security experienceHow you can become a hacker with no security experience
How you can become a hacker with no security experienceAvădănei Andrei
 
Hackers secrets
Hackers secretsHackers secrets
Hackers secretsFelipe Prado
 
How the Switch to a Predominantly Remote Workforce Accelerated IT and Securit...
How the Switch to a Predominantly Remote Workforce Accelerated IT and Securit...How the Switch to a Predominantly Remote Workforce Accelerated IT and Securit...
How the Switch to a Predominantly Remote Workforce Accelerated IT and Securit...Dana Gardner
 
Robust Software Solutions.pptx
Robust Software Solutions.pptxRobust Software Solutions.pptx
Robust Software Solutions.pptxBusiness Thrust Pte. Ltd. (BThrust)
 
Opsec for security researchers
Opsec for security researchersOpsec for security researchers
Opsec for security researchersvicenteDiaz_KL
 
Cybercrime and the Developer Java2Days 2016 Sofia
Cybercrime and the Developer Java2Days 2016 SofiaCybercrime and the Developer Java2Days 2016 Sofia
Cybercrime and the Developer Java2Days 2016 SofiaSteve Poole
 
Hacking - Breaking Into It
Hacking - Breaking Into ItHacking - Breaking Into It
Hacking - Breaking Into ItCTruncer
 
Cyber Threats and Data Privacy in a Digital World
Cyber Threats and Data Privacy in a Digital WorldCyber Threats and Data Privacy in a Digital World
Cyber Threats and Data Privacy in a Digital Worldqubanewmedia
 
Server-Side Second Factors: Approaches to Measuring User Authenticity
Server-Side Second Factors: Approaches to Measuring User AuthenticityServer-Side Second Factors: Approaches to Measuring User Authenticity
Server-Side Second Factors: Approaches to Measuring User AuthenticityDavid Freeman
 
IESBGA 2014 Cybercrime Seminar by John Bambenek
IESBGA 2014 Cybercrime Seminar by John BambenekIESBGA 2014 Cybercrime Seminar by John Bambenek
IESBGA 2014 Cybercrime Seminar by John BambenekJohn Bambenek
 
Tools are my servants. and I am the master - By Santhosh Tuppad
Tools are my servants. and I am the master - By Santhosh TuppadTools are my servants. and I am the master - By Santhosh Tuppad
Tools are my servants. and I am the master - By Santhosh TuppadSanthosh Tuppad
 
Hacking - Bridging the Gap And Going Beyond to Fight Black-Hat
Hacking - Bridging the Gap And Going Beyond to Fight Black-HatHacking - Bridging the Gap And Going Beyond to Fight Black-Hat
Hacking - Bridging the Gap And Going Beyond to Fight Black-HatSanthosh Tuppad
 

More Related Content

Similar to ExpoQA 2018 - Why software security has gotten worse? And what can we do about it_ - By Santhosh Tuppad

MacIT 2014 - Essential Security & Risk Fundamentals
MacIT 2014 - Essential Security & Risk FundamentalsMacIT 2014 - Essential Security & Risk Fundamentals
MacIT 2014 - Essential Security & Risk FundamentalsAlison Gianotto
 
N. Oskina, G. Asproni - Be your own Threatbuster! - Codemotion Milan 2018
N. Oskina, G. Asproni - Be your own Threatbuster! - Codemotion Milan 2018N. Oskina, G. Asproni - Be your own Threatbuster! - Codemotion Milan 2018
N. Oskina, G. Asproni - Be your own Threatbuster! - Codemotion Milan 2018Codemotion
 
You Can't Buy Security - DerbyCon 2012
You Can't Buy Security - DerbyCon 2012You Can't Buy Security - DerbyCon 2012
You Can't Buy Security - DerbyCon 2012jadedsecurity
 
Hit by a Cyberattack: lesson learned
Hit by a Cyberattack: lesson learned Hit by a Cyberattack: lesson learned
Hit by a Cyberattack: lesson learnedB.A.
 
DMA - Stupid Cyber Criminal Tricks
DMA - Stupid Cyber Criminal TricksDMA - Stupid Cyber Criminal Tricks
DMA - Stupid Cyber Criminal TricksThreatReel Podcast
 
Building a Security culture at Skyscanner 2016
Building a Security culture at Skyscanner 2016Building a Security culture at Skyscanner 2016
Building a Security culture at Skyscanner 2016Stu Hirst
 
So... you want to be a security consultant
So... you want to be a security consultant So... you want to be a security consultant
So... you want to be a security consultant abnmi
 
AI and Machine Learning In Cybersecurity | A Saviour or Enemy?
AI and Machine Learning In Cybersecurity | A Saviour or Enemy?AI and Machine Learning In Cybersecurity | A Saviour or Enemy?
AI and Machine Learning In Cybersecurity | A Saviour or Enemy?SahilRao25
 
Your users are humans and let's live our promise of securing them
Your users are humans and let's live our promise of securing themYour users are humans and let's live our promise of securing them
Your users are humans and let's live our promise of securing themSanthosh Tuppad
 
How you can become a hacker with no security experience
How you can become a hacker with no security experienceHow you can become a hacker with no security experience
How you can become a hacker with no security experienceAvădănei Andrei
 
How the Switch to a Predominantly Remote Workforce Accelerated IT and Securit...
How the Switch to a Predominantly Remote Workforce Accelerated IT and Securit...How the Switch to a Predominantly Remote Workforce Accelerated IT and Securit...
How the Switch to a Predominantly Remote Workforce Accelerated IT and Securit...Dana Gardner
 
Opsec for security researchers
Opsec for security researchersOpsec for security researchers
Opsec for security researchersvicenteDiaz_KL
 
Cybercrime and the Developer Java2Days 2016 Sofia
Cybercrime and the Developer Java2Days 2016 SofiaCybercrime and the Developer Java2Days 2016 Sofia
Cybercrime and the Developer Java2Days 2016 SofiaSteve Poole
 
Hacking - Breaking Into It
Hacking - Breaking Into ItHacking - Breaking Into It
Hacking - Breaking Into ItCTruncer
 
Cyber Threats and Data Privacy in a Digital World
Cyber Threats and Data Privacy in a Digital WorldCyber Threats and Data Privacy in a Digital World
Cyber Threats and Data Privacy in a Digital Worldqubanewmedia
 
Server-Side Second Factors: Approaches to Measuring User Authenticity
Server-Side Second Factors: Approaches to Measuring User AuthenticityServer-Side Second Factors: Approaches to Measuring User Authenticity
Server-Side Second Factors: Approaches to Measuring User AuthenticityDavid Freeman
 
IESBGA 2014 Cybercrime Seminar by John Bambenek
IESBGA 2014 Cybercrime Seminar by John BambenekIESBGA 2014 Cybercrime Seminar by John Bambenek
IESBGA 2014 Cybercrime Seminar by John BambenekJohn Bambenek
 

Similar to ExpoQA 2018 - Why software security has gotten worse? And what can we do about it_ - By Santhosh Tuppad (20)

MacIT 2014 - Essential Security & Risk Fundamentals
MacIT 2014 - Essential Security & Risk FundamentalsMacIT 2014 - Essential Security & Risk Fundamentals
MacIT 2014 - Essential Security & Risk Fundamentals
 
N. Oskina, G. Asproni - Be your own Threatbuster! - Codemotion Milan 2018
N. Oskina, G. Asproni - Be your own Threatbuster! - Codemotion Milan 2018N. Oskina, G. Asproni - Be your own Threatbuster! - Codemotion Milan 2018
N. Oskina, G. Asproni - Be your own Threatbuster! - Codemotion Milan 2018
 
You Can't Buy Security - DerbyCon 2012
You Can't Buy Security - DerbyCon 2012You Can't Buy Security - DerbyCon 2012
You Can't Buy Security - DerbyCon 2012
 
Pentest trends 2017
Pentest trends 2017Pentest trends 2017
Pentest trends 2017
 
Hit by a Cyberattack: lesson learned
Hit by a Cyberattack: lesson learned Hit by a Cyberattack: lesson learned
Hit by a Cyberattack: lesson learned
 
DMA - Stupid Cyber Criminal Tricks
DMA - Stupid Cyber Criminal TricksDMA - Stupid Cyber Criminal Tricks
DMA - Stupid Cyber Criminal Tricks
 
Building a Security culture at Skyscanner 2016
Building a Security culture at Skyscanner 2016Building a Security culture at Skyscanner 2016
Building a Security culture at Skyscanner 2016
 
So... you want to be a security consultant
So... you want to be a security consultant So... you want to be a security consultant
So... you want to be a security consultant
 
AI and Machine Learning In Cybersecurity | A Saviour or Enemy?
AI and Machine Learning In Cybersecurity | A Saviour or Enemy?AI and Machine Learning In Cybersecurity | A Saviour or Enemy?
AI and Machine Learning In Cybersecurity | A Saviour or Enemy?
 
Your users are humans and let's live our promise of securing them
Your users are humans and let's live our promise of securing themYour users are humans and let's live our promise of securing them
Your users are humans and let's live our promise of securing them
 
How you can become a hacker with no security experience
How you can become a hacker with no security experienceHow you can become a hacker with no security experience
How you can become a hacker with no security experience
 
Hackers secrets
Hackers secretsHackers secrets
Hackers secrets
 
How the Switch to a Predominantly Remote Workforce Accelerated IT and Securit...
How the Switch to a Predominantly Remote Workforce Accelerated IT and Securit...How the Switch to a Predominantly Remote Workforce Accelerated IT and Securit...
How the Switch to a Predominantly Remote Workforce Accelerated IT and Securit...
 
Robust Software Solutions.pptx
Robust Software Solutions.pptxRobust Software Solutions.pptx
Robust Software Solutions.pptx
 
Opsec for security researchers
Opsec for security researchersOpsec for security researchers
Opsec for security researchers
 
Cybercrime and the Developer Java2Days 2016 Sofia
Cybercrime and the Developer Java2Days 2016 SofiaCybercrime and the Developer Java2Days 2016 Sofia
Cybercrime and the Developer Java2Days 2016 Sofia
 
Hacking - Breaking Into It
Hacking - Breaking Into ItHacking - Breaking Into It
Hacking - Breaking Into It
 
Cyber Threats and Data Privacy in a Digital World
Cyber Threats and Data Privacy in a Digital WorldCyber Threats and Data Privacy in a Digital World
Cyber Threats and Data Privacy in a Digital World
 
Server-Side Second Factors: Approaches to Measuring User Authenticity
Server-Side Second Factors: Approaches to Measuring User AuthenticityServer-Side Second Factors: Approaches to Measuring User Authenticity
Server-Side Second Factors: Approaches to Measuring User Authenticity
 
IESBGA 2014 Cybercrime Seminar by John Bambenek
IESBGA 2014 Cybercrime Seminar by John BambenekIESBGA 2014 Cybercrime Seminar by John Bambenek
IESBGA 2014 Cybercrime Seminar by John Bambenek
 

More from Santhosh Tuppad

Tools are my servants. and I am the master - By Santhosh Tuppad
Tools are my servants. and I am the master - By Santhosh TuppadTools are my servants. and I am the master - By Santhosh Tuppad
Tools are my servants. and I am the master - By Santhosh TuppadSanthosh Tuppad
 
Hacking - Bridging the Gap And Going Beyond to Fight Black-Hat
Hacking - Bridging the Gap And Going Beyond to Fight Black-HatHacking - Bridging the Gap And Going Beyond to Fight Black-Hat
Hacking - Bridging the Gap And Going Beyond to Fight Black-HatSanthosh Tuppad
 
Web and mobile security workshop workbook v1 - by santhosh tuppad
Web and mobile security workshop workbook v1 - by santhosh tuppadWeb and mobile security workshop workbook v1 - by santhosh tuppad
Web and mobile security workshop workbook v1 - by santhosh tuppadSanthosh Tuppad
 
Testing IoT Security shouldn't fear you if you have got a hacker mindset - By...
Testing IoT Security shouldn't fear you if you have got a hacker mindset - By...Testing IoT Security shouldn't fear you if you have got a hacker mindset - By...
Testing IoT Security shouldn't fear you if you have got a hacker mindset - By...Santhosh Tuppad
 
The BUZZ Word - Entrepreneur. A Perspective of Santhosh Tuppad
The BUZZ Word - Entrepreneur. A Perspective of Santhosh TuppadThe BUZZ Word - Entrepreneur. A Perspective of Santhosh Tuppad
The BUZZ Word - Entrepreneur. A Perspective of Santhosh TuppadSanthosh Tuppad
 
Agile Testing Days Tutorial (Germany) 2017 - Web and Mobile Security Testing...
Agile Testing Days Tutorial (Germany) 2017 - Web and Mobile Security Testing...Agile Testing Days Tutorial (Germany) 2017 - Web and Mobile Security Testing...
Agile Testing Days Tutorial (Germany) 2017 - Web and Mobile Security Testing...Santhosh Tuppad
 
Test ideas for Login / Authentication and Login Session
Test ideas for Login / Authentication and Login SessionTest ideas for Login / Authentication and Login Session
Test ideas for Login / Authentication and Login SessionSanthosh Tuppad
 
Passion is a free spirit, only you can cage it.
Passion is a free spirit, only you can cage it.Passion is a free spirit, only you can cage it.
Passion is a free spirit, only you can cage it.Santhosh Tuppad
 
Software Testing - Heuristics Cheat Sheet
Software Testing - Heuristics Cheat SheetSoftware Testing - Heuristics Cheat Sheet
Software Testing - Heuristics Cheat SheetSanthosh Tuppad
 
Santhosh tuppad romanian testing conference 2017 - keynote presentation
Santhosh tuppad romanian testing conference 2017 - keynote presentationSanthosh tuppad romanian testing conference 2017 - keynote presentation
Santhosh tuppad romanian testing conference 2017 - keynote presentationSanthosh Tuppad
 
Santhosh Tuppad - Profile - Entrepreneur - Software Tester - Ethical Hacker -...
Santhosh Tuppad - Profile - Entrepreneur - Software Tester - Ethical Hacker -...Santhosh Tuppad - Profile - Entrepreneur - Software Tester - Ethical Hacker -...
Santhosh Tuppad - Profile - Entrepreneur - Software Tester - Ethical Hacker -...Santhosh Tuppad
 
Santhosh tuppad - A journey that is fascinating and will be more fascinating ...
Santhosh tuppad - A journey that is fascinating and will be more fascinating ...Santhosh tuppad - A journey that is fascinating and will be more fascinating ...
Santhosh tuppad - A journey that is fascinating and will be more fascinating ...Santhosh Tuppad
 

More from Santhosh Tuppad (12)

Tools are my servants. and I am the master - By Santhosh Tuppad
Tools are my servants. and I am the master - By Santhosh TuppadTools are my servants. and I am the master - By Santhosh Tuppad
Tools are my servants. and I am the master - By Santhosh Tuppad
 
Hacking - Bridging the Gap And Going Beyond to Fight Black-Hat
Hacking - Bridging the Gap And Going Beyond to Fight Black-HatHacking - Bridging the Gap And Going Beyond to Fight Black-Hat
Hacking - Bridging the Gap And Going Beyond to Fight Black-Hat
 
Web and mobile security workshop workbook v1 - by santhosh tuppad
Web and mobile security workshop workbook v1 - by santhosh tuppadWeb and mobile security workshop workbook v1 - by santhosh tuppad
Web and mobile security workshop workbook v1 - by santhosh tuppad
 
Testing IoT Security shouldn't fear you if you have got a hacker mindset - By...
Testing IoT Security shouldn't fear you if you have got a hacker mindset - By...Testing IoT Security shouldn't fear you if you have got a hacker mindset - By...
Testing IoT Security shouldn't fear you if you have got a hacker mindset - By...
 
The BUZZ Word - Entrepreneur. A Perspective of Santhosh Tuppad
The BUZZ Word - Entrepreneur. A Perspective of Santhosh TuppadThe BUZZ Word - Entrepreneur. A Perspective of Santhosh Tuppad
The BUZZ Word - Entrepreneur. A Perspective of Santhosh Tuppad
 
Agile Testing Days Tutorial (Germany) 2017 - Web and Mobile Security Testing...
Agile Testing Days Tutorial (Germany) 2017 - Web and Mobile Security Testing...Agile Testing Days Tutorial (Germany) 2017 - Web and Mobile Security Testing...
Agile Testing Days Tutorial (Germany) 2017 - Web and Mobile Security Testing...
 
Test ideas for Login / Authentication and Login Session
Test ideas for Login / Authentication and Login SessionTest ideas for Login / Authentication and Login Session
Test ideas for Login / Authentication and Login Session
 
Passion is a free spirit, only you can cage it.
Passion is a free spirit, only you can cage it.Passion is a free spirit, only you can cage it.
Passion is a free spirit, only you can cage it.
 
Software Testing - Heuristics Cheat Sheet
Software Testing - Heuristics Cheat SheetSoftware Testing - Heuristics Cheat Sheet
Software Testing - Heuristics Cheat Sheet
 
Santhosh tuppad romanian testing conference 2017 - keynote presentation
Santhosh tuppad romanian testing conference 2017 - keynote presentationSanthosh tuppad romanian testing conference 2017 - keynote presentation
Santhosh tuppad romanian testing conference 2017 - keynote presentation
 
Santhosh Tuppad - Profile - Entrepreneur - Software Tester - Ethical Hacker -...
Santhosh Tuppad - Profile - Entrepreneur - Software Tester - Ethical Hacker -...Santhosh Tuppad - Profile - Entrepreneur - Software Tester - Ethical Hacker -...
Santhosh Tuppad - Profile - Entrepreneur - Software Tester - Ethical Hacker -...
 
Santhosh tuppad - A journey that is fascinating and will be more fascinating ...
Santhosh tuppad - A journey that is fascinating and will be more fascinating ...Santhosh tuppad - A journey that is fascinating and will be more fascinating ...
Santhosh tuppad - A journey that is fascinating and will be more fascinating ...
 

Recently uploaded

Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)Zilliz
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodJuan lago vázquez
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamUiPathCommunity
 
AI in Action: Real World Use Cases by Anitaraj
AI in Action: Real World Use Cases by AnitarajAI in Action: Real World Use Cases by Anitaraj
AI in Action: Real World Use Cases by AnitarajAnitaRaj43
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Orbitshub
 
Choreo: Empowering the Future of Enterprise Software Engineering
Choreo: Empowering the Future of Enterprise Software EngineeringChoreo: Empowering the Future of Enterprise Software Engineering
Choreo: Empowering the Future of Enterprise Software EngineeringWSO2
 
Introduction to use of FHIR Documents in ABDM
Introduction to use of FHIR Documents in ABDMIntroduction to use of FHIR Documents in ABDM
Introduction to use of FHIR Documents in ABDMKumar Satyam
 
Vector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptxVector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptxRemote DBA Services
 
Decarbonising Commercial Real Estate: The Role of Operational Performance
Decarbonising Commercial Real Estate: The Role of Operational PerformanceDecarbonising Commercial Real Estate: The Role of Operational Performance
Decarbonising Commercial Real Estate: The Role of Operational PerformanceIES VE
 
API Governance and Monetization - The evolution of API governance
API Governance and Monetization - The evolution of API governanceAPI Governance and Monetization - The evolution of API governance
API Governance and Monetization - The evolution of API governanceWSO2
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMESafe Software
 
Six Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal OntologySix Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal Ontologyjohnbeverley2021
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMESafe Software
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Platformless Horizons for Digital Adaptability
Platformless Horizons for Digital AdaptabilityPlatformless Horizons for Digital Adaptability
Platformless Horizons for Digital AdaptabilityWSO2
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Victor Rentea
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MIND CTI
 
Stronger Together: Developing an Organizational Strategy for Accessible Desig...
Stronger Together: Developing an Organizational Strategy for Accessible Desig...Stronger Together: Developing an Organizational Strategy for Accessible Desig...
Stronger Together: Developing an Organizational Strategy for Accessible Desig...caitlingebhard1
 
TEST BANK For Principles of Anatomy and Physiology, 16th Edition by Gerard J....
TEST BANK For Principles of Anatomy and Physiology, 16th Edition by Gerard J....TEST BANK For Principles of Anatomy and Physiology, 16th Edition by Gerard J....
TEST BANK For Principles of Anatomy and Physiology, 16th Edition by Gerard J....rightmanforbloodline
 

Recently uploaded (20)

Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
 
AI in Action: Real World Use Cases by Anitaraj
AI in Action: Real World Use Cases by AnitarajAI in Action: Real World Use Cases by Anitaraj
AI in Action: Real World Use Cases by Anitaraj
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
 
Choreo: Empowering the Future of Enterprise Software Engineering
Choreo: Empowering the Future of Enterprise Software EngineeringChoreo: Empowering the Future of Enterprise Software Engineering
Choreo: Empowering the Future of Enterprise Software Engineering
 
Introduction to use of FHIR Documents in ABDM
Introduction to use of FHIR Documents in ABDMIntroduction to use of FHIR Documents in ABDM
Introduction to use of FHIR Documents in ABDM
 
Vector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptxVector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptx
 
Decarbonising Commercial Real Estate: The Role of Operational Performance
Decarbonising Commercial Real Estate: The Role of Operational PerformanceDecarbonising Commercial Real Estate: The Role of Operational Performance
Decarbonising Commercial Real Estate: The Role of Operational Performance
 
API Governance and Monetization - The evolution of API governance
API Governance and Monetization - The evolution of API governanceAPI Governance and Monetization - The evolution of API governance
API Governance and Monetization - The evolution of API governance
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Six Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal OntologySix Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal Ontology
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Platformless Horizons for Digital Adaptability
Platformless Horizons for Digital AdaptabilityPlatformless Horizons for Digital Adaptability
Platformless Horizons for Digital Adaptability
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
Stronger Together: Developing an Organizational Strategy for Accessible Desig...
Stronger Together: Developing an Organizational Strategy for Accessible Desig...Stronger Together: Developing an Organizational Strategy for Accessible Desig...
Stronger Together: Developing an Organizational Strategy for Accessible Desig...
 
Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..
 
TEST BANK For Principles of Anatomy and Physiology, 16th Edition by Gerard J....
TEST BANK For Principles of Anatomy and Physiology, 16th Edition by Gerard J....TEST BANK For Principles of Anatomy and Physiology, 16th Edition by Gerard J....
TEST BANK For Principles of Anatomy and Physiology, 16th Edition by Gerard J....
 

ExpoQA 2018 - Why software security has gotten worse? And what can we do about it_ - By Santhosh Tuppad

  • 1.
  • 2. Why software security has gotten worse? And what can we do about it? Santhosh Tuppad, Sometimes BlackHat & Sometimes WhiteHat… I am that man who you don’t want to trust Twitter: @santhoshst | email: Santhosh.Tuppad@gmail.com
  • 3. sh-3.2# whoami I have been a great liar, wise manipulator, a thief, physical infrastructure breaker, web application hacker, mobile apps hacker, kiosk machine basher, black-hat hacker, white-hat hacker, trainer, security coach, lover of mean machines, spiritual practitioner and blah blah blah!
  • 4. BRACE YOURSELF... Things are going to get WORSE. Future is not so cool considering the risks about 80 billion smart devices by 2025.
  • 5. CURRENT STATE OF SECURITY IS TOTALLY SICK! ● OUT OF 10 HOSPITALS 8 OF THEM CAN BE EXPLOITED ● OUT OF 10 SPONSORS IN THIS CONFERENCE 6 OF THEM CAN BE EXPLOITED AND COMPROMISED ● OUT OF 10 WEBSITES USING WORDPRESS, 9 OF THEM POSE RISK ● ELECTRONIC COMMERCE ARE THE WORST… USUALLY! In short, if you are a hacker with blackhat intention, you need not worry about food, clothing and shelter.
  • 6. WEHAVEBEENDOINGITWRONG…TOTALLY! ● Massive Skill Shortage ● Very few white-hat hackers think like black-hat hackers ● Functional Testing Bias ● Fear of learning Ethical Hacking ● Scanners just don’t suffice, we need hackers (with real skills) ● Extrinsic Motivation is More Powerful Than Intrinsic ● Lack of understanding within the team ● Ample number of reasons for giving excuses ● Comfort layer which says, “Hah, I am okay to do average job”.
  • 7. ● We are not hiring hackers like “Santhosh Tuppad” ;-) ● We think it’s NOT a SHARED responsibility :-( ● Our Developers are not aware of secure coding guidelines :-( ● We highly rely on certified hackers instead of the REAL ones ● We are most fascinated with the decoration of report than the real deliverable (vulnerabilities and exploits) ● We don’t FEEL for our USERS… We say, “We Care!”. Hah! ● Many more... MORE REASONS...
  • 8.
  • 9. ● What database are we using? ● Have we upgraded all the systems to the updated version like Javascripts, database, servers, third-party components etcetera. ● Are we using parsed statements for SQL queries? ● Are we having account lockout policy? ● What Firewall are we using if we are? And more importantly, can I take a look at the configuration of the Firewall? Are there any stories behind these configurations? On what basis, we are setting the account lockout on 100 invalid login attempts. WHAT CAN WE DO ABOUT IT? Start with questioning...
  • 10. ● What are we doing to avoid XSS attacks? Do we have HTML encoding, Javascript encoding, database encoding in place? ● How are we handling the authorisation? ● Have we taken care of security improvements via secure HTTP Headers? ● Why do we trust the third-party components that we have integrated? ● Are we GDPR compliant? Are there any hiccups/loopholes? ● Do we have VISION for “Software Security”? WHAT CAN WE DO ABOUT IT?
  • 11. ○ Start with “Hacking for Dummies” by Kevin Beaver ○ Watch Snowden, Swordfish, Mr.Robot, DarkNet (18+ Sex, Violence, Blood etc.) ○ Watch “Major Malfunction” Adam on YouTube ○ Think Crime (Think like a criminal) ○ Start using Scanners and look into results. Ask yourself, “What makes these results popup?” ○ DNF: OWASP Cheat sheets to kickstart WHAT CAN WE DO ABOUT IT? Learn some attacks or security tests...
  • 12. If you want to be great at anything, you need to focus on Mindset.
  • 13.
  • 14. Spain is beautiful… So is Software… Functional makes Sense… So does Security… We get paid for work… Are we doing a good job? Do we believe that “self-education” is our priority? … Do we want to move towards better security? Thank you everyone. Talk to me @santhoshst (Twitter) or just say, “Hackintosh” when you see me to speak in person.