Identity theft is perhaps the most concerning kind of Cybercrime nowadays. The most concerning aspect of identity theft is that once you are a victim it is hard to get rid of the consequences. Although as developers we are probably well aware of the risks towards cybercrime and identity theft in particular, in many parts we as developers play a big role in making identity theft happen. It is not only about how secure is your program, but how aware are you? Or better said how naive are we in practice as developers in this big bad world.

1. Identity theft
developer is key

2. Identity theft
Cybercrime
Hard to get rid of the consequences
We create the code
We protect the data

3. Are we part of the solution
Or part of the problem?

4. Brian Vermeer
Software Engineer

5. Brian Vermeer
Software Engineer

6. Brian Vermeer
Software Engineer

7. Brian Vermeer
Software Engineer

8. Brian Vermeer
Software Engineer

9. Brian Vermeer
Software Engineer

10. Brian Vermeer
Software Engineer

11. Cybercrime
Real threat
and it is growing
Organised and professional
it’s a business
Risks are low
We are not ready
Lot of money involved

12. How profitable is cybercrime?

13. Identity theft
Identity theft is the deliberate use of someone else's
identity, usually as a method to gain a financial advantage or
obtain credit and other benefits in the other person's name,
and perhaps to the other person's disadvantage or loss.
The person whose identity has been assumed may suffer
adverse consequences if they are held responsible for the
perpetrator's actions.

14. Kevin Goes (30)
Some else used a copy of his
passport
and rented several houses

15. Kevin Goes (30)

16. Data is like crude oil
by itself it is dead, but comes to live when applying the right
kind of science

18. What can we do as developers
Protect yourself & be aware

19. Protect youself

20. Protect youself
Where do I leave my notebook ?

21. Protect youself
Where do I leave my notebook ?
Where do I store my passwords ?

22. Protect youself
Where do I leave my notebook ?
Where do I store my passwords ?
Do I use my password multiple times ?

23. Protect youself
Where do I leave my notebook ?
Where do I store my passwords ?
Do I use my password multiple times ?
Is my software up to date ?

24. Protect youself
Where do I leave my notebook ?
Where do I store my passwords ?
Do I use my password multiple times ?
Is my software up to date ?
2 step verification ?

25. Protect youself
Where do I leave my notebook ?
Where do I store my passwords ?
Do I use my password multiple times ?
Is my software up to date ?
2 step verification ?
What wifi hotspot do I use ?

29. Software Development

30. Our application
What we think it is

31. Our application
What we think it is
What it actually is

33. How many dependencies?
Are all needed?
Are all up-to-date?
Are all reliable?
Dependencies

35. Don't trust blindly

36. Security
as part of your development process
business value VS security
code reviews
clean code = secure code

37. OWASP - ASVS
Open Web Application Security
Project
Application Security Verification
Standard
https://www.owasp.org/index.php/
Category:OWASP_Application_Securit
y_Verification_Standard_Project

38. Code review
String url = "jdbc:postgresql://localhost:5432/test?user=brian&password=brian";
Connection conn = DriverManager.getConnection(url);
Statement stmt = conn.createStatement();
String newName = request.getParameter("name");
String sql = "UPDATE Users SET name = '" + newName + "' WHERE id=1";
stmt.execute(sql);

39. Code review
String url = "jdbc:postgresql://localhost:5432/test?user=brian&password=brian";
Connection conn = DriverManager.getConnection(url);
Statement stmt = conn.createStatement();
String newName = request.getParameter("name");
String sql = "UPDATE Users SET name = '" + newName + "' WHERE id=1";
stmt.execute(sql);
what if my input = ' '; '
UPDATE USERS SET NAME =' '; ' WHERE id=1;

40. SQL Injection
String url = "jdbc:postgresql://localhost:5432/test?user=brian&password=brian";
Connection conn = DriverManager.getConnection(url);
Statement stmt = conn.createStatement();
String newName = request.getParameter("name");
String sql = "UPDATE Users SET name = '" + newName + "' WHERE id=1";
stmt.execute(sql);
what if my input = ' '; UPDATE Users SET name = ' '
UPDATE USERS SET NAME =' '; UPDATE Users SET name = '' WHERE id=1;

41. Query Parameterization
String url = "jdbc:postgresql://localhost:5432/test?user=brian&password=brian";
Connection conn = DriverManager.getConnection(url);
String newName = request.getParameter("name");
String sql = "UPDATE Users SET name = ? WHERE id=1";
PreparedStatement pstmt = conn.prepareStatement(sql);
pstmt.setString(1, newName);
pstmt.executeUpdate();

42. Password storage

43. Password protection
Don’t store plain text
Don’t limit the password length
Don’t limit the character set
Don’t use an ordinary hash function

44. Password protection
Use a password policy
Use a cryptographically strong credential-specific salt
Use a cryptographic hash algorithm (e.g. PBKDF2)
Use a HMAC (keyed-hash message authentication code), HMAC-SHA256
Design to be compromised

45. XSS (Cross Side Scripting)
http://www.jfokus.se/saveComment?comment=JFokus+is+Awesome!
<h3> Thank you for you comments! </h3>
You wrote:
<p/>
JFokus is Awsome
<p/>

46. XSS (Cross Site Scripting)
http://www.jfokus.se/saveComment?comment=<script src="evil.com/
x.js"></script>
<h3> Thank you for you comments! </h3>
You wrote:
<p/>
<script src="evil.com/x.js"></script>
<p/>

47. Summary
BE AWARE
Protect yourself
Integrate security in development
process
https://www.owasp.org
ASVS

48. Brian Vermeer
@BrianVerm
brian@brianvermeer.nl