A presentation at the Sydney WebApp meeting for the security stream. Covers some easy-to-follow examples of the more common things found, and general recommendations for development teams.
2-4. Started off doing web-dev, sysadmin, programming (the 90's, traditional web-dev)
Have been doing security research for 10+ years
  Designing/developing custom sec-tech.
  Security assessments (code review, pentesting, etc.)
  Consulting related to security defense, etc.
Over the past several years, the term 'web' has well and truly changed, and now encompasses (modern web-dev, now):
  HTML-based user-interfaces for apps
  Mobile phone applications
  Web-based SaaS, web-services, etc.
  ChromeOS, etc.
6-8. However:
• Text-book vulnerable code (e.g. SQL injection) is not so common
• Flaws are becoming more complicated (or at least abstracted)
• Showing exploitation of vulnerabilities is useful to illustrate the risk
• But also takes away from explaining how these bugs surface
• Vulnerability statistics can be interesting
• But can also be quite misleading
9-11. Provide example flaws based on recent web-related assessments
  Often developers making a small (sometimes understandable) mistake
Run through several defensive steps
  A few processes and mitigation methods to consider
  General guidance, recommended reading, etc.
I only have 20 minutes for this, but I'll be touching on quite a lot
  These slides will be put online with all of the references, links, etc.
  Also happy to chat about any of this over a drink
12. Interpretation
• Language/compiler behaviors and annoying technicalities
Logic Flaws
• Logic issues that don't have an immediate security impact
Technology Layers
• How technology layers can have interesting technicalities
Defensive Measures
• Several approaches to help manage webapp risks
16. Technology / Functionality / Test Cases (mapping table from the slide)
PHP & Apache & Linux / Web Upload & Compile, Execute Binary / Test Case Sets
17. Test cases for the above:
1. How is the PHP upload working?
  1. How is the uploaded file stored?
  2. How are file extensions validated?
  3. …
2. How is it executing the binary?
  1. Queued in a database?
  2. via PHP popen(), system()?
  3. Pushing to other web-services?
  4. …
3. What is returned to the user?
  1. Is user-controlled input correctly encoded (filename, etc.)?
  2. …
4. …
21. A few minutes later…
Pop a www-user shell over a reliable and encrypted channel
Determine the entry-point flaw
Start a white-box code review of the application
Start a review of the host environment and surrounding infrastructure
23. Simplified Code: The Bug
param is attacker-controlled
param is not explicitly cast as a numeric value, thus:
  param = '0.1' = PASS
  param = '1.1' = FAIL
  param = 'and hi' = FAIL
  param = '1.1 and hi' = FAIL
  param = '0.1 and hi' = PASS
Resulting in arbitrary command execution on the system
24. Simplified Code: Explanation
param is attacker-controlled
param is validated as a numeric value between 0 and 1
  param = '0.1' = PASS
  param = '1.1' = FAIL
  param = 'and hi' = FAIL
  param = '1.1 and hi' = FAIL
  param = '0.1 and hi' = FAIL
The escapeshellarg() function is also used to escape the argument to popen()
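An added example, not the talk's own code (the "Simplified Code" itself is not reproduced on this page): a PHP reconstruction of the slide-23 bug beside the slide-24 fix. The check `$param > 0 && $param < 1`, the function names and the command path are assumptions chosen so that the PASS/FAIL table above is reproduced.

```php
<?php
// Added example, not the talk's code. The original "Simplified Code" is not on
// the page; the range check below is an assumption that reproduces its table.

// Vulnerable: $param is never cast, so PHP's loose comparison is applied to a
// string. '0.1 and hi' passes (converted to 0.1 on PHP 7; compared as a string
// against '0' and '1' on PHP 8) and the raw string reaches the shell command.
function buildCommandVulnerable(string $param): ?string
{
    if ($param > 0 && $param < 1) {
        // What the original handed to popen(): unescaped, attacker-controlled text.
        return '/opt/app/bin/compile-job --ratio=' . $param;   // path is assumed
    }
    return null;   // FAIL
}

// Fixed: require a numeric string, cast it, range-check the number, and escape
// the argument with escapeshellarg() as a second layer before it goes to popen().
function buildCommandFixed(string $param): ?string
{
    if (!is_numeric($param)) {
        return null;   // 'and hi', '1.1 and hi', '0.1 and hi' are rejected here
    }
    $ratio = (float) $param;
    if ($ratio <= 0.0 || $ratio >= 1.0) {
        return null;   // '1.1' is rejected here
    }
    return '/opt/app/bin/compile-job --ratio=' . escapeshellarg(sprintf('%.6F', $ratio));
}

// Constructed inputs: the five cases from the slide's table.
$inputs = ['0.1', '1.1', 'and hi', '1.1 and hi', '0.1 and hi'];
foreach ($inputs as $in) {
    printf("%-14s vulnerable: %-5s fixed: %s\n", "'$in'",
        buildCommandVulnerable($in) === null ? 'FAIL' : 'PASS',
        buildCommandFixed($in) === null ? 'FAIL' : 'PASS');
}
```

Only the last row differs between the two columns, which is exactly the row the slide marks as the bug.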
26. This example is a bit dumb, but: The Bug
strcmp() accepts two strings and returns 0 if they match
The return value of strcmp() is checked using the type-unsafe equality operator '=='
If either parameter is not a string (for example an array) strcmp() will fail and return 0/NULL
27. The Fix: Explanation
strcmp() accepts two strings and returns 0 if they match
The return value of strcmp() is checked using the type-safe equality operator '==='
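An added example, not the talk's own code: the slide-26 strcmp() bug beside the slide-27 fix in PHP, with a constructed driver that feeds each check a wrong token, the right token and an array. Function, parameter and token names are assumptions.

```php
<?php
// Added example, not the talk's code: the slide-26 strcmp() bug beside the
// slide-27 fix. Function and parameter names are assumptions.

// Vulnerable: on PHP 5/7, strcmp() given a non-string (e.g. an array, which
// PHP's request parsing produces for bracketed parameter names) emits a warning
// and returns NULL, and NULL == 0 is true, so the check passes without the real
// token.
function tokenMatchesVulnerable($submitted, string $expected): bool
{
    return @strcmp($submitted, $expected) == 0;   // loose equality
}

// Fixed: refuse anything that is not a string, then compare with ===. For
// secrets, hash_equals() (PHP >= 5.6) additionally avoids timing leaks.
function tokenMatchesFixed($submitted, string $expected): bool
{
    if (!is_string($submitted)) {
        return false;
    }
    return strcmp($submitted, $expected) === 0;   // strict equality
}

// Constructed inputs: a wrong token, the right token, and an array.
$secret = 'constructed-example-token';
foreach (['wrong-token', 'constructed-example-token', ['x']] as $input) {
    $label = is_array($input) ? 'array' : "'$input'";
    $fixed = tokenMatchesFixed($input, $secret) ? 'match' : 'no match';
    try {
        $vuln = tokenMatchesVulnerable($input, $secret) ? 'match' : 'no match';
    } catch (TypeError $e) {
        $vuln = 'TypeError';   // PHP 8 throws instead of returning NULL
    }
    printf("%-28s vulnerable: %-9s fixed: %s\n", $label, $vuln, $fixed);
}
```

On PHP 7 the array row reports a match from the vulnerable check, which is the bypass the slide describes; on PHP 8 it is a TypeError, a crash rather than a bypass, but the loose comparison remains wrong.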
28-30. A lot of higher-level languages are quite lax about data-types
  This is dangerous for web-languages and affects many applications
  Be explicit and remove assumptions about data-types
A common trend is for developers to lower their guard post-validation
  "This user-controlled data is now trusted" is a very dangerous assumption
It can be dangerous hopping between programming languages
  Programmers of different backgrounds make various (risky) assumptions
  Get proficient at the languages you spend most time in
  Every single language has its "gotchas" to be aware of
31. How logic flaws can be much more serious than a security hole
33. The interface performed (adequate) client-side and server-side validations
34-35. Later on, discovered an (almost) identical interface
Oh, snap
36. Explanation
(Diagram in the original slide: Payment Resource A and Payment Resource B both feed a Payment Gateway Bridge)
Virtually identical payment resources were implemented separately
One (the lesser visible) resource missed a server-side validation for negative sums
The flaw allowed an attacker to credit an arbitrary account (i.e. receive money)
37-39. "Safe" applications can still suffer from application-specific risks
  This was a relatively well written .NET application with minimal security risks
  Yet, this single logic bug raised more immediate concern than if I had popped a shell
The nature of new software functional requirements should be treated with caution
  Hacked-on components/interfaces without proper system and integration analysis
There are huge risks when critical validation/integration isn't centralized
  Often has a higher chance of inconsistent validation rules
  Makes it more expensive and inefficient to both implement and later fix issues
  Less efficient to review critical code when it's scattered erratically
41. Data transferring from higher-level languages down to the OS level introduces certain risks
Technicalities such as how NULL bytes are treated by certain functions affect almost all languages
A couple of basic examples: .NET/Java, iOS applications, PHP, …
So far this year have found such issues in two jobs (.NET and Java)
  Arbitrary file write to full server compromise
42. XSS is very common and affects more and more technologies and devices
  UIWebView in iOS, etc.
Many interesting attacks possible
  Attacking internal network infra.
  Triggering client-side vulnerabilities
  Targeted phishing attacks that execute specific payloads
Increasingly used for decently executed targeted attacks
  Such as using XSS to own apache.org
43. Secure, Open, Convenient: pick two
Frameworks are great for many obvious reasons
  It's clear frameworks do help limit or remove certain risks
  But there's a lot of functionality that's supported and/or exposed
Ruby on Rails is a recent target by researchers
  It will take some time for it to mature
  Louis from PentesterLab gave a great overview on the recent issues
45. Mitigations are about raising the cost of an attack
Try avoiding things that add an attack surface (e.g. WAFs)
Explicit inbound/outbound network trusts should be part of provisioning
End-point threats affect almost everyone these days
  Review the DSD's Top 35
See what big targets are doing:
  Facebook talk from Ruxcon
46. Threat Modeling
It's important to spend some time to think about your potential adversaries
Threats aren't just bots and kids scanning your network and webapps
  People focusing on your apps
  Social engineering (remote or physical)
  Internal staff
  (the list goes on...)
A basic way to get started in-house is to try Microsoft's card-game!
47. Unfortunately, it's still common for things to be out of date/vulnerable
Subscribe to a freely available vulnerability alerting service
Regularly review your external internet presence and services
Try to lean on auto. updates, or test with a prod clone with them enabled to see if things break
If it's not essential, don't run it
48. During code reviews I usually map out developer comments
  Frequency of comments vs. mood
  The use of specific keywords (e.g. XXX, TODO, dropping the f-bomb)
Instead of venting in code, keep a risk register for risky/uncertain spots
Have a peer-review process and/or periodically bring in an external specialist to help go over it
49. Some basic changes to QA testing can pick up some low-hanging fruit
  Fixing issues internally during development is a lot cheaper
Lots of excellent resources for learning and testing, such as PentesterLab.com
There are good guides for different languages, such as the Ruby guide by Meder@Google
50. Keep up with research relevant to you, there's new things every day
  I develop a tool called 'Talkback' that tracks news/research
There are free monthly seminars called 'Ruxmon' in Sydney
Consider attending the annual Ruxcon security conference in Melbourne
51. Bugs happen. It's okay.
Dedicate some time to think about:
  Your potential threats
  How you can introduce security tests during your development lifecycle
If you get external security people in:
  Think about what you want to get exactly
  Organise it to be as efficient as possible
Remember that:
  functionality = attack surface
  KISS is a security feature in itself
  The devil is in the details