sake securitydevsec-18042016


Post on 10-Feb-2017


TRANSCRIPT

  • DEVELOPERS AS SECURITY TESTERS #SAKE18 #DEVSEC #SOLITATECH

    Antti.virtanen@solita.fi
    Sanoma Knowledge Technology Exchange 18.4.2016

  • TODAY

    Me? A software architect at Solita. Security/hacking amateur.

    Today...
    Security testing during software development
    Can developers do it?
    Demo: How to do it in practice

  • Source: Hackerman, Kung Fury movie

    Source: NSA recruitment video.

    Source: securityintelligence.com

    Source: Lizard Squad hacking group logo

  • LET'S FOCUS ON SOFTWARE

    Solita is mostly involved in the inner layer of the onion, implementing software solutions.

    Mostly browser based solutions.

    ... so that's what we'll discuss today.

  • Threat analysis
    Implementation and design
    Automated tests
    Manual tests
    Operational security

  • SOLITA #DEVSEC LANDSCAPE

  • DEVELOPERS VS. EXPERTS

    Pros:
    Enables continuous security testing.
    Developers will automate. Minimal hand-over costs.
    Will find important non-security related bugs.

    Cons:
    Not security specialists. Will miss some things.
    May need investment (training, some tools).

  • LET'S DEMO! MANUAL TESTING BY DEVELOPERS

    Let's look at Burp Proxy as an example...

    Demo!

    The application is a customized Surveypal. Questions, answers, reports. The demo setup is the usual development setup, only the proxy is special.

  • DEVELOPER -> HACKER

    Traits:
    Curiosity and creativity. What will happen, if... ?
    Perseverance

    Skills:
    Technical knowledge, deep/wide
    Common vulnerabilities
    Security testing

    Some developers are hobbyist hackers. (Apply at rekry@solita.fi)
