DEVELOPERS AS SECURITY TESTERS #SAKE18 #DEVSEC #SOLITATECH
[email protected] Knowledge Technology Exchange 18.4.2016
TODAY
› Me?
• A software architect at Solita.
• Security/hacking amateur.
› Today...
• Security testing during software development
• Can developers do it?
• Demo: How to do it in practice
Source: Hackerman, Kung Fury movie
Source: NSA recruitment video.
Source: securityintelligence.com
Source: Lizard Squad hacking group logo
LET’S FOCUS ON SOFTWARE
› Solita is mostly involved in the inner layer of the onion, implementing software solutions.
› Mostly browser-based solutions.
› ... so that's what we'll discuss today.
SOLITA #DEVSEC LANDSCAPE
› Threat analysis
› Implementation and design
› Automated tests
› Manual tests
› Operational security
DEVELOPERS VS. EXPERTS
› Pros:
• Enables continuous security testing.
• Developers will automate.
• Minimal hand-over costs.
• Will find important non-security-related bugs.
› Cons:
• Not security specialists. Will miss some things.
• May need investment (training, some tools).
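What "developers will automate" can look like in practice, as an added example that is not from the talk or from Solita's code: a tiny stdlib-only WSGI app stands in for the questions/answers/reports application, and two security regression checks (an endpoint must refuse requests without a valid token; a reflected answer must come back HTML-encoded) live beside the ordinary unit tests so they run on every build. All routes, function names and the token value are constructed for this example.

```python
"""Developer-written automated security checks against a hypothetical survey app.

Added example, not code from the presentation. The WSGI app below is a stand-in
for the real application; every route, name and value is constructed.
"""
import html
import io
from urllib.parse import parse_qs, urlencode

API_TOKEN = "constructed-demo-token"  # placeholder; a real app reads this from a secret store


def survey_app(environ, start_response):
    """Hypothetical app: /report needs a bearer token, /echo reflects a submitted answer."""
    path = environ.get("PATH_INFO", "/")
    auth = environ.get("HTTP_AUTHORIZATION", "")
    if path == "/report":
        if auth != "Bearer " + API_TOKEN:
            start_response("401 Unauthorized", [("Content-Type", "text/plain")])
            return [b"authentication required"]
        start_response("200 OK", [("Content-Type", "text/plain")])
        return [b"report: 3 answers"]
    if path == "/echo":
        answer = parse_qs(environ.get("QUERY_STRING", "")).get("answer", [""])[0]
        body = "<p>You answered: %s</p>" % html.escape(answer)  # output encoding on the way out
        headers = [("Content-Type", "text/html; charset=utf-8"),
                   ("X-Content-Type-Options", "nosniff")]
        start_response("200 OK", headers)
        return [body.encode("utf-8")]
    start_response("404 Not Found", [("Content-Type", "text/plain")])
    return [b"not found"]


def call(app, path, query="", headers=None):
    """Minimal in-process WSGI client: returns (status line, headers dict, body text)."""
    environ = {
        "REQUEST_METHOD": "GET",
        "PATH_INFO": path,
        "QUERY_STRING": query,
        "SERVER_NAME": "localhost",
        "SERVER_PORT": "80",
        "wsgi.input": io.BytesIO(b""),
        "wsgi.url_scheme": "http",
    }
    for name, value in (headers or {}).items():
        environ["HTTP_" + name.upper().replace("-", "_")] = value
    captured = {}

    def start_response(status, response_headers):
        captured["status"] = status
        captured["headers"] = dict(response_headers)

    body = b"".join(app(environ, start_response)).decode("utf-8")
    return captured["status"], captured["headers"], body


def report_requires_auth():
    """Regression check: /report refuses missing and wrong tokens, accepts the right one."""
    status_anon, _, _ = call(survey_app, "/report")
    status_bad, _, _ = call(survey_app, "/report", headers={"Authorization": "Bearer wrong"})
    status_ok, _, _ = call(survey_app, "/report", headers={"Authorization": "Bearer " + API_TOKEN})
    return (status_anon.startswith("401") and status_bad.startswith("401")
            and status_ok.startswith("200"))


def reflected_answer_is_escaped():
    """Regression check: answer text returns HTML-encoded, never as live markup."""
    probe = "<b>x</b>"  # constructed input containing markup characters
    _, headers, body = call(survey_app, "/echo", query=urlencode({"answer": probe}))
    return (probe not in body and html.escape(probe) in body
            and headers.get("X-Content-Type-Options") == "nosniff")


if __name__ == "__main__":
    print("report auth check:", "pass" if report_requires_auth() else "FAIL")
    print("answer escaping check:", "pass" if reflected_answer_is_escaped() else "FAIL")
```

The value of keeping checks like these in the developer's own suite is the one the slide names: they run on every commit with no hand-over, and when one fails the person who just changed the code is the one looking at it.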
LET'S DEMO! MANUAL TESTING BY DEVELOPERS
› Let's look at Burp Proxy as an example...
› Demo!
• The application is a customized "Surveypal". Questions, answers, reports.
• The demo setup is the usual development setup; only the proxy is special.
DEVELOPER -> HACKER
› Traits
• Curiosity and creativity. What will happen if...?
• Perseverance
› Skills
• Technical knowledge, deep/wide
• Common vulnerabilities
• Security testing
› Some developers are hobbyist hackers. (Apply at [email protected])