sake securitydevsec-18042016
Post on 10-Feb-2017
DEVELOPERS AS SECURITY TESTERS #SAKE18 #DEVSEC #SOLITATECH
Antti.virtanen@solita.fi, Sanoma Knowledge Technology Exchange, 18.4.2016
TODAY
Me? A software architect at Solita. Security/hacking amateur.
Today: Security testing during software development. Can developers do it? Demo: how to do it in practice.
Source: Hackerman, Kung Fury movie
Source: NSA recruitment video.
Source: securityintelligence.com
Source: Lizard Squad hacking group logo
LET'S FOCUS ON SOFTWARE
Solita is mostly involved in the inner layer of the onion, implementing software solutions.
Mostly browser based solutions.
.. so that's what we'll discuss today.
SOLITA #DEVSEC LANDSCAPE
Threat analysis. Implementation and design. Automated tests. Manual tests. Operational security.
DEVELOPERS VS. EXPERTS
Pros: Enables continuous security testing. Developers will automate. Minimal hand-over costs. Will find important non-security-related bugs.
Cons: Not security specialists. Will miss some things. May need investment (training, some tools).
LET'S DEMO! MANUAL TESTING BY DEVELOPERS. Let's look at Burp Proxy as an example..
Demo!
The application is a customized Surveypal. Questions, answers, reports. The demo setup is the usual development setup, only the proxy is special.
DEVELOPER -> HACKER
Traits: Curiosity and creativity. What will happen if..? Perseverance.
Skills: Technical knowledge, deep/wide. Common vulnerabilities. Security testing.
Some developers are hobbyist hackers. (Apply at rekry@solita.fi)