Slide 1

Slide 1 text

Don’t forget about security in web applications

Slide 2

Slide 2 text

Cheers from Italy

Slide 3

Slide 3 text

                  Alessandro   Classic Developer
Saw Star Wars     false        true
Saw Star Trek     false        true
Gamer             false        true
Drinks coffee     false        true
Drinks beer       true         true
Has beard         true         true
~2 meters tall    true         false

Slide 4

Slide 4 text

73%: web application attacks accounted for 73% of all incidents, says report

Slide 5

Slide 5 text

“At some point in the history of your company, you’re probably going to get hacked.” - Heather Adkins, director of security at Google
“There are only two types of companies: those that have been hacked, and those that will be.” - Robert Mueller, FBI Director

Slide 6

Slide 6 text

OWASP Top 10 Most Critical Web Application Security Risks
1. Injection
2. Broken Authentication and Session Management
3. Cross-Site Scripting (XSS)
4. Insecure Direct Object References
5. Security Misconfiguration
6. Sensitive Data Exposure
7. Missing Function Level Access Control
8. Cross-Site Request Forgery (CSRF)
9. Using Components with Known Vulnerabilities
10. Unvalidated Redirects and Forwards

Slide 7

Slide 7 text

Application security is ignored or underrated
● Complex topic
● Difficult to sell
● “I never had any security incident” ™

Slide 8

Slide 8 text

“We have our own security system, and it has never been breached in more than 15 years” - oilandgasinternational.com

Slide 9

Slide 9 text

Oilandgasinternational.com, 10 minutes later

Slide 10

Slide 10 text

App-level security is the developer’s responsibility

Slide 11

Slide 11 text

“I am secure by default” - Rails

Slide 12

Slide 12 text

“Show me the code” - anyone

Slide 13

Slide 13 text

One line of code… what can go wrong?

Slide 14

Slide 14 text

WARNING: Very advanced hacker skills
> brew install sqlmap
> sqlmap --dump --url="http://localhost:3000/ilike_search?search_term=rails"

Slide 15

Slide 15 text

5 minutes later… complete_database_dump.csv
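The slides show the sqlmap run and the resulting dump but not the single line behind the `ilike_search` endpoint. The block below is an added example, not code from the talk or the demo app: it reproduces the usual shape of that line (a search term interpolated straight into an ILIKE clause) next to the hardened form (a fixed SQL template with a bind parameter and LIKE-wildcard escaping), in plain Ruby so it runs without Rails. The table name `articles`, the column `title` and the exact query shape are assumptions; a helper checks whether a user-supplied term has broken out of the string literal, which is the condition an injection tool looks for.

```ruby
# Added example (not from the slides): the "one line of code" pattern behind a
# Rails ILIKE search endpoint, written as plain Ruby so it runs without Rails.
# Table/column names are assumed.

# UNSAFE: string interpolation puts the raw search term inside the SQL literal.
# This is the shape of `Model.where("title ILIKE '%#{params[:search_term]}%'")`,
# which brakeman reports as a SQL Injection warning.
def unsafe_ilike_sql(search_term)
  "SELECT * FROM articles WHERE title ILIKE '%#{search_term}%'"
end

# Escape the LIKE/ILIKE metacharacters so a term cannot widen the match with
# `%` or `_`. Mirrors what ActiveRecord's sanitize_sql_like does.
def escape_like(term, escape_char = "\\")
  term.gsub(/[\\%_]/) { |m| escape_char + m }
end

# SAFE: the SQL text is a fixed template with a `?` placeholder and the term is
# returned separately as a bind value, so the database never parses it as SQL.
# This is the shape of `Model.where("title ILIKE ? ESCAPE '\\'", "%#{term}%")`.
def safe_ilike_query(search_term)
  template = "SELECT * FROM articles WHERE title ILIKE ? ESCAPE '\\'"
  [template, ["%#{escape_like(search_term)}%"]]
end

# Crude structural check used only for the demonstration: the fixed template
# contains an even number of single quotes, so an odd count means the
# interpolated term has closed the literal and the rest is parsed as SQL.
def literal_intact?(sql)
  sql.count("'").even?
end

if __FILE__ == $PROGRAM_NAME
  # Constructed inputs: a normal term and one containing a single quote.
  ["rails", "rails'"].each do |term|
    sql = unsafe_ilike_sql(term)
    puts "unsafe  #{term.inspect}: #{sql}  (literal intact: #{literal_intact?(sql)})"
    template, binds = safe_ilike_query(term)
    puts "safe    #{term.inspect}: #{template}  binds=#{binds.inspect}"
  end
end
```

With the unsafe form the SQL text changes with every request, so a quote in `search_term` changes what the database executes; with the safe form the SQL text is constant and only the bind value varies, which is why brakeman stays quiet on the second version and sqlmap finds nothing to exploit in it.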

Slide 16

Slide 16 text

No content

Slide 17

Slide 17 text

gem install brakeman

Slide 18

Slide 18 text

gem install bundler-audit

Slide 19

Slide 19 text

How to be better at security
● Have a black hoodie
● Have basic security knowledge
● Know some tools
● Have a plan for responding to incidents
● Have a security contact page

Slide 20

Slide 20 text

Bonus: Security is fun!!!
● Hacking labs
● Challenges
● Capture the flag
● Example: root-me.org

Slide 21

Slide 21 text

No content