.NET developer since 2005
• Throughout that time I have been focused on developer practices.
• I have worked for 8 Fortune 500 companies and 3 nationally recognized non-profits in a consulting role.
• My current role at BlueBolt Solutions is Security Engineer / Enterprise Architect / Solutions Developer.
• I am around the internet under the handle @punkcoder.
theft / stolen credit card?
• Is this your first security talk?
• Does your company have a security plan in place?
• How many people have internal security teams?
• How many people are testing for security before deployment?
• How many people are testing for security after deployment?
• Have you been exposed to a security audit?
• Have you had your (day, week, month, year) ruined by a security event?
Availability
• If I can own any one of these, I (as the bad guy) have succeeded.
• Security is something that isn't important until it's really important.
Session Management *
• Cross-Site Scripting *
• Insecure Direct Object References *
• Security Misconfiguration *
• Sensitive Data Exposure *
• Missing Function Level Access Control
• Cross-Site Request Forgery
• Using Components with Known Vulnerabilities
• Unvalidated Redirects and Forwards
25, 2018, and applies to all European businesses as well as businesses that do business in the EU.
• The following sanctions can be imposed:
• a warning in writing in cases of first and non-intentional non-compliance
• regular periodic data protection audits
• a fine up to 10,000,000 EUR or up to 2% of the annual worldwide turnover of the preceding financial year in case of an enterprise, whichever is greater (Article 83, Paragraph 4 [14])
• a fine up to 20,000,000 EUR, or in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher (Article 83, Paragraph 5 & 6 [14])”
that they are detected, the easier they are to solve.
• This is a problem that is getting worse, and the front line of this war is developers and ops teams.
• Education is Essential
• Practice is Prevention
• Security isn’t something that you can bolt on afterwards; it needs to be part of the initial plan.
• Work with people offering responsible disclosure, address issues quickly and communicate effectively.
are interested in security
• Get management buy-in
• Help train other coworkers to spot things that don’t look right and escalate.
• Plan events around application security awareness.
way I can improve and the only way that amegala can help to get only the best speakers.
• http://prairiecode.amegala.com/evals