takeover your servers, want you to stop to work) • Bots (the same as villains but fully automated) • Malware (wants to spread itself mostly to hijack your workstation and steal data) • Activists (the same as villains but philosophy driven)
servers are dangerous • Outsourced security - you’re a number, not a priority - are hosting providers security aware? - do they make VA and WAPT on regular basis? - do they have Web Application Firewalls?
happy to break it! • Empower 25% of the Internet websites out there (58,7% of websites with a CMS installed) - http://w3techs.com/ technologies/details/cm-wordpress/all/ all • Vulnerabilities for plugins and themes out almost everyday
automagically • Setup some basic ipfilter rules • Setup a web application firewall with nginx and mod_security • Use code review to heal our source code from vulnerabilities • Learn some tips to write safe code starting from today
comfortable with • Integrate in your rake test strategy • Some KPI you must have: - some stats about your code (LOC/ comment density, …) - vulnerability in third party dependencies - warning about bad programming habits
time - strict timeframes - not clear specs (remember, ideally it’s up to the customer to write BDD scenarios) • We’re not trained to - school teach us we must deploy a code that is working - school doesn’t teach us how to write good test lists
Ask you neighbourhood #appsec guy to write them • Use something already prepared (http:// www.continuumsecurity.net/bdd- getstarted.html) • Integrate your stories in your testing workout • You just scored a A- in your security class