As technology has evolved, software security has faced huge challenges, and the world has changed drastically in a very short time. Malicious (black-hat) hackers have evolved just as quickly. Today the internet is a place for everyone, and hackers are present there almost all the time. Every day new applications are released to the web; users adopt them and even become addicted to them thanks to outstanding UX. But wait: did anyone think about the "security" layer of these applications? Usually not, and most applications today suffer from poor security.
In this talk, Santhosh Tuppad will focus on the pitfalls of bad security and on why software security has failed so badly. He will also shed light on how your users may be facing bigger problems than you imagine because of software that lacks security testing. He will demonstrate some of the most serious problems that exist in the industry and discuss their technical impact as well as business impacts such as reputation damage and revenue loss.
Santhosh will also include live hacking demonstrations. Finally, he will explain how you can start security testing from day one and contribute to building secure software.
From this talk you will gain an understanding of the problems that a lack of security testing presents, and you will learn about tool-assisted security testing and about performing security tests through questioning. After the talk you will be able to start identifying risks and reporting common vulnerabilities, giving you a feeling of "I can do this".
ExpoQA 2018 - Why software security has gotten worse? And what can we do about it? - By Santhosh Tuppad
2. Why software security has gotten worse? And what can we do about it?
Santhosh Tuppad, Sometimes BlackHat & Sometimes WhiteHat…
I am that man who you don’t want to trust
Twitter: @santhoshst | email: Santhosh.Tuppad@gmail.com
3. sh-3.2# whoami
I have been a great liar, wise manipulator, a thief, physical infrastructure breaker, web application hacker, mobile apps hacker, kiosk machine basher, black-hat hacker, white-hat hacker, trainer, security coach, lover of mean machines, spiritual practitioner and blah blah blah!
4. BRACE YOURSELF...
Things are going to get WORSE. The future is not so cool considering the risks of about 80 billion smart devices by 2025.
5. CURRENT STATE OF SECURITY IS TOTALLY SICK!
● OUT OF 10 HOSPITALS, 8 OF THEM CAN BE EXPLOITED
● OUT OF 10 SPONSORS IN THIS CONFERENCE, 6 OF THEM CAN BE EXPLOITED AND COMPROMISED
● OUT OF 10 WEBSITES USING WORDPRESS, 9 OF THEM POSE A RISK
● ELECTRONIC COMMERCE SITES ARE THE WORST… USUALLY!
In short, if you are a hacker with black-hat intentions, you need not worry about food, clothing and shelter.
6. WE HAVE BEEN DOING IT WRONG… TOTALLY!
● Massive Skill Shortage
● Very few white-hat hackers think like black-hat hackers
● Functional Testing Bias
● Fear of learning Ethical Hacking
● Scanners just don’t suffice, we need hackers (with real skills)
● Extrinsic Motivation is More Powerful Than Intrinsic
● Lack of understanding within the team
● An ample number of reasons for making excuses
● Comfort layer which says, “Hah, I am okay to do average job”.
7. MORE REASONS...
● We are not hiring hackers like "Santhosh Tuppad" ;-)
● We think it's NOT a SHARED responsibility :-(
● Our developers are not aware of secure coding guidelines :-(
● We rely heavily on certified hackers instead of the REAL ones
● We are more fascinated with the decoration of the report than with the real deliverable (vulnerabilities and exploits)
● We don't FEEL for our USERS… We say, "We Care!". Hah!
● Many more...
9. WHAT CAN WE DO ABOUT IT? Start with questioning...
● What database are we using?
● Have we upgraded all the systems to the latest versions: JavaScript libraries, database, servers, third-party components etcetera?
● Are we using prepared (parameterised) statements for SQL queries?
● Do we have an account lockout policy?
● What firewall are we using, if any? And more importantly, can I take a look at the firewall's configuration? Are there any stories behind these configurations? On what basis are we setting the account lockout at 100 invalid login attempts?
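As an added illustration of two of the questions on this slide (this is example code written for this page, not code from the talk), the Python below compares a login query built by string concatenation with a parameterised one against an in-memory SQLite database, then adds a small account lockout policy whose threshold is a constructor argument so the difference between a lockout at 100 failures and one at 5 is visible. The users table, the accounts and the injection payload are all constructed for the demo; the function and class names are this example's own.

```python
import sqlite3
import time

# Constructed sample accounts for this demo; not data from the talk.
# (Real systems store salted password hashes, never plaintext.)
USERS = [("alice", "s3cret"), ("bob", "hunter2")]


def make_db():
    """In-memory SQLite database with a small users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def login_concatenated(conn, username, password):
    """Vulnerable: input is spliced into the SQL text. A quote in the input
    closes the string literal and the remainder is parsed as SQL."""
    query = ("SELECT username FROM users WHERE username = '" + username
             + "' AND password = '" + password + "'")
    return [row[0] for row in conn.execute(query)]


def login_parameterized(conn, username, password):
    """Hardened: '?' placeholders are bound by the driver as data, so the
    input can never change the statement's structure."""
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(query, (username, password))]


class LockoutPolicy:
    """Per-account failed-login counter with a sliding time window.

    The threshold is a constructor argument on purpose: the slide asks what
    justifies a value such as 100. With max_failures=100 an online guesser
    gets 99 free attempts per window; with 5 they get 4.
    """

    def __init__(self, max_failures=5, window_seconds=900, clock=time.time):
        self.max_failures = max_failures
        self.window_seconds = window_seconds
        self.clock = clock  # injectable so tests can control time
        self._failures = {}  # username -> timestamps of recent failures

    def _recent(self, username):
        cutoff = self.clock() - self.window_seconds
        return [t for t in self._failures.get(username, []) if t > cutoff]

    def is_locked(self, username):
        return len(self._recent(username)) >= self.max_failures

    def record_failure(self, username):
        self._failures[username] = self._recent(username) + [self.clock()]

    def record_success(self, username):
        self._failures.pop(username, None)


def guarded_login(conn, policy, username, password):
    """Parameterised lookup behind the lockout check. Returns 'locked',
    'denied' or 'ok' so the caller can alert on lockouts separately."""
    if policy.is_locked(username):
        return "locked"
    if login_parameterized(conn, username, password):
        policy.record_success(username)
        return "ok"
    policy.record_failure(username)
    return "denied"


def demo():
    """Run the tautology injection against both variants, then drive an
    account into lockout. Returns the observations as a dict."""
    conn = make_db()
    payload = "' OR '1'='1"  # tautology: makes the WHERE clause always true
    results = {
        "concatenated_attack": login_concatenated(conn, "nobody", payload),
        "parameterized_attack": login_parameterized(conn, "nobody", payload),
    }
    policy = LockoutPolicy(max_failures=3)
    statuses = [guarded_login(conn, policy, "alice", "wrong") for _ in range(3)]
    statuses.append(guarded_login(conn, policy, "alice", "s3cret"))
    results["lockout_sequence"] = statuses
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

With the payload above, the concatenated query returns every user because the WHERE clause becomes `username = 'nobody' AND password = '' OR '1'='1'`, while the parameterised query returns nothing. The lockout sequence shows three denials followed by "locked" even when the correct password is finally supplied, which is exactly the behaviour whose threshold the slide is asking someone to justify.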
10. WHAT CAN WE DO ABOUT IT?
● What are we doing to avoid XSS attacks? Do we have HTML encoding, JavaScript encoding and database encoding in place?
● How are we handling authorisation?
● Have we taken care of security improvements via secure HTTP headers?
● Why do we trust the third-party components that we have integrated?
● Are we GDPR compliant? Are there any hiccups/loopholes?
● Do we have a VISION for "Software Security"?
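As an added example for the XSS-encoding and secure-headers questions on this slide (again example code written for this page, not from the talk), the Python below renders a constructed attacker value into an HTML element context with and without entity encoding, renders the same value into a JavaScript string context with the extra escaping that stops a premature `</script>`, and checks a constructed set of response headers against a baseline list of security headers. The payload, the header values and the function names are this example's own assumptions; the baseline header values are a reasonable starting point rather than a recommendation from the talk.

```python
import html
import json

# Constructed attacker input for the demo, not taken from the talk.
PAYLOAD = '"><script>alert(1)</script>'


def render_html_unencoded(name):
    """Vulnerable: the value is concatenated into the page as-is, so
    '<script>' in the input is parsed as markup, not text."""
    return "<p>Hello, " + name + "</p>"


def render_html_encoded(name):
    """HTML element/attribute context: entity-encode &, <, >, " and ' so
    the browser renders the value as text."""
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"


def js_string_literal(value):
    """JavaScript string context: json.dumps yields a valid JS string
    literal; '<' and '>' are additionally escaped as \\u003c and \\u003e so a
    '</script>' inside the value cannot terminate the enclosing script block."""
    return json.dumps(value).replace("<", "\\u003c").replace(">", "\\u003e")


def render_js_encoded(name):
    """Embed the value in an inline script using the JS-context encoder."""
    return "<script>var user = " + js_string_literal(name) + ";</script>"


# Baseline response headers a web application should send. The values are a
# starting point; Content-Security-Policy in particular must be tuned per app.
SECURITY_HEADERS = {
    "Content-Security-Policy": "default-src 'self'",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Referrer-Policy": "no-referrer",
}


def missing_security_headers(response_headers):
    """Return the baseline headers absent from a response. Header names
    compare case-insensitively, as HTTP requires."""
    present = {name.lower() for name in response_headers}
    return [name for name in SECURITY_HEADERS if name.lower() not in present]


def demo():
    """Render the payload in each context and audit a constructed response
    that sends only one of the baseline headers."""
    observed = {"Content-Type": "text/html; charset=utf-8", "x-frame-options": "DENY"}
    return {
        "unencoded": render_html_unencoded(PAYLOAD),
        "html_encoded": render_html_encoded(PAYLOAD),
        "js_encoded": render_js_encoded(PAYLOAD),
        "missing_headers": missing_security_headers(observed),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

The point the two encoders make together is that encoding is context-specific: `html.escape` is correct inside an element or quoted attribute but not inside a script block, where `json.dumps` plus the `<`/`>` escapes is the right tool. The header audit is the kind of check that turns the slide's question into something a test can fail on.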
11. WHAT CAN WE DO ABOUT IT? Learn some attacks or security tests...
○ Start with "Hacking for Dummies" by Kevin Beaver
○ Watch Snowden, Swordfish, Mr. Robot, DarkNet (18+: sex, violence, blood etc.)
○ Watch "Major Malfunction" Adam on YouTube
○ Think Crime (think like a criminal)
○ Start using scanners and look into the results. Ask yourself, "What makes these results pop up?"
○ DNF: OWASP Cheat Sheets to kickstart
12. If you want to be great at anything, you need to focus on Mindset.
14. Spain is beautiful… So is Software…
Functional makes Sense… So does Security…
We get paid for work… Are we doing a good job?
Do we believe that “self-education” is our priority?
… Do we want to move towards better security?
Thank you everyone. Talk to me @santhoshst (Twitter) or just say "Hackintosh" when you see me, to speak in person.