Why software security has gotten worse? And what can we do about it?
Santhosh Tuppad, Sometimes BlackHat & Sometimes WhiteHat…
I am that man who you don’t want to trust
Twitter: @santhoshst | email: Santhosh.Tuppad@gmail.com
sh-3.2# whoami
I have been a great liar, wise manipulator, a thief, physical infrastructure breaker, web application hacker, mobile apps hacker, kiosk machine basher, black-hat hacker, white-hat hacker, trainer, security coach, lover of mean machines, spiritual practitioner and blah blah blah!
BRACE YOURSELF...
Things are going to get WORSE. The future is not so cool considering the risks of about 80 billion smart devices by 2025.
CURRENT STATE OF SECURITY IS TOTALLY SICK!
● OUT OF 10 HOSPITALS, 8 OF THEM CAN BE EXPLOITED
● OUT OF 10 SPONSORS IN THIS CONFERENCE, 6 OF THEM CAN BE EXPLOITED AND COMPROMISED
● OUT OF 10 WEBSITES USING WORDPRESS, 9 OF THEM POSE RISK
● ELECTRONIC COMMERCE IS THE WORST… USUALLY!
In short, if you are a hacker with black-hat intentions, you need not worry about food, clothing and shelter.
WE HAVE BEEN DOING IT WRONG… TOTALLY!
● Massive skill shortage
● Very few white-hat hackers think like black-hat hackers
● Functional testing bias
● Fear of learning ethical hacking
● Scanners just don’t suffice; we need hackers (with real skills)
● Extrinsic motivation is more powerful than intrinsic
● Lack of understanding within the team
● Ample number of reasons for giving excuses
● A comfort layer which says, “Hah, I am okay doing an average job.”
● We are not hiring hackers like “Santhosh Tuppad” ;-)
● We think it’s NOT a SHARED responsibility :-(
● Our developers are not aware of secure coding guidelines :-(
● We rely heavily on certified hackers instead of the REAL ones
● We are more fascinated with the decoration of the report than with the real deliverable (vulnerabilities and exploits)
● We don’t FEEL for our USERS… We say, “We Care!” Hah!
● Many more...
MORE REASONS...
● What database are we using?
● Have we upgraded all our systems (JavaScript libraries, database, servers, third-party components, etc.) to current versions?
● Are we using prepared (parameterized) statements for SQL queries?
● Do we have an account lockout policy?
● What firewall are we using, if any? And more importantly, can I take a look at the firewall configuration? Are there any stories behind these configurations? On what basis are we setting the account lockout at 100 invalid login attempts?
WHAT CAN WE DO ABOUT IT?
Start with questioning...
● What are we doing to avoid XSS attacks? Do we have HTML encoding, JavaScript encoding and database encoding in place?
● How are we handling authorisation?
● Have we taken care of security improvements via secure HTTP headers?
● Why do we trust the third-party components that we have integrated?
● Are we GDPR compliant? Are there any hiccups/loopholes?
● Do we have a VISION for “Software Security”?
WHAT CAN WE DO ABOUT IT?
○ Start with “Hacking for Dummies” by Kevin Beaver
○ Watch Snowden, Swordfish, Mr. Robot, DarkNet (18+: sex, violence, blood etc.)
○ Watch “Major Malfunction” Adam on YouTube
○ Think crime (think like a criminal)
○ Start using scanners and look into the results. Ask yourself, “What makes these results pop up?”
○ DNF: OWASP Cheat Sheets to kickstart
WHAT CAN WE DO ABOUT IT?
Learn some attacks or security tests...
If you want to be great at anything, you need to focus on Mindset.
Spain is beautiful… So is Software…
Functional makes Sense… So does Security…
We get paid for work… Are we doing a good job?
Do we believe that “self-education” is our priority?
… Do we want to move towards better security?
Thank you everyone. Talk to me @santhoshst (Twitter) or just say, “Hackintosh” when you see me, to speak in person.
ExpoQA 2018 - Why software security has gotten worse? And what can we do about it_ - By Santhosh Tuppad