ExpoQA 2018 - Why software security has gotten worse? And what can we do about it? - By Santhosh Tuppad
As technology has evolved, software security has faced huge challenges, and over the years the world has seen drastic changes far too quickly. Alongside these advancements, black-hat (malicious) hackers have evolved just as well. Today the internet is a place for everyone, and hackers dwell there almost all the time. Every day new applications are released to the web; users start using them and even get addicted to them thanks to outstanding UX. But, wait! Did someone think about the "security" layer of these applications? Well, we often don’t, and most applications today suffer from "beggarly / bad security".

In this talk, Santhosh Tuppad will focus on the pitfalls of bad security and why software security has failed so badly. He will also shed light on how your users may be facing bigger problems than you can imagine because of software that lacks security testing. He will demonstrate some of the lethal problems that exist in the industry and talk about technical impact and business impacts such as reputation damage, revenue loss and a lot more.

Not only that: Santhosh won’t end his talk without some hacking demonstrations that will surely wow you. Finally, he will tell you how you can start security testing from day 1 and start contributing to building secure software.

From this talk, you will gain an understanding of the problems that a lack of security testing presents, and you will find out about tool-assisted security testing and performing security tests through questioning. After the talk, you will be able to start identifying risks and reporting common vulnerabilities, giving you a feeling of “I can do this”.

1. Why software security has gotten worse? And what can we do about it?
   Santhosh Tuppad, Sometimes BlackHat & Sometimes WhiteHat… I am that man who you don’t want to trust.
   Twitter: @santhoshst | email: Santhosh.Tuppad@gmail.com

2. sh-3.2# whoami
   I have been a great liar, wise manipulator, a thief, physical infrastructure breaker, web application hacker, mobile apps hacker, kiosk machine basher, black-hat hacker, white-hat hacker, trainer, security coach, lover of mean machines, spiritual practitioner and blah blah blah!

3. BRACE YOURSELF...
   Things are going to get WORSE. The future is not so cool considering the risks of about 80 billion smart devices by 2025.

4. CURRENT STATE OF SECURITY IS TOTALLY SICK!
   ● OUT OF 10 HOSPITALS, 8 OF THEM CAN BE EXPLOITED
   ● OUT OF 10 SPONSORS IN THIS CONFERENCE, 6 OF THEM CAN BE EXPLOITED AND COMPROMISED
   ● OUT OF 10 WEBSITES USING WORDPRESS, 9 OF THEM POSE A RISK
   ● ELECTRONIC COMMERCE IS THE WORST… USUALLY!
   In short, if you are a hacker with black-hat intentions, you need not worry about food, clothing and shelter.

5. WE HAVE BEEN DOING IT WRONG… TOTALLY!
   ● Massive skill shortage
   ● Very few white-hat hackers think like black-hat hackers
   ● Functional testing bias
   ● Fear of learning ethical hacking
   ● Scanners just don’t suffice; we need hackers (with real skills)
   ● Extrinsic motivation is more powerful than intrinsic
   ● Lack of understanding within the team
   ● Ample number of reasons for giving excuses
   ● A comfort layer which says, “Hah, I am okay doing an average job”.

6. MORE REASONS...
   ● We are not hiring hackers like “Santhosh Tuppad” ;-)
   ● We think it’s NOT a SHARED responsibility :-(
   ● Our developers are not aware of secure coding guidelines :-(
   ● We rely heavily on certified hackers instead of the REAL ones
   ● We are more fascinated with the decoration of the report than with the real deliverable (vulnerabilities and exploits)
   ● We don’t FEEL for our USERS… We say, “We Care!”. Hah!
   ● Many more...

7. WHAT CAN WE DO ABOUT IT? Start with questioning...
   ● What database are we using?
   ● Have we upgraded all the systems to the latest versions: JavaScript libraries, database, servers, third-party components, etcetera?
   ● Are we using prepared statements for SQL queries?
   ● Do we have an account lockout policy?
   ● What firewall are we using, if any? And more importantly, can I take a look at the configuration of the firewall? Are there any stories behind these configurations? On what basis are we setting the account lockout at 100 invalid login attempts?

8. WHAT CAN WE DO ABOUT IT?
   ● What are we doing to avoid XSS attacks? Do we have HTML encoding, JavaScript encoding and database encoding in place?
   ● How are we handling authorisation?
   ● Have we taken care of security improvements via secure HTTP headers?
   ● Why do we trust the third-party components that we have integrated?
   ● Are we GDPR compliant? Are there any hiccups/loopholes?
   ● Do we have a VISION for “Software Security”?

9. WHAT CAN WE DO ABOUT IT? Learn some attacks or security tests...
   ○ Start with “Hacking for Dummies” by Kevin Beaver
   ○ Watch Snowden, Swordfish, Mr. Robot, DarkNet (18+: sex, violence, blood, etc.)
   ○ Watch “Major Malfunction” Adam on YouTube
   ○ Think crime (think like a criminal)
   ○ Start using scanners and look into the results. Ask yourself, “What makes these results pop up?”
   ○ DNF: OWASP Cheat Sheets to kickstart

10. If you want to be great at anything, you need to focus on Mindset.

11. Spain is beautiful… So is Software…
    Functional makes sense… So does Security…
    We get paid for work… Are we doing a good job?
    Do we believe that “self-education” is our priority? …
    Do we want to move towards better security?
    Thank you everyone. Talk to me @santhoshst (Twitter) or just say, “Hackintosh” when you see me to speak in person.
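Slide 8 asks whether secure HTTP headers are in place, and the abstract promises tool-assisted security testing through questioning. The following added example (not part of the talk or its slides) turns that question into a repeatable check: it audits a set of response headers and returns the gaps. The header list, the HSTS threshold and both sample responses are constructed assumptions for illustration.

```python
# Added example: audit HTTP response headers for the 'secure HTTP headers' question.
# Header set, thresholds and sample responses are constructed for illustration.
import re

HSTS_MIN_MAX_AGE = 31536000  # one year; a common recommended minimum (assumption)


def audit_security_headers(headers):
    """Return a sorted list of findings; an empty list means every check passed."""
    # HTTP header names are case-insensitive, so normalise before looking them up.
    h = {name.lower(): value.strip() for name, value in headers.items()}
    findings = []

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("HSTS missing")
    else:
        m = re.search(r"max-age=(\d+)", hsts)
        if not m or int(m.group(1)) < HSTS_MIN_MAX_AGE:
            findings.append("HSTS max-age below one year")

    csp = h.get("content-security-policy", "")
    if not csp:
        findings.append("CSP missing")
    elif "'unsafe-inline'" in csp:
        findings.append("CSP allows 'unsafe-inline'")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options missing or not 'nosniff'")
    # Clickjacking: accept either X-Frame-Options or a CSP frame-ancestors directive.
    if h.get("x-frame-options", "").upper() not in ("DENY", "SAMEORIGIN") \
            and "frame-ancestors" not in csp:
        findings.append("no framing protection (X-Frame-Options or frame-ancestors)")
    # A version string in Server is information disclosure, worth a finding on its own.
    if re.search(r"\d", h.get("server", "")):
        findings.append("Server header discloses a version")
    return sorted(findings)


# Constructed sample responses, not captured from any real site.
WEAK_RESPONSE = {"Server": "Apache/2.4.29", "Content-Type": "text/html",
                 "X-Frame-Options": "ALLOWALL"}
HARDENED_RESPONSE = {"Server": "Apache", "X-Content-Type-Options": "nosniff",
                     "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
                     "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"}

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit_security_headers(hdrs) or "all checks passed")
```

Feed it the headers of any response you have captured and each finding maps back to one question to ask the team, which is the point of the slide.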