Transform into Your Team's Web Security Guru

Stephen Teilhet (Synopsys)
3:45pm–5:15pm Monday, 04/20/2015
Security
Location: Salon 1/2
Average rating: ***..
(3.00, 5 ratings)
Slides:   1-ZIP 

THIS TUTORIAL HAS REQUIREMENTS AND INSTRUCTIONS LISTED BELOW

If your development team is like many others, you are looking for good security people that can uncover and help you fix the security issues within your apps. Since there is a shortage of knowledgeable security people that can perform these duties, why not jump-start your own group from the ground up to handle the security of your apps.

This workshop will show you how to create your own security team, whether it’s a team of one or several. We will start by answering the questions everyone has:

  • Where do I start?
  • What tools should I use?
  • What is SAST/DAST and why do I need it?
  • How do I use these tools the way they were meant to be used?
  • What do I focus on, having limited time/resources?
  • Do I look for outside help?
  • How do I organize all of this mess?
  • Where do I go to gain deeper understanding?

In a nutshell, I want to begin by showing you how to start and develop your team as well as your skills to find and eradicate security vulnerabilities in your code. Next, we’ll dive into the outline of how to perform a security review and organize the results. Finally, we’ll dig deeper into the meat of this topic, which is manual code reviews, using security testing tools (as an assistant, not a panacea) and penetration testing. You should leave this session with a roadmap for not only starting your own security review team, but also becoming your team’s security guru.

This session will benefit both the beginner security practitioner as well as the more advanced.

Basic outline of the workshop:

  • Getting organized
  • Learning and other research efforts
  • Starting with an app (know your code)
  • Collect and run your tools (SAST and DAST)
  • Feed the output of the tools into your manual efforts
  • Security code reviews
  • Pen-tests

TUTORIAL REQUIREMENTS AND INSTRUCTIONS FOR ATTENDEES

Mainly a desire to want to develop more secure applications. Having a basic understanding of security tools such as static and dynamic analyzers as well as threats such as XSS and SQLi are very desirable, but not absolutely necessary.

If the attendees want to follow along with the examples a laptop will be necessary. A vulnerable testing application, tools and any other materials will be made available online.

Photo of Stephen Teilhet

Stephen Teilhet

Synopsys

Steve Teilhet is an author and a security researcher. He has been working in the security field for the last 13 years mainly in the area of application security. He uses this knowledge in developing both static and dynamic analysis security tools as well as helping others secure their application’s code. His research has spanned many areas of application security such as client-side, mobile and server-side. While application security keeps him busy during the day, he has also written several books and articles. His latest book “C# 3.0 Cookbook” was published through O’Reilly Media Inc.

Comments on this page are now closed.

Comments

Picture of Stephen Teilhet
Stephen Teilhet
01/05/2015 11:31pm PST

Hi Aditya. Yes, I’ll be focusing on front-end JavaScript as well as the server side. For the server-side I’m working on including some node.js stuff as well as how to handle some Ajax/REST security as well. That being said, I’m going to come at the talk from the perspective of finding and fixing security flaws in your code. For example, I won’t be talking specifically about the most secure way of building a REST service or the best technology to use, but rather about how to examine the REST service (or any other general web service) for security flaws. Much of the talk will center around understanding and using both static and dynamic methods of reviewing your code for insecure code patterns as well as attacking it as an attacker would to prove the insecure coding patterns. We’ll be applying both manual and automated techniques to the static and dynamic methods, both to show you how they work and to show weaknesses and strengths of each.

I do think you would get a lot out of this talk, but I don’t know if it will be specific enough to answer the particular questions that you may have about your application. For instance, a deep dive on authentication/authorization could easily take up 2-4 hours. Unfortunately, I don’t have that much time during this talk. However, regardless if you decide to attend this talk or not (I hope you do attend, though), I’d love to meet after the talk at the conference to discuss in more depth any particulars that you may have with securing your application’s code.

I hope that explained things a little better. Let me know if you have any more questions.

Aditya Challa
01/03/2015 5:56am PST

Hi, will this session be focusing on front-end web development, JavaScript or server-side? I’m looking to understand how we can deal with security when we use AJAX and RESTFul services, authentication, authorization, security tokens, etc. Please advise if this is the right session for me. Thanks!