Web App Security Testing for Everyone

Tony Porterfield (Security researcher and advocate)
4:30pm–5:00pm Wednesday, 04/22/2015
Security
Location: Salon 8
Average rating: 4.17 (6 ratings)

Web applications are under constant attack, and intrusions and data breaches are on the rise. Though attacks can be complex and sophisticated, many of the most common vulnerabilities are straightforward to observe and exploit.

In this presentation, Tony Porterfield will describe ways for users without extensive security experience to test for common vulnerabilities in web applications using only a browser and free software tools. These techniques will be illustrated with examples of actual vulnerabilities that he has observed while testing educational web applications. He will present a test plan that can be used to survey a site’s security in a short amount of time, and describe how it relates to the OWASP ASVS and Top 10 list.

Participants will learn how to test for and discover vulnerabilities including

  • Improper session management and cookie settings
  • Username enumeration
  • Direct object references
  • Caching of sensitive data
  • Improper password storage
  • Information leakage
  • Exposed APIs
  • Error messages and excessive headers
  • Clickjacking
  • Email sent without TLS
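Several of the items above (cookie settings, clickjacking protection, caching of sensitive data, excessive headers) can be judged from nothing more than the raw response headers that a browser's network panel or a proxy such as ZAP or Burp shows you. As an added illustration, not material from the talk, the following Python script runs those checks over a response pasted from such a tool. The two sample responses, the header names it treats as version-disclosing, and the function names are the example's own assumptions.

```python
"""Header and cookie checks over a captured HTTP response.

Added example: feeds a raw response (as copied from a browser's network
panel or an intercepting proxy) through the checks a tester would
otherwise make by eye. Both sample responses below are constructed.
"""

# Headers that commonly leak product/version strings (assumed list).
DISCLOSING_HEADERS = ("server", "x-powered-by", "x-aspnet-version",
                      "x-aspnetmvc-version")


def parse_headers(raw):
    """Split a raw HTTP response into (name, value) pairs.

    A list is returned rather than a dict because Set-Cookie may repeat.
    Header names are lowercased; the status line and body are skipped.
    """
    pairs = []
    for line in raw.strip().splitlines()[1:]:
        if not line.strip():          # blank line ends the header block
            break
        name, _, value = line.partition(":")
        pairs.append((name.strip().lower(), value.strip()))
    return pairs


def check_cookie(set_cookie):
    """Findings for one Set-Cookie value: Secure, HttpOnly, SameSite."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip()
    findings = []
    if "secure" not in attrs:
        findings.append(f"cookie {name}: missing Secure (sent over plain HTTP)")
    if "httponly" not in attrs:
        findings.append(f"cookie {name}: missing HttpOnly (readable by script)")
    if attrs.get("samesite", "").lower() not in ("lax", "strict"):
        findings.append(f"cookie {name}: SameSite not Lax/Strict (CSRF exposure)")
    return findings


def audit(raw):
    """Run all header checks over a raw response; returns a list of findings."""
    values = {}
    for name, value in parse_headers(raw):
        values.setdefault(name, []).append(value)
    findings = []
    for cookie in values.get("set-cookie", []):
        findings.extend(check_cookie(cookie))
    # Clickjacking: framing must be restricted by XFO or CSP frame-ancestors.
    csp = " ".join(values.get("content-security-policy", []))
    if "x-frame-options" not in values and "frame-ancestors" not in csp:
        findings.append("no X-Frame-Options or CSP frame-ancestors (clickjacking)")
    if "strict-transport-security" not in values:
        findings.append("no Strict-Transport-Security (HTTPS not enforced)")
    # Caching: flagged on every response; the tester decides whether the
    # page actually carries sensitive data.
    cache = " ".join(values.get("cache-control", [])).lower()
    if "no-store" not in cache:
        findings.append("Cache-Control lacks no-store (page may be cached)")
    for name in DISCLOSING_HEADERS:
        for value in values.get(name, []):
            if any(ch.isdigit() for ch in value):   # a digit suggests a version
                findings.append(f"{name} discloses version: {value}")
    return findings


# Constructed sample: a typical weak response.
WEAK_RESPONSE = """HTTP/1.1 200 OK
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
X-AspNet-Version: 4.0.30319
Set-Cookie: ASP.NET_SessionId=abc123; path=/
Set-Cookie: pref=dark; Path=/; Secure; HttpOnly; SameSite=Lax
Cache-Control: private
Content-Type: text/html; charset=utf-8

<html>...</html>
"""

# Constructed sample: the same page with the headers corrected.
HARDENED_RESPONSE = """HTTP/1.1 200 OK
Set-Cookie: sid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax
Strict-Transport-Security: max-age=31536000
X-Frame-Options: DENY
Cache-Control: no-store
Content-Type: text/html; charset=utf-8

<html>...</html>
"""

if __name__ == "__main__":
    for label, raw in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(f"== {label}: {len(audit(raw))} finding(s)")
        for finding in audit(raw):
            print("  -", finding)
```

The weak sample yields eight findings (three on the session cookie, no framing protection, no HSTS, a cacheable page, and two version strings); the hardened sample yields none. Each finding maps to one of the list items above, which is the point: a quick survey of a site's headers is a cheap first pass before any deeper testing.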

Participants will learn about free software and websites that can be used to evaluate security, including:

  • Browser add-ons
  • Security-checking proxies such as OWASP ZAP and Burp Proxy
  • SSL Checker
  • TLS Checker
  • ASAFAWEB ASP.net security checker
  • Google transparency reports

Tony Porterfield is a software engineer with 20 years' experience in the computer and networking industries. A parent of two, he is a strong advocate for improving the security and privacy of web applications used by children and students.

His web app security findings have been published in the New York Times and Mother Jones, and he was a panelist at the 2014 Common Sense Media School Privacy Zone Summit in Washington DC.

Comments

James Martin
06/09/2015 4:05pm PDT

These are the 10 most important points that participants will learn and understand. If someone wants to become a web application development expert then he must learn these things.

Andrew James
06/08/2015 7:25pm PDT

This post is very informative and I learned lots of things from here. Visit W3Schools

Tony Porterfield
04/05/2015 4:22pm PDT

Last month I wrote a piece for Edsurge about Why Student Data Security Matters

Tony Porterfield
04/05/2015 4:17pm PDT

You can read recent NY Times coverage of security problems in educational web apps here and here