moderately successful WordPress plugin
• Closed the plugin 9 years ago because of other commitments and …
• Faced non-responsible disclosure
• So fixed the bug and then called it quits
distribution single-handedly from 2012 to 2018
• Next version to come out in a 2-month timeframe
• The entire infrastructure and related setup was handled as primary dev + admin
project called codevigilant
• As of now focused on PHP, mainly WordPress plugins and themes
• 200+ public disclosures
• 150+ to be disclosed
• Lots under the validation process
• Built and maintained backend, automation, website
• Disclosure process, co-ordination
CSS-only website
• Website heavily data driven
• Specific aim to not use JavaScript at all in the website directly
• Coding my own Hugo theme as well as writing custom wrappers
websites (~10+) on WordPress, self-hosted since 2007
• Maintained the entire offensive, defensive and operations network for an infosec company for 5+ years single-handedly
• Built automations and supported various open-source projects via time, effort, money, documentation etc.
is considered an art and not a science
• Security needs to be commoditized and converted to a science
• How do you do it?
• Exactly how devs have done this with infrastructure
• From a manual and long-drawn process we have reached
• All codified, near-instantaneous infrastructure deployments
should not have existed, but it's here and people use it.
• Eat the art side of security and make it security science
• Automatable
• Documented
• Testable
• Repeatable
It may not be 100% possible, but it is achievable in the high 90s
repeat: no one other than the dev knows the code better
• Leverage the security team as a support function:
• Take inputs from them as early and as often as possible
• Take final ownership of the product in your own hands
• If the security team acts as a bottleneck, they are doing it wrong
to do this or that
• Lots of suggestions to follow "secure early" or put security in the early stages
• Unsurprisingly, many are spooked by third-party dependencies
• But a common theme emerged in all these tweets, especially from veterans of this field
tools like semgrep
• Learn how to test for the vulnerabilities
• Try to find the bug as close to writing the code as you can: IDE plugin > git commit hook > CI tool
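The middle step of that ordering, the git commit hook, as a worked example added here (not the speaker's or the codevigilant project's code): a pre-commit hook that runs semgrep over the staged PHP files and blocks the commit when the scan reports a finding, so the bug is caught minutes after it was written rather than at release or, worse, via a disclosure. It assumes semgrep is installed, that the `p/php` registry rule pack is reachable (point `SEMGREP_CONFIG` at a local rules file otherwise), and that the script is installed as `.git/hooks/pre-commit`.

```shell
#!/bin/sh
# Pre-commit hook: scan staged PHP files with semgrep before the commit lands.
# Added example, not the speaker's or codevigilant's code. Assumptions: semgrep
# is on PATH, and the rule set named in SEMGREP_CONFIG (default: the registry
# pack "p/php") is reachable from this machine.
set -eu

SEMGREP_CONFIG="${SEMGREP_CONFIG:-p/php}"

# List staged PHP files that were added, copied or modified. Deleted files are
# skipped because there is nothing left on disk to scan.
staged_php_files() {
    git diff --cached --name-only --diff-filter=ACM -- '*.php'
}

# Scan the files given as arguments. Returns 0 when there is nothing to scan
# or semgrep reports no finding; --error makes semgrep exit non-zero on a hit,
# which is what turns a finding into a blocked commit.
scan_files() {
    if [ "$#" -eq 0 ]; then
        return 0
    fi
    semgrep --config "$SEMGREP_CONFIG" --error --quiet "$@"
}

# Hook entry point. It only runs when the script is installed under the name
# "pre-commit", so the file can also be sourced (e.g. from CI or a test) to
# reuse scan_files without touching a repository.
if [ "$(basename "$0")" = "pre-commit" ]; then
    # shellcheck disable=SC2046  # word-splitting the file list is intended
    if ! scan_files $(staged_php_files); then
        echo "commit blocked: semgrep reported findings in staged PHP files" >&2
        exit 1
    fi
fi
```

The same `scan_files` function covers the CI step of the ordering: call it from the pipeline with `scan_files $(git ls-files '*.php')` to scan the whole tree rather than only the staged diff. Developers can bypass a local hook with `git commit --no-verify`, which is exactly why the CI run stays in place as the backstop.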