Engineering Rabble Rouser: Perl Java Applet C++ J2EE J2EE Spring Analytics Certificate Authority Vulnerability Scanner Penetration Test Manager Pricing Retail Banking Manufacturing Pharma Healthcare Research Ruby Rails Chicago BSides 2011, 2012 Defcon Skytalk OWASP Chicago, MSP 2013 AppSec USA 2012, 2013 ChicagoRuby 2013 Secure 360 Lone Star Ruby 2013 WindyCityRails 2013 Chicago JUG 2014 RailsConf 2014 Converge 2014 MS in CS Founder Consultant Agile Clojure Graph Database Trying to hack a business model that succeeds while helping developers. Domains: Projects: Training Coaching Code Review Plugged in to SDLC Consulting Assessments @mkonda [email protected]
• Can also be detected by testing different inputs and seeing what happens in relatively predictable ways.
• In short, tools (both security and test automation) can often find this.
through which fraud can take place.
• Consider: An attacker uses someone else’s account info that was leaked in a public breach to make a transaction and send the purchase to a new address.
by security tools. At least not without big custom implementation work.
• A tester could try adding a purchase to a new shipping address and verify that the application prompts for the user’s credit card. (What Amazon does)
often easy to predict URL patterns. (Because of REST)
• It is also extremely easy to REPLAY or resend a request that has been tampered with.
• Therefore, it is always important to check that the logged in user has permissions to perform the action requested.
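An added example (not from the slides or the speaker's code) of the check the last bullet calls for: a REST-style "update shipping address" action written once without and once with a server-side ownership check, then exercised with a legitimate request followed by the same request replayed with the order id changed. It is plain Ruby with no Rails dependency so it runs stand-alone; the order table, user ids and addresses are constructed sample data.

```ruby
# Added example, not from the slides: object-level authorization for a
# REST-style "update shipping address" action. Plain Ruby, no Rails, so it
# runs stand-alone; the order data and user ids below are constructed.

Order = Struct.new(:id, :owner_id, :shipping_address)

class NotAuthorized < StandardError; end

# Fresh copy of the constructed "orders table" for every run so the
# insecure and secure handlers can be compared on identical data.
def sample_orders
  {
    1 => Order.new(1, 100, "1 Main St"),
    2 => Order.new(2, 200, "2 Elm St"),
  }
end

# Weak handler: looks the order up by the id taken from the URL and never
# asks whether the logged-in user owns it. A replayed request with the id
# changed from 1 to 2 silently rewrites another customer's address.
def update_address_insecure(orders, current_user_id, order_id, new_address)
  order = orders.fetch(order_id)          # current_user_id is ignored
  order.shipping_address = new_address
  order
end

# Hardened handler: the lookup is scoped to the logged-in user. An order
# that exists but belongs to someone else is rejected exactly like a
# missing one, so the response does not reveal which ids are valid.
def update_address_secure(orders, current_user_id, order_id, new_address)
  order = orders[order_id]
  if order.nil? || order.owner_id != current_user_id
    raise NotAuthorized, "user #{current_user_id} may not modify order #{order_id}"
  end
  order.shipping_address = new_address
  order
end

# Runs a list of requests through one of the handlers and returns, per
# request, whether it was allowed, plus the final state of the table.
# This is the assertion a tester (or an automated test) would make.
def run_requests(handler, requests)
  orders = sample_orders
  outcomes = requests.map do |req|
    begin
      send(handler, orders, req[:user], req[:order], req[:address])
      :allowed
    rescue NotAuthorized
      :denied
    end
  end
  { outcomes: outcomes, addresses: orders.transform_values(&:shipping_address) }
end

# Constructed traffic: user 100 updates their own order, then the same
# request is replayed with the order id tampered to point at user 200's order.
REQUESTS = [
  { user: 100, order: 1, address: "9 New Rd" },
  { user: 100, order: 2, address: "9 New Rd" },
].freeze

if __FILE__ == $PROGRAM_NAME
  p run_requests(:update_address_insecure, REQUESTS)
  p run_requests(:update_address_secure, REQUESTS)
end
```

The insecure handler accepts both requests and order 2 ends up shipping to the attacker-supplied address; the secure handler allows the first and denies the second, which is the property a test can assert on a real endpoint by replaying a captured request with a different id. Scoping the lookup to the current user (rather than loading by id and checking ownership afterwards) keeps the check in one place and makes "not yours" and "does not exist" indistinguishable to the caller.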
• The best way to make software secure is to make security part of the process.
• There are many ways to do this - none is perfect.
• Find a way to make the security fit your process.
requirements
• Test for XSS, Injection, Authorization
• Leverage automation where possible
• Know some of the limits of security tools
• Visit owasp.org to find more resources!