Hope management in web applications from pentester’s point of view
Quite often we read in the news that someone got hacked and some data (including pics!) was leaked. Quite often web applications are built in the hope that “nothing bad will happen”. Quite often users use web applications in the hope that “nothing bad will happen to my data”. I call all of this “hope management”.
As a user – you hope that no one will guess your credentials and that web applications keep your data securely.
As a developer – you hope that no one will hack your code, that you know enough about security, and that the frameworks and libraries you use in your project are secure (because they are so widespread and famous!).
As a project manager – you hope all project members produce only quality, secure software, that no one will hack it and that the client will be happy.
As a consumer – you hope the development company produces secure software and that during the security test the testers find all vulnerabilities.
As a security tester – you hope your scanner can find all vulnerabilities.
Once you have a security incident – who is guilty? The attacker – because he/she is bad? The developer – because he/she wrote the code? The admin? The tester? The project manager? The consumer?
As a web application security tester, web application security trainer and ex-developer, I will share my opinion about “hope management” in this non-technical presentation. Come and brainstorm about security bottlenecks in software development. Also, you may want to change your password afterwards.
BIO: Elar was a web application developer for about 8 years before switching to the security field at the beginning of 2012. Elar is a penetration tester and the main lecturer and course developer of the 4-day Web Application Security training course at Clarified Security (in September 2014 he passed 1000 hours of WAS training given since the course launched in March 2012). Elar enjoys researching and writing proof-of-concepts, and constantly adds to the training content from real-life pentesting experiences. He knows what can go wrong in a web application as a penetration tester, as a Web Application Security trainer and as an ex-developer.