speaker: Eoin Keary
As an industry, we are very busy but things don’t seem to be getting better. Big companies are hacked. If we have the brainpower and the budget, why aren’t things improving?
Asymmetric arms race
- Like the bear: you don’t need to outrun the bear, just the guy behind you.
- You may be secure at any given time. But it’s like a treadmill. Things change.
Too many variables and too little time to ensure “real” security. Many attacks go after the business logic.
Current state
- 10 man-years of development and two weeks of ethical hacking
- Testing targets 80-90% coverage.
“Risk comes from not knowing what you’re doing” – Warren Buffett
Testing is time-limited. Tools give false positives, so you still need to investigate the output. Code is pushed frequently. The value of the pen test drops because the code no longer matches what was tested.
Most tools can’t scan for DOM XSS. See DOM XSS Test Cases.
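To make the DOM XSS point concrete, here is an added example (not from the talk or this post) of the kind of client-side data flow scanners miss: a URL fragment read in the browser and written straight into the page, beside a hardened version. The function names (`renderGreetingUnsafe`, `renderGreetingSafe`, `escapeHtml`, `containsInjectedTag`) and the sample fragment are my own, and the `innerHTML` sink is modelled as a returned string so the code runs under Node without a DOM.

```javascript
// Added example, not code from the talk or the blog post.
// A DOM-based XSS pattern modelled as plain string functions so it runs
// under Node without a browser. All names and the sample input are constructed.

// Typical page code: read the URL fragment (a purely client-side "source")
// and write it into the page via innerHTML (a client-side "sink").
// The fragment is never sent to the server, so scanners and proxies that only
// look at HTTP requests and responses never observe this data flow.
function renderGreetingUnsafe(locationHash) {
  const name = decodeURIComponent(locationHash.replace(/^#/, ''));
  // Stands in for: document.getElementById('greet').innerHTML = ...
  return `<h1>Hello, ${name}</h1>`;
}

// Minimal HTML escaping for the characters that can break out of text context.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened form: escape before inserting. In real browser code prefer
// element.textContent = name, which needs no escaping at all.
function renderGreetingSafe(locationHash) {
  const name = decodeURIComponent(locationHash.replace(/^#/, ''));
  return `<h1>Hello, ${escapeHtml(name)}</h1>`;
}

// Constructed sample input: markup smuggled into the fragment.
const SAMPLE_HASH = '#' + encodeURIComponent('<b>injected</b>');

// Detection helper: did a tag from the input survive into the rendered HTML?
function containsInjectedTag(html) {
  return /<b>/.test(html);
}

console.log('unsafe:', renderGreetingUnsafe(SAMPLE_HASH));
console.log('safe:  ', renderGreetingSafe(SAMPLE_HASH));
```

The unsafe path returns the `<b>` tag intact, so the browser would parse it as markup; the safe path returns it as `&lt;b&gt;`, which renders as text. Because the whole flow happens in the browser, finding it means reviewing or instrumenting the JavaScript rather than scanning server responses.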
Robots are good at detecting known unknowns. Humans are good at detecting unknown unknowns.
We eat cheeseburgers until the doctor says we are going to have a heart attack. We write insecure code until we get hacked.
Tool: https://github.com/jeremylong/DependencyCheck
We can’t improve what we can’t measure. Risk changes depending on context. Just because it is XSS doesn’t automatically make it high. Maybe it is on a page only one person can access.
My take
Nice analogies. It felt a bit like preaching to the choir though. I had trouble finding the organization in the presentation (hence the lack of organization in this blog post). In hindsight, I should have guessed this given the lengthy abstract. Also some of the “new” things were in an earlier presentation. I left half an hour in. Possibly the second half was better.