Security is paramount for applications delivered over the Internet. We’ve put a lot of energy into our own development practices, and recently we’ve been sharing some of the things we have learnt and refined with developer audiences around New Zealand.
Over the last six months I’ve been presenting on different aspects of web security to about 350 developers at user group meetings, Code Camps, conferences and to some of our partners. The main focus has been on understanding the potential threats in a web environment, share some of our experiences, and offer some best practice on how to protect your applications.
Monday at the OWASP New Zealand day was a lot of fun. I co-presented with Andy Prow from Aura Software Security . We had two participants up the front sparring with giant boxing gloves while I protected our sample ASP.NET application from Andy’s ‘hacking’ attacks.
There was lots to learn from the various sessions – most surprising to me was the lack of security around Firefox Extensions. In a session presented by Roberto Suggi Liverani and Nick Freeman from Security-Assessment.com, we saw the sorts of bad behaviour a Firefox extension can get up to without you realising. Moral of the story: don’t install extensions that you don’t trust!
We also heard about the 2 million unprotected credit card numbers found on NZ companies’ infrastructure, how small security issues can be compounded when chained with other issues, how SOAP web services can be tested, and how after 10 years we’re still making the same mistakes again and again.
All the talks were recorded, so I expect at some stage the videos and slides will end up at the OSWAP NZ website. So if you’re a developer or architect, come along to user group meetings to learn more about web security. The OWASP guidelines are also available for free from the OWASP site.
If you’re a .NET development shop or Xero partner, I’d be happy to come along and present to you and your team for an hour or so.