Description

Today, Off Script hosts Josh and James discuss all things web application security. It’s something that is getting more and more important to get right: more cyber attacks, more ransomware attacks. They address good application hygiene and the common pitfalls they are seeing people fall for. Big data breaches can lead to losing customer trust, so it’s important to make sure you’re running a tight ship with security.
Basic security maintenance is essential, but what can companies and individuals be doing to make sure their web applications are secure at a time when high-value bug bounties are being offered to people for finding vulnerabilities?
* Bug bounties: the positives, negatives and relevance to different-sized agencies
* The use of bots to find MongoDB vulnerabilities
* Encrypted vaults
* The Slack issue
* How hard is it to put secure processes in place from the start?
* Canary and environment variables
* If you’re a security researcher, what do you do with responsible disclosure?
* The fine line between helping the hackers and helping the community
* What makes a good, secure app?
* Package managers
* Modern libraries making it obvious when you are doing a bad thing
* Open pull requests
* Get your house in order with OWASP
* Frameworks and the early standards they set with password management and security hygiene
* Importance of rotating keys
* Human interfaces and the flaws surrounding them
* What can we learn from Twelve-Factor?
* GitHub Workspaces and recreatable environments
* The issues of convenience
* Macs vs dev accessibility and Windows catching up
* GitHub and Atom
* Good, automated test suites
* How to have a good view on what makes a good security test
* Falling into the trap of feeling productive
* Sitting down with the team to discuss testing value and priorities
* The creativity of SQL injection
* Reinventing the wheel
* Dangers of writing your own encryption tool and the importance of getting an external security company
Resources:
* GitHub Security Bug Bounty (https://bounty.github.com/)
* snyk (https://snyk.io/)
* Yarn (https://yarnpkg.com/)
* The Open Web Application Security Project (https://owasp.org/)
* 12 Factor (https://12factor.net/)
* Hyper (https://hyper.is/)
Find out more about Stac and Parallax:
* Stac (https://stac.works)
* Parallax (https://parall.ax)