Software Practice Advancement Conference

SPA Conference session: Getting Inside Common Web Security Threats

One-line description:A workshop where we will use a deliberately insecure web application to delve into some of the common security weaknesses of web-based systems and learn how to fix them.
Session format: Workshop 150 [read about the different session types]
Abstract:Nowadays all software developers need to be aware of threats to web based systems, not just those who work for Facebook. With nearly all systems having a web interface of some sort and the common attack vectors for these systems being well known, it's not just cybercriminals, Anonymous or the NSA who are the primary threat, but Alice in Accounts. However while we've ve all heard of a cross-site scripting attack, what does the vulnerable code look like and how do we fix it?

In this session we will review the top 10 list of threats to web based systems and perform some of the attacks ourselves. We will then inspect the vulnerable code and fix it to repel the attack. In so doing attendees will get to delve into what each vulnerability looks like, understand how they can be mitigated and learn how to harden web-based systems to protect them against attacks.

Audience background:Software developers with a basic knowledge of web based systems development. Emphatically do not need to be JavaScript ninjas though. The example application will be Java based but .NET developers should be able to join in too. Attendees will need a Linux, Mac or Windows computer to use or share.
Benefits of participating:Understanding the top threats to web based system security and how to address them.

An overview of resources from the Open Web Application Security Project (OWASP), in particular the WebGoat application that can be used for understanding vulnerabilities.
Materials provided:- Presentation slides
- Guided exercise instructions for a subset of the OWASP Top 10
- Automated setup for laptops (a Github repo and a build script)
Process:The workshop is based on the process of introducing the subject to confirm or provide base knowledge and then having the attendees explore the problem space via guided exercises to learn by doing.

- An initial short presentation reviews the fundamentals of IT security and sets some context by defining terms like threat, attack, attacker, mitigation, and mechanism.

- A second part of the presentation introduces the OWASP Top 10 list of web application vulnerabilities, briefly describing each.

- For the rest of the session attendees will choose a couple of the items from the list and use a deliberately vulnerable application to investigate each by performing the attack, reviewing the vulnerability, fixing the vulnerability and attacking the application again to prove that it is resolved.

- Attendees will be encouraged to work in pairs to investigate the vulnerabilities.

- The attendees can take away the working environment and so can continue to investigate vulnerabilities after the session if they are interested in doing so.
Detailed timetable:00:00 - 00:10 Introductions and overview of core IT security knowledge
00:10 - 00:40 Brief introduction to the OWASP Top 10 List
00:40 - 01:15 Automated lab installation, start work on first vulnerability
01:15 - 01:30 Break
01:30 - 02:15 Continue work on vulnerabilities
02:15 - 02:30 Review of what we have learned and identify follow up actions
Outputs:The slides and web based pointers to security resources. The participants will take away working security examples.
History:This is a new session to be developed for SPA 2015.
1. Eoin Woods
2. Nick Rozanski
Barclays Investment Bank
3. Andy Longshaw
Advanced Legal