Web Application Security with James Hall and Josh Nesbitt


Episode #08

  22nd September, 2021
  47 minutes

Today, Off Script hosts Josh Nesbitt (Stac) and James Hall (Parallax) discuss all things web application security. With more cyber attacks and more ransomware attacks, it's something that is getting more and more important to get right. They address good application hygiene and the common pitfalls they are seeing people fall for. Big data breaches can lead to losing customer trust, so it's important to make sure you're running a tight ship with security.

Basic security maintenance is essential, but what can companies and individuals be doing to make sure their web applications are secure at a time when high-value bug bounties are being offered to people for finding vulnerabilities?

Some topics covered in this episode:

  • Bug bounties. The positives, negatives and relevancy to different sized agencies
  • The use of bots to find MongoDB vulnerabilities
  • Encrypted vaults
  • The Slack issue
  • How hard is it to put secure processes in place from the start?
  • Canary and environment variables
  • If you’re a security researcher, what do you do with responsible disclosure?
  • The fine line between helping the hackers and helping the community
  • What makes a good, secure app?
  • Package managers
  • Modern libraries making it obvious when you are doing a bad thing
  • Open pull requests
  • Get your house in order with OWASP
  • Frameworks and the early standards they set with password management and security hygiene
  • Importance of rotating keys
  • Human interfaces and the flaws surrounding them
  • What can we learn from Twelve-Factor?
  • GitHub Workspaces and recreatable environments
  • The issues of convenience
  • Macs vs dev accessibility and Windows catching up
  • GitHub and Atom
  • Good, automated test suites
  • How to have a good view on what makes a good security test
  • Falling into the trap of feeling productive
  • Sitting down with the team to discuss testing value and priorities
  • The creativity of SQL injection
  • Reinventing the wheel
  • Dangers of writing an encryption tool and importance of getting an external security company

Find out more about Stac and Parallax

Stac: https://stac.works
Parallax: https://parall.ax

References

https://bounty.github.com/
https://snyk.io/
https://yarnpkg.com/
https://owasp.org/
https://12factor.net/
https://hyper.is/