An application security programme is your company’s product security game plan. Its goal is to reduce the number of security flaws introduced into an application over the course of its software lifecycle while, at the same time, increasing the difficulty of exploitation (making it harder for an attacker to find and abuse vulnerabilities) and reducing security risks such as data loss…
Defending web and mobile applications against attackers has always been hard; there is no escaping that fact. However, it doesn’t seem to be getting any easier either. Evolving development practices (Agile, DevOps, CI/CD, IaC) have a big part to play, but several other trends are also not helping the situation. So in this modern world of development, how can we better secure these applications?
The short answer is that we need to change the way we approach application security, by designing an application security programme, or secure software development lifecycle (SSDLC), that fits better into these evolving development practices…
I spoke about the pros and cons of bug bounty programs with Mike at CrikeyCon 2017. This is a community-led conference targeting those with an interest in information security around South East Queensland and beyond.
I presented at OWASP AppSec Day 2016, an event run by the OWASP Melbourne Chapter designed to spread application security knowledge to the general tech community through talks and workshops.
I presented a slightly updated version of my DDD Sydney deck at DDD Melbourne about what motivates hackers to break into systems and how you could approach securing your company’s web application at scale. DDD Melbourne is a non-profit community event in Melbourne run by developers for developers.
I presented on bug bounty programs at an Infrastructure Coders event in Melbourne. The meetup is focused on Infrastructure (DevOps) and is designed for Systems Administrators, Developers, DevOps, Web Operations Engineers and all people who build high traffic websites.
At WAHCKon Perth 2015, an information security conference held in Perth, Australia, I presented on how to break common Android binary protections like root detection and SSL pinning.
Developers of Android and iOS applications can implement what are called binary protections, which hinder a penetration tester (or attacker) from easily analysing the application. Some of the more common protections are SSL pinning, code obfuscation and root detection. This article explains how to bypass the last of these, namely root detection on Android.
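As an added illustration of the kind of bypass this is about (example code, not the article’s own method), the Frida script below hides the artefacts a typical Java-layer root check looks for: it hooks `java.io.File.exists()` for `su`-style paths, refuses shell probes such as `which su`, and rewrites `Build.TAGS`. The target package name, the artefact list and the probe patterns are assumptions; adjust them for the app under test. The path and command classifiers are plain functions so they can be exercised outside Frida.

```javascript
// Added example, not code from the article: a Frida script that hides the
// artefacts a typical Java-layer root check probes for.  The package name,
// the artefact list and the probe patterns are assumptions for the demo.
//
// Usage (assumed target):  frida -U -f com.example.target -l bypass_root.js

// Common locations root-detection code tests for (constructed list).
const SU_ARTIFACTS = [
  '/system/bin/su',
  '/system/xbin/su',
  '/sbin/su',
  '/su/bin/su',
  '/data/local/xbin/su',
  '/data/local/bin/su',
  '/system/app/Superuser.apk',
];

// Decide whether a path being tested is a root indicator that should be hidden.
function looksLikeRootArtifact(path) {
  if (typeof path !== 'string') return false;
  return SU_ARTIFACTS.includes(path)
    || /(^|\/)su$/.test(path)          // any .../su binary
    || /superuser|magisk/i.test(path); // management apps and their files
}

// Decide whether a command handed to Runtime.exec() is a root probe, e.g. `which su`.
function isRootProbeCommand(cmd) {
  return /\bsu\b|magisk|superuser/i.test(String(cmd));
}

// Only install hooks when running inside Frida (the `Java` bridge is a Frida
// global); outside Frida the classifiers above can still be unit-tested.
if (typeof Java !== 'undefined') {
  Java.perform(function () {
    // 1. File.exists(): the most common probe.  Every other path falls through
    //    to the original so normal app behaviour is unaffected.
    const File = Java.use('java.io.File');
    File.exists.implementation = function () {
      const path = this.getAbsolutePath();
      if (looksLikeRootArtifact(path)) {
        console.log('[root-bypass] hiding ' + path);
        return false;
      }
      return this.exists();
    };

    // 2. Runtime.exec(String): probes such as `which su` or `su -c id`.
    //    An IOException is what the app would see on a device where the
    //    binary is absent; Frida propagates Java exceptions thrown here.
    const Runtime = Java.use('java.lang.Runtime');
    Runtime.exec.overload('java.lang.String').implementation = function (cmd) {
      if (isRootProbeCommand(cmd)) {
        console.log('[root-bypass] refusing exec of ' + cmd);
        throw Java.use('java.io.IOException').$new('Cannot run program "' + cmd + '"');
      }
      return this.exec(cmd);
    };

    // 3. Build.TAGS == "test-keys" is a cheap custom-ROM signal; rewrite the static field.
    const Build = Java.use('android.os.Build');
    Build.TAGS.value = 'release-keys';
  });
}
```

Checks that go through JNI, `stat()` from native code or a packaged library such as RootBeer need their own hooks; the three above cover the plain Java checks that most hand-rolled detection uses.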
When you are performing a pen test or participating in a bug bounty program, you are sometimes confronted by a Web Application Firewall (WAF) designed to block malicious payloads. To properly identify and exploit a Cross-site Scripting vulnerability you will need to find a way around it! This article demonstrates a method of creating an SVG-based payload to bypass those pesky WAFs.
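To show why an SVG payload gets past a signature filter, here is an added example (not the article’s code): a constructed, deliberately naive blocklist of the kind a simplistic filter might use, two classic payloads it catches, two inline-SVG payloads it does not, and the context-aware encoding that neutralises all of them. The blocklist is hypothetical; real WAF rule sets differ, which is exactly the point of the comparison.

```javascript
// Added example, not the article's code: a constructed naive WAF-style
// blocklist, SVG payloads that evade it, and the encoding that defeats both.

// Hypothetical blocklist of the kind a simplistic filter might use.
const NAIVE_BLOCKLIST = [
  /<script/i,      // the classic tag
  /javascript:/i,  // javascript: URLs in href/src
  /onerror\s*=/i,  // by far the most common handler in canned payloads
  /<img/i,
  /<iframe/i,
];

// True if the naive filter would reject the input.
function naiveWafBlocks(input) {
  return NAIVE_BLOCKLIST.some((re) => re.test(input));
}

// Constructed payloads.  The first two trip the blocklist; the SVG ones do not,
// because inline <svg> is valid HTML5 and its event attributes (onload,
// onbegin, ...) run script with no <script> tag, image or external URL.
const PAYLOADS = {
  scriptTag:  '<script>alert(1)</script>',
  imgOnerror: '<img src=x onerror=alert(1)>',
  svgOnload:  '<svg onload=alert(1)>',
  svgAnimate: '<svg><animate onbegin=alert(1) attributeName=x dur=1s>',
};

// Defence that does not depend on signatures: encode for the HTML body context
// so the browser never parses untrusted data as markup.
function encodeForHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Crude detector for a tag start, used to show the encoded form is inert.
function containsTagStart(s) {
  return /<[a-z!\/]/i.test(s);
}

// Run every payload through both the blocklist and the encoder.
function evaluate() {
  const out = {};
  for (const [name, payload] of Object.entries(PAYLOADS)) {
    out[name] = {
      blockedByNaiveWaf: naiveWafBlocks(payload),
      markupAfterEncoding: containsTagStart(encodeForHtml(payload)),
    };
  }
  return out;
}

console.log(JSON.stringify(evaluate(), null, 2));
```

The encoder here is for the HTML body context only; data landing inside an attribute, a URL or a script block needs the encoder for that context, and that is the fix to push for after the finding is reported, rather than another blocklist entry.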