Live Hacking: Breaking into Your Web App • Brian Vermeer • GOTO 2022
About this talk
This presentation was recorded at GOTO Amsterdam 2022. #GOTOcon #GOTOams http://gotoams.nl Brian Vermeer - Java Champion & Senior Developer Advocate at Snyk @brian_vermeer ABSTRACT Join us for a captivating live hacking session with Brian Vermeer. In Brian's opinion, open source modules are undoubtedly impressive. However, they also represent an undeniable and massive risk. Within open source modules you are introducing someone else's code into your system, often with little or no scrutiny. The wrong package can introduce severe vulnerabilities into your application, exposing your application and your user's data. This talk will use a sample application, Goof, which uses various vulnerable dependencies, which together with Brian, you'll exploit as an attacker would. For each issue, Brian will explain why it happened, show its impact, and – most importantly – see how to avoid or fix it. Brian will live hack exploits like the classic struts vulnerability that recently made it famous, along with Spring Break and several others. In this talk, you'll learn: • That security is important. Not only for your own code but also the frameworks and libraries you depend on • What might happen when using outdated libraries with known vulnerabilities [...] TIMECODES 00:00 Intro 00:25 DevSecOps 03:13 What are the problems? 05:22 How bad is the situation? 07:41 Demo 11:05 Your app's code 13:02 Serverless example 14:36 Spring serverless example 15:54 Open source usage has exploded 19:56 Live hacking/Demo 31:21 Docker 35:57 What's the solution? 38:35 DveSecOps in your SDLC 40:25 Resources 40:47 Outro Download slides and read the full abstract here: https://gotoams.nl/2022/sessions/1603 RECOMMENDED BOOKS Jim Manico & August Detlefsen • Iron-Clad Java • https://amzn.to/3qGqwBw Liz Rice • Container Security • https://amzn.to/3oU4iJe Liz Rice • Kubernetes Security • https://www.oreilly.com/library/view/kubernetes-security/9781492039075 Aaron Parecki • OAuth 2.0 Simplified • https://amzn.to/2A3IMOf Aaron Parecki • OAuth 2.0 Servers • https://amzn.to/3ecHEsz Aaron Parecki • The Little Book of OAuth 2.0 RFCs • https://amzn.to/3i7qnlC Erdal Ozkaya • Cybersecurity: The Beginner's Guide • https://amzn.to/2T6OIj3 Richer & Sanso • OAuth 2 in Action • https://amzn.to/3hXiAH6 Wilson & Hingnikar • Demystifying OAuth 2.0, OpenID Connect, and SAML 2.0 • https://amzn.to/2U8iLY2 https://twitter.com/GOTOcon https://www.linkedin.com/company/goto- https://www.instagram.com/goto_con https://www.facebook.com/GOTOConferences #Security #DevSecOps #Risk #OpenSource #OpenSourceModules #Vulnerable #Dependencies #VulnerableDependencies #Privacy #Programming #SoftwareEngineering #SoftwareDevelopment #Serverless #Java #Spring #Log4j #Docker CHANNEL MEMBERSHIP BONUS Join this channel to get early access to videos & other perks: https://www.youtube.com/channel/UCs_tLP3AiwYKwdUHpltJPuA/join Looking for a unique learning experience? Attend the next GOTO conference near you! Get your ticket at https://gotopia.tech Sign up for updates and specials at https://gotopia.tech/newsletter SUBSCRIBE TO OUR CHANNEL - new videos posted almost daily. https://www.youtube.com/user/GotoConferences/?sub_confirmation=1
Stay Updated
Get notified about new features and conference additions.
