Application Hackers Have A Handbook. Why Shouldn’t You?

Marc Shinbrood

Fri, 15th August 2014

Speaker Bio 1:
Marc Shinbrood is currently Vice President at Trustwave where he focuses on application security. He has been in the vendor software and appliance business environment for over 35 years, with the last 15 years focusing on enterprise-level software and appliance security solutions.

Prior to joining Trustwave, Marc was CEO and Chairman of Breach Security, Inc. He has served in every conceivable role with a computer software company, including serving as CEO or principal operating officer five times. He is the author of numerous articles and videos, a frequent speaker at industry events and venture capital conferences, and was an Associate Technical Editor for Midrange Computing Magazine. Marc achieved a Bachelor of Science degree in Computer Science in the first undergraduate graduating class at Purdue University and was recently awarded the Outstanding Alumnus Award by the School of Computer Science at Purdue.

Learning Objectives:

Marc will explain:

  • Today’s Vulnerabilities
  • Real World Application Security Lifecycle
  • A Holistic Application Security Solution

Resources and materials:

Questions and answers

Max, Concise Courses:
@17:40 Prevention is always better than cure but how do we detect if we have been hacked? Aside from the obvious page defacement – what is a solid method of detection post hack?

Marc Shinbrood:
First, you have to have a way to figure out if you have been hacked. Web application firewalls provide logs and what we are looking for is anomalous behavior. We need to look for that. [There are] tools that help you do that. Penetration testing, code reviews and just constant monitoring is what you have to do. There is no short-cut.

Max, Concise Courses:
@18:30 What about blocking entire IP ranges? Does that help our security posture? Truth is, we don’t have any business in, say, Russia, so why would we allow traffic to come from those nations? If you agree with this, then does an .htaccess file help with that?

Marc Shinbrood:
Well, let me say that Geo-IP blocking isn’t worth it. If you are being scanned from someone in [for example] South Korea or North Korea at 0200 am in the morning, certainly you want to stop that. Nobody would argue that! Having said that, tools can be used to do an HTTP audit, and [get] all of that kind of information. You can do Geo-IP ranges etc., but that is not enough. You have to do a lot more.

Max, Concise Courses:
@19:40 You mentioned getting expertise on writing secure code, what would you recommend to obtain that experience, i.e. is there a resource you’d recommend or a training course to better secure our code?

Marc Shinbrood:
Absolutely! Trustwave provides the ability to train your developers in any language that you have. We can train people on how to write secure code and what the problems can be. Let me say that this is something that people don’t take very seriously. That is definitely a concern. We had a customer who put up a website for children, and on the first day they played games [that was a feature of the website], and once the games were played, if you played well, you got coupons to buy their products. On the first day they got 400,000 hits on that website by young ladies from the ages of ten to 14. Of those girls, 200 maxed out on the coupons because they found a backdoor that was left open by the developers. It happens, and we don’t take it too seriously. In this example no one got hurt [the only victim was that] additional coupons were given away.

If you do not stay vigilant, and you have people writing code who have not had any security training, then you really could be in significant trouble.