Johnny Xmas on Web Security & the Anatomy of a Hack

01 Oct 2024

Real Device Testing

  • 84% of QA organizations surveyed reported needing to test on real devices for successful Cionic builds. (4s)

Cada: Preventing Bot Access

Common Web Application Attacks

  • Most web application attacks are not particularly sophisticated and rely on simple scripts and tools like curl, Burp Suite, and Python requests. (4m51s)
  • Puppeteer is a tool that can be used to bypass security defenses. (5m48s)
  • SQL injection (SQLi) is a common vulnerability, despite being widely known and used in training for both attackers and defenders. (6m37s)
  • Phishing is an effective attack method that exploits the weakest link in any system: people. (7m38s)

Attacker Tactics

  • Attackers often possess large quantities of login credentials obtained from data breaches. (11m17s)
  • Attackers can use simple tools to determine email address formats and build username lists based on common naming conventions. (12m36s)
  • CAPTCHAs are not an effective deterrent against determined attackers, as bypass tools and Mechanical Turk services can be used to circumvent them. (13m30s)
  • Attackers often use brute force methods to gain access to systems, trying different login credentials until they find a valid combination. They may target mail servers first, as they are often less protected, and then use those credentials to access other systems, such as VPNs. (18m7s)
  • Once inside a network, attackers may exploit the lack of internal security measures, such as network segmentation or throttling of login attempts, to gain further access to sensitive data. (20m30s)

Security Recommendations

  • Organizations should strongly consider implementing multi-factor authentication for internal web applications, especially those handling sensitive data. (21m13s)
  • Monitoring should encompass both failed and successful login attempts, particularly for systems like domain controllers, where any login activity is unusual and warrants investigation. (21m24s)
  • "Defense in depth," which involves establishing multiple layers of security measures, is crucial for slowing down attackers and increasing the time required for a successful breach. (23m29s)
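As an added illustration of the monitoring and throttling points above (example code, not from the talk): a small detector run over constructed syslog-style login lines that flags a source address exceeding a failure threshold, any later successful login from that source (the mail-server-then-VPN pattern), and any successful login on a host tagged as a domain controller. The hostnames, addresses, threshold and window are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in a syslog-like layout; not real log data.
SAMPLE_LOG = """\
2024-10-01T09:00:00 web01 sshd: Failed password for alice from 203.0.113.5
2024-10-01T10:00:01 mail01 sshd: Failed password for bob from 198.51.100.7
2024-10-01T10:00:02 mail01 sshd: Failed password for carol from 198.51.100.7
2024-10-01T10:00:03 mail01 sshd: Failed password for dave from 198.51.100.7
2024-10-01T10:00:04 mail01 sshd: Failed password for erin from 198.51.100.7
2024-10-01T10:00:05 mail01 sshd: Failed password for frank from 198.51.100.7
2024-10-01T10:00:06 mail01 sshd: Accepted password for frank from 198.51.100.7
2024-10-01T10:30:00 vpn01 sshd: Accepted password for frank from 198.51.100.7
2024-10-01T11:00:00 dc01 sshd: Accepted password for frank from 10.0.0.9
"""

LINE_RE = re.compile(r"^(\S+) (\S+) \S+ (Failed|Accepted) password for (\S+) from (\S+)$")
DOMAIN_CONTROLLERS = {"dc01"}  # assumed: hosts where any login warrants investigation
THRESHOLD = 5                  # assumed: failures from one source inside WINDOW
WINDOW = timedelta(minutes=5)

def parse(log):
    """Return (timestamp, host, outcome, user, source) tuples in time order."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, host, outcome, user, src = m.groups()
            events.append((datetime.fromisoformat(ts), host, outcome, user, src))
    return sorted(events)

def detect(log):
    """Emit (alert_type, source, host) tuples for the three conditions above."""
    alerts = []
    failures = defaultdict(list)  # source -> recent failed-login timestamps
    bruteforced = set()           # sources that already crossed the threshold
    for ts, host, outcome, user, src in parse(log):
        if outcome == "Failed":
            # Keep only failures inside the sliding window, then add this one.
            failures[src] = [t for t in failures[src] if ts - t <= WINDOW] + [ts]
            if len(failures[src]) >= THRESHOLD and src not in bruteforced:
                bruteforced.add(src)
                alerts.append(("brute_force", src, host))
        else:
            if host in DOMAIN_CONTROLLERS:
                alerts.append(("dc_login", src, host))
            if src in bruteforced:
                alerts.append(("success_after_bruteforce", src, host))
    return alerts
```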

Developer Security Practices

  • Developers should understand why they are implementing security measures and how they work, rather than just focusing on the technical details. (26m2s)
  • Many security vulnerabilities are caused by developers using weak encryption keys, leaving keys in code comments or git repositories, and not changing default passwords. (26m27s)
  • Developers should prioritize learning about basic security concepts and common attacks, such as those listed in the OWASP Top 10, and practice attacking their own systems in a safe environment to gain a better understanding of how to defend against them. (27m31s)

InfoQ Trends Report

  • The InfoQ Trends Report provides information on AI Ops adoption. (31m17s)
  • The report can be reviewed in under 11 minutes. (31m19s)
  • A link to the report is available at info.linkd.devops trends -209. (31m21s)