Uszanowanko Programowanko #1 - Web application testing - a quick guide to testing and security

Post on 17-Jul-2015


Web Application Testing
Quick guide to testing and references

C|EH, DevOps

I hate PCI. Ruby on Rails Developer.

Pretend to know other things… I like turtles…

No, I will not hack into your wife's email.

James Ruffer

Developers? Ruby? PHP? Python? Java? Android? Cobol? Fortran? Is .NET still around?

PenTesters?

Who are you?

Who is attacking you?

● Kiddy scripters
● Dumbasses
● Angry Hacker
● Professional Hacker
● Team of Hackers

Who should you protect yourself against?

● Kiddy Scripters
● Dumbasses

How and Why?

HOW?

Know the most common hacking tools:

https://www.concise-courses.com/hacking-tools/top-ten/

BackTrack now known as https://www.kali.org/

http://www.metasploit.com/

Resources to stay up to date on:

OWASP: www.owasp.org
Data Loss DB: www.datalossdb.org
Verizon Report: www.verizonenterprise.com/DBIR/

Hack this site: www.hackthissite.org/pages/index/index.php
Root this box

Please, for the love of God... force some password rules, like uppercase with a number and a special char... expire after 90 days.

Simple Two Factor solutions: Google Two Factor

Password Rules
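As an added example, not code from the talk, a plain-Ruby password policy that implements the rules the slide asks for (an uppercase letter, a number, a special character, and a 90-day expiry); the minimum length of 8 and the class and method names are assumptions of mine, not the speaker's.

```ruby
# Added example: password policy matching the slide's rules.
# Rules: uppercase + digit + special character, expire after 90 days.
# MIN_LENGTH is an assumption; the slide does not state one.
require 'date'

class PasswordPolicy
  MIN_LENGTH   = 8    # assumption, not from the slide
  MAX_AGE_DAYS = 90   # "expire 90 days"

  # Returns the rules the candidate password fails; empty array = acceptable.
  def self.violations(password)
    errors = []
    errors << "at least #{MIN_LENGTH} characters" if password.length < MIN_LENGTH
    errors << 'an uppercase letter' unless password.match?(/[A-Z]/)
    errors << 'a digit'             unless password.match?(/\d/)
    # anything that is not a letter or digit counts as a special character
    errors << 'a special character' unless password.match?(/[^A-Za-z0-9]/)
    errors
  end

  def self.acceptable?(password)
    violations(password).empty?
  end

  # True when the password was last changed more than MAX_AGE_DAYS ago,
  # i.e. the user must be forced to pick a new one at next login.
  def self.expired?(changed_on, today: Date.today)
    (today - changed_on).to_i > MAX_AGE_DAYS
  end
end

if __FILE__ == $PROGRAM_NAME
  %w[password Password1 Password1!].each do |pw|
    v = PasswordPolicy.violations(pw)
    puts "#{pw.ljust(12)} -> #{v.empty? ? 'ok' : 'missing ' + v.join(', ')}"
  end
  # constructed dates: set on 1 Apr 2015, checked on 17 Jul 2015 -> expired
  puts PasswordPolicy.expired?(Date.new(2015, 4, 1), today: Date.new(2015, 7, 17))
end
```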

Copy / Paste will save time BUT...

Using other plugins or other people's code to save time is commonly done, BUT have you actually looked at the code? Tested the code?

Open Source code is the worst for exploits. Example: the OmniAuth OAuth plugin, https://github.com/intridea/omniauth

How old is the github project?

Intro to burp suite for app testing

Burp Suite is a great way to test MANY things, but information gathering is the first step.

DevOps can help

ModSec: https://www.modsecurity.org/
Naxsi: https://code.google.com/p/naxsi/wiki/LearningMode
TinFoil: https://www.tinfoilsecurity.com/
NetSparker: www.netsparker.com/web-vulnerability-scanner/vulnerabilities/

Have a shared pentesting box with team. Read logs and update often.

Leave a comment in the Git push after tests.

Dedicated testing Box