Hacker vs. Tools
Geoffrey Vaughan
Security Engineer
@mrvaughan
Why this talk?
• Our goal is to build secure software
• What does an SDLC that considers security throughout look like?
• Where can you automate security controls in your SDLC?
• What are the implications of building 1 application vs. managing hundreds?
• Learn to think more like a hacker
Whoami
• Geoffrey Vaughan @MrVaughan
• Security Engineer @SecurityInnovation
• Appsec pentesting/advisory at all areas of SDLC
• Former High School/Prison/University Teacher
• Occasionally I'm let out of my basement
• Travelled from Toronto to be here with you today
Disclaimer
• Vendor/tool agnostic
• I provide services in all areas of SDLC
• Hacker Biased (I am one)
Qualities
Qualities of a Hacker
• Develops creative solutions to complex problems
• Researches and deeply understands the problem
• May leverage tools in the pursuit of a solution
Qualities of a (Security) Tool
• Helps solve problems fast
• Automates the mundane
• Can use signatures, behaviors, or analytics
• Great for high volume testing (large problems and large number of test cases)
Securing your SDLC
• At various points in your SDLC, you may want to use a hacker and/or a tool to help secure your product
• Hackers are great at thinking about problems from a different perspective
  • Great for finding design flaws
• Tools can be very thorough at finding/preventing defined known issues
  • Great for doing tedious things
Security Requirements
Have you thought of everything?
• How do you confidently know from an early stage that you have thought of every possible thing that could go wrong with your application?
• It is a lot cheaper && easier && faster to fix security issues in the Requirements phase than in Production
  • Like 30 to 100X less expensive!
  • (Depends who you ask)
Security Requirements
Have you thought of everything?
Hacker
• Probably will find things the tools miss
• Will think of some really interesting edge cases
• Might not think of everything
Tool
• Checklists
• Threat Modeling
• Processes
Design/Architecture
Most architecture designs consist of:
• Use cases
• User stories
• Data Flow Diagrams
• Server/Stack layouts
Design/Architecture
Hacker
• Hacker + Developer in a room with a flow diagram can often find many issues in a very short amount of time
• This approach doesn't scale well when the application becomes infinitely large or when there is a huge list of applications to test
Tool
• Threat modeling
• There are not a lot of tools out there that provide meaningful value in this space
Development
Hacker
• Training
• Manual Code Review
  • Can find more complex vulnerabilities
  • Doesn't scale well
• Peer Code reviews
Tool
• In-IDE plugins (code-assisted development)
• Static analysis tools
  • Limited vulnerability classes detectable
  • Lots of false positives (thousands)
  • Good coverage for large applications
• Secure Coding Guidelines
What can you find with static analysis?
Good at finding
• Source → Sink issues, tracking where malicious input is executed (XSS, SQLi, and URL Redirects)
• Security misconfigurations
• Insecure randomness
• Some session management issues
• False Positives!!!!
Not good at finding
• Authorization issues
• Some authentication issues (password resets, password brute force)
• Abuse of business rules
• Memory corruption issues (some)
• Design flaws
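To make the "Source → Sink" and "False Positives" bullets concrete, here is a toy taint tracker added as an illustration; it is not code from the talk or from any product. It uses Python's standard `ast` module to follow values from a constructed set of sources (`request.args.get`) through assignments, string concatenation and f-strings into a constructed set of SQL sinks (`cursor.execute`), with `int()` treated as a sanitizer. The sample functions it scans are constructed too: one real SQL injection, one parameterised query, one value sanitised by `int()`, and one value checked against an allow-list inside an `if` block, which the tracker cannot see and therefore reports anyway, which is exactly how the false positives on the slide arise.

```python
import ast

# Constructed taint policy for this example: where untrusted input enters
# (sources), where it must not arrive unsanitized (sinks) and which calls
# are treated as neutralising it (sanitizers). A real tool ships thousands
# of such rules per framework.
SOURCES = {"request.args.get", "request.form.get"}
SINKS = {"cursor.execute", "db.execute"}
SANITIZERS = {"int", "escape"}


def dotted_name(node):
    """Return 'a.b.c' for a Name/Attribute chain such as request.args.get."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def is_tainted(node, tainted):
    """Does this expression carry untrusted data under the toy rules?"""
    if isinstance(node, ast.Name):
        return node.id in tainted
    if isinstance(node, ast.Call):
        name = dotted_name(node.func)
        if name in SOURCES:
            return True
        if name in SANITIZERS:  # output of a sanitizer is trusted
            return False
        return any(is_tainted(a, tainted) for a in node.args)
    if isinstance(node, ast.JoinedStr):  # f-string interpolation
        return any(is_tainted(v.value, tainted)
                   for v in node.values if isinstance(v, ast.FormattedValue))
    if isinstance(node, ast.BinOp):  # "..." + user  or  "..." % user
        return is_tainted(node.left, tainted) or is_tainted(node.right, tainted)
    return False


def find_taint_flows(source_code):
    """Return [(function, line, sink)] for each sink whose query argument
    (the first positional argument) is tainted. Only straight-line
    assignments in a function body are tracked; validation done inside
    if/for blocks is invisible to the analysis, hence false positives."""
    findings = []
    for func in ast.walk(ast.parse(source_code)):
        if not isinstance(func, ast.FunctionDef):
            continue
        tainted = set()
        for stmt in func.body:
            if isinstance(stmt, ast.Assign):
                for target in stmt.targets:
                    if isinstance(target, ast.Name):
                        if is_tainted(stmt.value, tainted):
                            tainted.add(target.id)
                        else:  # reassigned from a clean value
                            tainted.discard(target.id)
            for call in ast.walk(stmt):
                if (isinstance(call, ast.Call)
                        and dotted_name(call.func) in SINKS
                        and call.args
                        and is_tainted(call.args[0], tainted)):
                    findings.append((func.name, call.lineno, dotted_name(call.func)))
    return findings


# Constructed sample module to scan (hypothetical Flask-style handlers).
SAMPLE = '''\
def lookup(request, cursor):
    user = request.args.get("name")
    cursor.execute("SELECT * FROM users WHERE name = '" + user + "'")  # true positive

def lookup_safe(request, cursor):
    user = request.args.get("name")
    cursor.execute("SELECT * FROM users WHERE name = %s", (user,))  # bound parameter: not flagged

def lookup_int(request, cursor):
    uid = int(request.args.get("id"))
    cursor.execute(f"SELECT * FROM users WHERE id = {uid}")  # sanitised by int(): not flagged

def lookup_sorted(request, cursor):
    col = request.args.get("sort")
    if col not in ("name", "email"):
        raise ValueError("bad column")
    cursor.execute(f"SELECT * FROM users ORDER BY {col}")  # false positive: allow-list not understood
'''

if __name__ == "__main__":
    for func, line, sink in find_taint_flows(SAMPLE):
        print(f"{func}: tainted value reaches {sink} at line {line}")
```

Running it reports `lookup` (line 3) and `lookup_sorted` (line 17). The second report is the false positive a reviewer has to triage: the value is validated, but by control flow rather than by a call the rule set knows about. The `lookup_safe` case shows the other side of the trade-off: only the query text is inspected, so data passed as a separate bind parameter is treated as safe.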
QA/Testing
• Ideally, it's best to try to find issues as early in the SDLC as possible
• In QA, finding and fixing issues is more difficult
  • More costly, could introduce delays, sometimes under strict time constraints
  • Some issues could require redesign or architecture changes
• First chance to do runtime analysis
QA/Testing
Hacker
• Can consider the whole picture of the application
• Limited by time/best effort
• If combined with source code, can give best perspective into finding vulnerabilities
• Hard to cover all pages/parameters
Tool
• Fuzzing high volume of test cases
• Crawl/test large applications with good coverage
• Can do Authenticated vs. Unauthenticated testing
• Crash analysis, runtime debugging
• Still has trouble with business rules
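The "fuzzing high volume of test cases" and "crash analysis" bullets together, as an added example that is not part of the talk: a mutation fuzzer run against a constructed toy record parser. The parser validates the obvious cases but trusts its own length field, so a mutated length reads past the end of the buffer. The fuzzer separates the parser's own `ValueError` rejections from unexpected exceptions (crashes), then shrinks the crashing input to the smallest case that still reproduces it, which is the part a human picks up for root-cause analysis. A hardened parser is included to show that the same fuzz run passes once the length field is checked. The format, the bug and the seed input are all constructed for this example.

```python
import random


def xor_bytes(payload: bytes) -> int:
    """One-byte XOR checksum used by the toy record format."""
    acc = 0
    for b in payload:
        acc ^= b
    return acc


def parse_record(data: bytes) -> bytes:
    """Toy record: <length byte><payload><checksum byte>.
    The obvious cases are validated, but the length byte is trusted, so a
    length larger than the real payload reads past the end (IndexError)."""
    if len(data) < 2:
        raise ValueError("truncated record")   # handled validation error
    length = data[0]
    payload = data[1:1 + length]
    checksum = data[1 + length]                # bug: no bounds check here
    if checksum != xor_bytes(payload):
        raise ValueError("bad checksum")
    return payload


def parse_record_fixed(data: bytes) -> bytes:
    """Hardened version: the length field must match the record size."""
    if len(data) < 2:
        raise ValueError("truncated record")
    length = data[0]
    if len(data) != 2 + length:
        raise ValueError("length field does not match record size")
    payload = data[1:1 + length]
    if data[1 + length] != xor_bytes(payload):
        raise ValueError("bad checksum")
    return payload


# Constructed seed case: a valid record carrying the payload "hello".
SEED = bytes([5]) + b"hello" + bytes([xor_bytes(b"hello")])


def mutate(data: bytes, rng: random.Random) -> bytes:
    """One random edit: overwrite, delete or insert a byte."""
    buf = bytearray(data)
    op = rng.choice(("set", "delete", "insert"))
    if op == "set" and buf:
        buf[rng.randrange(len(buf))] = rng.randrange(256)
    elif op == "delete" and buf:
        del buf[rng.randrange(len(buf))]
    else:
        buf.insert(rng.randrange(len(buf) + 1), rng.randrange(256))
    return bytes(buf)


def crashes(target, data: bytes) -> bool:
    """A ValueError is the parser rejecting input; anything else is a crash."""
    try:
        target(data)
    except ValueError:
        return False
    except Exception:
        return True
    return False


def fuzz(target, seed_input: bytes, iterations: int = 2000, rng_seed: int = 1):
    """Run many mutated cases; return (input, exception name) for the
    first crash, or None if the target survived every case."""
    rng = random.Random(rng_seed)
    for _ in range(iterations):
        case = mutate(seed_input, rng)
        try:
            target(case)
        except ValueError:
            continue
        except Exception as exc:
            return case, type(exc).__name__
    return None


def minimize(target, crashing: bytes) -> bytes:
    """Crash analysis step: drop single bytes while the crash persists,
    leaving the smallest input that still reproduces it."""
    shrunk = True
    while shrunk:
        shrunk = False
        for i in range(len(crashing)):
            candidate = crashing[:i] + crashing[i + 1:]
            if crashes(target, candidate):
                crashing, shrunk = candidate, True
                break
    return crashing


if __name__ == "__main__":
    result = fuzz(parse_record, SEED)
    if result:
        case, exc = result
        print(f"crash: {exc} on {case!r}; minimized: {minimize(parse_record, case)!r}")
    print("fixed parser crash:", fuzz(parse_record_fixed, SEED))
```

The minimized case is always two bytes with a non-zero length byte, which points a reviewer straight at the unchecked length field; the fixed parser turns that same input into a handled `ValueError`. This is the tool's strength from the slide, volume and coverage, and also its limit: it finds the crash, but it says nothing about whether the business rules around the record are right.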
Production
Hacker
• Can leverage external resources (Social Engineering, Social media, Google)
• Can leverage weak/vulnerable users
• May invest significant time/energy
Tool
• Signature based detection
• Heuristic threat intelligence
• Abnormality detection
• Continuous runtime scanning
So What About Agile?
Security Tasks:
1. Every Feature/Story Requirements
2. Every Sprint/Release Requirements
3. Regular Maintenance
With Every New Feature / User Story:
• Do the feature requirements consider the security implications of this feature?
• How will this feature affect the overall threat model?
Every Sprint / New Release
• Ensure overall security requirements continue to apply across every new sprint (checklist?)
• Impact on application architecture
• Threat modelling for all new features
• Automated code review
• Manual/Peer code review
• Security Testing of new features
Regular Maintenance
• Periodic security testing and scanning to ensure no new issues arise. The result is a snapshot of your current security posture
• Regular security training for all members of the team
• Take a big-picture look at results from all security testing and look for areas where issues could have been prevented sooner
Secrets to Doing Agile Security Well
• It takes the whole team thinking about security all the time
• Perform regular checks to identify and address issues, and improve processes
• Systems and processes are necessary to implement security controls throughout
Hacker vs. Tool?
• An informed hacker will know when to use each tool and when to rely on their hacker mindset/instincts
• Learn to think more like a hacker to…
  • Make better tools
  • Attack your application as a hacker might
• Learn the trade, not the tool
More Talks today:
I'm also presenting 2 other talks today on completely unrelated subjects:
Catching IMSI Catchers: Hunting the hunter, can you tell if your phone's being captured by a rogue cell phone tower/IMSI catcher/Stingray?
Security Best Practices for Regular Users - What's in your personal threat model? What assets are you trying to protect? Learn how to improve your personal security and privacy online through best practices and security tips.
Thank you
Geoffrey Vaughan
@mrvaughan
@SecurityInnovation

Ā 
Privacy Secrets Your Systems May Be Telling
Privacy Secrets Your Systems May Be TellingPrivacy Secrets Your Systems May Be Telling
Privacy Secrets Your Systems May Be Telling
Ā 
Secure DevOps - Evolution or Revolution?
Secure DevOps - Evolution or Revolution?Secure DevOps - Evolution or Revolution?
Secure DevOps - Evolution or Revolution?
Ā 
IoT Security: Debunking the "We Aren't THAT Connected" Myth
IoT Security: Debunking the "We Aren't THAT Connected" MythIoT Security: Debunking the "We Aren't THAT Connected" Myth
IoT Security: Debunking the "We Aren't THAT Connected" Myth
Ā 
GDPR: The Application Security Twist
GDPR: The Application Security TwistGDPR: The Application Security Twist
GDPR: The Application Security Twist
Ā 

Recently uploaded

How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
Ā 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
Ā 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
Ā 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service šŸø 8923113531 šŸŽ° Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service šŸø 8923113531 šŸŽ° Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service šŸø 8923113531 šŸŽ° Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service šŸø 8923113531 šŸŽ° Avail...gurkirankumar98700
Ā 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024The Digital Insurer
Ā 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
Ā 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
Ā 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsRoshan Dwivedi
Ā 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
Ā 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
Ā 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
Ā 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
Ā 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEarley Information Science
Ā 
WhatsApp 9892124323 āœ“Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 āœ“Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 āœ“Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 āœ“Call Girls In Kalyan ( Mumbai ) secure servicePooja Nehwal
Ā 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
Ā 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
Ā 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
Ā 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel AraĆŗjo
Ā 
Scaling API-first ā€“ The story of a global engineering organization
Scaling API-first ā€“ The story of a global engineering organizationScaling API-first ā€“ The story of a global engineering organization
Scaling API-first ā€“ The story of a global engineering organizationRadu Cotescu
Ā 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
Ā 

Recently uploaded (20)

How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
Ā 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
Ā 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
Ā 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service šŸø 8923113531 šŸŽ° Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service šŸø 8923113531 šŸŽ° Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service šŸø 8923113531 šŸŽ° Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service šŸø 8923113531 šŸŽ° Avail...
Ā 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
Ā 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
Ā 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
Ā 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Ā 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Ā 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
Ā 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
Ā 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
Ā 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
Ā 
WhatsApp 9892124323 āœ“Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 āœ“Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 āœ“Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 āœ“Call Girls In Kalyan ( Mumbai ) secure service
Ā 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
Ā 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
Ā 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
Ā 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Ā 
Scaling API-first ā€“ The story of a global engineering organization
Scaling API-first ā€“ The story of a global engineering organizationScaling API-first ā€“ The story of a global engineering organization
Scaling API-first ā€“ The story of a global engineering organization
Ā 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
Ā 

Hacker vs Tools: Which to Choose?

  • 1. Hacker vs. Tools
    Geoffrey Vaughan, Security Engineer, @mrvaughan
  • 2. Why this talk?
    • Our goal is to build secure software
    • What does an SDLC that considers security throughout look like?
    • Where can you automate security controls in your SDLC?
    • What are the implications of building 1 application vs. managing hundreds?
    • Learn to think more like a hacker
  • 3. Whoami
    • Geoffrey Vaughan @MrVaughan
    • Security Engineer @SecurityInnovation
    • Appsec pentesting/advisory at all areas of SDLC
    • Former High School/Prison/University Teacher
    • Occasionally I'm let out of my basement
    • Travelled from Toronto to be here with you today
  • 4. Disclaimer
    • Vendor/tool agnostic
    • I provide services in all areas of SDLC
    • Hacker Biased (I am one)
  • 5. Qualities
    Qualities of a Hacker
    • Develops creative solutions to complex problems
    • Researches and deeply understands the problem
    • May leverage tools in the pursuit of a solution
    Qualities of a (Security) Tool
    • Helps solve problems fast
    • Automates the mundane
    • Can use signatures, behaviors, or analytics
    • Great for high volume testing (large problems and large number of test cases)
  • 6. Securing your SDLC
    • At various points in your SDLC, you may want to use a hacker and/or a tool to help secure your product
    • Hackers are great at thinking about problems from a different perspective
    • Great for finding design flaws
    • Tools can be very thorough at finding/preventing defined known issues
    • Great for doing tedious things
  • 7. Security Requirements: Have you thought of everything?
    • How do you confidently know from an early stage that you have thought of every possible thing that could go wrong with your application?
    • It is a lot cheaper && easier && faster to fix security issues in the Requirements phase than in Production
    • Like 30 to 100X less expensive!
    • (Depends who you ask)
  • 8. Security Requirements: Have you thought of everything?
    Hacker
    • Probably will find things the tools miss
    • Will think of some really interesting edge cases
    • Might not think of everything
    Tool
    • Checklists
    • Threat Modeling
    • Processes
  • 9. Design/Architecture
    Most architecture designs consist of:
    • Use cases
    • User stories
    • Data Flow Diagrams
    • Server/Stack layouts
  • 10. Design/Architecture
    Hacker
    • Hacker + Developer in a room with a flow diagram can often find many issues in a very short amount of time
    • This approach doesn't scale well when the application becomes infinitely large or when there is a huge list of applications to test
    Tool
    • Threat modeling
    • There are not a lot of tools out there that provide meaningful value in this space
  • 11. Development
    Hacker
    • Training
    • Manual Code Review
    • Can find more complex vulnerabilities
    • Doesn't scale well
    • Peer Code reviews
    Tool
    • In-IDE plugins (code-assisted development)
    • Static analysis tools
    • Limited vulnerability classes detectable
    • Lots of false positives (thousands)
    • Good coverage for large applications
    • Secure Coding Guidelines
  • 12. What can you find with static analysis?
    Good at finding
    • Source → Sink issues, tracking where malicious input is executed (XSS, SQLi, and URL Redirects)
    • Security misconfigurations
    • Insecure randomness
    • Some session management issues
    • False Positives!!!!
    Not good at finding
    • Authorization issues
    • Some authentication issues (password resets, password brute force)
    • Abuse of business rules
    • Memory corruption issues (some)
    • Design flaws
  • 13. QA/Testing
    • Ideally, it's best to try to find issues as early in the SDLC as possible
    • In QA, finding and fixing issues is more difficult
    • More costly, could introduce delays, sometimes under strict time constraints
    • Some issues could require redesign or architecture changes
    • First chance to do runtime analysis
  • 14. QA/Testing
    Hacker
    • Can consider the whole picture of the application
    • Limited by time/best effort
    • If combined with source code, can give the best perspective into finding vulnerabilities
    • Hard to cover all pages/parameters
    Tool
    • Fuzzing: high volume of test cases
    • Crawl/test large applications with good coverage
    • Can do Authenticated vs. Unauthenticated testing
    • Crash analysis, runtime debugging
    • Still has trouble with business rules
  • 15. Production
    Hacker
    • Can leverage external resources (Social Engineering, Social media, Google)
    • Can leverage weak/vulnerable users
    • May invest significant time/energy
    Tool
    • Signature-based detection
    • Heuristic threat intelligence
    • Abnormality detection
    • Continuous runtime scanning
  • 16. So What About Agile?
    Security Tasks:
    1. Every Feature/Story Requirements
    2. Every Sprint/Release Requirements
    3. Regular Maintenance
  • 17. With Every New Feature / User Story:
    • Do the feature requirements consider the security implications of this feature?
    • How will this feature affect the overall threat model?
  • 18. Every Sprint / New Release
    • Ensure overall security requirements continue to apply across every new sprint (checklist?)
    • Impact on application architecture
    • Threat modelling for all new features
    • Automated code review
    • Manual/Peer code review
    • Security Testing of new features
  • 19. Regular Maintenance
    • Periodic security testing and scanning to ensure no new issues arise. The result is a snapshot of your current security posture
    • Regular security training for all members of the team
    • Take a big-picture look at results from all security testing and look for areas where issues could have been prevented sooner.
  • 20. Secrets to Doing Agile Security Well
    • It takes the whole team thinking about security all the time
    • Perform regular checks to identify and address issues, and improve processes
    • Systems and processes are necessary to implement security controls throughout.
  • 21. Hacker vs. Tool?
    • An informed hacker will know when to use each tool and when to rely on their hacker mindset/instincts
    • Learn to think more like a hacker to…
    • Make better tools
    • Attack your application as a hacker might
    • Learn the trade, not the tool
  • 22. More Talks today:
    I'm also presenting 2 other talks today on completely unrelated subjects:
    • Catching IMSI Catchers: Hunting the hunter, can you tell if your phone's being captured by a rogue cell phone tower / IMSI catcher / Stingray?
    • Security Best Practices for Regular Users: What's in your personal threat model? What assets are you trying to protect? Learn how to improve your personal security and privacy online through best practices and security tips.
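Slide 12 says static analysis is good at source → sink flows (SQLi, XSS, URL redirects) and not good at authorization issues. This added example (not from the deck or from Security Innovation) shows why, as a miniature intraprocedural taint analysis built on Python's standard-library `ast` module; the Flask-style source, sink and sanitizer names and the sample code it scans are assumptions constructed for the demonstration.

```python
import ast
# Added example (not from the slides): a miniature source -> sink taint
# analysis using the stdlib ast module. Names are assumed for a Flask-style app.
SOURCES = {"request.args.get", "request.form.get"}
SANITIZERS = {"int", "escape"}  # call results treated as clean
SINKS = {"cursor.execute": "SQL injection",
         "redirect": "open redirect",
         "render_template_string": "XSS"}

def dotted_name(node):
    """Return 'a.b.c' for a Name/Attribute chain, else None."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))

class TaintTracker(ast.NodeVisitor):
    """Intraprocedural taint tracking: taint state is reset per function."""
    def __init__(self):
        self.tainted = set()   # variable names holding attacker input
        self.findings = []     # (line, vulnerability class)

    def is_tainted(self, node):
        if isinstance(node, ast.Name):
            return node.id in self.tainted
        if isinstance(node, ast.Call):
            name = dotted_name(node.func)
            if name in SANITIZERS:
                return False
            return name in SOURCES or any(self.is_tainted(a) for a in node.args)
        if isinstance(node, ast.BinOp):   # e.g. "SELECT ... " + uid
            return self.is_tainted(node.left) or self.is_tainted(node.right)
        return False

    def visit_FunctionDef(self, node):
        self.tainted = set()
        self.generic_visit(node)

    def visit_Assign(self, node):
        if self.is_tainted(node.value):
            for target in node.targets:
                if isinstance(target, ast.Name):
                    self.tainted.add(target.id)
        self.generic_visit(node)

    def visit_Call(self, node):
        name = dotted_name(node.func)
        if name in SINKS and any(self.is_tainted(a) for a in node.args):
            self.findings.append((node.lineno, SINKS[name]))
        self.generic_visit(node)

def analyze(source):
    """Return [(line, vuln_class)] for each tainted value that reaches a sink."""
    tracker = TaintTracker()
    tracker.visit(ast.parse(source))
    return tracker.findings

# Constructed sample; the line numbers reported are relative to this string.
SAMPLE = '''\
def lookup(request, cursor):
    uid = request.args.get("id")
    cursor.execute("SELECT * FROM users WHERE id = " + uid)
def go(request):
    target = request.args.get("next")
    return redirect(target)
def delete_user(request, cursor):
    # No ownership/role check before a destructive query: an authorization
    # flaw outside the taint model, so the analysis stays silent here.
    uid = int(request.args.get("id"))
    cursor.execute("DELETE FROM users WHERE id = %s", (uid,))
'''
```

`analyze(SAMPLE)` reports the SQLi on line 3 and the open redirect on line 6, and nothing for `delete_user`: the missing authorization check is exactly the class of issue the slide says a hacker doing manual review has to catch.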

Editor's Notes

  1. Use of which, when, where; not how, maybe why.
  2. For the sake of this presentation, a hacker is more of an idea or way of thinking than one particular person. “Hacker Mindset”
  3. Here we are going to look at each area of the SDLC and see how it can benefit from tools and hackers.
  4. The earlier you find a vuln in the SDLC, the cheaper / better.
  5. Tools can put systems in place forcing developers to care about security early on. Security requirements as functional requirements.
  6. I just like asking questions until I find a path that will allow me to exploit the system. Favorite thing to do! --- !AHA story. There are strong arguments for keeping your architecture as simple as possible. Formal vs. informal threat modelling.
  7. When I am training I try to engage people to get them thinking like a hacker. I don't teach security, I train hackers. With peer reviews you can create cohorts of review where you have teams reviewing each other; this does scale a bit better than one hacker.
  8. Source code reviews, static analysis, and IDE plugins are only good at finding certain classes of vulnerabilities. With any tool you use, you need to know what it is capable of finding and what it is not capable of finding.
  9. A real threat actor might devote weeks/months/years to compromising your system.
  10. You might invest 2 weeks' worth of effort into QA testing of security. External hackers could invest months or multiple people.
  11. Talking about 3 categories of activities that need to be performed at different frequencies throughout the development of an agile application.
  12. Every new feature could introduce new threats or vulnerabilities, or break other resolved issues. Security posture regression is possible: you may think you were secure, but you rush too many new features without proper consideration and new vulnerabilities are in production.
  13. Doesn't break auth models, consistent data storage practices, crypto / communication channels.
  14. Pay down technical debt and improve processes. Explain technical debt.
  15. It takes a village / team of people and processes.
  16. One for the devs, one for the hackers, one for the users.