Insecure Expectations

Thursday, November 21 • 12:00 pm - 12:50 pm

Many developers rely on tests or specs (with expectations) to verify that their code is working properly. Few of us leverage the tests we are already writing to demonstrate that security controls are properly applied. In this technical talk, we will walk through hands-on examples of tests that show how to test for common security issues against an example Rails application (though the concept is not Rails-specific). Although substantial testing is possible with existing tools, this talk will also present a new open source tool that gives developers a simpler way to write security tests.

The goals are twofold:

  • To illustrate some common security issues.
  • To give developers something concrete they can do about them.

In addition to the technical portion of the talk, the speaker will spend a short time challenging the audience to help OWASP find ways to reach developers.  The speaker has had success in a local community reaching developers through simple community organizing strategies, applied conscientiously over a long period of time.

Speaker:
Matt Konda

Matt Konda has given numerous industry talks, including the following:

  • WindyCityRails - September 2013 - Insecure Expectations
  • Secure360 - May 2013 - Agile Security by Example
  • ChicagoRuby - April 2013 - Hack Night with brakeman, burp and secure_headers
  • OWASP Chicago Meeting - January 2013 - Rails Pitfalls
  • ChicagoRuby - December 2012 - Rails Security in the Wild
  • OWASP MSP Meeting - November 2012 - Builders Vs. Breakers
  • OWASP AppSec USA - October 2012 - Builders Vs. Breakers
  • Defcon SkyTalks - July 2012 - Builders Vs. Breakers
  • BSidesChicago - April 2012 - Builders Vs. Breakers
  • BSidesChicago - April 2011 - Builders Vs. Breakers

Those with slides are here: https://speakerdeck.com/mkonda. Matt provides training as part of his work, including Attacking Rails, Defending Rails at Lone Star Ruby (July 2013). Matt also led the collaborative effort to produce the OWASP Rails Security Cheat Sheet.

Matt Konda has been building software for more than 15 years. He has run teams with Agile, building enterprise software in Java, .NET and Rails. For the past 5 years he has been focused on security, and in 2012 he started his own company to focus on security for developers. Jemurai provides security training, code review and SDLC integration, and is building tools to help development teams build security in. Matt spends his free time learning from his wife and kids, playing soccer and reading.