
For the presentation, email me!

sorianorobertc@gmail.com

Robert Soriano




Dev of Tuguegarao City Website
Dev of DepEd Cagayan SPAM
Goon, hackthenorth.ph
Comic Book Fan
DotA Player

Who we are? HackTheNorth.ph is a non-profit organization founded by IT Security Specialists and Software Engineers whose roots thrive from Northern Philippines. Founding members come from the Regions of Ilocos, Cordillera and Cagayan Valley. The main objective of forming the organization is to bring industry knowledge to the country’s northern rural areas thru carefully crafted IT Seminars, IT Roadshows, Tech Talks, Tech Share Sessions and Hackathons.

The CONFERENCE Package (1,500): passes to all plenary talks during the Conference proper. Inclusive of TICKET to the CONFERENCE PROPER (with shirt), Hacker Badge, Lanyard, Certificate, 1 Lunch and 2 Snacks.

The TRAINING Package (2,000): consists of 3 TRAININGS + TICKET to the CONFERENCE PROPER (with shirt). Inclusive of Hacker Badge, Lanyard, Certificates, 2 Lunch and 4 Snacks for the 2 Day Activities.

Hackers on the Beach Package (3,000): join our Conference Partners, Sponsors, Speakers and the Organizers to a Dusk till Dusk Booze, Lockpicking and face to face Hacker Mentoring in Palaui Island, Sta Ana, Cagayan. Inclusive of TICKET to the HACKERS ON THE BEACH (with shirt), TRAININGS, CONFERENCE PROPER (with shirt), Hacker Badge, Lanyard, Certificate, 3 Lunch and 6 Snacks and 2 Dinners.

What I’m Going to Cover
• Stop Waiting for the Perfect Technical Co-Founder and Start Learning How To Code
• Modern Development
• OWASP Top Ten

“DotA is life, but Coding is lifer.”

Part 1: STOP WAITING FOR THE PERFECT TECHNICAL COFOUNDER AND START LEARNING HOW TO CODE

"I don't think this is going to work. I'm so sorry. Because there's no way I'm going to be with someone who uses spaces over tabs. I mean like what, we're going to bring kids in the world with this hanging over their head? That's not really fair, don't you think?" Richard spits out in a rage. "Kids?" asks Winnie, confused. "We haven't even dated yet." "And guess what?" Richard angrily replies. "That's never going to happen now."

Why Learn How to Code?

A lot of you just have an idea.

If you’re expecting to find someone to build that idea for you, it’s never going to happen.

Think about it…

Anyone with any programming talent is getting offers from Facebook, Google and dozens of other startups right now.

If they haven’t already taken an offer, they’re probably working on their own idea.

“Well, what if I pay someone?”

• You will pay too much
• You’ll be unhappy with the process
• You’ll get something back you didn’t want

WHY? Software is hard to estimate.

If you’re an entrepreneur waiting for someone to execute your idea for you, you’re not an entrepreneur.

Learning how to code != How to be a software engineer

Side note: build products that are viable despite being ugly.


Can I get into development without a computer science degree?

Part 2: MODERN DEVELOPMENT

Source: http://spectrum.ieee.org/computing/software/the-2016-top-programming-languages

Basic Front End: HTML, CSS, JAVASCRIPT > jQuery

Text Editors
• Atom.io
• Sublime Text
• Brackets.io

No Matter Which Route You Take
• FTP & Web Host
• Basic Terminal Usage
• Github Basics
• Webservices/APIs
• Learn How Client and Server Talk to Each Other

How the Internet Works: Client/Frontend → Backend/Server → Database

FRONT-END DEVELOPER: Huge Monitor + Macbook Pro on desk, wearing a graphic tshirt and skinny jeans.
BACK-END DEVELOPER: Empty coffee cups all over the desk with an old-school but powerful laptop, usually in a hoody and cargo pants, Red Bull in hand.

FRONT-END

• Model – How the application behaves with the data
• VIEW – Whatever is visible to the user
• Controller – coding which acts between model and view

MV* JavaScript Frameworks

JavaScript Framework
• Google
• Open-source
• SPA
• madewithangular.com

Agenda
• Directives, Filters and Data Binding
• Modules and Controllers
• Routes
• Factories/Services

CSS Framework

Mobile Apps

EVERYONE LOVES APPS: Over 1 Million / 800,000

Native Tools: XCODE / OBJECTIVE C, ECLIPSE / JAVA, .NET – VISUAL STUDIO

Developer “Lock In”: GOOD FOR APPLE, GOOGLE, MICROSOFT. BAD FOR developers.

Building Hybrid Mobile Apps

BACK-END


Things to Learn!
• Application Program Interfaces
• Security
• OAUTH2 Authorization/Authentication

https://www.owasp.org

Core Purpose: Be the thriving global community that drives visibility and evolution in the safety and security of the world’s software.

10. UNVALIDATED REDIRECTS AND FORWARDS

WHITELIST! Frameworks usually make this easy.

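An added example (not from the slides) of what the whitelist looks like in plain PHP: a user-supplied redirect target is only honoured if it is one of a fixed set of local paths or an https URL to a fixed set of hosts, and everything else collapses to a fallback. The allowed paths, the external host and the fallback path are assumptions made up for the example.

```php
<?php
// Added example (not from the slides): validate a "next"/redirect
// parameter against a whitelist instead of trusting it blindly.
// The paths and hosts below are constructed for the example.

declare(strict_types=1);

/** Allow-list of local paths the app is willing to redirect to. */
const ALLOWED_LOCAL_PATHS = ['/dashboard', '/account', '/orders'];

/** Allow-list of external hosts (e.g. a payment provider) we may send users to. */
const ALLOWED_EXTERNAL_HOSTS = ['pay.example.com'];

/** Where to send the user when the requested target is not allowed. */
const FALLBACK_PATH = '/';

/**
 * Returns a safe redirect target for the given user-supplied value.
 * Anything not on the allow-lists collapses to FALLBACK_PATH.
 */
function safeRedirectTarget(?string $target): string
{
    if ($target === null || $target === '') {
        return FALLBACK_PATH;
    }

    // Reject control characters and CRLF (header injection) outright.
    if (preg_match('/[\x00-\x1F\x7F]/', $target)) {
        return FALLBACK_PATH;
    }

    // Case 1: a site-relative path. Must start with exactly one "/" so that
    // protocol-relative URLs ("//other-host/...") are not accepted, and must
    // not contain a backslash, which some browsers treat as "/".
    if ($target[0] === '/' && !str_starts_with($target, '//') && !str_contains($target, '\\')) {
        $path = parse_url($target, PHP_URL_PATH);
        return in_array($path, ALLOWED_LOCAL_PATHS, true) ? $target : FALLBACK_PATH;
    }

    // Case 2: an absolute URL. Only https to an allow-listed host passes,
    // and user-info ("host@...") is refused because it confuses readers.
    $parts = parse_url($target);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return FALLBACK_PATH;
    }
    if (strtolower($parts['scheme']) !== 'https' || isset($parts['user']) || isset($parts['pass'])) {
        return FALLBACK_PATH;
    }
    return in_array(strtolower($parts['host']), ALLOWED_EXTERNAL_HOSTS, true) ? $target : FALLBACK_PATH;
}

// Constructed inputs showing the decision for each case.
$samples = [
    '/dashboard',                        // allowed local path
    '/dashboard?tab=2',                  // allowed path with a query string
    '//other-host.example/',             // protocol-relative, rejected
    'https://pay.example.com/checkout',  // allow-listed host
    'https://other-host.example/',       // unknown host, rejected
    "/dashboard\r\nSet-Cookie: x=1",     // CRLF, rejected
];
foreach ($samples as $s) {
    printf("%-40s -> %s\n", json_encode($s), safeRedirectTarget($s));
}

// In a request handler you would then do:
// header('Location: ' . safeRedirectTarget($_GET['next'] ?? null), true, 302);
```

The two lists are the whole policy; a framework's "safe redirect" helper does the same thing with a configured list of hosts, which is why the slide says frameworks make this easy.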
9. USING COMPONENTS WITH KNOWN VULNERABILITIES

https://getcomposer.org/

How to fix it
• Remove any components that you don’t need.
• Consider using slightly less functional alternatives that you already have rather than something slightly better that requires another component.
• You should keep on top of updates, especially security updates released for major components, but this should be done in a controlled way and not just because an update is available.
• You should have configuration control on all of your components and know exactly what versions you are using rather than blindly updating things.

8. CROSS-SITE REQUEST FORGERY (CSRF)

CSRF? A vulnerability that makes it possible for an attacker to force a user to unknowingly perform actions while they are logged into an application: cloud storage, social media, banking and online shopping web applications.

USE POST

REQUIRE USER INTERACTION

USE CSRF TOKEN

DON’T USE STICKY LOGINS

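An added example, not from the slides, of the "USE POST" and "USE CSRF TOKEN" points in PHP: a per-session random token, the hidden field that carries it in every state-changing form, and a check that rejects GET outright and rejects any POST whose token does not match. The session key and form field names are assumptions for the example.

```php
<?php
// Added example (not from the slides): synchronizer-token CSRF protection
// for a state-changing POST form. The session key, form field name and
// the "amount" field are constructed for this example.

declare(strict_types=1);

const CSRF_SESSION_KEY = 'csrf_token';
const CSRF_FIELD_NAME  = '_csrf';

/** Returns the per-session token, generating it on first use. */
function csrfToken(array &$session): string
{
    if (empty($session[CSRF_SESSION_KEY])) {
        // 32 random bytes from the CSPRNG; hex makes it safe to embed in HTML.
        $session[CSRF_SESSION_KEY] = bin2hex(random_bytes(32));
    }
    return $session[CSRF_SESSION_KEY];
}

/** Hidden input to drop into every state-changing form. */
function csrfField(array &$session): string
{
    return '<input type="hidden" name="' . CSRF_FIELD_NAME . '" value="'
        . htmlspecialchars(csrfToken($session), ENT_QUOTES, 'UTF-8') . '">';
}

/**
 * True only when the request is a POST carrying a token that matches the
 * session's token. hash_equals() avoids timing leaks on the comparison.
 */
function csrfRequestIsValid(array $session, string $method, array $post): bool
{
    if ($method !== 'POST') {
        return false; // state changes over GET are never accepted
    }
    $expected = $session[CSRF_SESSION_KEY] ?? '';
    $given    = $post[CSRF_FIELD_NAME] ?? '';
    if (!is_string($given) || $expected === '') {
        return false;
    }
    return hash_equals($expected, $given);
}

// --- Demonstration with a constructed in-memory "session" ----------------
$session = [];                       // stands in for $_SESSION
$formHtml = csrfField($session);     // rendered into the legitimate form
echo "Form field: $formHtml\n";

// Legitimate submission: the browser posts back the token it was given.
$good = [CSRF_FIELD_NAME => $session[CSRF_SESSION_KEY], 'amount' => '100'];
var_dump(csrfRequestIsValid($session, 'POST', $good));     // bool(true)

// A request that arrives without the token (which is what a form hosted on
// another site would send, since it cannot read this session's token) fails.
$missing = ['amount' => '100'];
var_dump(csrfRequestIsValid($session, 'POST', $missing));  // bool(false)

// The same action attempted via GET is refused regardless of the token.
var_dump(csrfRequestIsValid($session, 'GET', $good));      // bool(false)
```

In a real handler `$session` is `$_SESSION`, `$method` is `$_SERVER['REQUEST_METHOD']` and `$post` is `$_POST`; the token check runs before any database write.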
7. MISSING FUNCTION LEVEL ACCESS CONTROL & 4. INSECURE DIRECT OBJECT REFERENCES

USE A CONSISTENT AND UNAVOIDABLE ACCESS CONTROL LAYER

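An added example (not from the slides) of such a layer in PHP: a single `authorize()` function that every handler calls first, which checks both the function-level question (may this role perform this action at all?) and the object-level question (may this user touch this particular record?). The roles, permissions, invoice table and user records are constructed for the example.

```php
<?php
// Added example (not from the slides): one access-control function that
// every handler must call, checking the function-level permission and the
// object-level ownership. Roles, invoices and rules are constructed.

declare(strict_types=1);

final class AccessDenied extends RuntimeException {}

/** Which roles may perform which actions (function-level control). */
const ROLE_PERMISSIONS = [
    'customer' => ['invoice.view'],
    'support'  => ['invoice.view', 'invoice.refund'],
    'admin'    => ['invoice.view', 'invoice.refund', 'invoice.delete'],
];

/** Constructed invoice table: id => owner user id. */
const INVOICES = [
    1001 => 7,   // belongs to user 7
    1002 => 42,  // belongs to user 42
];

/**
 * Single choke point for authorization. Throws AccessDenied on failure so
 * a handler cannot "forget" to check the result and carry on.
 *
 * @param array{id:int,role:string} $user  the authenticated user
 */
function authorize(array $user, string $action, ?int $invoiceId = null): void
{
    // 1. Function-level: is the action allowed for this role at all?
    $allowed = ROLE_PERMISSIONS[$user['role']] ?? [];
    if (!in_array($action, $allowed, true)) {
        throw new AccessDenied("role {$user['role']} may not $action");
    }

    // 2. Object-level: if a specific record is involved, the caller must own
    //    it unless the role is privileged. This is what stops an insecure
    //    direct object reference (editing the id in the URL to someone
    //    else's record). The same message is used whether the record is
    //    missing or merely not owned, so the response does not confirm ids.
    if ($invoiceId !== null) {
        $privileged = in_array($user['role'], ['support', 'admin'], true);
        if (!array_key_exists($invoiceId, INVOICES)
            || (!$privileged && INVOICES[$invoiceId] !== $user['id'])) {
            throw new AccessDenied("user {$user['id']} may not $action invoice $invoiceId");
        }
    }
}

/** Example handler: every handler starts with authorize(). */
function viewInvoice(array $user, int $invoiceId): string
{
    authorize($user, 'invoice.view', $invoiceId);
    return "invoice $invoiceId for user " . INVOICES[$invoiceId];
}

// Constructed requests.
$alice = ['id' => 7,  'role' => 'customer'];
$bob   = ['id' => 42, 'role' => 'customer'];
$agent = ['id' => 99, 'role' => 'support'];

echo viewInvoice($alice, 1001), "\n";          // allowed: own invoice
echo viewInvoice($agent, 1002), "\n";          // allowed: support role
foreach ([[$bob, 1001], [$alice, 9999]] as [$u, $id]) {
    try {
        viewInvoice($u, $id);
    } catch (AccessDenied $e) {
        echo "denied: ", $e->getMessage(), "\n";   // object-level denials
    }
}
try {
    authorize($alice, 'invoice.delete', 1001);     // function-level denial
} catch (AccessDenied $e) {
    echo "denied: ", $e->getMessage(), "\n";
}
```

The point of throwing rather than returning a boolean is the "unavoidable" part of the slide: a handler that skips the call never gets its data, and a handler that calls it cannot ignore the answer.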
6. SENSITIVE DATA EXPOSURE

EVEN A PICTURE OF DU30 DOESN’T MAKE YOUR SITE SECURE

IF YOU’RE LOADING YOUR FORM OVER HTTP YOU’RE ALREADY TOO LATE

PASSWORD_HASH

DON’T STORE SENSITIVE DATA AT ALL

YOU’RE A DEVELOPER, NOT A SECURITY EXPERT

THE TAKE-HOME PIECE OF ADVICE FROM THIS PRESENTATION IS COMING NEXT…

“Don’t store naked pictures of yourself on a cloud server you don’t control” — Gary Hockin

5. SECURITY MISCONFIGURATION

What is it? Improper server or web application configuration leading to various flaws.
• Debugging enabled
• Incorrect folder permissions
• Using default accounts or passwords
• Setup/configuration pages enabled

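An added example (not from the slides) of a boot-time self-check a PHP application can run to catch the items in this list before users do: it reports debugging left on, unsafe session-cookie settings, default credentials still in the environment, and setup pages still deployed. The `display_errors`, `expose_php` and `session.*` names are real php.ini directives; the environment variable names, the default-credential list and the setup-page filenames are assumptions for the example.

```php
<?php
// Added example (not from the slides): a small self-check a PHP app can run
// at boot to catch common misconfigurations. The ini directive names are
// real; env var names and setup-page filenames are constructed.

declare(strict_types=1);

/**
 * Returns a list of human-readable findings; an empty list means the
 * checked settings look production-safe.
 */
function auditRuntimeConfig(array $ini, array $env, array $filesPresent): array
{
    $findings = [];
    $on = fn(string $k): bool => in_array(strtolower((string)($ini[$k] ?? '')), ['1', 'on', 'true'], true);

    // Debugging enabled: stack traces and file paths leak to users.
    if ($on('display_errors')) {
        $findings[] = 'display_errors is on: turn it off and log errors instead';
    }
    if ($on('expose_php')) {
        $findings[] = 'expose_php is on: the X-Powered-By header advertises the PHP version';
    }

    // Session cookie hardening.
    if (!$on('session.cookie_httponly')) {
        $findings[] = 'session.cookie_httponly is off: script can read the session cookie';
    }
    if (!$on('session.cookie_secure')) {
        $findings[] = 'session.cookie_secure is off: session cookie may be sent over HTTP';
    }
    if ($on('session.use_trans_sid')) {
        $findings[] = 'session.use_trans_sid is on: session IDs end up in URLs';
    }

    // Default accounts or passwords, e.g. copied from a shipped .env template.
    $defaultPasswords = ['admin', 'password', ''];
    if (($env['ADMIN_USER'] ?? null) === 'admin'
        && in_array($env['ADMIN_PASSWORD'] ?? null, $defaultPasswords, true)) {
        $findings[] = "default credentials for 'admin' are still configured";
    }

    // Setup/configuration pages left deployed.
    foreach (['install.php', 'setup.php', 'phpinfo.php'] as $f) {
        if (in_array($f, $filesPresent, true)) {
            $findings[] = "$f is still deployed: remove it after installation";
        }
    }
    return $findings;
}

// Constructed "weak" deployment beside a corrected one.
$weak = [
    ['display_errors' => '1', 'expose_php' => '1', 'session.cookie_httponly' => '0',
     'session.cookie_secure' => '0', 'session.use_trans_sid' => '1'],
    ['ADMIN_USER' => 'admin', 'ADMIN_PASSWORD' => 'admin'],
    ['index.php', 'install.php'],
];
$corrected = [
    ['display_errors' => '0', 'expose_php' => '0', 'session.cookie_httponly' => '1',
     'session.cookie_secure' => '1', 'session.use_trans_sid' => '0'],
    ['ADMIN_USER' => 'ops', 'ADMIN_PASSWORD' => 'Cx9!long-unique-secret'],
    ['index.php'],
];

foreach (['weak' => $weak, 'corrected' => $corrected] as $label => [$ini, $env, $files]) {
    $findings = auditRuntimeConfig($ini, $env, $files);
    echo "$label: ", $findings ? count($findings) . ' finding(s)' : 'no findings', "\n";
    foreach ($findings as $line) {
        echo "  - $line\n";
    }
}

// Against the live process you would pass the real values, e.g.:
// auditRuntimeConfig(array_map(fn($v) => $v['local_value'], ini_get_all()), $_ENV, scandir(__DIR__));
```

Running this on every deploy (and failing the deploy on any finding) turns the slide's checklist into something that cannot be forgotten.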
YOU’RE A DEVELOPER, NOT A SECURITY EXPERT

3. CROSS-SITE SCRIPTING (XSS)

What is it? An attacker can inject untrusted snippets of JavaScript into your application without validation. This JavaScript is then executed by the victim who is visiting the target site.


ESCAPE ALL USER INPUT ALL THE TIME

GOOD ESCAPING LIBRARIES OUT THERE

WHITELIST ALLOWABLE CHARACTERS RATHER THAN BLACKLISTING BAD CHARACTERS

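An added example (not from the slides) of the three points above in PHP: one escaper for HTML text and attributes, one for values dropped into an inline script, and a whitelist rule for an input with a known shape. `htmlspecialchars` and `json_encode` with the `JSON_HEX_*` flags are PHP's own functions; the username rule and the sample inputs are assumptions made up for the example.

```php
<?php
// Added example (not from the slides): escape untrusted data for the
// context it is printed in, and whitelist the characters of inputs that
// have a known shape. The username rule and sample inputs are constructed.

declare(strict_types=1);

/** Escape for an HTML text node or a quoted attribute value. */
function e(string $untrusted): string
{
    return htmlspecialchars($untrusted, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Escape for a value embedded in an inline <script> block. */
function eJs(mixed $value): string
{
    // JSON_HEX_* keeps "<", ">", "&" and quotes out of the JSON literal, so the
    // HTML parser cannot see a closing </script> or a stray quote inside it.
    return json_encode($value, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR);
}

/** Whitelist: a username is 3-20 characters from [A-Za-z0-9_.-] and nothing else. */
function isValidUsername(string $u): bool
{
    return preg_match('/\A[A-Za-z0-9_.-]{3,20}\z/', $u) === 1;
}

// Constructed untrusted input containing every HTML metacharacter.
$displayName = 'Bob & "friends" <b>';
$search      = 'shoes" <script>';

// Each value is escaped for the exact place it lands in the page.
$html = '<p>Hello, ' . e($displayName) . '</p>' . "\n"
      . '<input type="text" value="' . e($search) . '">' . "\n"
      . '<script>var q = ' . eJs($search) . ';</script>';
echo $html, "\n";

// Whitelisting: accept only what a username is allowed to be.
foreach (['robert_s', 'bob.smith', 'x', '<script>', 'Ana María'] as $u) {
    printf("%-14s %s\n", json_encode($u), isValidUsername($u) ? 'accepted' : 'rejected');
}
```

Escaping is per output context, which is why one `e()` is not enough for the script block; whitelisting is per input, and is a validation step done before the value is stored, not a substitute for escaping on output.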
2. BROKEN AUTHENTICATION AND SESSION MANAGEMENT

What is it? Allows the capture or bypass of authentication methods used to protect against unauthorized access. Most common authentication scheme is the use of a username and password. Approximately 23% of all applications tested are vulnerable to Broken authentication and session management.

• Unencrypted Connections
• Predictable Login Credentials
• Session ID value does not timeout
• User authentication credentials are not protected when stored
• Session IDs are used in the URL

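An added example (not from the slides) of session handling in PHP that addresses the last three items in that list: session IDs carried only in a Secure, HttpOnly cookie (never in the URL), a fresh session ID once the user logs in, and both an idle and an absolute timeout. The `session.*` directives and `session_set_cookie_params()` are PHP's own; the timeout values and the in-memory session array used for the demonstration are assumptions. Password checking is left out here because it is covered under the injection section.

```php
<?php
// Added example (not from the slides): hardened session settings, session
// ID rotation at login, and idle/absolute timeouts. Timeouts and the
// in-memory session used for the demo are constructed.

declare(strict_types=1);

const IDLE_TIMEOUT_SECONDS     = 15 * 60;   // 15 minutes without a request
const ABSOLUTE_TIMEOUT_SECONDS = 8 * 3600;  // 8 hours since login, regardless

/** Configure and start the session with hardened settings. Call before any output. */
function startHardenedSession(): void
{
    ini_set('session.use_only_cookies', '1');  // no session IDs in URLs
    ini_set('session.use_trans_sid', '0');
    ini_set('session.use_strict_mode', '1');   // reject IDs the server did not issue
    session_set_cookie_params([
        'lifetime' => 0,        // cookie dies with the browser
        'path'     => '/',
        'secure'   => true,     // only over HTTPS
        'httponly' => true,     // not readable by script
        'samesite' => 'Lax',
    ]);
    session_start();
}

/** Marks the session as authenticated for $userId, rotating the ID first. */
function loginSession(array &$session, int $userId, int $now): void
{
    // A new ID after the privilege change: the pre-login ID is worthless afterwards.
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_regenerate_id(true);
    }
    $session['user_id']   = $userId;
    $session['login_at']  = $now;
    $session['last_seen'] = $now;
}

/**
 * Returns the user id if the session is still valid, or null (and clears it)
 * when it has timed out or was never authenticated.
 */
function currentUser(array &$session, int $now): ?int
{
    if (!isset($session['user_id'], $session['login_at'], $session['last_seen'])) {
        return null;
    }
    $idleFor  = $now - $session['last_seen'];
    $ageTotal = $now - $session['login_at'];
    if ($idleFor > IDLE_TIMEOUT_SECONDS || $ageTotal > ABSOLUTE_TIMEOUT_SECONDS) {
        $session = [];               // invalidate; the caller should also destroy the cookie
        return null;
    }
    $session['last_seen'] = $now;    // sliding idle window
    return $session['user_id'];
}

// --- Demonstration with a constructed in-memory session array -------------
$session = [];
$t0 = 1_700_000_000;                                  // constructed clock
var_dump(currentUser($session, $t0));                // NULL: not logged in

loginSession($session, 7, $t0);
var_dump(currentUser($session, $t0 + 600));          // int(7): 10 min idle is fine
var_dump(currentUser($session, $t0 + 600 + 2000));   // NULL: more than 15 min idle

loginSession($session, 7, $t0);
for ($t = $t0; $t <= $t0 + 8 * 3600; $t += 600) {    // active every 10 minutes
    currentUser($session, $t);
}
var_dump(currentUser($session, $t0 + 8 * 3600 + 600)); // NULL: absolute limit, never idle
```

In a web request `startHardenedSession()` replaces a bare `session_start()`, `$session` is `$_SESSION` and `$now` is `time()`; the demo uses a plain array and a fixed clock so the timeout logic can be exercised without a browser.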
1. INJECTION

What is it?

Risks?

FILTER ALL THE THINGS ALL THE TIME

USE PARAMETERIZED QUERIES

HASH YOUR PASSWORDS!!

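An added example (not from the slides) that puts "USE PARAMETERIZED QUERIES" and "HASH YOUR PASSWORDS!!" together in one PHP login path, and also illustrates the PASSWORD_HASH slide from the sensitive data exposure section: the user lookup binds the username as a parameter instead of concatenating it into SQL, and the stored credential is a `password_hash()` output checked with `password_verify()` and upgraded with `password_needs_rehash()`. PDO, SQLite and the `password_*` functions are PHP's own; the schema, the user and the passwords are constructed, and the script needs the pdo_sqlite extension to run.

```php
<?php
// Added example (not from the slides): parameterized query plus
// password_hash()/password_verify()/password_needs_rehash() in one login
// path, against an in-memory SQLite database with a constructed user.
// Requires the pdo_sqlite extension.

declare(strict_types=1);

function openDatabase(): PDO
{
    $db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE NOT NULL, password_hash TEXT NOT NULL)');
    return $db;
}

/** Register: the stored string embeds the algorithm, cost and a random salt. */
function registerUser(PDO $db, string $username, string $password): void
{
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $db->prepare('INSERT INTO users (username, password_hash) VALUES (:u, :h)');
    $stmt->execute([':u' => $username, ':h' => $hash]);
}

/**
 * Login: look the user up with a bound parameter, verify the password, and
 * transparently upgrade the stored hash if the default parameters changed.
 * Returns the user id or null. Unknown user and wrong password take the
 * same branch so the response does not reveal which one it was.
 */
function authenticate(PDO $db, string $username, string $password): ?int
{
    $stmt = $db->prepare('SELECT id, password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);   // the value travels separately from the SQL text
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return null;
    }
    if (password_needs_rehash($row['password_hash'], PASSWORD_DEFAULT)) {
        $upd = $db->prepare('UPDATE users SET password_hash = :h WHERE id = :id');
        $upd->execute([':h' => password_hash($password, PASSWORD_DEFAULT), ':id' => $row['id']]);
    }
    return (int) $row['id'];
}

// Constructed user.
$db = openDatabase();
registerUser($db, 'robert', 'correct horse battery staple');

var_dump(authenticate($db, 'robert', 'correct horse battery staple')); // int(1)
var_dump(authenticate($db, 'robert', 'wrong password'));               // NULL
// A username containing a quote is just a value that matches nobody;
// with a bound parameter it can never change the shape of the query.
var_dump(authenticate($db, "robert'", 'anything'));                    // NULL
```

Note what is never in this file: no string concatenation into SQL, no plaintext password column, and no hand-rolled MD5/SHA-1 of the password; the database only ever sees the `password_hash()` output.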
Google Hacking / Google Dorks: a computer hacking technique that uses Google Search and other Google applications to find security holes in the configuration and computer code that websites use.
• intitle:"index of" (mp3|mp4) Linkin park
• inurl:/search_results.php?search=

QUESTIONS? /robertanthoniesoriano

THANKS /robertanthoniesoriano