Ask Me Anything: Security Testing

Our latest “Ask Me Anything” had the very talented @danielbilling talking all things security testing

Dan has done many workshops for security testing at various MoT and other events. He’s even summarised the questions he often gets asked in these workshops The Most Common Web Application Security Testing Questions.

If we didn’t get to your question tonight, why not ask it here? Maybe you’re catching up on the Dojo and have thought of some more questions or follow up ones to those answered by Dan tonight. You can ask them all here

TestSphere wasn’t around when Dan got into security testing but it was recommended tonight as a good place to start. He’s even used it in some workshops!

Dan talked about input fields and potential places for security risks which reminded me of these posts: How to Test a Text Field & How to test error messages.

https://www.owasp.org/index.php/Buffer_Overflow

For basic learning:
https://www.owasp.org/index.php/Main_Page

People:
https://twitter.com/Bill_Matthews
https://twitter.com/santhoshst
https://twitter.com/Scott_Helme
https://twitter.com/JayHarris_Sec
https://twitter.com/QualityFrog
https://twitter.com/quizzicaljosh
https://twitter.com/troyhunt

Conferences:
https://2018.appsec.eu/
http://www.securitybsides.com/w/page/12194156/FrontPage
https://www.defcon.org/

As starting points for your testing ideas
https://www.owasp.org/index.php/OWASP_Mobile_Security_Project

https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project

Have some evil user personas Setting up and using testing personas.

Safe sites to practice testing on (includes security testing safe places)

Tools

Good evening. If anyone wants to follow up with me now, tomorrow or going forward you can ask me here, find me on Twitter or on the MOT and Testersio Slack channels.

This is the talk I mentioned by the awesome Keren Elazari:

https://twitter.com/k3r3n3

One of the questions we didn’t get to answer was “What’s the most worrying real-life security vulnerability you’ve read/heard about?”

To answer that question, it was this:

An organisation that deals with any sensitive data, particularly those that can’t advocate for their own security, like children, has a responsibility to take care of our data. Vtech failed at this in most terrifying fashion.

Also, I’m pretty scared by security flaws with weapon systems and power stations.

A great book on threat modelling! Check it out!