I recently gave two lectures at the University of Hertfordshire for a Professional Issues in Computing module. The objective of the sessions was to provide the students with real-life examples from industry.
Over two weeks, I taught them how we protect our applications, the process of a penetration test – intentionally attacking a system to check for weaknesses – and how being security minded affects the code we produce. Here’s a summary of what they learned, along with my slides for anybody looking to find out more.
On the first week, I focused on why security is important for a digital agency. After a brief introduction, and a plug for the Knowledge Transfer Partnership (KTP) scheme that brought me to Cyber-Duck, I went through some of the projects we have worked on.
Each and every project has some sort of security concerns, ranging from relatively low-level requirements such as preventing vandalism or spam right through to protecting highly sensitive business and personal data. I covered the ways to protect data and identify vulnerabilities, leading on to the main topic of this talk, conducting a penetration test.
I took the students through a best practice testing strategy as outlined by The Penetration Testing Execution Standard. I chose this resource because it is open source and fairly comprehensive, and a great starting point for students that are looking to get into a career in penetration testing.
Developing Secure Web Apps
The following week, I gave a second lecture detailing the development process of an application with high security requirements. I began with a quick refresh on both KTPs, Cyber-Duck and our projects, then delved into into our process and how security needs to be considered at all stages. I also discussed two aspects of secure development: ensuring the server on which the application runs is secure, and writing code with security in mind.
On server security, I emphasised how decisions made when choosing your servers can have implications further down the line. For example, the location of the server (cloud or in-house) can increase or reduce the number of routes an attacker can take into your server. I also highlighted how important it is to keep servers configured and up to date, and how this becomes a large and complicated task as server numbers grow. To make this more manageable, there are several configuration management tools available – the one Cyber-Duck use is Puppet.
After laying the foundation of server security, I moved on to keeping the code we write secure. This starts at the very beginning of every project and is top priority for a project’s entire lifetime. The most difficult part of secure coding is staying up to date with all of the latest threats, though mediums such as mailing lists and social media can be helpful.
One of the best resources for monitoring threats to web applications is the OWASP Top 10, an open source reference of the most prevalent vulnerabilities on the web today. It is maintained by a large group of industry experts looking at real websites, their vulnerabilities, and the impact they may have exploited. I took the students through each one on the latest top 10 list, providing examples of each exploit and explaining how they could have been prevented.
The purpose of these talks was to give the students an insight into industry, showing them how the knowledge they are gaining on their course is put into practice. Most of the questions we received from students following the lectures were about getting into the industry and further details on how security testing is carried out, so I feel the effort was successful. I look forward to another invitation from the University of Hertfordshire in the future! Have a look at my slides below.