Wednesday 22nd April, 2015
4:30pm to 5:00pm
Web applications are under constant attack, and intrusions and data breaches are on the rise. Though attacks can be complex and sophisticated, many of the most common vulnerabilities are straightforward to observe and exploit.
In this presentation, Tony Porterfield will describe ways for users without extensive security experience to test for common vulnerabilities in web applications using only a browser and free software tools. These techniques will be illustrated with examples of actual vulnerabilities that he has observed while testing educational web applications. He will present a test plan that can be used to survey a site’s security in a short amount of time, and describe how it relates to the OWASP ASVS and Top 10 list.
Participants will learn how to test for and discover vulnerabilities including:
* Improper session management and cookie settings
* Direct object references
* Caching of sensitive data
* Improper password storage
* Error messages and excessive headers
* Email sent without TLS
Participants will learn about free software and websites that can be used to evaluate security, including:
* Browser add-ons
* Security-checking proxies such as OWASP ZAP and Burp Proxy
* ASAFAWEB ASP.net security checker
* Google transparency reports
Security researcher and advocate
Tony Porterfield is a software engineer with 20 years' experience in the computer and networking industries. A parent of two, he advocates for improving the security and privacy of web applications used by children and students.
His web app security findings have been published in the New York Times and Mother Jones, and he was a panelist at the 2014 Common Sense Media School Privacy Zone Summit in Washington DC.
He writes about security on his blog, www.edtechinfosec.org.