Web security is a very hot topic these days. We often hear about data breaches, denial-of-service attacks and other malicious attempts at breaking into computer systems by attackers exploiting security holes in web applications. Surprisingly, many of these attacks are rather simple to execute. They can be (and often are) carried out by teenagers. Yet even big players such as Dropbox, LinkedIn, Yahoo and Adobe fell victim to them and had their sensitive customer data leaked.
In order to protect your web applications from malicious attacks, you first have to understand how they work and be able to execute them against your own systems. You literally have to “hack yourself first”, before the attackers do. This was precisely the topic of a two-day interactive course held at Zühlke’s headquarters in Schlieren, run by renowned Australian security specialist Troy Hunt – an internationally acclaimed conference speaker and trainer.
Working against a deliberately insecure website, 30 Zühlke engineers from Switzerland, Germany and England were trained to carry out common attacks using standard web development and hacking tools. A wide range of popular attacks such as SQL injection, cross-site scripting (XSS) and password cracking were executed, and the results were then analysed by the whole group.
For each attack, the group discussed possible counter-measures meant to prevent the bad guys out there from succeeding. This didactic setup ensured that the participants gained both a theoretical and a practical understanding of the nature of the attacks, the various attack vectors and the counter-measures.
Security is often in conflict with the usability of a website, and it is very important to find the right balance between the two. After all, you don’t want to lose customers because of a secure system with bad usability, nor because of a very usable system which can be breached quite easily. Yet even if you have to make compromises, all of the popular attacks can easily be prevented by applying standard security measures.
In software development, security is often not a concern until it becomes one. To make web security an integral part of the development process, it is therefore important not only to educate engineers, but also to reduce the time it takes to run security tests. Manually running those attacks is very helpful for educational purposes, yet it is time-consuming, given that ideally the system should be tested before every new release. Testing for security issues needs to be automated in the same way as the build process is.
By the end of the course, the group had learnt how to automate most of the attacks using a wide range of open source and commercial tools. The course received excellent feedback from the participants due to its interactive nature and Troy’s engaging and fun style of presenting even the most complex topics.
Zühlke’s Software Security Group regularly runs similar internal workshops for all its engineers in order to raise awareness and train Zühlke engineers on this important topic. If you are interested in software security at Zühlke, please don’t hesitate to contact the group’s head, Jonas Trindler.