Live Hacking: Breaking into Your Web App • Brian Vermeer • GOTO 2022

This presentation was recorded at GOTO Amsterdam 2022. #GOTOcon #GOTOams Brian Vermeer - Java Champion & Senior Developer Advocate at Snyk ABSTRACT Join us for a captivating live hacking session with Brian Vermeer. In Brian’s opinion, open source modules are undoubtedly impressive. However, they also represent an undeniable and massive risk. Within open source modules you are introducing someone else’s code into your system, often with little or no scrutiny. The wrong package can introduce severe vulnerabilities into your application, exposing your application and your user’s data. This talk will use a sample application, Goof, which uses various vulnerable dependencies, which together with Brian, you’ll exploit as an attacker would. For each issue, Brian will explain why it happened, show its impact, and – most importantly – see how to avoid or fix it. Brian will live hack exploits like the classic struts vulnerability that recently made it famous, along with Spring Break and several others. In this talk, you’ll learn: • That security is important. Not only for your own code but also the frameworks and libraries you depend on • What might happen when using outdated libraries with known vulnerabilities [...] TIMECODES 00:00 Intro 00:25 DevSecOps 03:13 What are the problems? 05:22 How bad is the situation? 07:41 Demo 11:05 Your app’s code 13:02 Serverless example 14:36 Spring serverless example 15:54 Open source usage has exploded 19:56 Live hacking/Demo 31:21 Docker 35:57 What’s the solution? 38:35 DveSecOps in your SDLC 40:25 Recources 40:47 Outro Download slides and read the full abstract here: RECOMMENDED BOOKS Jim Manico & August Detlefsen • Iron-Clad Java • Liz Rice • Container Security • Liz Rice • Kubernetes Security • Aaron Parecki • OAuth 2.0 Simplified • Aaron Parecki • OAuth 2.0 Servers • Aaron Parecki • The Little Book of OAuth 2.0 RFCs • Erdal Ozkaya • Cybersecurity: The Beginner’s Guide • Richer & Sanso • OAuth 2 in Action • Wilson & Hingnikar • Demystifying OAuth 2.0, OpenID Connect, and SAML 2.0 • #Security #DevSecOps #Risk #OpenSource #OpenSourceModules #Vulnerable #Dependencies #VulnerableDependencies #Privacy #Programming #SoftwareEngineering #SoftwareDevelopment #Serverless #Java #Spring #Log4j #Docker Looking for a unique learning experience? Attend the next GOTO conference near you! Get your ticket at Sign up for updates and specials at SUBSCRIBE TO OUR CHANNEL - new videos posted almost daily.