Making your website vulnerable for fun and security awareness

Presented at BSidesLV 2019, Aug. 7, 2019, 10 a.m. (25 minutes)

What if you could understand the consequence of a vulnerability in your web application before it is introduced? As part of our security awareness month, our company website was cloned and several vulnerabilities were intentionally introduced. We then let a selection of our developers attack our website in order to have them see our website from the attacker's point of view. This presentation will demonstrate the methodology used, how the methodology was applied, as well as the advantages of running a capture the flag event in the context of your company's own website.


Presenters:

  • Kenny Jansson
    Security Manager at the Norwegian insurance corporation Storebrand, responsible for ensuring security in digital services and increasing web application awareness, working closely with developers and DevOps teams. Previously a Cyber Threat Management consultant at EY, leading teams in penetration testing engagements. Holder of multiple certifications including GXPN, GWAPT, GPEN, OSCP.
