Agile Security in WordPress Deployments

Presented at ToorCon San Diego 19 (2017), Sept. 3, 2017, noon (20 minutes)

WordPress currently runs a large part of the internet ecosystem. Most companies use it in some shape or form as part of their web presence: a company blog, website, forum, etc. The bad guys have kept pace with the development of the core product and have constantly demonstrated new ways of identifying vulnerabilities on the platform, exploiting weaknesses and using the exploited infrastructure for fun and profit. With more and more companies moving towards agile technologies and a DevOps culture, it has been a challenge for security teams to keep pace with the constant changes in their infrastructure. It has been difficult for security teams to review each line of code and perform a penetration test for every new feature that makes it to production. The talk discusses ways for security teams to manage the pace of software development changes and to follow an agile strategy that lets them stay ahead of the vulnerabilities and bugs introduced by daily changes to production code, and to build better detection on their WordPress infrastructure.

We have been witnessing more of the web infrastructure moving towards API-driven capabilities, and the same has been the story for WordPress, which gives attackers leverage to use automated techniques. The talk focuses on securing programmatic access to WordPress APIs, understanding their weaknesses, and how attackers have been exploiting them with the help of major botnet networks. We will deep dive into the techniques attackers and botnets have been using to do initial recon followed by exploitation on WordPress sites. This talk will share trends in how the attack space has looked in the last few years and how it has been changing over time for WordPress. As part of the learning experience, security teams will learn simple strategies to reduce the exposure of their WordPress infrastructure to such attacks and stay a step ahead of the bad guys.


Presenters:

  • Aditya Balapure
    Aditya Balapure is a Senior Application Security Engineer at Grubhub Inc. and a former Application Security Engineer at Amazon. A builder, breaker and defender at heart, Aditya likes to evangelize Product Security. With multiple years of experience in all forms of Information Security, some of his core interests are in the fields of Application Security, Cloud Security and Malware Research.