Over the past three months, James Jardine and Kevin Johnson were featured in a webcast trilogy titled “Ninja Developers.” The series was presented through the SANS Institute and an archive of each episode can be found on the SANS website (links provided below). The purpose of the presentations is to reach out to developers and show some basic tools that they can use during their development to help identify potential security vulnerabilities. Please keep in mind that no tool is going to find all of your security vulnerabilities. The idea is that if we can identify easy to use tools that can help in identifying some of the vulnerabilities (mostly those low hanging fruit) that we can help make some of these common issues obsolete.
We have all heard that it is cheaper to identify and resolve security issues earlier in the development life cycle. This makes a lot of sense because there is a large process usually involved in deploying a code base. Not only does a developer have to write the code and test it (which is iterative), but then it goes to QA, then maybe back to development and back, and then on to UAT, or some other testing environment. Finally, after a determinate amount of time, it might make it back into production again. This can be very costly and force you to lose a lot of time.
We covered a bunch of different tools that a developer can use during the development process. I have summarized each of the webcasts below:
Ninja Developers: Attack Yourself First – Actively Scanning Your App
In this episode of the series, James first dives into an overview of the SDLC and how security fits in. He then moves into the general methodology that a penetration tester may use during an assessment. Finally, James discusses some of the active scanners that are available the a developer can use to scan their application for vulnerabilities.
Ninja Developers: Discretely Scan your Functional Testing
In this episode, Kevin and James continue the discussion of development security and expand into the world of passive scanners. A quick review of the SDLC and methodology are covered before diving into passive scanners and proxies. We wrap up by briefly discussing testing frameworks which leads to the final episode.
Ninja Developers: Is There a Framework for That?
In this episode, Kevin and James discuss SamuraiWTF, which is a web testing framework that developers can take advantage of. The framework comes pre-built with many security testing tools already installed and configured for use. In addition to the testing tools, the framework also comes with installed “vulnerable” applications that developers can use to learn how to use the tools and learn more about security vulnerabilities by testing on these apps legally.
If you missed any of the above webcasts, they were recorded and available for viewing on the links in their title.
James Jardine is a Principal Security Consultant with Secure Ideas.
If you are in need of a penetration test or other security consulting services you can contact him at email@example.com or visit the Secure Ideas – Professionally Evil site for services provided.