Recap: AppSecDay AU 2017

Nick Malcolm
SafeStack
2 min read · Oct 20, 2017

At this year’s AppSecDay in Melbourne I got to talk to passionate application developers and security professionals about how Little Red Riding Hood should have reacted when she got to Grandma’s house — or more specifically, anomaly detection for web apps.

AppSecDay is run by the local OWASP meetup group, and this year had over 250 attendees. There were three streams of talks on diverse topics, international and local speakers, not to mention lock picking and hacking CTF (Capture the Flag) activities. A huge thank you and well done to Julian and Serg, who organised the event. It was a great success.

My talk was titled “How to spot a wolf in sheep’s clothing” — basically, how to detect, prevent, and respond to account takeover attacks. In effect, what we should be doing in our web applications to keep our users’ accounts safe after data breaches or phishing attacks. To make it extra scary, renowned security guru Troy Hunt, who runs Have I Been Pwned, was in the audience!

To summarise the content of the talk, databases filled with usernames and passwords are being leaked all the time. This means that even if your own security is top notch, your users’ accounts might still get compromised if they reuse passwords — which is super common. We can prevent this from being a problem by encouraging good password habits, by offering multi-factor authentication, or by outsourcing authentication to someone else (like Google or Facebook). We can detect a compromise by learning about the typical behaviour of our users — the IP addresses they come from, the devices they use, and more. And we can respond when something about them looks off, by challenging them to prove their identity. You can go through my slides on slideshare.net/nickmalcolm to learn more.
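As an added illustration of the detect-and-respond idea above (example code written for this recap, not from the talk or slides), here is a minimal per-user baseline of IP prefixes and device fingerprints, with a step-up challenge when a login is novel on both axes at once. The profile, the thresholds and the sample login history are all assumptions constructed for the example.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class Profile:
    """What we've learned about one user from past successful logins."""
    networks: set = field(default_factory=set)  # IP prefixes seen before
    devices: set = field(default_factory=set)   # device fingerprints seen before


def prefix_of(ip):
    """Bucket IPs by prefix so a renewed DHCP address on the same ISP isn't 'new'."""
    bits = 24 if ip_address(ip).version == 4 else 64
    return str(ip_network(f"{ip}/{bits}", strict=False))


def learn(profile, ip, device):
    """Record a trusted login as part of the user's normal behaviour."""
    profile.networks.add(prefix_of(ip))
    profile.devices.add(device)


def assess(profile, ip, device):
    """Return ('allow' | 'challenge', reasons). Challenge = prove identity again."""
    if not profile.networks:  # no baseline yet: nothing to compare against
        return "allow", ["no history"]
    reasons = []
    if prefix_of(ip) not in profile.networks:
        reasons.append("unfamiliar network")
    if device not in profile.devices:
        reasons.append("unfamiliar device")
    # One novelty is everyday life (new phone, travel); both at once looks like
    # someone else holding a reused password, so ask for a second factor.
    return ("challenge" if len(reasons) == 2 else "allow"), reasons


def handle_login(profile, ip, device, passed_challenge=False):
    """Full flow: assess first, and only learn from logins we actually trust."""
    decision, _ = assess(profile, ip, device)
    if decision == "challenge" and not passed_challenge:
        return "challenge"
    learn(profile, ip, device)
    return "allow"


# Constructed history: Alice normally logs in from home on her laptop.
alice = Profile()
learn(alice, "203.0.113.10", "Firefox/56 on Windows 10")
learn(alice, "203.0.113.77", "Firefox/56 on Windows 10")
print(handle_login(alice, "198.51.100.1", "Safari on iPhone"))  # challenge
```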

For me, the talk I got the most out of was given by Edwin Kwan, the Application Security Lead at Tyro. He went through the successes, failures and lessons learnt as Tyro tried to tackle different problems. His discussion around the advantages of a threat library over more brainstormy threat modelling processes was really enlightening. Thanks Edwin!

It really was a great day with interesting content and passionate people. Thanks for having me!

Edwin from Tyro. Green = worked. Yellow = needed tweaking. Blue = Growth. Red = Didn’t work.
Lock picking



Security Consultant @SafeStack. Formerly CTO @ThisDataHQ. @nickmalcolm on Twitter