June 1, 2021

Learn how to become a Hacker

This edition of Before DevBreak dives deeper into the reasons why applications are often breached and how developers can avoid these breaches. In this talk, Paul Molin, a Web Application Security Evangelist at Theodo Group invites developers to put themselves in a hacker’s shoes to better understand how they operate, and ultimately deliver more secure applications.

Vulnerabilities are everywhere, and waiting to be exploited

Paul Molin starts by sharing a few mail policies regarding stamps, payment, address errors and mail returns that can be exploited to send letters for free. He turns to applications, reiterating how in 2019, Veracode found that 26-40% of leaked and stolen records cases were a result of insecure software.

So how can developers make software more secure?

Firstly, developers need to try to think more like hackers. While writing code, they should examine it not just in terms of how well it fulfills its intended task, but also in terms of how the rules it enforces could give other actors an opportunity to misuse the software.

Developers must also add more high-quality tools to their stack to spot vulnerabilities. One tool they can use is OWASP ZAP (Zed Attack Proxy). It is an open-source tool written mainly in Java that can be extended with scripts in Ruby, Python, JavaScript and other languages.

How can developers use ZAP to detect vulnerabilities?

ZAP operates as a local proxy: you install it on your computer and configure your web browser so that every request leaving the browser and every response returning from the server passes through the proxy first. From this traffic ZAP builds a map of the application.

You can also switch on passive scanning to spot issues such as CORS policy misconfigurations, missing security headers and cookies without a secure configuration. Passive scanning only inspects traffic that already passes through the proxy; it sends nothing extra to the server. Another feature you can use is spidering, where every response from the server is analysed to discover further URLs belonging to the application.

A more direct ZAP approach is active scanning, in which already captured requests are replayed to discover deeper vulnerabilities, with the ability to change query and path parameters, and even headers, in order to test the application for SQL injection and other injection flaws.

Additionally, with the fuzzing function you can target a specific request and vary just one parameter. Lastly, you can use scripts to extend all of the above functionality on the fly.
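As an added example (not code from the talk or from the ZAP project), here is a minimal Python version of the kind of passive check described above: it inspects one constructed server response, exactly as the proxy would see it, for missing security headers, a credentialed wildcard CORS policy and cookies lacking the Secure and HttpOnly attributes. The set of required headers and the wording of the findings are my own assumptions.

```python
from typing import List, Tuple

# Headers whose absence a passive scanner reports (assumed set for this example)
REQUIRED = ("Strict-Transport-Security", "Content-Security-Policy", "X-Content-Type-Options")

def parse_headers(raw: str) -> List[Tuple[str, str]]:
    """Split a raw HTTP response head into (name, value) pairs; repeats such as Set-Cookie are kept."""
    pairs = []
    for line in raw.split("\r\n")[1:]:      # skip the status line
        if not line:
            break                           # blank line ends the header block
        name, _, value = line.partition(":")
        pairs.append((name.strip(), value.strip()))
    return pairs

def passive_checks(raw: str) -> List[str]:
    """Return the findings a passive check raises for one response; nothing is sent to the server."""
    pairs = parse_headers(raw)
    lower = {n.lower(): v for n, v in pairs}
    findings = []
    for name in REQUIRED:
        if name.lower() not in lower:
            findings.append(f"missing header: {name}")
    # CORS: a wildcard origin combined with credentials is a misconfiguration
    if (lower.get("access-control-allow-origin") == "*"
            and lower.get("access-control-allow-credentials", "").lower() == "true"):
        findings.append("CORS: wildcard origin with credentials")
    # Cookies: every Set-Cookie should carry the Secure and HttpOnly attributes
    for name, value in pairs:
        if name.lower() == "set-cookie":
            cookie = value.split(";")[0].split("=")[0].strip()
            attrs = {a.strip().lower() for a in value.split(";")[1:]}
            for flag in ("secure", "httponly"):
                if flag not in attrs:
                    findings.append(f"cookie {cookie} without {flag}")
    return findings

# Constructed sample response, as the proxy would see it returning from the server
SAMPLE = ("HTTP/1.1 200 OK\r\n"
          "Content-Type: text/html\r\n"
          "Access-Control-Allow-Origin: *\r\n"
          "Access-Control-Allow-Credentials: true\r\n"
          "Set-Cookie: session=abc123; Path=/\r\n"
          "Set-Cookie: csrf=xyz; Secure; HttpOnly\r\n"
          "\r\n"
          "<html></html>")

if __name__ == "__main__":
    for finding in passive_checks(SAMPLE):
        print(finding)
```

Run against the constructed response it reports six findings; a response that sets the three headers and marks its cookies Secure and HttpOnly produces none.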

📹 To learn more about how to use ZAP, watch the full talk and immerse yourself in the step-by-step demonstration.

About talent.io and DevBreak

Before DevBreak is a series of live, online, tech talks. Each session features a senior tech expert from an innovative company, who demonstrates how they solved major programming challenges in their business. This series is part of DevBreak, the ultimate 2-day tech festival organised by talent.io.

talent.io is Europe's leading selective recruitment platform, which has raised over €10m in funding and is over 170 employees strong. We help great companies build great tech teams in the simplest way: selected companies apply directly to vetted candidates. We cover most tech roles (software engineers, data scientists, product managers, DevOps engineers, CTOs). Our platform is open to permanent positions as well as freelance assignments, both on-site and remote.

  • 7,000+ companies use talent.io, such as Deliveroo, Volkswagen, N26, PayFit and Aircall
  • 6,000+ candidates recruited, for permanent contracts and for freelance assignments
  • 5 Countries / 11 cities (Paris, Lyon, Lille, Bordeaux, Toulouse, Berlin, Hamburg, Munich, London, Amsterdam, Brussels)
