… is to an internet that truly puts people first, where individuals can shape their own experience and where people are empowered, safe, secure and independent. So today I am going to talk about why web application security matters. My facilitation is basically an introduction to why web application security matters, so you don't need to be a tech guy or a geek guy; you can be a new one. So okay, let's start. You might think from my presentation: what is Open Sac? Open Sac is actually called open source application security. We are here at FOSS; FOSS is free and open source software. So we are here to present you Open Sac, the open source application security thing. Most of us code and open source at GitHub. We create software, we create tools, we create projects. But not all of us care about the security things: that it might be hacked, or that my data can be stolen. So we don't care about this. The other thing is that "web application security" is not a common word in this world. So how many of you know about OWASP? How many know? Okay, that's cool. It's called the Open Web Application Security Project. It's a very good document on the internet; you can learn about web application security there. It is totally open source, and it has documents like a wiki page, so you can learn about so many open source related security projects. You can learn about penetration testing, you can learn about how you can secure yourself or how you can penetrate your system, you can learn about many resources, so many things on that.
So the question is raised all the time: why should I care about security? How many of you care about your own security here? How many of you? And how many of you don't? No one? Okay, that's good, that's great. So we all care about our own security. When I gave this kind of presentation in the last one year, I saw that most people don't care about security, and I asked them why. They said, "I don't need to care about it." Then I asked them, "Please give me your Facebook password," and they didn't give it to me. But it's fine; now everyone cares about security, everyone is focusing on security these days, and it is going to be very popular right now. So what actually is web application security? In my perspective, I can say that it's not a technical thing; it's just like an attitude. So if your attitude is secure, you can be secure online. But what web application security is, is a combination of people, a combination of process and a combination of technology. So if you are the people, if you can feel that you want to be secure or that your system can be secure... I think in this time everything is hackable. If you go online, if you see HackerOne, if you see Bugcrowd, if you go to those scenarios, you see that every day Google, Facebook, Microsoft, lots of big organizations are getting hacked; someone hacks them, the security researchers are reporting their bugs. So everything is hackable, nothing is secure, but we have to care about how our data or how our system can be secure. So here is CMS, open source and custom web applications. Most of the time we ourselves use a CMS, we use open source products, we use our custom web application projects. For most of the CMS, we believe... like WordPress: most people use WordPress for their website, for their blog; many use Joomla or other things.
But we don't think... we believe that their system is very secure. And yes, their system is secure, but they have some lacking behind you: you should make your password strong, you should protect your admin panel. So here is the people, process, technology. If you care about all these things, if we raise awareness, if you do lots of training, if you push lots of guidance, if you secure when we code, if you secure our development, if you secure our code review, and if you do security testing, security configuration, application virus, automated testing, then we might say that yes, maybe it can be secure. I am not telling you that it can be 100% perfectly secure, but it can be 95% secure if you follow this process. Okay, so here I am telling you about the key web application security vulnerabilities. In the session before, maybe they talked about the top 10 security vulnerabilities, but I am just recalling it again. There are some common security vulnerabilities online: one is XSS, which means cross-site scripting; there is CSRF, cross-site request forgery; there is session hijacking; there is SQL injection; there is IDOR; there is RFI; there is LFI; there is RCE. Every one of these security vulnerabilities is very critical, and your data can be stolen by any of them. So if you want to know more about this, you can go there; there is a link there. You can go there, you can learn more about it, you can know more about how this can be done, or how the hackers are hacking you, or how you can protect yourself. Okay, so I am going to describe a little bit of penetration testing for beginners: how you can test your system or how you can protect your system. So let's get ready. Okay, so the first lesson is you have to be patient. You know hard? Who knows hard? No one? Okay, no need to know hard.
So at first, most people think the security things may be so hard; it looks so hard, it sounds so hard, but trust me, it's not so hard, it's fun work. It's fun work, but you have to be patient inside yourself: okay, I am going to do this. Okay, the second thing is: avoid operating system arguments, avoid browser arguments, avoid language arguments. It's not mandatory to code in C, it's not mandatory to code in Python, it's not mandatory to code in any particular language; you can use any language, and if you code securely, if you code well, your system can be secure. So you don't need to argue about any of these things: that if I use Linux my system can be secure, if I use Windows my system can be secure, or if I use any other operating system my system can be secure. It's not like this; you can use anything. Okay, the other thing is: do not use automated scanners. Most people, or those who do penetration testing, use automated scanners, and they think... the scanner, why don't you find bugs? They say they scanned it with the automated scanners; they bought the software and they scanned it, the software said there is no bug, so they said okay, I am secure, no one can hack me. But trust me, you are the most vulnerable person. So if you search online for "web application security scanner", first of all you will find Acunetix or other software like it. I am not saying that they are not good; they are good, but don't try to use this kind of software. It will be harmful for you, it will also steal your data, because this is not an open source product. So we don't know how these things are going on the site or on your website. The second thing is: learn to code. I put Python first because I am a Python lover, but I am not saying you have to write code in Python.
You can write code in anything; you can write code in PHP, you can write code in anything, whatever you like. So you might question: if we do not use automated scanners, what do we use? Okay, there are several tools. This one is called Burp Suite; this is the most famous one in penetration testing. There is OWASP ZAP, there is nmap, there is DNSRecon, there is pirates. All of these are security tools, but they are not automated tools. You have to know first how these things can be done so that you can use these tools. This is just like an intercepting tool: you can intercept the browser request here, then you can do something on the inner side. If you want to know where we can find them: Burp Suite can be found at this link, the ZAP proxy can be found at this link, nmap can be found at this link, DNSRecon can be found at this link, and pirates can be found at this link. You don't need to write it down; I will give them my slides so you can watch it later. Okay, so now you might ask me: I am not a tech guy, I am not a geek guy, I am not a hacker, I am not a security researcher, so how can I stay updated? Because every day there are some security issues, some zero days rising, some exploits coming. So you might ask yourself: how can I know about the updated exploits? Okay, there are several websites. The most famous one is called Exploit Database, Exploit-DB. You can go there, search your CMS name, or you can search anything there. Every day they update; exploits are updated. There is another one, it's called 1337day, it means leet day; you can find it on that site. There is another one, it's very famous, Rapid7. You can also search there; you can just search for your CMS system or your plugin system. Whatever you like, you just need to search there.
If you find anything related to your plugin, related to your CMS, related to your software, you just need to check, and there is also a patch there. They will write there how you can patch your system. So it's very easy and very effective to secure your system, to secure your website. In this time most of us have a website, most of us like to write a blog, but we don't know how our data can be stolen, how things can be done. So if you want to know more about the exploits or the updated exploits, you can find all of this here. There are some zero days which are made by the hackers, which they don't like to delete; this is a different thing, but most public exploits can be found here. So this place is not for the web developers, but I request web developers to practice on this ground. This is basically for the penetration testers who love to penetrate, who love to break the system and who love to do some security research. So if you want to be a hacker... the word is like, people call it, oh, they are not good guys, they are bad guys, we have to avoid this. Trust me, we are good guys; we are not storing your system, we are just avoiding you. Okay, so if you want to start penetration testing, there are two open source ones. One is called DVWA, which means Damn Vulnerable Web Application. This is a project, an open source project; you just need to install it on your localhost, or you can install it on your web server, whatever you like. They have all the common web application vulnerabilities there. So you can check, you can test yourself how good you are at testing security. There is another good one, I personally like this, it's called bWAPP. You can also install it on your system, you can search, you can find bugs, or you can test yourself. And trust me, the web application security things... if you are a good penetration tester, your career would be great.
Because in this time, in this generation or the next 50 years, security research salaries would be the highest. If you go to HackerOne, if you go to the Bugcrowd system, they have lots of freelancers. And you see that... the last time I remember, 2 months ago, there was a Russian hacker, a freelance hacker, who found a remote code execution vulnerability on Facebook, and just for one vulnerability he earned 40,000 US dollars. Just one hour of work, just one hour of work. So if you want to see, if you don't trust me, go to hackerone.com, go to bugcrowd.com. Just sign up there; you will see how they pay. All the great organizations and companies are there. We might think that Facebook is very secure, they have good developers; Google is very secure, they have great developers. It is not like this; the security researchers are securing them. They just pay back money to us. They have a platform, they have their website, we test it, we report vulnerabilities on that. If this is valid, then they pay us back. So if you want to be a security researcher, or if you want to start your career in the security field, I think, I prefer you should choose this, because you can be rich within one year; you can be rich. Okay, so there is one more, this is a very new web-based scanner just for developers. It's called Mozilla Observatory; it's made by Mozilla. So if you have a computer, you can scan your website now. Let me show you. Is there internet on it? Internet? Okay, so here is the website, you just need to go to MozillaObservatory.com. Sorry, it's observatory.mozilla.org. Okay, so you just need to go there, you can scan any website; if you scan, say, fossasia.com, you can see what they are using, what's not secured, or how they can improve, what is lacking on their site. So it's a very good tool; you can scan your own website here.
And it's totally open source, so you can also recommend anything to us or contribute on GitHub. Okay, so here I said: when I only care about security, I love to dance. And when everyone cares about security, I love to dance with them. So I believe, and I wish, that in this room after my session you all will care about security, and you will try to learn more about web application security. And if you have a domain, or a system, or a website, or a web server, or anything else, you should learn something to know how you can protect yourself. If you are not interested in penetration testing, I'm not requesting you to do penetration testing. But if you have a domain, or a system, or a website, I am requesting you to learn a little bit about how you can protect yourself, how you can secure your system, because in this time, every day, data is stolen; you can see the big organizations or big companies are storing your data every time, they are following all your movements, they are following all your websites, they are following all your passwords, everything. So we have the right to protect ourselves; our privacy is ours. So I am requesting all of you, those who are not that much of a programmer or developer, you should try to learn something about web application security or about your system, how you can protect yourself. Okay, I am done here. Any questions? Okay, please.

Okay, so for web apps, they have many different layers; sometimes they ask for user information, and a lot more information at the end. So when you do these scans, like the Observatory, does it kind of drill down into different paths?

No, it's just checking your data request, where it is going. Okay, let me show you.

So when I enter the address, do I enter the page with all the input fields, or do I just put in the front page?

No, you can... I am not a developer. You just need to scan just a website link; you don't need to do anything.
You just need to scan just a website link, or, if you are good at dorking, it's called Google dork, you can add some lines to that, but it's a tricky thing. But I am requesting, if you are a beginner, you just need to write down your website URL, just the URL without HTTP. Just write it down, click scan, and see what output comes out.

You have seen this before. Essentially, you enter the URL and it does some basic checks on whether or not you have been using HTTPS.

Yeah, yeah, yeah, yeah.

And even if you are, there are a bunch of things that it will test against your web server, nginx or Apache or whatever. It will test a bunch of headers that you are protecting yourself with, with respect to, say, inside your...

Yeah, yeah, yeah.

So it basically does a bunch of checks with respect to your web server, I would say. And that's where it gives you the entire report you need to protect yourself from incoming requests, which are possibly the issues, by adding these headers into your X or X configuration.

Yeah.

I guess that's a good start to have an intelligent conversation with my tech guy.

Okay, okay, okay. You have great stuff.

Yeah, so I am basically a free-start web developer, so I really love the content of it. So as a front-end person, how can I make my websites more secure? Which is one of the things that I can start working on to make my stuff more secure. The website is enough.

Okay, I have a great document for it. We have a Mozilla booth there. You should collect it from me after this session. Okay. Anyone? Okay, I think I am done. Okay, so thank you so much, everyone, for being here, and thank you so much for listening to my boring lecture, because the security lecture is called so boring. It's not interesting, it's not a funny thing; they do not have any funny thing, funny image, or anything like this, but I tried to add some funny images here.
Thank you so much again, and if you want to follow me on Twitter, or if you want to check what I am doing, you can check there. That's it, and if you want to have a discussion or chat with me, there is a Mozilla booth there, on the fast food, you can go and meet me. Thank you so much everyone.
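The Q&A above describes what the Mozilla Observatory scan does: it fetches the site's front page and checks whether it is served over HTTPS and which protective response headers the web server sends. The script below is an added example, not code from the talk or from Mozilla; it reimplements a small subset of those checks over constructed header sets, one for a site that has done nothing and one for the same site after hardening its server configuration. The six-month HSTS minimum and the wording of the findings are assumptions of this example.

```python
"""Observatory-style check of a site's HTTP response headers.

Added example, not code from the talk or from Mozilla: a small subset of what
observatory.mozilla.org tests, with thresholds chosen here. The two header
sets below are constructed samples, not captures from any real site.
"""
import re

HSTS_MIN_AGE = 15552000  # six months in seconds (assumed minimum)


def check_headers(headers, final_url):
    """Return findings for one response (empty list = all checks passed).
    headers: response header names to values, any letter case; Set-Cookie
    may be a list. final_url: URL reached after redirects (HTTPS check)."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    if not final_url.lower().startswith("https://"):
        findings.append("not served over HTTPS after redirects")
    m = re.search(r"max-age=(\d+)", h.get("strict-transport-security", ""))
    if not m or int(m.group(1)) < HSTS_MIN_AGE:
        findings.append("HSTS missing or max-age below six months")
    csp = h.get("content-security-policy", "")
    if not csp:
        findings.append("no Content-Security-Policy")
    elif "'unsafe-inline'" in csp or "'unsafe-eval'" in csp:
        findings.append("CSP allows inline or eval'd script")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options is not nosniff")
    # Clickjacking: either X-Frame-Options or CSP frame-ancestors will do
    if "x-frame-options" not in h and "frame-ancestors" not in csp:
        findings.append("no clickjacking protection")
    cookies = h.get("set-cookie", [])
    for cookie in [cookies] if isinstance(cookies, str) else cookies:
        attrs = {a.strip().split("=")[0].lower() for a in cookie.split(";")[1:]}
        if not {"secure", "httponly"} <= attrs:
            findings.append("cookie lacks Secure/HttpOnly: " + cookie.split("=")[0])
    return findings


# Constructed sample: a site that gets most of it wrong
WEAK_URL, WEAK = "http://example.test/", {
    "Content-Type": "text/html", "Set-Cookie": "session=abc123; Path=/"}
# Constructed sample: the same site after fixing its server configuration
SAFE_URL, SAFE = "https://example.test/", {
    "Content-Type": "text/html",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
    "Set-Cookie": ["session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"]}

if __name__ == "__main__":
    for url, hdrs in ((WEAK_URL, WEAK), (SAFE_URL, SAFE)):
        print(url, check_headers(hdrs, url) or "all checks passed")
```

Feeding it a real site's headers (from `curl -sI` or a browser's network tab) turns the scan's report into something a front-end developer can reproduce and re-check after each configuration change.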