Yes. Okay, it's now [time], I think we'll start. So, just to let you know, my topic today is actually an introduction to web application security, not really advanced. This is just for developers who are actually starting out with web applications. So, who here actually does security? Okay. Okay, that's good. Okay, just to introduce myself: actually, I was in development for 5 years. I'm now a Software Security Engineer. Okay, I'm taking a part-time master's in knowledge engineering. I have a Computer Science degree in Digital Security. Okay, how many of you here are actually developers? Okay, that's good. So normally, when you do functional testing, many people along the way, they do security testing. Okay. So, there are many things that are not covered by relying on functional testing. Okay, for security testing, surely you have to decide.

So what is the strategy? It is to secure at the source. So in the past we did the SDLC, software development life cycle, but right now we've moved into the secure software development life cycle. So there are some methodologies out there right now, like Microsoft. They have their own documentation on how to do secure web development. There's CMM, there's the OWASP ASVS. I'm not going to touch on this in depth. I just briefly introduce you to those, only for those who are developers and have not been touching security right now. This is the Microsoft secure development life cycle. There's training, requirements, design, implementation, verification. So every one of them has their own unique things. My point is there's a lot of methodology out there to do a secure development life cycle, but in reality we need to strike a balance. How much do you need to secure your products or your web application?
Is that too much or too little? Just to briefly introduce it, there's actually the Open Web Application Security Project, OWASP. It's an online community that actually publishes documentation about application security and there are some standards you can use. The OWASP Top 10 is a powerful awareness document for web application security. Sorry, am I boring you, or is this what you already know? I'm so sorry. I'm just trying to introduce those who are new developers; I saw a lot of students coming into this event so I want to educate them about what security is. So actually they give a standard for a lot of vulnerabilities. Their top 10 is actually injection, broken authentication and session management, cross-site scripting. So how do you all manage all this? How do you all do testing? Okay, they actually release the ASVS standard. Just to show you that there are reports. They release a very good report on how to do testing. You can actually take a look: how to test cross-site scripting, how to do authentication tests, all this. OWASP actually has verification levels. The first level is for all software. The second level is for applications that contain sensitive data which requires protection. The third level is for the most critical applications that handle sensitive data. So we can actually describe this. Okay, they have a list of what you should actually test, every item, for your web applications. Okay, for their standard, at least all web applications should meet level 2. So there's a checklist you can actually download from OWASP itself to follow, to verify whether your web application actually meets the standard. For example, all the checklists can be downloaded at the OWASP website itself. Okay, this is just a guideline. There's no need for you to follow it strictly. You can actually take some of the guidelines to follow and some not to follow. But from my point of view, you should at least meet level 2 of this documentation. Okay, so how do you do testing?
First of all, you do recon, you do mapping, you do discovery. Okay, exploitation is for pen testers. We're not going to touch on this. So how do you do recon on their website? Actually, there are a lot of tools out there to actually help you do mapping and discovery. For example, there's Nmap and Zenmap, to maybe identify what servers your web application is using. Is there anything you can use as an opening? For example, I take our event website. Okay, we go ahead and scan their ports. Okay, this is a website I normally use to scan whether on this website something is open, what type of port is open, is it secure. Okay, we do a sort of study of the website first before we do anything more in depth. Okay, we can see the server types. Okay, you can do some server-type-specific attack in a while. We know their servers. We know what is open. HTTP is open. HTTPS is open. So some other websites are less secure. You can actually see, if SMB is open, they are trying to steal your data. How many of you know the Microsoft authentication attack? Okay, by having an SMB image in the website I actually can get your Windows login account. Your Windows login account is your password hash. So before you actually go into all these websites, do you actually study what is happening on the website itself? So I suggest before you do anything, always scan through what they are trying to do. Okay, I actually did a mini project outside on how, today, the hacker actually steals your Windows password. There's the SMB protocol. Actually 3.0 is over the net. Actually you can steal their login password hash. And then with the session key you can actually reverse the password and they get all your access to your Microsoft account. So these are the server details of our current website. So from all this, you can actually map out what you want to do. Okay, the next stage of this, I will say, is to use some freely available software.
So how many of you use Burp, ZAP? Sorry, OWASP ZAP. It's good. So you don't know how to use it, correct? It's a very powerful tool. I recommend ZAP because it's open source and free. OWASP actually gives these free tools compared to Burp. For Burp you need to have a license. There's actually a free trial version. But I don't think it's that useful actually, because you can't save the reports itself. So let me take some random website and attack it. Not recommended to do, but I do it just for demo only. It actually can map out the whole website tree and folders. For example, this is the website you want to do. You actually can attack it and do a spider crawl. For this, there's actually a more in-depth tutorial you can get online, or go and visit, on how most websites actually do authentication. Okay. Do authentication. So you need to configure ZAP to actually use your web browser as a proxy, to actually map out, to do Ajax spidering and do password authentication. So this is a very good tool that you should explore if you are new to web security. Okay. For time-saving purposes you can actually have reports on what type of security loophole it is. I did some scans for some websites beforehand. And these are the vulnerabilities by host itself and this is their report. You can see what you should actually close up. What is critical in your web system. What you should do, and it actually gives you suggestions on how you actually do the patching, or cover up this problem. So a lot of problems today in web security are not actually the vulnerability of things but actually the developer itself; it's important to do something, like they forget to do verification of inputs. So there are actually libraries from OWASP itself you can actually use as a guide, like the development guide. They actually have open libraries for you to use in your development. They will check your input strings, all these. Anybody got any question at this point in time?
Or anything you want to know? Am I too dry, or is this what you already know? Okay. Okay, I recommend you to actually go and read up on OWASP. They have very good templates and a lot of open source tools you can use from this.

You scan it every other month; in your experience what would be the recommended period of time to create an update, if we need to run the scan?

Actually, if you are going for project security, every time you do a release, you do a release. But there comes a point where: how much work do you want to do, releasing the product first or securing the product? You must try to balance. Too much security delays the timeline and delays the whole project, and it's harder to do; then too little, you become vulnerable. So you must try to balance. Know what is your asset, know what you want to protect. A normal website or system with normal data, not very sensitive, maybe you just want to do the top 10 vulnerabilities. The top 10, like SQL injection, authentication, cross-site scripting; the top 10 maybe solves quite a lot of problems. Those outside of the top 10, a real hacker trying to hack your site, that type of people, a very extreme case, maybe you need to consider after you release your product. Any other questions?

Maybe for new people that are still there for web security, so besides OWASP, do you look into, have you some tool to help, methodology?

I think that you should follow some methodology. First identify what are the use cases. Like there is the Microsoft SDLC, the secure development life cycle. You don't need to follow it strictly but it's good to understand what they are looking out for. I suggest at least 50% of what they are actually talking about you should actually consider implementing. So for people who are using agile methodology, there is something, don't forget the evil user story. So you must always consider from the other side. Normally people only consider the functionality, the features of the product; you cover functional tests for all your features. The user that doesn't follow your user guide, the user that doesn't follow your recommendation, they always try to do something out of the box. So you must remember to actually consider that area also. So any last question before I finish? Yes, it's a skill invention developer detail, yes, but for OWASP, probably some old range, it's actually a standard for developers to follow and for operations to use as a guide to test the system itself. So you can consider a lot of good information from this community. It's not too much for me. Thank you.