WhiteHat Security Trainings

As part of a requirement in my department (VIP/Automattic), I’ve had the chance to work through a few security training courses on whitehatsec.com. This post is a concise summary of what I took away from them.

These are the courses I’ve finished:

  • OWASP Top Ten for Developers
  • Building Secure JavaScript Applications
  • Defensive Enterprise Remediation Series
  • Integrating Security Throughout the SDLC
  • Threat Modeling

The first three courses are more practical for developers, with exploitation examples and solutions. The last two are more about procedure, strategy, and planning.

The three developer-focused courses are actually very basic. That is, if you’re a seasoned developer, you are probably already familiar with all of the issues they cover and know how to avoid them. Even for me, while I do not consider myself a seasoned developer, the one thing I just did not know much about was XXE (XML External Entity). The second course, on JavaScript, is mostly a repeat of the first but with a concentration on NodeJS and front-end JavaScript frameworks (React, Angular, jQuery, etc.).

Some common ideas include:

  • Do not trust data provided by users.
  • Always sanitize and escape data.
  • Always start with the mindset that our code can be hacked at any point/level. For example, some people think a firewall is enough to block all malicious requests. However, that’s not true. A firewall can only filter requests at the packet/network level; it cannot know whether the data is safe for your application layer.
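The first two ideas in practice, as an added example that is not from the post or the WhiteHat courses: a small comment renderer for a Node/Express-style app (the `author`/`website`/`body` field names are assumed). Untrusted fields are escaped at the point of output and the website URL is validated against an allowlist of schemes, so the page stays safe regardless of what a network-level filter did or did not see.

```javascript
// Added example, not code from the post: output escaping and input
// validation for an (assumed) comment object { author, website, body }.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape a value for the HTML text and double-quoted attribute contexts.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Validate rather than "clean up": only http(s) URLs are accepted, anything
// else (javascript:, data:, garbage) is rejected and the link is not rendered.
function safeHttpUrl(value) {
  try {
    const url = new URL(String(value));
    return url.protocol === 'http:' || url.protocol === 'https:' ? url.href : null;
  } catch {
    return null;
  }
}

// Every user-supplied field passes through escaping at output time; the
// renderer does not rely on a firewall or WAF having inspected the request.
function renderComment(comment) {
  const author = escapeHtml(comment.author);
  const body = escapeHtml(comment.body);
  const website = safeHttpUrl(comment.website);
  const authorHtml = website
    ? `<a href="${escapeHtml(website)}" rel="nofollow">${author}</a>`
    : `<span>${author}</span>`;
  return `<li class="comment">${authorHtml}: ${body}</li>`;
}

// Constructed sample input standing in for a hostile form submission.
const sampleComment = {
  author: 'Bob "the builder"',
  website: 'javascript:alert(1)',
  body: '<script>alert(1)</script>',
};

console.log(renderComment(sampleComment));
```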

If you’d like to deepen your knowledge of your specific platform and languages, I think you may still want to look at their security guides and training. We can try fixing security issues on our own; however, it’s always better to use methods/libraries that have been proven effective at preventing them.

For WordPress, these are good resources:

The last two courses provide some ideas and tools for implementing security in your organization.

I found that they overlap quite a bit, but they are still good to learn from. These two courses were totally new to me. Generally, to implement security procedures in your Software Development Life Cycle (SDLC) and organization, you need a formal checklist and model to assess, detect, and qualify potential security issues.

Also, it’s worth reading about the OWASP Software Assurance Maturity Model (SAMM).

Finally, at any organization, I think the most important thing is still the leaders’ mindset regarding security. Without the right mindset and an understanding of its importance, no theory can be executed properly.

Some quicklinks and keywords

Resources:

Keywords:

  • SAST (Static application security testing)
  • DAST (Dynamic application security testing)
  • Threat Modeling
  • Rainbow table attacks
