Notes from OWASP Helsinki chapter meeting 36

OWASP Helsinki chapter meeting number 36 was held 12.2.2019 at Veikkaus premises in Pohjois-Haaga. The theme of this meeting was software security, and the topic was covered with two talks and a card game. Here are my short notes.

What Every Developer and Tester Should Know About Software Security

The event started with “What Every Developer and Tester Should Know About Software Security” by Anne Oikarinen from Nixu. The main point was that information security isn’t something you can sprinkle over your applications afterwards; security needs to be baked in. Take security into account in every step of your software development process, with the focus on design and development.

The talk was a great overview of software security and covered the topic from three perspectives: security requirements, threat modeling and security testing. It was both practical and theoretical and gave good tips on tools and on how to approach the issue. The presentation slides can be seen on SlideShare.

#OWASPHelsinki meeting 36 at @veikkaus_fi started with “What Every Developer and Tester Should Know About Software Security” by @Anne_Oikarinen. Good practical overview to security requirements, threat modeling and security testing. Build security in. #infosec @OWASPHelsinki

@walokra
Building security in: start with security requirements and threat modeling
Venn diagram of building security in
Follow standards and best practices
Use tools for improving software security yourself

Security in Agile Development

Joakim Tauren from Visma continued the event with “Security in Agile Development” and told how they manage security at large scale. The software security team provides security as a service to product teams and utilizes OWASP SAMM to empower the teams. The in-house built system for managing the security maturity matrix was cool.

Next up at @OWASPHelsinki meetup was “Security in Agile Development” by @JoakimTauren from @Visma. Security as a Service. Empower teams. Transparency. In-house tool for security maturity matrix. Effective leadership of self-managing work teams. #infosec #OWASPHelsinki

@walokra
Security as a Service
Empowering teams
In-house built tool for managing security maturity index
You have tools to help you on the way

OWASP Cornucopia

The event was wrapped up with OWASP Cornucopia, a live card game session. The idea behind Cornucopia is to help development teams, especially those using Agile methodologies, identify application security requirements and develop security-based user stories.

#OWASPHelsinki meetup 36 came to conclusion with a live game session of #OWASP Cornucopia: https://www.owasp.org/index.php/OWASP_Cornucopi …. Mechanism in game format to assist software development teams identify security requirements. @OWASPHelsinki had clever Star Wars themed system to audit. #infosec

@walokra

The game plays like a card game with six suits and cards from one to ace, like a normal deck of cards. The cards have security-themed questions, and the players try to answer, in the given context, whether the issue at hand is a problem to be looked into. In this case the context was Death Star themed, with a given architecture diagram.

The card deck can be printed from the OWASP site.

But what does cornucopia mean? In modern depictions, the cornucopia is typically a hollow, horn-shaped wicker basket filled with various kinds of festive fruit and vegetables. In this context it would relate to a can of worms :)

OWASP Cornucopia in Death Star architecture

Monthly notes 37

January is turning over to February, and winter with freezing weather and lots of snow has brightened our days. Here is some reading for the moments when the winter wonderland is too much and a warm mug of coffee by the fireplace is the place to be.

Issue 37, 31.1.2019

Web and mobile development

PWAs on iOS 12.2 beta: the good, the bad, and the “not sure yet if good”
“The first beta of iOS 12.2: the first version since PWA support that responds to all the critics by offering solutions to the two biggest problems on PWAs on iOS.”

Hartington’s tweet thread has some information.

Microservices

Choose your tools wisely.

Tools of the trade

Lifehack.
“To test the flow of a potential scenario, storyboarding and comics can really add an extra dimension that your users can relate to (or not) and provide feedback on the types of activities, thoughts and feelings they would be experiencing along the way.”

Privacy and security


Something different

2018 Retrospective

The year has changed and it’s time for the traditional retrospective of posts written in 2018. By the numbers, 2018 was a total of 23 articles, of which 11 were Monthly notes. I visited a couple of conferences and some meetups, did software development and tested technology stuff. Business as usual, and I presume it’s going to continue this way this year too.

Monthly notes

Collecting interesting articles into my Monthly notes series has proved to be a good way to ensure that I keep reading about what happens in software development and also think about it. The series continued with 11 posts.

Meetups

During the year I attended a couple of meetups, and if you follow me on Twitter you might have noticed that I went to more meetups than I wrote about. There are several interesting events in Helsinki you can attend almost monthly, but you have to be quick to sign up because the events usually fill up quickly. Even when an event seems to be full, there are often spots left, as some people don’t cancel if they can’t make it.

Information security related meetups are always interesting, and I participated in a couple of OWASP Helsinki meetings.

OWASP Helsinki chapter meeting 34: Secure API covered “Perfectly secure API” and “Best friends: API security & API management”. The event gave a good overview of the topics and was quite packed with people. Eficode’s premises were modern and there were snacks and beverages. And also a sauna.

Have you ever wondered how to become a bug bounty hunter or wanted to organize a bug bounty program? OWASP Helsinki chapter meeting 35: Bug Bounty programs told all about bug bounty programs from the hacker’s and the organizer’s points of view, with the topics “Hunting for bounties in a web browser”, “How to become a bug bounty hunter” and “Running a successful bug bounty program”.

In August I attended the React Helsinki August 2018 meetup at Smartly.io. The topics covered were “Splitting React codebases for increased development speed”, “Making your own Ignite generator – for React Native” and “Use GraphQL!”. There are links to recordings of the presentations.

Meetups and conferences are also a nice way to freshen your thinking, hear how others do things, get new ideas and meet people working in the same field.

Conferences

Last year there were lots of interesting conferences in Helsinki. In the spring there was the React Finland 2018 conference, which told what’s hot in the React world. The two-day conference covered React on day one and React and React Native on day two. Both conference days were packed with great talks and new information.

Where React Finland was a conference by developers for developers, the opposite was Red Hat Forum Finland 2018, which was held at Finlandia-talo. The tagline was “Ideas worth exploring. Come with questions. Leave with ideas.” The event was divided into a keynote and four breakout sessions. I chose to get hands-on with OpenShift.

The developer conference theme continued in the autumn with GraphQL Finland 2018. The first event of its kind in Finland brought a day of workshops and a day of talks around GraphQL. The event was organized by the same people as React Finland, and it showed, in good ways. The talks were interesting, the atmosphere was cosy and the after party was bookie. All of the talks were live streamed and they’re available on YouTube.

Software development as usual

I managed to write a couple of articles about software development and the topics surrounding it.

Writing documentation is always a task that isn’t much liked, and especially with diagrams and flowcharts there’s the problem of which tools to use. I wrote about generating documentation as code with mermaid and PlantUML as an alternative to crafty Draw.io. Using mermaid or PlantUML has the advantage that you can see the changes clearly in a human-readable text format and maintain source-controlled diagrams.

When developing modern web applications you often end up checking REST API responses and parsing JSON values. If you’re allowed to install extra tools or use Python, things get easier, as you can use the command line and combine jq and Python to extract JSON values. As a further note, you can also use jp, a command line interface to JMESPath.

A more practical approach to visualizing things was the build monitor I built with a Raspberry Pi and a touch screen. Information is a great tool in software development, and it’s useful to have easy access to it. Using a build monitor to show continuous integration status and metrics from running services helps you notice problems and get them solved quicker.

And as we know, learning and staying current in software development is important, and expanding your horizons can be achieved in different ways. One good way I have used is following different news sources and newsletters, listening to podcasts and attending meetups.

Awesome times ahead

Years change but the blog stays pretty much the same. This year the plan is again to continue as before: write about technology, collect interesting articles, learn new things about software development and, of course, ride my mountain bike.

Stay tuned by subscribing to the RSS feed or following me on Twitter. Check out also my other blog in Finnish.