Hackers of India

Secure Coding: Fix From The Root

By  Saddam Hussain   Gopika Subramanian  on 23 Sep 2023 @ Nullcon

Abstract

This talk aims to overcome the drawbacks of the current approach of teaching application security by blindly attacking applications to analyze vulnerabilities. This results in engineers being unable to figure out the proper fix for the vulnerabilities and hence allowing attackers to exploit the same.

The talk will help security enthusiasts, developers, and students to identify the root cause of the vulnerability in the code, patch it, re-deploy the application, and finally verify the fix. One will learn to find vulnerabilities from both an attacker’s and a defender’s point of view which would help in a swift SDLC of fixing and moving forward instead of traditional pentesting procedures of fixing the issues at the end of the cycle.

The demonstration will be done using a vulnerable e-cart application with microservice architecture which is deployed using docker where the vulnerable code is attacked and replaced with secure code snippets, compiled, deployed, and pentested again to demonstrate how fixing a vulnerability at the root saves engineers time and efforts.