Hands-on secure software development from design to deployment
Modern software development processes (e.g., agile, devops) are designed to be fast and productive. As a result, we are now able to ship new software versions every hour, but it is also easy to forget about security entirely. At the same time, most of the software running in the wild use pieces of legacy codes that make our systems even more fragile. In addition, these new development processes are really difficult to be aligned to the expectations of legacy environments.
In this workhop, we give a hands-on walkthrough over the main SDLC phases (i.e., design, development, code review, deployment) where participants need to attack, fix and rewrite the legacy code of a realistic application (i.e., website of a spaceline company). This application is discussed feature by feature together with the corresponding security issues. The legacy code uses Java Servlets and JSP, while the new code has to be built over the popular Spring Framework and Thymeleaf. To be effective at the workshop, please check these technologies beforehand.
The goal of the workshop is to demonstrate (with real exercises) that:
- implementation bugs are only one part of security problems
- don’t touch the keyboard until you have designed your system with security in mind
- code review is a must
- no framework is a silver bullet
In the second part of the workshop, participants are invited to join a small CTF on the avatao platform.