Show 3: Interview – Sijmen Ruwhof


Not all security analysts out there have a strong development background that helps them relate to the developer's perspective.  But when security analysts do, it shows not only in how they approach their analysis, but also in how they teach and train developers, you know, the ones writing the potentially vulnerable code.  Well, I got to sit down with a security analyst who has a strong background in both areas.

Sijmen Ruwhof has been working in the development and security space for the past 17 years, and we had a great time talking about a plethora of topics that directly relate to developers in their pursuit to write more secure code.  Sijmen shares software security best practices, changes he sees in the security landscape, and recommended tools, just to name a few.

Don’t miss out, tune in to hear what he has to say.

Show Notes

Who's Sijmen and How It All Started (00:02:15)

Sijmen talks a bit about his background in security and software development.

Sijmen's Driving Motivators for Staying Up with Security Knowledge (00:05:30)

Running a business, being adept at security analysis and keeping your development chops sharp is a lot of balls to juggle.  Sijmen talks more about the driving motivators behind what he does.

What Does the Software Security Landscape Look Like in the Future (00:09:00)

Some changes in the security landscape are obvious, but not all.  We talk more about what we see in the coming years.

#1 Change in the Security Space Sijmen Has Seen (00:14:30)

Looking back, security didn't have the awareness factor it is starting to gain recently.  Sijmen reflects on some of the changes he has seen since the early years.

Talking $$ Dollars and Sense with the Client about Security (00:23:00)

Technical details don't always sell the correct path when it comes to working with clients.  The focus here is the strategy and tactics used when relaying the importance of development decisions from a security perspective.

Why Hasn't Security Been a Focal Point from the Beginning? (00:30:30)

Where did we go wrong? Or did we? We look at how and why security never is a focal point from a developer's foray into programming.

Recommended Tools (00:37:00)

Testing Tools

  • OWASP ZAP – (Free) Penetration testing tool.
  • Nexus – Network scanning at various levels and domains.
  • NMAP – (Free / Open source) Network scanning and security auditing.

Security Support Tips for Team Leads and Project Members (00:40:11)

Security Areas Companies Routinely Overlook (00:42:41)

Tools Mentioned

  • Acunetix – Various tools, including a website vulnerability scanner.
  • HP WebInspect – An automated and configurable web-application security-testing tool that mimics real-world hacking techniques and attacks.
  • Netsparker – Application security scanner.
  • w3af – Web application attack and audit framework.

Most Common Issues and Threats in the Wild (00:44:30)

Threats and Issues

Tools Mentioned

  • SQLMap – (Open source) Penetration testing tool that automates the process of testing and exploiting SQL injection flaws. Warning: Havoc will ensue.


Additional Recommendations

Stay Up-to-Date with the Hacking Community (00:47:50)

  • Your everyday Google search
  • OWASP – Open Web Application Security Project
  • Kali Linux – Linux distribution with the sole focus of providing security penetration testing tools.

Sijmen's Knowledge Resources (00:54:00)

Twitter is Sijmen's go-to source for up-to-date information on web security.  He has also provided his direct list of the experts and related professionals he follows:


About the author

Max McCarty

Max McCarty is a software developer with a passion for breathing life into big ideas. He is the founder and owner of LockMeDown.com and host of the popular Lock Me Down podcast.