Show 3: Interview – Sijmen Ruwhof

Podcast: Play in new window | Download

Subscribe: Apple Podcasts | RSS

Not all security analyst out there have a strong development background that help them relate to the developers perspective.  But when security analyst do, it translates in their capabilities to not only approach their analysis, but also in their teaching and training to developers, you know the ones writing the potentially vulnerable code?  Well, I got to sit down with a security analyst that has a strong background in both areas.

Sijmen Ruwhof has been working in the development and security space for the past 17 years and we had a great time talking about a plethora of topics that directly related to developers in their pursuit to write more secure code.  Sijmen shares software security best practices, changes he sees in the security landscape, and recommended tools just to name a few.

Don’t miss out, tune in to hear what he has to say.

[headline tag=”div” css_class=”h2″ color=”color2″]Show Notes[/headline] [section_headline tag=”h3″ lined=”yes” color=”color2″]Recommended Tools: (00:37:00)[/section_headline]

Testing Tools

[list type=”circle” color=”color1″]

• Zap (OWASP) – (Free) Penetration Testing tool.
• Nexus – Network scanning at various levels and domains.
• NMAP – (Free / Open source) Network scanning and Security Auditing.

[/list] [section_headline tag=”h3″ lined=”yes” color=”color2″]Security support Tips for Team leads and Project members (00:40:11)[/section_headline] [section_headline tag=”h3″ lined=”yes” color=”color2″]Security areas companies routinely overlook 00:(42:41)[/section_headline]

Tools Mentioned

[list type=”circle” color=”color1″]

• Acrunex – Various tools, including Website Vulnerability Scanner.
• HP WebInspect – HP WebInspect is an automated and configurable web-application security-testing tool that mimics real-world hacking techniques and attacks.
• Netsparker – Application Security Scanner.
• W3aF – (Web application attack and audit framework)

[/list] [section_headline tag=”h3″ lined=”yes” color=”color2″]Most common issues and threats in the wild (00:44:30)[/section_headline]

Threats and Issues

[list type=”circle” color=”color1″]

• Missing software updates (I don’t think companies realize how significant this is, such a low hanging fruit with high devastating potential)
• SQLi
• XSS

[/list] Tools Mentioned

[list type=”circle” color=”color1″]

• SQLMap – (Open source) Penetration testing tool that automates the process testing and exploiting SQL injection flaws. Warning: Havoc will ensue.

[/list]

 

Additional Recommendations 

[list type=”circle” color=”color1″]

• Content Security Policies (CSP) 

[/list] [section_headline tag=”h3″ lined=”yes” color=”color2″]Stay up-to-date with the hacking community (00:47:50)[/section_headline] [list type=”circle” color=”color1″]

• Your everyday google search
• OWASP – Open Web Application Security Project
• Kali Linux – Linux distribution with the sole focus of providing security penetration testing tools.

[/list] [section_headline tag=”h4″ lined=”yes” color=”color2″]Sijmen’s Knowledge Resources (00:54:00)[/section_headline]

Twitter is Sijmen’s go to, up-to-date information on web security.  He has also provided his direct list of experts and related professionals that he follows:

• TheHackersNews
• SCMagazine
• SecurityWeek
• i0n1c
• 0xcharlie
• manicode
• ivanristic
• ydklijnsma
• rootkovska
• RSnake
• troyhunt
• mikko
• kaepora
• kevinmitnick
• briankrebs
• hdmoore
• jeremiahg
• schneierblog
• shodanhq
• haveibeenpwned
• OWASP
• NMap
• metasploit
• SwiftOnSecurity