Not all security analyst out there have a strong development background that help them relate to the developers perspective. But when security analyst do, it translates in their capabilities to not only approach their analysis, but also in their teaching and training to developers, you know the ones writing the potentially vulnerable code? Well, I got to sit down with a security analyst that has a strong background in both areas.
Sijmen Ruwhof has been working in the development and security space for the past 17 years and we had a great time talking about a plethora of topics that directly related to developers in their pursuit to write more secure code. Sijmen shares software security best practices, changes he sees in the security landscape, and recommended tools just to name a few.
Don’t miss out, tune in to hear what he has to say.[headline tag=”div” css_class=”h2″ color=”color2″]Show Notes[/headline]
Testing Tools[list type=”circle” color=”color1″]
- Zap (OWASP) – (Free) Penetration Testing tool.
- Nexus – Network scanning at various levels and domains.
- NMAP – (Free / Open source) Network scanning and Security Auditing.
Tools Mentioned[list type=”circle” color=”color1″]
- Acrunex – Various tools, including Website Vulnerability Scanner.
- HP WebInspect – HP WebInspect is an automated and configurable web-application security-testing tool that mimics real-world hacking techniques and attacks.
- Netsparker – Application Security Scanner.
- W3aF – (Web application attack and audit framework)
Threats and Issues[list type=”circle” color=”color1″]
- Missing software updates (I don’t think companies realize how significant this is, such a low hanging fruit with high devastating potential)
- SQLMap – (Open source) Penetration testing tool that automates the process testing and exploiting SQL injection flaws. Warning: Havoc will ensue.
Additional Recommendations[list type=”circle” color=”color1″]
- Your everyday google search
- OWASP – Open Web Application Security Project
- Kali Linux – Linux distribution with the sole focus of providing security penetration testing tools.
Twitter is Sijmen’s go to, up-to-date information on web security. He has also provided his direct list of experts and related professionals that he follows: