Web Security: Everything we know is Wrong (Belfast)

The premise behind this joint ISACA / MTUG talk is to challenge both the technical controls we recommend to developers and also our actual approach to testing. This talk is sure to challenge the status quo of web security today.
“Insanity is doing the same thing over and over and expecting different results.” – Albert Einstein
We continue to rely on a “pentest” to secure our applications. Why do we think it is acceptable to perform a time-limited test of an application to help ensure security when a determined attacker may spend 10-100 times longer attempting to find a suitable vulnerability?

Our testing methodologies are inconsistent and depend on the individual tester and the tools they use. Some carpenters use glue and some use nails when building a wooden house. Which is best, and why do we accept poor, inconsistent quality?

Fire-and-forget scanners won’t solve security issues. Attackers invest time and skill, yet our industry accepts the output of a software programme as assurance of security?

How can we expect developers to listen to security consultants when the consultant has never written a line of code? Why don’t we ask, “How much code development have you done, seeing as you are assessing my code for security bugs?”


About the speaker

Eoin is an international board member of OWASP, the Open Web Application Security Project (owasp.org). During his time in OWASP he has led the OWASP Testing Guide and the OWASP Code Review Guide, and has also contributed to OWASP SAMM and the OWASP Cheat Sheet Series.

Eoin is a well-known technical leader in the field of software security and penetration testing, and has led global security engagements for some of the world’s largest financial services and consumer products companies. He is the CTO and founder of BCC Risk Advisory Ltd, an Irish company that specializes in secure application development, advisory, penetration testing, mobile and cloud security, and training.


About Microsoft Technology User Groups

The Microsoft Technology User Groups (MTUG.ie) is an association of technology user groups from around Ireland and Northern Ireland that run events related to Microsoft technologies. The member user groups cater for a wide range of technical roles that work with Microsoft tools and technologies, including both developers and IT professionals. MTUG.ie members also act as hosts to Special Interest Groups (SIGs) from around the country.


About ISACA Ireland

ISACA (www.isaca.org) is a professional body for information security and Governance, Risk and Compliance (GRC) professionals. There are over 110,000 members globally in 200 chapters across 180 countries, including Ireland, where there are currently over 470 members. ISACA Ireland (www.isaca.ie) holds regular educational seminars and workshops for the benefit and advancement of the local information security community. It provides professional development, advice and support for members and for those considering joining the professional body and/or taking the CISA, CISM, CGEIT and CRISC examinations.