InfoSec is a mindset, not a series of checkpoints

In the last couple of years, security has been at the forefront of the industry discussions. Companies and individuals alike have finally understood that it is a necessity in today’s world, with software security, especially, being of utmost importance.

Many software development companies are now fully aware of the significance of best practices and are keen to spread their knowledge to help others develop software based on core security principles.

Earlier in April 2019, the IT community in Iasi had the opportunity to learn how to build secure applications and protect sensitive data during DevExperience’s 4th edition. Six months later, during the Cybersecurity Awareness Month, Maxcode dedicated the entire 2nd edition of their Innovative TechTalks conference to cybersecurity.

Conference opening

At the event, security experts and software developers were given the floor to discuss their experiences and best practices on dealing with technology, industry attacks and cybersecurity in general.

Topics that were addressed ranged from the industry’s most common attacks and signs we’ve been hacked to open-source code security and best practices in web application security. All presentations were highly entertaining and full of revealing insights into the hallmarks of software and web security thinking.

Attacks of the industry & Signs we’ve been hacked

After a brief yet compelling welcoming speech from the CEO of the organizing company, the first speaker to address the attendees was Paula Januszkiewicz, CEO and Founder of CQURE. Together with her team, they offer companies cybersecurity services, including penetration tests, audits, architecture consulting as well as trainings and seminars.

Paula had two amazing sessions on industry attacks and symptoms that we’re being hacked. During the first presentation, she focused on the most common types of attacks and reasons why that might happen. Spoiler alert: lousy passwords and too much social media are two of the reasons :)

Paula began her presentation with a short general introduction to cybersecurity and its evolution to the current day as well as the importance of security professionals.

According to the industry statistics, by 2019 the market will need 6 million security professionals. But only 4 to 5 million of them will have the needed qualifications.

Pertinent examples, relevant statistics and tangible advice on how to prevent attacks were the highlights of the talk. Deliberately or not, she also managed to draw laughter from the audience with her well-placed jokes and quirky experiences while doing social engineering on behalf of her customers.

Paula Januszkiewicz discussing attacks of the industry

The aim of the keynote was to emphasize the biggest missteps in infrastructure security that, from an attacker’s perspective, can be pretty much always exploited. I am sure the attendees have had the chance to gather a series of suggestions and ideas on how to reach the next level of security in their workspaces. To come to their assistance, Paula left us with a list of cybersecurity questions we should ask ourselves in order to build easier-to-defend code and increase the level of data and system protection. Here are some of them:

  • Do we treat cybersecurity as a business or IT responsibility?
  • Do our security goals align with business priorities?
  • Does our business culture support a secure cyber environment?
  • Do we focus on security compliance or security capability?
  • Do we regularly evaluate the effectiveness of our security?

The second presentation held by Paula was a bit more on the technical side and contained a beautiful demo on how to detect cybercriminal activities on your network or computer. Surprisingly, your disk drive contains a lot of juicy information that can reveal a lot of secrets and history about what happened in the past.

Open-source is the engine that pushes the IT industry forward

Another engaging session was the one given by Maxcode software developer Adrian Marinică, who addressed the topic of package management security. A lot of developers use open-source code, but do any of them really think about the risks they expose their application to? Adrian made a gripping case for package manager security, discussing their main vulnerabilities, how to read red flags and how to protect your code from exploits.

Dealing with Package Management Security

Account takeover and typo-squatting are only some of the threats that we need to mitigate when using open-source software. What might happen if you manage an open-source package and your account is taken over, you ask? Well, endless data, extraneous dependencies, "depend on everything" and unresolvable dependencies rank first in the list of consequences. Your application might not be permanently affected and your attacker might not have any material gain from this, but it would be quite fun for them to know you’ll be struggling for a while.

However, not all is without hope, and Adrian managed to end the presentation on a positive and optimistic note. The solution is not to stop using open-source packages altogether, but to find ways to prevent the risks. And for this, he has a list of great advice which you can see in the image below.

Adrian's take on how to mitigate risks when working with package managers
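As an added example (not from the talk or the original post), here is a small Python audit over a constructed pip-style requirements list that flags the two classes of risk discussed above: names suspiciously close to a trusted package (typo-squatting) and entries without a pinned version or integrity hash, which is what lets a hijacked maintainer account ship a modified release unnoticed. The trusted allowlist, the sample file and its hash values are assumptions made for the example.

```python
import re
from difflib import SequenceMatcher

# Hypothetical allowlist of packages the project already vets (assumption).
TRUSTED = {"requests", "flask", "numpy", "cryptography"}

# Constructed sample requirements file. The hashes are placeholders, not real digests.
SAMPLE_REQUIREMENTS = """\
# constructed for the example
requests==2.31.0 --hash=sha256:PLACEHOLDER_A
reqeusts==2.31.0 --hash=sha256:PLACEHOLDER_B
flask>=2.0
numpy==1.26.0
"""

def parse_requirements(text):
    """Return a list of {name, version, hashes} for each non-comment line."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        m = re.match(r"^([A-Za-z0-9_.\-]+)(?:==(\S+))?", parts[0])
        hashes = [p.split("=", 1)[1] for p in parts[1:] if p.startswith("--hash=")]
        # Only '==' counts as pinning; '>=' and bare names are left unpinned.
        entries.append({"name": m.group(1).lower(), "version": m.group(2), "hashes": hashes})
    return entries

def similar_name(name, trusted, threshold=0.85):
    """Return a trusted name that is suspiciously close to `name`, or None if exact/unrelated."""
    if name in trusted:
        return None
    best = max(trusted, key=lambda t: SequenceMatcher(None, name, t).ratio())
    return best if SequenceMatcher(None, name, best).ratio() >= threshold else None

def audit(text, trusted=TRUSTED):
    """Return (package, finding) pairs for look-alike names, unpinned versions and missing hashes."""
    findings = []
    for e in parse_requirements(text):
        look_alike = similar_name(e["name"], trusted)
        if look_alike:
            findings.append((e["name"], f"possible typo-squat of '{look_alike}'"))
        if e["version"] is None:
            findings.append((e["name"], "version not pinned"))
        elif not e["hashes"]:
            findings.append((e["name"], "no --hash, integrity not verified"))
    return findings

if __name__ == "__main__":
    for pkg, finding in audit(SAMPLE_REQUIREMENTS):
        print(f"{pkg}: {finding}")
```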

Practical Security in Web Applications

International speaker Chris Holland discussed effective methods to identify and avoid the most common and devastating security pitfalls in web applications. He pointed out that it is necessary to understand the importance of building secure software from the beginning rather than regretting it later. With this in mind, Chris tackled some of the business risks a company is exposed to and indicated how they can be avoided. Chris has been kind enough to share the entire presentation with the participants, so I’d also like to give you the opportunity to read more on this.

Chris Holland on Practical Security in Web Applications

Among his fitting advice, he strongly recommended that the audience keep up to date with everything that happens in the industry and read the relevant websites from their area of interest, including that of OWASP.

Other presentations from this year’s Innovative TechTalks covered topics such as Security Best Practices in Azure and 0 to 1000 tests: The journey of Unit Testing in a Legacy Application. Although it did not address a security-related theme, the last presentation won our attention by tackling the struggles of working with legacy code and showing us how we can “do something about it” by carefully testing our work and by embracing our profession as software developers.

With such great topics and talented speakers that can share their experiences and best practices, we are looking forward to what the next edition might bring.

During the event, Press on Security had the pleasure to discuss a bit more with Paula Januszkiewicz about her company CQURE and what it means to be a woman in an industry that is quite male-dominant. Don’t miss the interview coming up soon!


Innovative TechTalks is an invite-only one-day event, created by developers for developers, in order to mediate a practical exchange of technology related information and ideas. Organized by Maxcode, it is aimed at bringing you closer to some of the best developers in Iași, as well as to distinguished international speakers.

Maxcode is a software development company with offices in Romania and The Netherlands. Their approach to software development caters to web, desktop and mobile financial solutions. The company is a constant presence in the IT community, always encouraging people to get together and discuss industry solutions while also sharing knowledge and best practices.
