Learn how to conduct effective product security testing in this conference talk from Converge 2018. Explore the complexities of product security, understand common coding mistakes, and discover why not all devices prioritize security. Gain insights into continuous improvement models, the importance of strong passwords, and software updates. Delve into the process of conducting security product reviews, including initial system investigation, product analysis, and the OWASP Top 10. Examine various analysis techniques such as static analysis, dynamic analysis, and vulnerability composition analysis. Discover tools like Dot Peek, Burp Suite, and Visual Studio for security testing. Cover topics including decompiling, fuzzing, manual hacking, and code review. Learn about ethical considerations in security research and effective reporting methods. Gain a comprehensive understanding of product security testing and its role in the broader security landscape.
How to Conduct a Product Security Test and How it Fits Into the Larger Security Strategy
via YouTube
Overview
Syllabus
Intro
We are here to help
Product complexity
Background Knowledge
Security Concerns
Continuous Improvement Models
Wasps
Why do coding mistakes happen
Not every device is built with security
Use strong passwords
Software updates
Protecting intellectual property
Security researchers
How we conduct security product security reviews
Initial system investigation
Additional domain knowledge
Product analysis
WASP Top 10
Dot Peek
Decompile
Static Analysis
Static Analysis Tools
Gartner Magic Quadrant
Vulnerability Composition Analysis
Vulnerability Composition Analysis Output
Static Analysis Tool
Visual Studio
Dynamic Analysis
Web Interface
Fuzz Testing
Manual Hacking
Burp Suite
Code Review
Proof of Concept
Command Injection
Keep it Ethical
Reporting
Summary
