Notes from YOW! 2014: Troy Hunt on Security: ‘Hack Yourself First’

I attended YOW! Sydney 2014 and thought some people might get something useful out of my notes. These aren’t my complete reinterpretations of every slide, but just things I jotted down that I thought were interesting enough to remember or look into further.

Troy Hunt (@troyhunt) spoke about “developers building up cyber-offence skills and proactively seeking out security vulnerabilities in their own websites before an attacker does”. (Slides, Video)

Hackers Are Security Experts

[Image: a stereotypical security hacker, using a computer in a dark room while wearing a Guy Fawkes mask and a black hat.]

He started out with the obvious but perhaps too often forgotten observation: “You can’t defend your app unless you actually understand how the hacker’s technology works.”

He described how hackers only need to “get it right” once. Those developing and deploying the system need to get it right every time. (This is sometimes called the “Fortification Principle”. Apparently DARPA are working on evening out the playing field.)

Know Where Security Applies

He asked: If your company has a Twitter account, who chose the password? The marketing intern, or the Security team?