NDC Security 2018 - Overview and Key Takeaways

While in Sydney I was lucky enough to have attended the first and second NDC Conferences. After moving up to Brisbane, did not think I could attend one of these soon. However, then comes a nice shorter version of NDC specific to Security - NDC Security. As the name suggests, this conference is particular to security-related topics with a 2-day workshop and 1-day conference, as was held in Gold Coast, Queensland.

The Workshop

Troy Hunt and Scott Helme ran two workshops and I attended Hack Yourself First by Troy. The workshop covers a wide range of topics and is perfect for anyone who is into web development. The best thing is that you only need to have a browser and Fiddler/Charles Proxy (depending on whether you are on Windows or Mac land). One of the interesting thing about the workshop is that it puts you first into the hackers perspective and forces you to exploit existing vulnerabilities in the sample site designed specifically for this. Once you can do this, we then look at ways of protecting ourselves against such exploits and other mechanisms involved.

The workshop highlights how easy it is to find and exploit vulnerabilities in applications. Some tools detect vulnerabilities and exploit them for you if you input a few details to them. You necessarily need not know the vulnerabilities itself or how exactly to exploit them. Such tools make it easy for people to use them on any website that is out there on the web. Combined with the power of search engines it makes it quite easy to make your site vulnerabilities to be easily discoverable.

The Conference

There were six talks in total and below are the ones that I found interesting.

• Scott Helme Talk: CSP XXP STS PKP CAA ETC OMG WTF BBQ…
• Talk: Dependable Dependencies
• Everything is Cyber-broken

The whole web is on a journey towards making it more secure. So it is an excellent time to move on to HTTPS if you are not already. Even after enabling HTTPS, it is a good idea to make sure you have got all the appropriate security headers set. Making sure that the libraries that you depend on are patched and updated is equally essential. There are incidents of massive data breaches because of vulnerabilities in third-party libraries and not keeping them updated.

Functionality need not be the only reason to upgrade third-party libraries. There might be security vulnerabilities that are getting patched which is an equally good reason to update dependent packages

The harder thing is to keep track of the vulnerabilities that are getting reported and always checking back with your application's dependencies. There is a wide range of tools that help make this easy and seamlessly integrate within the development workflow. It can be included as early as when a developer intends to include a library into the source code, or in the build pipeline or even for sites that are up and running. The earlier such issues get detected in the software development lifecycle, the less costly and impact it has on time and cost.

Tools

• Sonarwhal
• Snyk
• Retire.js
• Netsparker
• OWASP Zed Attack Proxy Project
• Ultimate List of Security Links

The conference ended with a good discussion between Troy and Scott on how everything is Cyber broken. It touches upon the value of Extended Validation (EV) Certificate and how CA's are trying to push for them while browsers are more and more going away from them. It also touches on various proponents of HTTP and the wrong messages that are getting spread to a broader audience and also about certificate revocations and a lot more. It was a fun discussion and a great end to the three-day event.

Location and Food

NDC Security was held at QT Gold Coast, Queensland and well organized. Coffee and drinks were available all throughout the day with a barista on the last day (which was cool). Food was served at start, breaks, and lunch and was good. The conference rooms were great and spacious and had reasonable good internet. Did not face much connectivity issues and everything ran smoothly.

One of the things I first did after coming from the conference was to move this blog over to HTTPS. I had been procrastinating long on this, but there were enough reasons to make a move now. Also, there are a bunch of things that catch my eye at client places and other web sites that I visit often. Attending the conference and workshop has been a great value add and recommend to anyone if you have a chance to attend that. For the others, most of the content is available in Pluralsight.

PS: Special thanks to Readify for sending me to this conference and also providing a 'paid vacation (accommodation)' in Gold Coast. It was a nice three-day break for my wife and son also.