Nick Pettit interviews Jared Smith about his upcoming OWASP Top 10 Vulnerabilities course and Craig interrupts to tell you about how there's an XKCD comic for everything.
0:00 Craig: Hi, I'm Craig. Welcome to the Treehouse Show. The Treehouse Show is our weekly conversation with the Treehouse community. [MUSIC] In this episode, we have a special guest in our Orlando office. Guest teacher and security expert Jared Smith is in filming his latest course about the OWASP Top 10. OWASP stands for Open Web Application Security Project. It's an organization that provides unbiased and practical information about the security of web apps. Every year, they release their list of the top 10 most critical web application security risks. Over to you, Nick.

0:34 Nick: Well, hey everybody. I'm Nick Pettit and I'm here with Jared Smith, who is a security expert, and he's very into, what, OWASP Top 10? How-

0:47 Jared: Web security.

0:49 Nick: So I guess, first, before we get into all that, how would you describe yourself?

0:52 Jared: I would say I'm mostly an application security and general computer security expert, but I do a lot of software engineering, so it's important to understand that even, to really be competent in security, and that's where my focus has been.

1:07 Nick: Cool. So how did you get into that? I mean, how did you even get into Computer Science in the first place?

1:14 Jared: So I started out in physics, and physics has this great thing where you have to do a lot of programming these days to do the more experimental work. And I had to take a CS course when I was an undergrad, and I took the CS course and I was like, physics is not as fun as CS, so I switched to CS, and I've been doing it ever since.

1:30 Nick: Yes, true. Very true. I don't know.

1:33 Jared: [LAUGH]

1:34 Nick: But I'm always gonna champion Computer Science. So you got into physics and realized that you wanted to do Computer Science more. What then led into security, specifically?

1:46 Jared: Yes, so there's these things called Capture the Flags, or CTFs, kinda like hackathons for security. So someone will set up a bunch of challenges that say, hey, download this file and exploit it. Or some of them are like, here's a Game Boy Advance-like ROM and you need to reverse engineer it and beat the game without actually playing the game, because you can't beat it by playing it. Or they break some cryptography thing. So I did that and got into it, and then I was hired at Cisco Systems and I did pen testing there after they built from us, the internet. And then since then I've been doing security research at Oak Ridge National Lab, I'm leading projects in digital forensics and malware analysis.

2:26 Nick: Okay, very cool. So what is OWASP Top 10, and how are you involved in that?

2:32 Jared: Yeah, so OWASP Top 10 is a framework for encapsulating the top 10 web application security vulnerabilities. Things that can affect all users today on websites. And in general, it provides a way to say, here's the top 10 things, keep an eye on them, here's how to fix them. How I've been involved in it? Just in security, if you're doing any sort of application security, and you do web stuff, that comes up all the time. Because these pop up all over the place still today.

3:01 Nick: And what are some of the things on the list? I imagine there's probably like cross-site scripting, SQL injection.

3:08 Jared: SQL injections.

3:11 Craig: Whoa. Hey guys, can I interrupt real quick? You guys ever see that XKCD comic, the one about the SQL injection? For those of you watching along who don't know what a SQL injection attack is, it's when a hacker figures out a way to run code on your server by passing in SQL code through a form field or URL. SQL, or S-Q-L, stands for Structured Query Language, and it's what's used to talk to databases, you know, to get stuff in and out of your applications. Well, anyways, one of my favorite XKCD comics does this so good. And the setup is a mom gets a call on the phone, and she's like, [SOUND] "Hi, this is your son's school. We're having some computer problems." And then the mom's all, "No, did he break something?" And the guy says, "Did you really name your son Robert Single Quote Parentheses Semicolon Drop Table Student Semicolon?" And that's the SQL there. That's kind of what one of those attacks looks like. Like that code, if it made it through a form submission and the proper security wasn't in place, it would drop or erase all of the students. So the mom's like, "Yes, Little Bobby Tables." And the school is like, "Well, we lost all the records, I hope you're happy." And she goes, "And I hope you learned to sanitize your database inputs." [LAUGH] So, good, sorry to interrupt, continue.

4:17 Jared: So like-

4:20 Nick: SQL injection.

4:21 Jared: SQL injection, there's things like even as much as like misconfiguration, so if you don't convey your things properly, things are gonna happen. And there's things like sensitive data exposure, so if you don't encrypt social security numbers and date of birth, and that gets leaked, and they don't have your key, then they're gonna have those things in plain text, then they can publish that along with your credit card numbers.

4:40 Nick: That's not good. So did the security risks change a lot from year to year, or is it just kind of standard forever?

4:50 Jared: Yeah, so it's actually interesting. It has changed a lot. For example, between the last update in 2013 and 2017, a few things changed. Things that popped up. Now they're talking about insufficient logging and monitoring. So finally they're focusing on, hey, not only do you need to have these security things implemented, but if you don't log what happens in your app, then if you do get breached, how do you know what happened? But a lot of the issues in websites popped up a long time ago in the 90s, and in the early 2000s have kind of tapered off. But an interesting thing is that things like IoT and other new emerging areas are making the same mistakes that were made back in the 90s all over again. So it's kind of just a cycle, as I've seen, that keeps popping out, and see where it goes from here.

5:35 Nick: Is there anything on the list right now that is surprising to you or unexpected?

5:39 Jared: It's still surprising to see things like SQL injection. Because we have so many ways to prevent not sanitizing data, but it happens time and time again, and it just keeps happening. I mean, just as recently, the Equifax breach was supposedly from SQL injection in an Apache project. So it just so happens when we build on top of millions of lines of other people's code, eventually something's gonna be found.

6:05 Nick: It's a lot of points of failure.

6:08 Jared: Yeah.

6:08 Nick: I'm sure. So you're doing this OWASP Top 10 course. What is something from that that you hope everyone takes away from it?

6:18 Jared: Yeah. Absolutely. I really hope people just become more aware of security. I give a lot of conference talks, and the thing that happens is that people are just blown away that security is even a field. And people that I've met from Facebook and Google that are application developers really don't even know the basics of security. So being ahead of that train is really valuable for getting jobs in the field of Computer Science and Software Engineering. And just for your moral sake of protecting the people you build applications for.

6:49 Nick: Very cool stuff. Well. Thank you so much for being here.

6:51 Jared: Yeah, absolutely, thank you so much.

6:56 [MUSIC]

6:59 Craig: Thanks for watching the Treehouse Show. To get in touch with the show, reach out to me on Twitter or email us at email@example.com. See you next time. I'm gonna go read some more XKCD.
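The Bobby Tables attack Craig describes in the show, written out as a runnable example added for this page. It is not code from the show, from Jared's course, or from XKCD. It assumes an in-memory SQLite database with a constructed `Students` table holding two rows; the payload is the one from the comic, `Robert'); DROP TABLE Students;--`; and `sqlite3`'s `executescript()` stands in for a database driver that executes stacked statements, because the module's plain `execute()` refuses to run more than one statement per call. The vulnerable path pastes the submitted name into the query text; the safe path binds it as a parameter.

```python
import sqlite3

# Payload from the XKCD comic discussed in the show, character for character:
# the quote and parenthesis close the VALUES ('...') literal, the semicolon
# ends the INSERT, DROP TABLE runs as a second statement, and "--" comments
# out whatever the application appended after the name.
BOBBY_TABLES = "Robert'); DROP TABLE Students;--"


def fresh_db():
    """Constructed sample data: an in-memory SQLite table with two students."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Students (id INTEGER PRIMARY KEY, name TEXT NOT NULL)")
    conn.executemany("INSERT INTO Students (name) VALUES (?)", [("Alice",), ("Bob",)])
    conn.commit()
    return conn


def insert_vulnerable(conn, name):
    """The 'form field pasted into the query' pattern.

    The submitted name becomes part of the SQL text, so a quote in it ends the
    string literal and everything after it is parsed as SQL.  executescript()
    runs all statements in the string; it stands in for the stacked-query
    behaviour many production drivers allow.  (sqlite3's single-statement
    execute() would reject the second statement here, but an injection into a
    WHERE clause needs no second statement and would still go through.)
    """
    sql = "INSERT INTO Students (name) VALUES ('" + name + "');"
    conn.executescript(sql)
    conn.commit()


def insert_safe(conn, name):
    """Parameterised query: the name is bound as a value and never parsed as SQL."""
    conn.execute("INSERT INTO Students (name) VALUES (?)", (name,))
    conn.commit()


def table_exists(conn):
    """True if the Students table is still present in the schema."""
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = 'Students'"
    ).fetchone()
    return row is not None


def student_names(conn):
    return [r[0] for r in conn.execute("SELECT name FROM Students ORDER BY id")]


def run_vulnerable():
    """Submit the payload through the concatenating path.

    Returns whether the Students table survived (it does not).
    """
    conn = fresh_db()
    insert_vulnerable(conn, BOBBY_TABLES)
    return table_exists(conn)


def run_safe():
    """Submit the same payload through the parameterised path.

    Returns (table survived, names in the table); the payload is stored as an
    odd-looking but harmless student name.
    """
    conn = fresh_db()
    insert_safe(conn, BOBBY_TABLES)
    return table_exists(conn), student_names(conn)


if __name__ == "__main__":
    print("vulnerable path, table still exists:", run_vulnerable())  # False
    print("parameterised path:", run_safe())  # (True, ['Alice', 'Bob', "Robert'); DROP TABLE Students;--"])
```

Run it with `python` and the vulnerable path loses the table while the parameterised path keeps it and simply records the strange name. That is the practical reading of the comic's punchline: "sanitizing" inputs by escaping or filtering is the fragile fix, because it has to anticipate every way the text could break out of the literal; binding parameters keeps data and SQL text separate no matter what the input contains.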