Nick Pettit interviews Jared Smith about his upcoming OWASP Top 10 Vulnerabilities course and Craig interrupts to tell you about how there's an XKCD comic for everything.
[0:00] Hi, I'm Craig. Welcome to the Treehouse Show. The Treehouse Show is our weekly conversation with the Treehouse community.

[0:07] [MUSIC]

[0:09] In this episode, we have a special guest in our Orlando office. Guest teacher and security expert Jared Smith is in filming his latest course about the OWASP Top 10. OWASP stands for Open Web Application Security Project. It's an organization that provides unbiased and practical information about the security of web apps. Every year, they release their list of the top 10 most critical web application security risks. Over to you, Nick.

[0:34] >> Well, hey everybody. I'm Nick Pettit and I'm here with Jared Smith, who is a security expert, and he's very into, what, OWASP Top 10? How-

[0:47] >> Web security.

[0:49] >> So I guess, first, before we get into all that, how would you describe yourself?

[0:52] >> I would say, I'm mostly application security and general computer security expert, but I do a lot of software engineering, so it's important to understand that even, really be competent security, and that's where my focus has been.

[1:07] >> Cool. So how did you get into that, I mean how did you even get into Computer Science in the first place?

[1:14] >> So I started out in physics, and physics has this great thing where you have to do a lot of programming these days to do the more experimental work. And I had to take a CS course when I was an undergrad, and I took the CS course and I was like, physics is not as fun as CS, so I switched to CS, and I've been doing it ever since.

[1:30] >> Yes, true. Very true. I don't know.

[1:33] >> [LAUGH]

[1:34] >> But I'm always gonna champion Computer Science. So you got into physics and realized that you wanted to do Computer Science more. What then led into security, specifically?

[1:46] >> Yes, so there's these things called Capture the Flags or CTFs, kinda like hackathons for security. So someone will set up a bunch of challenges that say, hey, download this file and exploit it. Or some of them are like here's a Gameboy Advance-like RAM and you need to reverse engineer it and beat the game without actually playing the game because you can't beat it by playing it. Or they break some cryptography thing. So I did that and got into it, and then, I was hired at Cisco Systems and I did pen testing there after they built from us, the internet. And then since then I've been doing security research at Oak Ridge National Lab, I'm leading projects in digital forensics and malware analysis.

[2:26] >> Okay, very cool. So what is OWASP Top 10, and how are you involved in that?

[2:32] >> Yeah, so OWASP Top 10 is a framework for encapsulating the top 10 web application security vulnerabilities. Things that can affect all users today on websites. And in general, it provides a way to say, here's the top 10 things, keep an eye on them, here's how to fix them. How I've been involved in it? Just in security, if you're doing any sort of application security, and you do web stuff, that comes up all the time. Because these pop up all over the place still today.

[3:01] >> And what are some of the things on the list? I imagine there's probably like cross-site scripting, SQL injection.

[3:08] >> SQL injections.

[3:11] >> Whoa. Hey guys, can I interrupt real quick? You guys ever see that XKCD comic, the one about the SQL injection? For those of you watching along who don't know what a SQL injection attack is, it's when a hacker figures out a way to run code on your server, by passing in SQL code through a form field or URL. SQL, or S-Q-L, stands for Structured Query Language, and it's what's used to talk to databases, you know, to get stuff in and out of your applications. Well, anyways, one of my favorite XKCD comics does this so good. And the setup is a mom gets a call on the phone, and she's like.

[3:42] >> [SOUND]

[3:43] >> Hi, this is your son's school. We're having some computer problems.

[3:44] >> And then the mom's all-

[3:46] >> No, did he break something?

[3:48] >> And the guy says, did you really name your son Robert Single Quote Parentheses Semicolon Drop Table Student Semicolon?

[3:56] >> And that's the SQL there. That's kind of what one of those attacks look like, like that code, if it made it through a form submission and the proper security wasn't in place, it would drop or erase all of the students. So the mom's like, yes, Little Bobby Tables. And the school is like, well, we lost all the records, I hope you're happy.

[4:12] >> And she goes

[4:13] >> And I hope you learned to sanitize your database inputs.

[4:16] >> [LAUGH] So, good, sorry to interrupt, continue.

[4:17] >> So like-

[4:20] >> SQL injection.

[4:21] >> SQL injection, there's things like even as much as like misconfiguration, so if you don't convey your things properly, things are gonna happen. And there's things like sensitive data exposure, so if you don't encrypt social security numbers and date of birth, and that gets leaked, and they don't have your key. Then they're gonna have those things in plain text, then they can publish that along with your credit card numbers.

[4:40] >> That's not good. So do the security risks change a lot from year to year or is it just kind of standard forever?

[4:50] >> Yeah, so it's actually interesting. It has changed a lot, for example, between the last update in 2013 and 2017, a few things changed. Things that popped up. Now, they're talking about insufficient login, monitoring. So finally, they're focusing on, hey, not only do you need to have these security things implemented, but if you don't log what happens in your app, then if you do get breached, how do you know what happened. But a lot of the issues in websites popped up a long time ago in the 90s, and in the early 2000s have kind of tapered off. But an interesting thing is that things like IoT and other new emerging areas are making the same mistakes that were made back in the 90s all over again. So it's kind of just a cycle as I've seen that keeps popping out and see where it goes from here.

[5:35] >> Is there anything on the list right now that is surprising to you or unexpected?

[5:39] >> It's still surprising to see things like SQL injection. Because we have so many ways to prevent not sanitizing data, but it happens time and time again, and it just keeps happening. I mean, just as recently, the Equifax breach was supposedly from SQL injection in an Apache project. So it just so happens when we build on top of millions of lines of other people's code, eventually, something's gonna be found.

[6:05] >> It's a lot of points of failure.

[6:08] >> Yeah.

[6:08] >> I'm sure. So you're doing this OWASP Top 10 course. What is something from that that you hope everyone takes away from it?

[6:18] >> Yeah. Absolutely. I really hope people just become more aware of security. I give a lot of conference talks and the thing that happens, is that people are just blown away that security is even a field. And people that I've met from Facebook and Google that are application developers really don't even know the basics of security. So being ahead of that train is really valuable for getting jobs in the field of Computer Science and Software Engineering. And just for your moral sake of protecting the people you build applications for.

[6:49] >> Very cool stuff. Well. Thank you so much for being here.

[6:51] >> Yeah, absolutely, thank you so much.

[6:56] [MUSIC]

[6:59] >> Thanks for watching the Treehouse Show. To get in touch with the show, reach out to me on Twitter or email us at email@example.com. See you next time. I'm gonna go read some more XKCD.