During this year's edition of the innovation festival Trondheim Playground, Girl Geek Dinners Trondheim announced a hacker workshop. The event was hosted by the IT consultancy company Webstep. Even if you don't work with IT security in your job, knowing how a hacker thinks can help you and your employees understand the importance of following a security policy, and how to develop or buy better and more robust applications.
The first talk was an intro to IT security by cryptologist Lillian Kråkmo from Cybehave. Lillian gave us examples of recent events in the Norwegian news of companies getting hacked and politicians not following security guidelines.
IT security is always a trade-off between functionality, security and usability – you cannot get the best of all three at the same time. To assess the risk you have to look at the value, threats and vulnerabilities of each case, which is also a trade-off. But remember that you are always the biggest security threat. IT security is a process or internal culture, not a product you can buy. Here are the top ten vulnerabilities according to OWASP 2017:
The workshop was led by Cybehave's founder and IT security expert, Håkon Olsen. He guided us through the OWASP Juice Shop project. There are 40 possible security weaknesses to find in the app. If you want to test it at home, we recommend making a free account with Heroku, following the instructions to deploy the app there, and downloading the Firefox browser (best developer tools) and/or helper tools like cURL.
We learned about XSS, SQL injections, bad hashing algorithms, the importance of data validation on the server side, and monitoring network data like cookies and tokens. However, no one got through all 40 challenges during the workshop, so we will keep on hacking at home.
GGD organizers: Kristina Brend & Nina Beate Solberg Susegg