As October marks European Cyber Security Month (an awareness campaign that promotes the importance of information security), Innovative TechTalks 2019 invited local and international tech industry experts to discuss some of the biggest threats facing organisations, and how developers can prevent and/or defend against them. It turned out to be a day filled with interesting and practical tech-talks. Let us see what the most important takeaways from our wonderful speakers were.
Maxcode is about growth
Innovative TechTalks 2019 started with a welcome note by the CEO of Maxcode, Jules van den Berg. He took the stage to share his thoughts on how the company has evolved in the past 15 years, alongside the city of Iasi. The two key factors to steady development are financial investments and the people who strive to become better and innovate constantly.
Prevention is the first key to success
The first session was held by Paula Januszkiewicz, CEO and Founder of CQURE, and focused on the most common attacks in the industry. As a world-class cybersecurity specialist with more than 15 years of experience in this domain, she gave us valuable insights into social engineering techniques. In addition, Paula tackled the subject of what a cybersecurity position truly entails and talked about the current global gap of nearly 5 million cybersecurity specialists worldwide.
As there are still a lot of attacks that should not happen anymore, caused by weak passwords, the reckless use of USB sticks, connections to unknown Wi-Fi networks, falling for phishing lures and even being a little too social in the workplace, Paula advises organisations to adopt two essential mindsets:
- Awareness comes with experience
- Culture comes with understanding
Paula’s second presentation was more technical. Her demos showed how the memory and disk of your PC or laptop can leave traces of cybercriminal activities or can be used in cyber-attacks. If you want to see how much you really know about Windows security, take this quiz developed by Paula and her team at CQURE Academy.
Is reusable code so safe?
Adrian Marinica, software developer at Maxcode, started his session by saying that nothing is unbeatable, not even a fortress, if you attack it from the inside. His main topic was package management security, focusing on the dangers of using open-source code. Among the main weaknesses, Adrian mentioned the lack of financial incentives, which leads to less-secure software, and the fact that a large number of contributors does not necessarily translate into more secure open-source code.
How can we prevent typo-squatting, forced account takeovers and other threats? Adrian shared some great tips with the Innovative TechTalks 2019 attendees: always double-check an open-source package's origin before installing it, avoid packages that ship binary or obfuscated code, and continuously check your dependencies for known vulnerabilities.
Most of the security practices are already there
After a tasty lunch break, Ciprian Grigore, software developer at Maxcode, held a session on the best security practices in Azure. He began by underlining the importance of the DevOps culture and the benefits of the cloud, where the responsibility is shared between the implementer and the cloud provider, whose top priority is and should be security.
Ciprian then moved on to explain the best tools and practices in Azure, with the help of a playful acronym: CASINO. Some of the main Azure security capabilities to keep in mind:
- Computer and keys – choose a key management solution, such as Azure Key Vault;
- Application – use a Web Application Firewall, regularly run vulnerability scanning tools, use a Layered Security Architecture, and keep diagnostics logging enabled;
- Storage and data – protect data by using encryption with Azure SQL;
- Identity and access management – use Azure Active Directory and Role-Based Access Control;
- Networking – optimise uptime and performance, and disable RDP/SSH access to virtual machines;
- Operations – automate the build and deployment of services with Azure Resource Manager, and monitor the performance of your apps with Application Insights.
Web apps are uniquely vulnerable
Chris Holland, Director of Engineering at Trinet Cloud and NDC speaker, took us on a learning path to improved security for web applications. As software is everywhere, in every industry (banking, automotive, etc.), it is necessary to understand the importance of building a secure app from the very beginning. With more than 23 years of experience in this field, Chris explained that, when it comes to organisations, hackers are interested in the core business data. And there are two main ways to get to it: go after the employees of the company or attack its public apps.
Chris highlighted the importance of human education as a long-term strategy to improve security. Some of the tips he considers most usable are: checking the top projects on OWASP regularly, knowing and using the security tool selections for specific programming languages, checking for vulnerabilities and doing automated penetration tests routinely, and, most importantly, managing the user authentication process carefully (keep the failure messaging vague, pay attention to account recovery steps and password policies). After all, InfoSec is a mindset.
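As an added illustration of Chris's advice to keep authentication failure messaging vague (example code written for this recap, not from the talk or from Maxcode): a leaky login handler beside a hardened one that returns a single generic message and performs the same password-hashing work whether or not the username exists, so neither the text nor the response time reveals which accounts are valid. The user store, usernames and passwords below are constructed for the example.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # PBKDF2 work factor; constructed value for the example


def hash_password(password: str, salt: bytes) -> bytes:
    """Derive a password hash with PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def make_user_store(credentials: dict) -> dict:
    """Build a constructed in-memory store: username -> (salt, hash)."""
    store = {}
    for user, password in credentials.items():
        salt = os.urandom(16)
        store[user] = (salt, hash_password(password, salt))
    return store


# Dummy record used when the username is unknown, so the expensive hash still
# runs and the response time does not reveal whether the account exists.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = hash_password("dummy-never-a-valid-password", _DUMMY_SALT)

GENERIC_FAILURE = "Invalid username or password."


def login_leaky(store: dict, username: str, password: str) -> tuple:
    """Anti-pattern: distinct messages let a caller enumerate valid accounts."""
    if username not in store:
        return (False, "Unknown user.")
    salt, stored = store[username]
    if not hmac.compare_digest(hash_password(password, salt), stored):
        return (False, "Wrong password.")
    return (True, "OK")


def login(store: dict, username: str, password: str) -> tuple:
    """Hardened: one message for every failure, same work on every path."""
    salt, stored = store.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    ok = hmac.compare_digest(hash_password(password, salt), stored)
    if username not in store or not ok:
        return (False, GENERIC_FAILURE)
    return (True, "OK")
```

The same principle applies to account recovery: "if an account exists for this address, an e-mail has been sent" gives the legitimate user what they need without confirming the address to anyone else.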
Do something about it
The last session of the day was held by Iulia Dormenco, software developer at Maxcode. Although the topic was not security-related, we were all very excited to hear about her team's struggle with, and victory over, testing legacy code. Iulia walked us through the steps of introducing unit testing: starting with awareness, cleaning up and rewriting tests, building the knowledge in the team and eventually enforcing the new practices.
This whole process led to today’s approximately 1000 unit tests and more than 300 integration tests, a constant source of useful and fast feedback. The most important thing that Iulia taught the attendees is that our attitude toward a project is equally important in a software developer’s profession. So “do something about it to make sure you are building the right thing and the thing right”.
None of this would have been possible without the presence of such outstanding speakers and engaged attendees. We would like to thank you all for taking part in the second edition of Innovative TechTalks.
We will see you next year! Stay tuned, stay innovative.