I’m looking forward to reconnecting with everyone next week at AppSec California. I hope you’ll join me for my talk, Hackazon – Stop Hacking Like It’s 1999! In this talk, I’ll give a detailed overview of Hackazon, a new open source vulnerable web application that reflects the technologies used in today’s rich client and mobile applications. Hackazon is an online storefront that has an AJAX interface, strict workflows and RESTful APIs used by a companion mobile app. And it’s full of your favorite vulnerabilities, like SQL injection, cross-site scripting and so on.
During this talk, we’ll take the time machine back to 1999 to review the kinds of application security issues we were GETing and POSTing about back then. Then we’ll come back to the present day to see how our security testing tools have changed (or haven’t) to keep up with today’s dynamic applications.
The IT security community has really been lacking the tools needed to train and test our teams to secure modern web and mobile applications as well as the rapidly proliferating web services. While the industry has been using test applications to enable penetration testers to build skills and evaluate testing tools, most of the vulnerable test applications (WebGoat, DVWA and Hackme Casino) simply don’t reflect today’s applications. Even though Google’s new Firing Range test app is a handy “test bed” style application, it is also based on a mostly web 1.0 environment. Hackazon fills the gap between today’s applications and yesterday’s vulnerable test ones.
Security testing is a game of coverage. When large portions of applications go untested, there is too much unknown risk. Unknown risk is what keeps security professionals up at night. Security teams today are responsible for mobile applications, rich client interfaces and RESTful interfaces that are too frequently going untested. It’s time for that to change.
Hackazon is a much-needed tool that enables security experts to actually learn to test the applications they are now responsible for in today’s world.