Web Application Security in a nutshell

I created this presentation for two purposes: On the one hand it can be used as an ultra-compact introduction to Web Application Security. It is best combined with a live-demo, e.g. using my own Juice Shop vulnerable webapp.

On the other hand it turns out to be useful for refresher sessions, e.g. with former participants of my Web Application Security Training Workshop. Here I usually just walk through the presentation and afterwards let the participants have a hands-on-hacking-session on the Juice Shop for reinforcing their knowledge.

You can view or download the PDF version on Slideshare or you can view the original HTML-based presentation here:


Web Application Security Introduction

This is the minified introduction talk to Web Application Security derived from my Training Workshop slides (https://de.slideshare.net/BjrnKimminich/web-application-security-21684264) – It gives a short motivation why Web Application Security is a high priority today and then goes through three of the most prominent vulnerabilities of web apps: 
– SQL Injection 
– Cross Site Scripting (XSS) 
– Cross Site Request Forgery (CSRF) 
It will be explained how each of these technically work, what damage they can cause and how to avoid them in your own applications. The talk concludes with a summary of existing measures to increase application security and explains why none of these is a 100% solution. To keep you on the topic for a while after the talk, a “hacking homework” is presented where a vulnerable local web shop is supposed to be hacked in various ways. 

For a full-grown coverage of the topic feel free to check out my Web Application Security Training Workshop slide deck: https://de.slideshare.net/BjrnKimminich/web-application-security-21684264. 

/!\ Performing attacks on any website or server you do not own yourself is a crime in most countries!

Quo pertentas, OSS? – How Open Source can benefit from well-crafted Tests

 This talk illustrates how a suite of well-written tests can benefit any Open Source project on multiple levels*: 

  • improve maintainability of the code-base
  • help increase the truck factor** of the project
  • “after-the-fact” tests help understand existing code and serve as documentation
  • Behavior Driven Development (BDD) concepts can help create specification-like tests

The idea of adding BDD-style unit tests was introduced into the actively developed OWASP ZAP project end of 2012. It will be explained 

  • how the ZAP team approached this task initially
  • what the improvements for the project were so far
  • where we are going with automated testing in the future

Disclaimer: Some source code will definetely be shown during this talk, but you won’t need to be a Java expert to follow the story! Having some general programming experience is totally sufficient! 

*= surprisingly also works for proprietary software projects! 
**= number of contributors that could be (fatally) run over by a truck without effectively killing the project

Practicing Advanced Unit Testing with the TCG Kata

Doing Code Katas alone or in a Dojo can help sharpen our elementary skills as software developers. Practicing IDE shortcuts and TDD mini-step cycles is very useful for the daily business, yet I find some existing Code Katas too far away from real-life programming situations. That’s why I came up with the Trading Card Game Kata – which is (very loosely) based on Blizzard Entertainment’s free-to-play online-game “Hearthstone – Heroes of Warcraft”. This Kata is focused on practicing TDD in a slightly more complex (but not complicated) situation where you might have to think about rules like Single Responsibility Principle or Command Query Separation and might even feel the urge to use a Mocking framework at some point.

First I will introduce the ideas of Katas and Dojos in general and explain the TCG Kata rules to you. Then I will demo some real-life best-practices for writing good developer tests, using my TCG Kata sample solution as a showcase. This will include:

  • Picking the right Test Double
  • Test Data Builders
  • Behavior Tests with BDDMockito
  • Prose-like Assertions with Hamcrest
  • Readability Sugar

The full Kata ruleset and a sample solution in Java 8 can be found on https://github.com/bkimminich/kata-tcg.

Agile on Mars!

These are the slides of my session at Agile Saturday IX on 28th Sep 2013 in Tallinn, Estonia. I was invited there to give an entry level introduction talk into the ideas and methods of Agile Software Development.

You are an expert in TDD & Pair Programming, hold a Scrum Master certificate and know the Agile Manifesto from heart? Then this talk is probably too basic for you! Everyone else in invited to jump head-first into a journey through space, learning about many core agile methods and concepts on the way, like: Iterations, User Stories, Planning Poker, Test Driven Development, Pair Programming, Collective Code Ownership, Continuous Integration and more! Our journey will end on Mars where we will use SCRUM to conceive, build and continually improve the first Mars Station of mankind! Well, at least sort off..