Joshua Beck
Application Security Engineer
Raleigh, North Carolina, United States
As a Staff Application Security Engineer for John Deere's Intelligent Solutions Group, Josh has expertise in developing and securing cloud-native web applications. His approach to security is grounded in personal relationships and an intimate understanding of target systems at the code level. Josh holds a number of security and cloud certifications and is a published creator of multiple challenges on HackTheBox. He uses these experiences and his passion for cybersecurity to encourage secure development and a safer future for everyone online.
Secure Code Review - Juice Shop
Description
OWASP's Juice Shop is one of the most famous insecure web applications around. You may have heard of it; you may even have spent significant time hacking it. But have you ever dug deeper? Have you ever looked under the hood at what makes it so insecure?
Join Joshua Beck, a Staff Application Security Engineer with John Deere, as he dives headfirst into the insecure, fruit-scented waters of the Juice Shop: walking through the code and comparing it to what the user sees on the front end, giving the audience a complete picture of the life cycle of a vulnerability through a target system.
Detailed Overview
https://github.com/juice-shop/juice-shop
The OWASP Juice Shop is a vulnerable web application that contains (among other items) a web application the user interacts with and a gamified portion that tracks and gives feedback on the vulnerabilities found. These two pieces can be explored together to understand how the application works at a fundamental level, and walked through to explain in detail how a vulnerability exists and can be found within a code base.
The presentation starts by examining the application's server.ts file, which registers many of the API routes the web front end uses. The presenter will show on the front end how these endpoints are called, then begin a walkthrough of some of the vulnerable elements.
https://github.com/juice-shop/juice-shop/blob/b156c969d7bc8f24544f162f482c6285f58b4285/server.ts#L69
After discussing the initial server file, the presenter will walk through the complete life cycle of a vulnerability: submitting a malicious payload to the website, showing the vulnerable output, then tracing through the code base to understand what went wrong and where in the code the vulnerability really lives.
As an example, the presenter will show off vulnerable code snippets like this:
https://github.com/juice-shop/juice-shop/blob/b156c969d7bc8f24544f162f482c6285f58b4285/routes/search.ts#L23
The linked line contains a SQL injection vulnerability that is reachable through the site's search functionality.
After this walkthrough, the presenter will show how to secure the examples above, and will wrap up with general secure coding advice such as:
1. Validate and sanitize inputs.
2. Design architectures that are secure from the start.
3. Use security-focused testing and code review.
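As an added illustration of the search-route injection and the fixes above (example code written for this page, not code from Juice Shop or the speaker), the block below shows a search query built by string concatenation beside its parameterized form, plus an input allowlist as a secondary control. The table and column names, the allowlist, the length cap and the sample payload are all assumptions chosen for the demo. A small scanner reports which statement keywords sit outside string literals, which is exactly what the database engine would execute; with the vulnerable builder the payload adds a UNION SELECT, while the parameterized query's SQL text never changes.

```javascript
// Added illustrative example, not code from Juice Shop or the speaker: the
// pattern behind a search-route SQL injection and its fix, written in the
// project's language. Table and column names are assumptions for the demo.

// Vulnerable pattern: the user's term is spliced into the SQL text, so quotes
// and parentheses in the term rewrite the query's structure.
function buildUnsafeSearchQuery(term) {
  return (
    "SELECT * FROM Products WHERE ((name LIKE '%" + term +
    "%' OR description LIKE '%" + term + "%') AND deletedAt IS NULL) ORDER BY name"
  );
}

// Hardened pattern: the SQL text is constant and the term travels as a bind
// value that the driver never parses as SQL.
function buildSafeSearchQuery(term) {
  return {
    sql: 'SELECT * FROM Products WHERE ((name LIKE ? OR description LIKE ?) AND deletedAt IS NULL) ORDER BY name',
    params: ['%' + term + '%', '%' + term + '%'],
  };
}

// Defense in depth, secondary to parameterization: reject terms that no
// product search needs. The allowlist and length cap are assumptions.
function validateSearchTerm(term) {
  if (typeof term !== 'string' || term.length === 0 || term.length > 64) return false;
  return /^[A-Za-z0-9 ().-]+$/.test(term);
}

// Returns the statement keywords that sit outside single-quoted literals and
// outside "--" comments, i.e. the keywords the database will actually execute.
// Handles the standard '' escape inside a literal.
function keywordsOutsideLiterals(sql) {
  const found = [];
  let token = '';
  const flush = () => {
    if (/^(SELECT|UNION|INSERT|UPDATE|DELETE|DROP)$/i.test(token)) {
      found.push(token.toUpperCase());
    }
    token = '';
  };
  let inLiteral = false;
  let i = 0;
  while (i < sql.length) {
    const ch = sql[i];
    if (inLiteral) {
      if (ch === "'") {
        if (sql[i + 1] === "'") { i += 2; continue; } // escaped quote, still inside
        inLiteral = false;
      }
      i += 1;
      continue;
    }
    if (ch === "'") { flush(); inLiteral = true; i += 1; continue; }
    if (ch === '-' && sql[i + 1] === '-') { // line comment: skip to end of line
      flush();
      const nl = sql.indexOf('\n', i);
      if (nl === -1) break;
      i = nl + 1;
      continue;
    }
    if (/[A-Za-z_]/.test(ch)) { token += ch; } else { flush(); }
    i += 1;
  }
  flush();
  return found;
}

// Constructed sample input: closes the LIKE literal and parentheses, appends a
// UNION, and comments out the rest of the original statement.
const SAMPLE_PAYLOAD = "')) UNION SELECT 1,2,3--";

console.log(keywordsOutsideLiterals(buildUnsafeSearchQuery(SAMPLE_PAYLOAD))); // [ 'SELECT', 'UNION', 'SELECT' ]
console.log(keywordsOutsideLiterals(buildSafeSearchQuery(SAMPLE_PAYLOAD).sql)); // [ 'SELECT' ]
console.log(validateSearchTerm(SAMPLE_PAYLOAD)); // false
```

The scanner is a teaching aid, not a detection control: the point it makes is that with a bind parameter the executable SQL is fixed at authoring time, so no amount of input validation is needed to keep the query's structure intact, and the allowlist only narrows what reaches the database.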
NOTE: This presentation can be pitched at either a beginner or an intermediate level, depending on conference need. It can also be extended into a longer interactive workshop, as the length is flexible and audiences tend to enjoy spending time working with the Juice Shop site.
Cloud Security 101
Join application security engineer Joshua Beck as he provides a simple overview of cloud security concepts, including application security, secure architecture, IAM, and infrastructure and policy as code.
Directed at students and professionals with limited cloud experience, or at anyone who wants a high-level view of the aspects of a robust cloud security program.
3rd Annual North Carolina Cybersecurity Symposium
Triangle InfoSeCon 2023
North Carolina Cybersecurity Symposium