BI and Tech

AppSec EU security event takeaways

Written by Neil Musgrove, Software Developer at Panintelligence 

I’m part of the development team and my speciality is application security. I recently attended AppSec EU and in this post I'll share some highlights from the event.

Why attend the OWASP AppSec EU Security event?

I recently attended the OWASP AppSec EU conference in Belfast. OWASP is a not-for-profit charitable organisation that promotes security within the software industry and lays out standards which we aim to adhere to. The AppSec EU event run by OWASP is a regular conference which combines talks by leaders in the field of application security with training courses. I was in Belfast for 5 days where I enjoyed beautiful weather and fantastic hospitality from the friendly locals. If you've not been to Belfast I highly recommend it!

Learnings to apply

One of the main threats to web applications is cross-site scripting (XSS). In short, XSS is the ability in a web app for an attacker to execute his custom Javascript on the user’s browser – very dangerous! After 3 days of watching, learning and hacking I came away with an enhanced understanding of the technical detail and mitigations. When building a web application, like our Business Intelligence dashboard, it has to support many different browser vendors and versions. Alongside the usual considerations (formatting, etc.), this poses a security challenge. Some of the more advanced XSS vectors that currently exist, take advantage of peculiarities in specific browsers. As security developers, we need to be aware of as many of these as possible and how we can deal with XSS in a way that defends against all the different types of attack.

Hear more from AppSec EU

The last two days were conference days, and I spent both days attending numerous talks on various tracks around both technical detail as well as procedural improvements. I also generated many ideas of how we can improve our agile development processes at Panintelligence to ensure we keep abreast of developments in security and are able to apply them to future product releases.
Here’s a sample of one of the talks

Most of the conference talks were recorded and are available here. You can get started with the one below: