YoVDO

Making the Most of Security Tests

Offered By: NDC Conferences via YouTube

Tags

NDC Conferences Courses, Risk Management Courses, Penetration Testing Courses, SQL Injection Courses, White Box Testing Courses

Course Description

Overview

Explore the intricacies of various security testing methodologies through a real-world red team attack scenario in this 51-minute conference talk. Delve into the differences between security code reviews, white box testing, penetration testing, and red teaming, and learn when to apply each approach. Follow the attacker's journey from exploiting a user-facing XML-RPC interface to gaining root access on a database server and exfiltrating target data. Gain insights into how different tests enhance product security knowledge, the requirements for actionable results, and the importance of cross-team collaboration. Discover the benefits of expanding security tests beyond product features to encompass deployment environments, supporting processes, and personnel. Understand how to leverage test results to make informed decisions about additional security investments and improve overall product security.

Syllabus

Intro
Risk Management metrics
Assessment landscape
Initial attack
Reversing Java client
XML-RPC invocation
SQL select
Educated guess
SQL union
Let's try UNION
Invoke UNION
What next?
Stop guessing - just read it bit by bit
Database source code
White box injection
Privileges
Post-credits scene
The results


Taught by

NDC Conferences

Related Courses

Network Security
Georgia Institute of Technology via Udacity
Proactive Computer Security
University of Colorado System via Coursera
Identifying, Monitoring, and Analyzing Risk and Incident Response and Recovery
(ISC)² via Coursera
Hacker101
HackerOne via Independent
CNIT 127: Exploit Development
CNIT - City College of San Francisco via Independent