How to Keep Your Software and Identity Secure: STARWEST 2015 Interview with Mike Benkovich


Jennifer Bonine: That is a really ... I noticed that even here, at Disneyland, that American Express, I use American Express a lot, and I literally as soon as the credit card left my hand, I would see it come through on my mobile app, to say, "You were just charged," and how much it was. It's so fast. The speed of that is amazing to me. You're not waiting, and you're not having to go to a website, scroll through transactions.

Mike Benkovich: Or, finding out at the end of the month, "What was I doing twenty-nine days ago?"

Jennifer Bonine: Yeah. "Did I really do that or was that someone else?"

Mike Benkovich: "Fifteen hundred dollars for tires?"

Jennifer Bonine: Exactly, exactly. So, in your talk you'll kind of talk through some of those hacker tricks and stuff, and how that stuff happens.

Mike Benkovich: Just kind of get down that path and have the conversation about what kinds of things should you be thinking about, because we're not going to be able to say, "Okay, these are all the things that are going to happen." It's a, "Here's the top things." All we can do is just take what we know, and ...

Jennifer Bonine: Raise awareness for it. We were talking about ... It's interesting when you look at the history of some different, varying types. There's more specialized testing, so to speak; it's like it's the Holy Grail of, like ... I'm kind of afraid to dabble in that because I don't know what to do, so getting people into things, like, "It's okay, here's some things to think about for security," that are pretty basic, that you should be checking on your apps and your websites that have payment forms, and all of that. I think it's great, because a lot of people are kind of like, "Well I don't know what to do, so therefore I'm just not going to think about it, because it seems too complex, or it seems outside my realm or scope."

Mike Benkovich: That's one of the things ... I was walking around the Expo here, and there's all kinds of vendors. There's a lot of things out there that can automate some of this penetration testing, and these different kinds of exploits. Like for cross-site request forgery, that's an attack where they send you a phishing email—you're already logged into some site, and by virtue of already being logged in, this other thing can send a request that uses your credentials, that stored state information. That's kind of a bad thing. But there's tests and things that are out there, and these suites and tools to automate scanning your software to find those kinds of things and point out what it is you need to do.

Jennifer Bonine: And automate kind of that manual testing effort of what's going on around it, as well.

Mike Benkovich: When you build software, it's so much componentry now. I'm going to go out and download this component, and put in jQuery, and put in Backbone, and Ember, all of these different things, and (a) it's hard to keep up with all these different names. The other thing is, some of these have known vulnerabilities. There's a couple of them, I think Spring and there was something on Apache, something CBG, which is like a service sweep, that had known exploits, or known vulnerabilities, but still there's twenty-two million downloads and it's embedded in the application. That actually made it onto the OWASP list: using components with known vulnerabilities. There are things out there you can use to say, "Okay, don't build, or break the build if it has that stuff going on."
