24-Dec

Security

Secure and Merry Christmas

By Stian Fredrikstad

December 24, 2018

As you have seen and read, there has been a diversity of topics in this calendar, and this is also why the field of security is as complex as it is.

Now that we have introduced you to a lot of different topics and attacks, you might want to test some of this knowledge. As you might remember from the post Tia wrote about OWASP ZAP, it is illegal to attack other web applications without permission. That is why we suggested that you start with OWASP Juice Shop.

Hack Yourself First

After you are finished with OWASP Juice Shop, you should go and try the attacks on your own code. If you try to look at your code as an attacker, you start to see weaknesses you missed as a developer.

Remember, it is much cheaper to find the vulnerabilities yourself than to read about them on the front page of a newspaper.

Bug Bounties

If you want more challenges during the Christmas celebrations, it has become very easy to get permission to hack other web applications. Companies have realized that they will get attacked at some point, and that it is better to have hackers work for them instead of against them. Many companies are actually paying for the bugs you find, which is a nice carrot (or candy cane) to motivate you.

Two of the largest sites where you find companies to attack are Bugcrowd and HackerOne. Both of them host a variety of different companies. Finding bugs is a difficult challenge, but it is fun to attack large companies like Spotify and Nintendo.

security.txt

Some companies handle the bug bounties themselves, or do not allow you to attack them at all, but they still want you to report bugs if you happen to find them. A new standard called security.txt is getting some traction. It is located in the .well-known directory of a site. Just as robots.txt describes what search engines are allowed to do on the site, security.txt can describe what security researchers are allowed to do and how to report bugs. As an example, you can look at Google's security.txt at https://www.google.com/.well-known/security.txt.

We also have a security.txt, at https://security.christmas/.well-known/security.txt. It is very slim, but it gives an email address you can contact directly about security concerns. This is very nice to have in a large company, where real security concerns could otherwise get lost in a large customer service department.

Hopefully you have learned a lot throughout this calendar, and we hope you have a good and secure Christmas celebration.