@adamgoucher
Created August 23, 2012 11:37
quicky security testing agenda
Security Testing
----------------
- it's not paranoia if they really are after you
- https://www.owasp.org (top 10 is 2 years old, but still relevant)
  - (a1) sql injection
    - parameterized sql
    - code review
  - (a2) xss
    - all input safe
      - <script>alert('hello');</script>
    - all output is escaped
  - (a8) leakage
    - what does the url tell someone? id? url components?
      - use guids for all facing ids
    - logs
    - workflows
    - one-time events
    - privacy
      - pii
      - credentials
      - billing
      - letter vs. spirit of the law
    - firebug
  - (a9) transport level
    - encryption everywhere [in production]
- third party crap
  - do you know what you are collecting for others?
- mobile
  - do you understand the device's security model
    - (no you don't)
- ops
  - servers configured correctly?
- trust
  - do you trust your employees
  - do you trust yourself?
    - (indian call center story)
- http://www.blackhat.com/
@timkoopmans
execute vega http://subgraph.com/
