Anirudh Anand

Security Analyst, Flipkart

About speaker

Anirudh is a security researcher with a primary focus on web applications. He has been submitting bugs and contributing to security tools for over five years. In his free time, he participates in CTF competitions. His bounties include vulnerabilities in Google, Microsoft, LinkedIn, Zendesk, SendGrid, GitLab, Gratipay, and Flipboard. He has presented at a number of regional conferences, including Ground Zero Summit Delhi 2015 and Xorconf 2015.
November 16
16:00 — 17:00
Main Track
English
The current approach of teaching application security involves blindly attacking applications which are intentionally vulnerable (like DVWA/Webgoat). This approach has the inherent drawback of never guiding users on how to fix the vulnerabilities being exploited. Hence, as far as developers/students are concerned, their takeaways are limited to identification and exploitation.

In this talk, we plan to introduce a new, hands-on method of teaching and learning security that covers both offence and defence, with equal weight on each, in one place. To achieve this, we have built a framework that uses Docker containers as a sandbox: users are given vulnerable source code, which they must fix and submit. The submitted code is then automatically executed inside the container, and the results are analyzed by a series of unit tests that check both that the functionality still works and that the vulnerability is gone.
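To make the fix-and-submit loop concrete, here is a small added illustration of the grading idea (it is not Kurukshetra's code, and the function names `lookup_vulnerable`, `lookup_fixed`, `grade` and the in-memory SQLite table are constructed for this example). The learner receives a lookup function that builds SQL by string concatenation; the harness runs the same hidden unit tests against whatever is submitted, so a "fix" that merely breaks the feature fails the functional tests, and a submission that keeps concatenation fails the robustness and security tests.

```python
import sqlite3


def make_db():
    """Constructed sample data: an in-memory SQLite table with two users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.test"), ("o'brien", "obrien@example.test")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, username):
    """The handout given to the learner: user input concatenated into SQL.
    This is the code the learner is expected to fix."""
    sql = "SELECT email FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_fixed(conn, username):
    """A correct submission: the value is bound as a parameter, never
    interpolated into the statement text."""
    sql = "SELECT email FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


def grade(lookup):
    """Run the hidden unit tests against a submitted lookup function.

    Returns a dict of test name -> bool plus an overall "passed" flag, so the
    harness can report exactly which expectation a submission violates.
    """
    results = {}
    conn = make_db()

    # Functional tests: the fix must not break normal behaviour.
    results["finds_user"] = lookup(conn, "alice") == ["alice@example.test"]
    results["unknown_user_empty"] = lookup(conn, "nobody") == []

    # Robustness test: a legitimate name containing a quote must still work
    # (the concatenating version raises a syntax error here).
    try:
        results["apostrophe_ok"] = lookup(conn, "o'brien") == ["obrien@example.test"]
    except sqlite3.Error:
        results["apostrophe_ok"] = False

    # Security test: a tautology in the input must not widen the WHERE clause
    # and leak other users' rows; the only acceptable answer is "no such user".
    try:
        results["no_injection"] = lookup(conn, "x' OR '1'='1") == []
    except sqlite3.Error:
        results["no_injection"] = False

    conn.close()
    results["passed"] = all(results.values())
    return results


if __name__ == "__main__":
    for name, submission in (("handout", lookup_vulnerable), ("fixed", lookup_fixed)):
        report = grade(submission)
        status = "PASS" if report["passed"] else "FAIL"
        failed = [k for k, v in report.items() if k != "passed" and not v]
        print(f"{name}: {status} failed={failed}")
```

Running the script prints one line per submission; the handout fails `apostrophe_ok` and `no_injection` while keeping the functional tests green, which is exactly the signal a learner needs to see that the problem is the query construction rather than the feature. In a real sandbox the `grade` call would run inside the container with the submission imported from the learner's file rather than defined alongside it.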

Kurukshetra (the framework we are introducing) would help companies considerably by teaching secure coding practices to developers in an effective way, which in turn would reduce the number of vulnerabilities in the long run.