- About the Author
- About the Technical Editor
- Credits
- Acknowledgments
- Foreword
- Introduction
- CHAPTER 1 Fundamental Networking and Security Tools
- CHAPTER 2 Troubleshooting Microsoft Windows
- CHAPTER 3 Nmap—The Network Mapper
- CHAPTER 4 Vulnerability Management
- CHAPTER 5 Monitoring with OSSEC
- CHAPTER 6 Protecting Wireless Communication
- CHAPTER 7 Wireshark
- CHAPTER 8 Access Management
- CHAPTER 9 Managing Logs
- CHAPTER 10 Metasploit
- CHAPTER 11 Web Application Security
- CHAPTER 12 Patch and Configuration Management
- CHAPTER 13 Securing OSI Layer 8
- CHAPTER 14 Kali Linux
- CHAPTER 15 CISv7 Controls and Best Practices
CHAPTER 11 Web Application Security
WHAT YOU WILL LEARN IN THIS CHAPTER:
- Web Development
- Information Gathering
- DNS
- Defense in Depth
- Offense: Burp Suite
I was flying on a Delta flight from Atlanta to Denver this past summer and had been upgraded to first class. I recognize that some people hate flying and, like my husband, hate being talked to by strangers on a flight. My normal mode of operations is to smile and say hello and leave it there. If my seat mate says hello back, then conversation may ensue. Otherwise, I'm happy to put my noise‐cancelling headphones on and watch a movie. On this flight, I found my flying companion was a web application developer and was flying to Denver to meet with venture capitalists to show them the final product. Of course, being a geek, I'm terribly interested and ask all sorts of questions. To most of them, he answered, “That's proprietary, and I can't share.” Toward the end of our trip, he asked me what I did. I told him I work for Rapid7 as a consultant and teach security classes—mostly vulnerability management and Metasploit, but I dabble in application security and incident detection and response. To that, he replied, “What's that?”
That is the mind‐set of some web application developers I have met. They are full of wonderful ideas and a vast knowledge of coding, but when it comes to security, not a single clue. How can you deliver an application and not factor in security? What was even more eye‐opening was seeing the advertisement during the Super Bowl the following year for the application this guy helped create. My immediate thought was that I hoped he remembered our conversation on the value of the software development lifecycle (SDLC).