Industry / Sep 08, 2020 / 3 min read

An expert perspective with Sam Stepanyan

We were joined by Sam Stepanyan, OWASP London Chapter Leader, for our August Ask Me Anything event over on our community Slack channel. Sam is an Independent Application Security Consultant with over 20 years of experience. He has a background in software engineering and web application development, gained from working for various financial service institutions, where he specialised in Application Security consulting, the Secure Software Development Lifecycle, developer training, source code reviews and vulnerability management. He is also a Subject Matter Expert in Web Application Firewalls and SIEM systems.

We were very lucky to have Sam Stepanyan join us so we could ask our previously unanswered security questions. Sam shared his expertise on topics ranging from getting started with DevSecOps and where you can learn more about cyber security, to the little things you can do to keep your devices safe. We’ve put together this article to give an overview of the evening, and the Tecknuovo team have selected the questions and answers that we found particularly fascinating. The entire transcript is still available to read on the Slack workspace, in the #ask-me-anything channel, if you’d like to take a deeper dive into Sam’s advice.

Getting started with cyber security

Cyber security is a dynamic field. New vulnerabilities are announced daily, so getting started and staying up to date with potential concerns can seem a touch daunting. Having so many different possible directions in such a field is a good thing in Sam’s eyes, as it allows people to discover the area that best suits them.

“If you like to investigate things – we have Digital Forensics. This is where you would investigate and help solve computer crimes. On the other hand, we have the penetration testing area where you would try to hack into an organisation and then compile a report of all the vulnerabilities you have found. We also have defensive security on the opposing end where you will be tasked to protect the organisation from hackers and data breaches. There is also a Risk Management and Compliance area where you will be creating policies for your organisations to keep everyone secure and learning various laws and regulations which the organisation needs to comply with, such as PCI DSS (Payment Card Industry Data Security Standard), GDPR, etc. So, the very first step I would say is to choose what is more appealing.”

Luckily, there are plenty of free learning resources available online, from Udemy to Pluralsight, plus YouTube videos. OWASP also has its ‘Top Ten’ project, which gives a comprehensive overview of the ten most critical web application security risks. Perfect for a beginner who wants to see which area of cyber security works for them!

Virtual assistant sabotage

It’s quite common in the media to hear about the potential vulnerabilities of virtual assistants. Considering they are appearing in more and more household devices, it’s understandably a concern. We asked Sam whether these reports were credible, and whether virtual assistants really do pose a security risk.

Unfortunately, they do.

“One of the biggest issues with smart speakers is that they can carry on listening even if you are not using them. Another danger is that hackers can get access to things like your purchasing history on Amazon and other places, your shopping lists and even more personal data like your calendar and places you have been or are planning to go to!”

Sam shared a YouTube video with us that shows just how real these threats are. The video demonstrates a vulnerability in a popular virtual assistant: the smart speaker eavesdrops on the conversation and sends everything to the attacker. All the victim did was install a seemingly harmless number game app.

What can I do to tighten security?

There’s a lot that someone can do to ensure that their security is up to snuff. This can be from an engineering perspective when it comes to building software and systems, and from re-evaluating personal habits.

“The problem with vulnerabilities is that many of them are due to the fact that nobody thought about potential threats during the product design phase.”

When it comes to protecting yourself against security vulnerabilities, you need to think like an attacker. Watch for weaknesses as soon as you start planning your product. Including security stories and attacker stories in your sprints is a helpful way of making sure everyone on the team is aware of security and is actively fixing vulnerabilities as you go, rather than after release.

We highly recommend that you check out the entire transcript for more information on this topic. Sam provided a lot of very useful resources to better understand what technical roles can do. These resources include OWASP cheat sheets for architects and authentication, OWASP Software Assurance Maturity Model, and OWASP Application Security Verification Standard.

Want to learn more?

You can find the full Ask Me Anything with Sam Stepanyan on the community Slack channel. It’s in the #ask-me-anything channel. You can register to be part of the Slack workspace here.

Thank you to all who took part in the Ask Me Anything with Sam Stepanyan! A huge thank you to Sam especially for taking the time out for us to ask him our unanswered questions. It was great to be able to pick his brain! You can follow Sam on Twitter, @securestep9.
