<EPAM> 1/61
Vernon Kidd, Therac-25 and Nancy Leveson
About me
— Vladimir Ivanov
— Designing Mobile-centric solutions for living
We're in a disaster
What is the IT industry?
— The sum of companies providing information- and data-based products and services, plus the IT departments of other companies.
What is great about our industry?
— We are growing despite Brexit, the US–China trade wars and other headwinds [2]
— Developers are paid far above minimum wage (3000 vs 330) [3]
— The remote working style is conquering the world
[2] https://www.gartner.com/en/newsroom/press-releases/2019-01-28-gartner-says-global-it-spending-to-reach--3-8-trillio
[3] https://www.iotforall.com/infamous-iot-hacks/
However
However
— Security is a disaster
— Quality is a concern
— Bad diversity and inclusion
Security
Security
— Data breaches potentially affected more than 1 billion users in 2018
— New breaches happen literally every day
— Mobile application security has been a big concern since 2011
N26
— The same app is used for verification
— Secret information exposed in the API
— All-powerful Support
— No notification about changes to secrets
Luckily everything is fixed, but the impression...
Firebase misconfiguration
— 2.6 million plaintext passwords and user IDs
— 4 million+ PHI records
— 25 million GPS location records
— 50,000 financial records including banking, payment and Bitcoin transactions
— 4.5 million+ Facebook, LinkedIn, Firebase, and corporate data store user tokens.
Vulnerabilities in Android
— The Download Provider allows access to all downloads (which can be used to hijack an OTA update)
— Access to protected data (like CookieData) [7]
[7] https://ioactive.com/multiple-vulnerabilities-in-androids-download-provider-cve-2018-9468-cve-2018-9493-cve-2018-9546/
IoT
Top IoT hacks of 2018 [3]
— Mirai botnet
— Jeep car hijacking
— Owlet Wi-Fi heart monitor for babies
— Tesla car theft [4]
— Teledildonics
[3] https://www.iotforall.com/infamous-iot-hacks/
[4] https://www.theverge.com/2018/10/22/18008514/tesla-model-s-stolen-key-fob-hack-watch-video
Conclusion #1: We don't pay enough attention to security.
Quality
Business Insider
— Two popups
— Only 25% of the content is visible
— The page reloads on accepting cookies
— Debug output on the page
Frenchkit
Twitter App
— The newsfeed still lags on a Samsung S9
— 8 cores are still not enough for Twitter to scroll smoothly!
Conclusion #2: Our apps are unstable, slow, creepy looking, lack functionality or become incredibly complex.
Inclusion
If you lack diversity in your product teams, you're unable to build proper products
Terms
— Inclusivity: the ability of a group to include different people
— Diversity: the property of a group that already includes different people
Gender diversity
— Because it affects everybody.
— It's not about social justice, wage gap, etc.
Some stats
— Women occupy 7% of programming jobs in Russia and 20% in the USA [5]
— The Stackoverflow.com audience is only 9% women [6]
[5] Different sources, like https://www.ncwit.org/sites/default/files/resources/womenintech_facts_fullreport_05132016.pdf and https://habr.com/en/company/moikrug/blog/329018/
[6] https://www.ncwit.org/sites/default/files/resources/womenintech_facts_fullreport_05132016.pdf
More stats...
One large-scale study found that after about 12 years, approximately 50 percent of women had left their jobs in STEM fields—mostly in computing or engineering (Glass, Sassler, Levitte & Michelmore, 2013). As Figure 1.6 indicates, only about 20 percent of women working in other non-STEM professional occupations left their fields during the 30-year span covered by the study. Women in STEM also were more likely to leave in the first few years of their career than women in non-STEM professions. [6]
[6] https://www.ncwit.org/sites/default/files/resources/womenintech_facts_fullreport_05132016.pdf
Somehow we push away women
Death by a thousand cuts
https://speakerdeck.com/vixentael/a-death-by-thousand-cuts?slide=5
Some guys even claim that girls are weaker in logical thinking...
Because they didn't win the chess tournaments of the 20th century! Facepalm
Conclusion #3: Despite having too few developers, we push away the group with the most potential, which is plain stupid
BTW, there is also ageism, racial prejudice and other problems, but gender is a worldwide thing.
If it's not enough...
https://tonsky.me/blog/disenchantment/
Life is Suffering
Amusement?
Responsibility
Slay a dragon! [10]
[10] https://en.wikipedia.org/wiki/Princess_and_dragon
But how?
You make yourself strong, and knowledge and skill are your sword.
Pass a security training
— https://training.cossacklabs.com/
— https://asap.kaspersky.com/en/
Read a damn book!
— iOS Application Security [15]
— Android Security Internals [16]
— Serious Cryptography by @veorq
— Cryptography Engineering by @schneierblog
[15] https://nostarch.com/iossecurity
[16] https://nostarch.com/androidsecurity
Attend a damn course!
— On Udacity, for example [11]
[11] https://www.udacity.com/course/applied-cryptography--cs387
Encourage women and underrepresented folks
— Cut out the unacceptable behavior
— Give women a voice
— Help WomenWhoCode, WomenInTech, InfluenceHER and other communities
Fight for quality
— Require a UX engineer
— Use dogfooding
— Do not hesitate to object
Attend a damn course!
— On Udemy, for example [12]
[12] https://www.udemy.com/sketchdesign/?altsc=381850
So
— Take ownership of your product [13]
— Stand up for quality, security, inclusivity and other issues
— Learn
— Make the world around you a better place, or at least not a worse one
[13] https://www.amazon.com/Extreme-Ownership-U-S-Navy-SEALs-ebook/dp/B00VE4Y0Z2
Me
— https://twitter.com/vvsevolodovich
— https://medium.com/@dzigorium
— https://mobiusconf.com/cfp