Idea 3 is to take a plugin and actually deconstruct it: demonstrate the tools all the way through, hunt for a SQL injection to see if it can be hacked, and model it.

This I can conceivably see a real devy WordPress group going for, but it's hard to keep it interesting while also making it realistic. It's also a lot of work if no one wants it.

@tnash I can't see any of these working with a standard WordPress audience. I'm trying to think who does need this kind of knowledge. Large corporates that develop their own software? Universities? Hmm.

@magicroundabout The problem is these should be standard dev things, or at least devs should have enough knowledge to choose not to do them and to understand the risks and liabilities.

I honestly think every senior or lead developer at an agency should have at least the basics of these talks down, and as such the material should be well within the mid-dev level.

@magicroundabout When (not if) a site is hacked, custom code was written, and the owners of the site are taken to court for the data breach, which will occur more often, they will come to the agency and look to recoup the costs.

Unless the agency can demonstrate it took at least the most basic steps in securing the site, mapping and identifying threats, and providing advice to the owners, they are going to be up shit creek without a paddle.

@tnash I agree in the case of a large agency working for a large client with either lots of data or sensitive data. But I think these contexts are rare in the WP world.

And I agree that any dev (and site owner! See blog post yesterday) should have the basics of security under their belt.

But it's all relative. Brochure sites and blogs don't contain much data that would be problematic if leaked, and they don't generally have budget for the tools and processes you mention.

@tnash I think, basically, we agree that the audience for this is probably small.

How about a talk on the social engineering side? Why is having the same password on multiple sites bad? Kinda like threat modelling, but at a higher level. Start with "this person found this piece of information on your Instagram feed."

Probably has wider applicability and greater impact.

(P.S. Did you actually advocate the use of a password manager at WP Bristol last month?! 😱)

@magicroundabout I did, though tempered with why it's paradigm breaking and how to use it combined with passphrases.

Social engineering is an interesting topic; the hardest part, even more than normal, is convincing people to listen without resorting to clickbaity titles:

"10 of the silliest social engineering tricks and how you fell for them"