Presentations

OWASP Software Assurance Maturity Model (SAMM) (slides only)

Brian Glas at GoSec Cyber Security Conference 2017, 08/30/2017

The mission of the Software Assurance Maturity Model (SAMM) is to be the maturity model for software assurance that provides an effective and measurable way for all types of organizations to analyze and improve their software security posture. SAMM supports the complete software lifecycle, including development and acquisition, and is technology and process agnostic. It is intentionally built to be evolutive and risk-driven in nature.

Edge Cases in Web (Workshop) (slides only)

John Poulin at DEF CON 25, 07/29/17

Learn how to identify, exploit, and chain web-app vulnerabilities that you don't see every day. These vulnerabilities will include Server-Side Template Injection, Serialization vulnerabilities and more. We will identify how common protection mechanisms in languages such as Ruby on Rails, Flask and PHP can be bypassed/exploited.

IoT Attack Footprint

David Lindner at BSidesIA 2017, 04/22/2017

The Internet of Things (IoT) is not new terminology. However, the sheer number of connected devices we have at home and at our businesses is growing exponentially and increasing the attack surface. Attacking and assessing IoT can easily lead us down a rabbit hole only to hit a wall on the other side. However, we need to be extremely comprehensive in our methodology and not end up down that rabbit hole for too long.

Who Are You & What Can You Do? Auth Security

Kevin Cody at Steel City Information Security Meetup, 04/13/2017

Authentication and authorization are two critical components of any highly secure and easily usable application. But it’s easy to get lost in acronym soup. Worse, between misconfigurations and lack of appropriate threat modeling, federated identity services can add substantial risk to a previously secure system. Get details on how to effectively comprehend and avoid the security pitfalls in utilizing SAML, OAuth, OpenID, FIDO, Assertions, and more.

DevOops Redux (slides only)

Ken Johnson at Insomni’hack, 03/24/2017

DevOps toolchains are transforming modern IT, but hackers can undermine their benefits through poorly implemented or vulnerable DevOps tools. Chris Gates and Ken Johnson will share their collaborative attack research into the technology driving DevOps. They will share an attacker's perspective on exploiting DevOps organizations and the countermeasures these organizations should employ.

DevOops Redux

Ken Johnson at CERN, 03/23/2017

DevOps toolchains are transforming modern IT, but hackers can undermine their benefits through poorly implemented or vulnerable DevOps tools. Chris Gates and Ken Johnson will share their collaborative attack research into the technology driving DevOps. They will share an attacker's perspective on exploiting DevOps organizations and the countermeasures these organizations should employ.

Be offensive: Proactively assessing your iOS applications

David Lindner at Mobile+Web DevCon, 03/02/2017

Mobile application security encompasses many facets of security. Device security, application security, and network security all play an important role in the overall security posture of a mobile application. Part of being a developer of mobile applications is understanding how every security control works and how they all interact. The Open Web Application Security Project (OWASP) has aimed to help organizations understand the most prevalent mobile risks with their released OWASP Mobile Top Ten Risks. Developers should fully understand these risks and be more proactive in assessing their own applications prior to deployment.

DevOops: Attacks And Defenses For DevOps Toolchains (slides only)

Ken Johnson at AppSec California, 02/15/2017

DevOps toolchains are transforming modern IT, but hackers can undermine their benefits through poorly implemented or vulnerable DevOps tools. Chris Gates and Ken Johnson will share their collaborative attack research into the technology driving DevOps. They will share an attacker's perspective on exploiting DevOps organizations and the countermeasures these organizations should employ.

AWS Survival Guide (slides only)

Ken Johnson at AppSec California, 01/25/2017

An increasing number of organizations are using AWS or are migrating to AWS. Security teams with traditional datacenter security knowledge are trying to catch up and grasp the new attack surface and security concerns, and to develop defensive techniques. Developers are often given the power to deploy infrastructure in ways that were previously restricted, without the traditional insight and controls security would normally implement. At the same time, AWS customers are being exploited in ways that are easily preventable but highly damaging to the customer's organization; this fact is well documented.

Securing the Spark Fire Hose

Jack Mannino and Abdullah Munawar at LASCON 2016, 11/04/2016

Apache Spark is an awesome cluster computing framework used in big data analytics for stream and batch processing. Spark is used for machine learning and predictive analytics using large, streaming data sets from a variety of sources. Spark is often deployed with a distributed messaging system like Kafka, with a high-throughput NoSQL database like Cassandra, and distributed across a cluster of resources with Mesos. As you would imagine, each of these components can hold or process critical data at any given time and each plays a unique role in keeping our data rolling smoothly through the pipeline. We want to make sure that data remains safe at all times, jobs finish in a timely manner, and things remain stable when something goes wrong.