Presentations

IoT Attack Footprint

David Lindner at BSidesIA 2017, 04/22/2017

The Internet of Things (IoT) is not new terminology. However, the sheer number of connected devices we have at home and in our businesses is growing exponentially, and with it the attack surface. Attacking and assessing IoT can easily lead us down a rabbit hole only to hit a wall on the other side. However, we need to be extremely comprehensive in our methodology and not end up down that rabbit hole for too long.

Who Are You & What Can You Do? Auth Security

Kevin Cody at Steel City Information Security Meetup, 04/13/2017

Authentication and authorization are two critical components of any highly secure and easily usable application. But it's easy to get lost in acronym soup. Worse, between misconfigurations and a lack of appropriate threat modeling, federated identity services can add substantial risk to a previously secure system. Learn how to understand and avoid the security pitfalls of using SAML, OAuth, OpenID, FIDO, Assertions, and more.

DevOops Redux (slides only)

Ken Johnson at Insomni’hack, 03/24/2017

DevOps toolchains are transforming modern IT, but hackers can undermine their benefits through poorly implemented or vulnerable DevOps tools. Chris Gates and Ken Johnson will share their collaborative attack research into the technology driving DevOps. They will share an attacker's perspective on exploiting DevOps organizations and the countermeasures these organizations should employ.

DevOops Redux

Ken Johnson at CERN, 03/23/2017

DevOps toolchains are transforming modern IT, but hackers can undermine their benefits through poorly implemented or vulnerable DevOps tools. Chris Gates and Ken Johnson will share their collaborative attack research into the technology driving DevOps. They will share an attacker's perspective on exploiting DevOps organizations and the countermeasures these organizations should employ.

Be offensive: Proactively assessing your iOS applications

David Lindner at Mobile+Web DevCon, 03/02/2017

Mobile application security encompasses many facets of security. Device security, application security, and network security all play an important role in the overall security posture of a mobile application. Part of being a developer of mobile applications is understanding how every security control works and how they all interact. The Open Web Application Security Project (OWASP) has aimed to help organizations understand the most prevalent mobile risks with their released OWASP Mobile Top Ten Risks. Developers should fully understand these risks and be more proactive in assessing their own applications prior to deployment.

DevOops: Attacks And Defenses For DevOps Toolchains (slides only)

Ken Johnson at AppSec California, 02/15/2017

DevOps toolchains are transforming modern IT, but hackers can undermine their benefits through poorly implemented or vulnerable DevOps tools. Chris Gates and Ken Johnson will share their collaborative attack research into the technology driving DevOps. They will share an attacker's perspective on exploiting DevOps organizations and the countermeasures these organizations should employ.

AWS Survival Guide (slides only)

Ken Johnson at AppSec California, 01/25/2017

An increasing number of organizations are using AWS or are migrating to AWS. Security teams with traditional datacenter security knowledge are trying to catch up, grasp the new attack surface and security concerns, and develop defensive techniques. Developers are often given the power to deploy infrastructure in ways that were previously restricted, without the traditional insight and controls security would normally implement. At the same time, AWS customers are being exploited in ways that are easily preventable but highly damaging to the customer's organization; this fact is well documented.

Securing the Spark Fire Hose

Jack Mannino and Abdullah Munawar at LASCON 2016, 11/04/2016

Apache Spark is an awesome cluster computing framework used in big data analytics for stream and batch processing. Spark is used for machine learning and predictive analytics using large, streaming data sets from a variety of sources. Spark is often deployed with a distributed messaging system like Kafka, with a high-throughput NoSQL database like Cassandra, and distributed across a cluster of resources with Mesos. As you would imagine, each of these components can hold or process critical data at any given time and each plays a unique role in keeping our data rolling smoothly through the pipeline. We want to make sure that data remains safe at all times, jobs finish in a timely manner, and things remain stable when something goes wrong.

On being an Eeyore in Infosec

Stefan Edwards at GrrCON 2016, 10/07/2016

This talk will discuss why everything from clients to technology to community is completely broken, and how to accept this fact in order to lead a better, more fruitful life. This talk focuses on what potential tools and policies exist that are "better", and discusses why they're not in general use.

DevOops Redux

Ken Johnson at DerbyCon 2016, 09/23/2016

In a follow-up to the duo's offensive-focused talk "DevOops, How I hacked you?", they discuss defensive countermeasures and real experiences in preventing attacks that target flaws in your DevOps environments. In this talk, Chris and Ken describe common ways in which DevOps environments fall prey to malicious actors, with a focus on preventative steps.