Complete List of Resources
Jack Mannino and Abdullah Munawar at LASCON 2016, 11/04/2016
Apache Spark is an awesome cluster computing framework used in big data analytics for stream and batch processing. Spark is used for machine learning and predictive analytics using large, streaming data sets from a variety of sources. Spark is often deployed with a distributed messaging system like Kafka, with a high-throughput NoSQL database like Cassandra, and distributed across a cluster of resources with Mesos. As you would imagine, each of these components can hold or process critical data at any given time and each plays a unique role in keeping our data rolling smoothly through the pipeline. We want to make sure that data remains safe at all times, jobs finish in a timely manner, and things remain stable when something goes wrong.
Stefan Edwards at GrrCON 2016, 10/07/2016
This talk will discuss why everything from clients to technology to community are completely broken, and how to accept this fact in order to lead a better more fruitful life. This talk focuses on what potential tools and policies exist that are "better", and discusses why they're not in general use. Click here to view slides.
Ken Johnson at DerbyCon 2016, 09/23/2016
In a follow-up to the duo's offensive focused talk "DevOops, How I hacked you?", they discuss defensive countermeasures and real experiences in preventing attacks that target flaws in your DevOps environments. In this talk, Chris and Ken describe common ways in which DevOps environments fall prey to malicious actors with a focus on preventative steps. Click here to view slides.
Ken Johnson at nVisium AWS Security Webinar, 06/15/2016
nVisium CTO, Ken Johnson, discusses his lessons learned and approach for hardening, monitoring, and disaster recovery as it applies to AWS Security. Click here to view slides.
Seth Law at JS.LA April 2016, 04/28/2016
It's 10pm, Do You Know Where Your Access Keys Are? (slides only)
Ken Johnson at AWS Loft NYC Meetup, 02/24/2016
We know that a large number of organizations are using AWS or are planning to. We also know that hackers are targeting organizations' AWS infrastructure. What you may not know is how hackers are doing this and what you can do about it.
Testing Tools for iOS Applications (slides only)
David Lindner at OWASP MSP February Chapter Meeting, 02/17/2016
With the surge of mobile applications into the forefront of almost any organization, making sure the applications are secure is becoming a pain point. Both internally developed and 3rd party mobile applications are being used by all sorts of businesses to be faster and more efficient in their day-to-day work. However, how do we test for vulnerabilities? What tools exist for testing such mobile applications?
Seth Law at SF Swift Meetup, 01/14/2016
With the recent open-sourcing of Swift, the barrier to entry to create iOS and OS X apps has been lowered, but old vulnerabilities still exist and developers still make mistakes that violate users’ privacy and expose an organization to additional risk.
Mobile Top Ten Security Risks - iOS (slides only)
David Lindner at OWASP MSP January Chapter Meeting, 01/13/2016
With over 3.1 million applications in the Apple AppStore and Google Play Store, and more than 7.5 billion mobile subscribers in the world, mobile application security has been shoved into the forefront of many organizations. The Open Web Application Security Project (OWASP) has aimed to help organizations understand the most prevalent mobile risks with their released OWASP Mobile Top Ten Risks of 2014.
Battle-Hardened: Secure your Code (slides only)
David Vo at Austin Droids Meetup, 12/15/2015
Security, particularly in the mobile space, has become ever more vital. Most experts agree that app development is not doing enough to protect user data.
DevOps and Security (slides only)
David Vo at Austin DevOps Meetup, 12/14/2015
DevOps is the new Agile, allowing organizations to move faster, deploy code quicker, and create infrastructure instantaneously. Yet in the quest for continuous delivery, security can fall by the wayside, opening an organization up to data exposure and malicious exploitation.
John Poulin at LASCON 2015, 10/23/2015
Httpillage is a tool designed to distribute HTTP(S)-based attacks across multiple nodes, in similar fashion to a traditional botnet C&C server. Common attacks such as online password brute-force, denial of service, and application enumeration are entirely possible to distribute, increasing speed and effectiveness.
Jack Mannino at LASCON 2015, 10/23/2015
As we connect more devices and use Machine-to-Machine (M2M) communications in the IoT world, protocols better suited than HTTP were needed to make it possible. These protocols were designed for constrained devices with less processing power, lower power consumption, and frequent communications. Like many protocols that have come before them, there is always a little bit of security gray area and the potential to introduce interesting security flaws into concrete implementations. Implementing these protocols across many different programming languages, frameworks, and device platforms adds to the complexity of developing secure real-world systems.
David Lindner at LASCON 2015, 10/23/2015
By 2019, there will be half a billion wearable devices in use every single day. These wearable devices track everything from your heart rate, number of steps taken, distance you have traveled, GPS locations, insulin levels, etc. Wearable security encompasses many facets of security, and includes the security of other devices and communication protocols. Device security, application security, and network security all play an important role in the overall security posture of said wearables.
Ernie Miller at Keep Ruby Weird 2015, 10/23/2015
We're faced with choices every day. Sometimes the right decision is obvious, like, should I have a cookie? (The answer is ALWAYS yes). Sometimes, less so. This is a talk about the choices we make.
Seth Law at SF Bay ACM Chapter Meetup, 10/21/2015
Ever since the first security exploit, businesses and developers have been looking for effective ways to build security into products while maintaining realistic budgets and scope. Right after Robert Morris sent out the first virus into the world, vendors emerged to provide a technical solution to a technical problem. As the industry has grown, so has the number of solutions provided by companies to aid developers in producing secure code.
Secure Coding with Node.js (slides only)
Tim Tomes at BSides Augusta 2015, 9/12/2015
It's not hard to see the value of OSINT in Red Teaming or Network Penetration Testing, but where does OSINT stand when it comes to Application Security Assessments?
Ernie Miller at Full Stack Fest 2015, 9/2/2015
Since 1884, humans have been building skyscrapers. This means that we had 6 decades of skyscraper-building experience before we started building software (depending on your definition of “software”). Maybe there are some lessons we can learn from past experience?
Ernie Miller at Fog Creek Blog, 7/29/2015
In this interview, Ernie Miller talks about a development approach that prioritizes developer happiness and the human element of software development.
Jack Mannino and Anand Vemuri at MobileDC, 6/25/15
Mobile apps are everywhere. From banking to healthcare, users offer loads of personally-identifiable data through their mobile devices. The data collected allows businesses to provide timely, useful information to users. However, with this new convenience, comes a threat. The impact of a breach or exploitable vulnerability is largely dependent upon an application’s use case. Mobile app developers and companies must do their very best to protect their users' sensitive data. Click here to view slides.
Ken Johnson and Chris Gates at DevOps Day 2015, 6/12/15
In a quest to move faster, organizations can end up creating security vulnerabilities using the tools and products meant to protect them. Both Chris Gates and Ken Johnson will share their collaborative research into the technology driving DevOps as well as share their stories of what happens when these tools are used insecurely as well as when the tools are just insecure. Click here to view slides.
Ernie Miller at Ancient City Ruby 2015, 3/27/15
Ruby rode the Rails rocketship to worldwide renown. What will happen to Ruby when Rails dies?
Seth Law at BSidesSLC 2015, 3/22/15
Strategies, tools, and techniques for implementing an effective application security program. Alternatively, a how-to on preventing security vulnerabilities in code. Discussion of the processes and tools, and of what does and doesn't work, when building an application security program.
Ernie Miller at Ruby on Ales 2015, 3/6/15
A development approach that prioritizes developer happiness and the human element of software development.
Geller Bedoya at OWASP DC, 1/29/2015
Content Security Policy (CSP) is an opt-in browser security mechanism that helps detect and mitigate injection vulnerabilities. Click here to view slides.
Ken Toler and Jonn Callahan at AppSec Cali, 1/28/2015
SQLViking is a tool for intercepting SQL queries. It is still very much in the beta testing stages and only supports the MySQL and SQL Server (Tabular Data Stream) network protocols at this time.
Ken Johnson and Chris Gates at OWASP DC, 1/7/2015
DevOps is increasingly blending the work of both application and network security professionals. In a quest to move faster, organizations can end up creating security vulnerabilities using the tools and products meant to protect them.
Ernie Miller at RubyConf, 11/17/2014
Ruby rode the Rails rocketship to worldwide renown. What will happen to Ruby when Rails dies?
Tim Tomes at ISSA Journal, 11/2/2014
The ISSA Journal features WUDS, a wireless network auditing tool. Click here to view slides.
Michael McCabe and Ken Toler at LASCON, 10/24/2014
This presentation explains what metaprogramming is, how it can get developers into trouble, and some general rules on how to mitigate these vulnerabilities.
Jack Mannino at LASCON 2014, 10/24/2014
Smartphones and tablets are becoming the central point for sending and receiving data from wearables and sensors. Building apps for a wearable world introduces new risks as well as shifts the responsibilities for implementing security controls to other layers.
Michael McCabe and Patrick Cooley at BSides DC, 10/19/2014
As hardware is being demoted, the ‘stack’ and PaaS are becoming software. It brings up the question: how can security folks use this to our advantage? We want to show applications built with Docker containers and apply them to the same security challenges seen in more traditional environments. Why should developers have all the fun?
Tim Tomes and Benjamin Donnelly at DerbyCon, 9/27/2014
Weak security architectures have led us into a world of massive password breaches occurring at an alarming rate. Infrastructure and application authentication systems continue to rely on credentials stored in databases. While there are ways to mitigate risk to these systems, offline attacks against accessed credentials have remained possible... until today. Click here to view slides.
Tim Tomes at BSides Augusta, 9/13/2014
Tim Tomes presents his key research on encoding, encryption, and hashing, reminding us that when storing passwords we should always assume they could be compromised.
Jack Mannino and Abdullah Munawar at RVASec, 6/5/2014
As mobile dating applications grow in popularity, so does our interest in the security posture behind these apps. We wanted to take a look at numerous features within these apps to determine the good, the bad, and the ugly.
Jack Mannino at AppSec Cali, 1/27/2014
The OWASP Top 10 Mobile Risks were first created in 2011. However, a lot has changed over the past three years. The mobile platforms themselves have evolved, mobile threats have evolved, and app developers have experimented with crazy new things. As a result, the OWASP Mobile Security Project decided it was the time to take another look at the threat landscape.
Ken Johnson and Mike McCabe at AppSec Cali, 1/27/2014
The web development community has seen a rise in new web frameworks that provide small to large organizations with the opportunity to decrease development time and increase productivity. Frameworks such as Play! and Node.js as well as their supporting API(s) allow development staff to quickly and efficiently create and ship a product. But with these new frameworks come the same security issues that have plagued the web for years.
Jack Mannino at LASCON, 10/25/2013
Ken Johnson and Mike McCabe at LASCON, 10/24/2013
While working to secure rails applications in a truly Agile development environment, it became clear that the Rails and Ruby ecosystem needed attention from the security community in the form of free and open training. RailsGoat is an attempt to bring attention to both the problems that most frequently occur in Rails, solutions for remediation, and common attack scenarios.
Ken Johnson at OWASP DC, 4/5/2012
This talk demonstrates the lessons learned while implementing application security into an already highly successful and talented development process moving at the speed of light and with infinite energy.
Jack Mannino at BSides Atlanta, 11/1/2011
The Android Market has been notoriously polluted with malicious applications, and the Android ecosystem is fragmented beyond belief. On top of these problems, lots of developers are throwing common sense out the window when creating Android applications.