Complete List of Resources

Securing the Spark Fire Hose

Jack Mannino and Abdullah Munawar at LASCON 2016, 11/04/2016

Apache Spark is an awesome cluster computing framework used in big data analytics for stream and batch processing. Spark is used for machine learning and predictive analytics using large, streaming data sets from a variety of sources. Spark is often deployed with a distributed messaging system like Kafka, with a high-throughput NoSQL database like Cassandra, and distributed across a cluster of resources with Mesos. As you would imagine, each of these components can hold or process critical data at any given time and each plays a unique role in keeping our data rolling smoothly through the pipeline. We want to make sure that data remains safe at all times, jobs finish in a timely manner, and things remain stable when something goes wrong.

On being an Eeyore in Infosec

Stefan Edwards at GrrCON 2016, 10/07/2016

This talk will discuss why everything from clients to technology to community is completely broken, and how to accept this fact in order to lead a better, more fruitful life. This talk focuses on what potential tools and policies exist that are "better", and discusses why they're not in general use.

DevOops Redux

Ken Johnson at DerbyCon 2016, 09/23/2016

In a follow-up to the duo's offensive-focused talk "DevOops, How I hacked you?", they discuss defensive countermeasures and real experiences in preventing attacks that target flaws in your DevOps environments. In this talk, Chris and Ken describe common ways in which DevOps environments fall prey to malicious actors, with a focus on preventative steps.

AWS Security

Ken Johnson at nVisium AWS Security Webinar, 06/15/2016

nVisium CTO Ken Johnson discusses his lessons learned and his approach to hardening, monitoring, and disaster recovery as they apply to AWS security.

Secure Coding with Node.js

Seth Law at JS.LA April 2016, 04/28/2016

As we all knew it would, JavaScript has finally overtaken the server. This departure from the client to the server introduces a number of security issues and problems that the language does not handle by default. This talk will cover and demonstrate prevalent security vulnerabilities in Node.js applications. In addition, it will address existing security controls within JavaScript code through the use of an intentionally vulnerable Node.js application.

It's 10pm, Do You Know Where Your Access Keys Are? (slides only)

Ken Johnson at AWS Loft NYC Meetup, 02/24/2016

We know that a large number of organizations are using AWS or are planning to. We also know that hackers are targeting organizations' AWS infrastructure. What you may not know is how hackers are doing this and what you can do about it.

Testing Tools for iOS Applications (slides only)

David Lindner at OWASP MSP February Chapter Meeting, 02/17/2016

With the surge of mobile applications into the forefront of almost every organization, making sure the applications are secure is becoming a pain point. Both internally developed and third-party mobile applications are being used by all sorts of businesses to be faster and more efficient in their day-to-day work. However, how do we test for vulnerabilities? What tools exist for testing such mobile applications?

Swift-ly Secure

Seth Law at SF Swift Meetup, 01/14/2016

With the recent open-sourcing of Swift, the barrier to entry to create iOS and OS X apps has been lowered, but old vulnerabilities still exist and developers still make mistakes that violate users’ privacy and expose an organization to additional risk.

Mobile Top Ten Security Risks - iOS (slides only)

David Lindner at OWASP MSP January Chapter Meeting, 01/13/2016

With over 3.1 million applications in the Apple AppStore and Google Play Store, and more than 7.5 billion mobile subscribers in the world, mobile application security has been shoved into the forefront of many organizations. The Open Web Application Security Project (OWASP) has aimed to help organizations understand the most prevalent mobile risks with their released OWASP Mobile Top Ten Risks of 2014.

Battle-Hardened: Secure your Code (slides only)

David Vo at Austin Droids Meetup, 12/15/2015

Security, particularly in the mobile space, has become ever more vital. Most experts agree that app development is not doing enough to protect user data.

DevOps and Security (slides only)

David Vo at Austin DevOps Meetup, 12/14/2015

DevOps is the new Agile, allowing organizations to move faster, deploy code quicker, and create infrastructure instantaneously. Yet in the quest for continuous delivery, security can fall by the wayside, opening an organization up to data exposure and malicious exploitation.

Httpillage: Calling all nodes

John Poulin at LASCON 2015, 10/23/2015

Httpillage is a tool designed to distribute HTTP(S)-based attacks across multiple nodes, in similar fashion to a traditional botnet C&C server. Common attacks such as online password brute-force, denial of service, and application enumeration are entirely possible to distribute, increasing speed and effectiveness.

MQTT and CoAP: A Story about IoT Protocol Security

Jack Mannino at LASCON 2015, 10/23/2015

As we started to connect more devices and use Machine-to-Machine (M2M) communications in the IoT world, protocols better suited to the task than HTTP were needed. These protocols were designed for constrained devices with less processing power, lower power consumption, and frequent communications. Like many protocols that have come before them, there is always a little bit of security gray area and the potential to introduce interesting security flaws into concrete implementations. Implementing these protocols across many different programming languages, frameworks, and device platforms adds to the complexity of developing secure real-world systems.

Mobile Landscape: The Security of Wearables

David Lindner at LASCON 2015, 10/23/2015

By 2019, there will be half a billion wearable devices in use every single day. These wearable devices track everything from your heart rate, number of steps taken, distance you have traveled, GPS locations, insulin levels, etc. Wearable security encompasses many facets of security, and includes the security of other devices and communication protocols. Device security, application security, and network security all play an important role in the overall security posture of said wearables.

Choices

Ernie Miller at Keep Ruby Weird 2015, 10/23/2015

We're faced with choices every day. Sometimes the right decision is obvious, like, should I have a cookie? (The answer is ALWAYS yes). Sometimes, less so. This is a talk about the choices we make.

Building Out an Application Security Program

Seth Law at SF Bay ACM Chapter Meetup, 10/21/2015

Ever since the first security exploit, businesses and developers have been looking for effective ways to build security into products while maintaining realistic budgets and scope. Right after Robert Morris sent out the first virus into the world, vendors emerged to provide a technical solution to a technical problem. As the industry has grown, so has the number of solutions provided by companies to aid developers in producing secure code.

Secure Coding with Node.js (slides only)

Seth Law at The SF JavaScript Meetup, 10/20/2015

As we all knew it would, JavaScript has finally overtaken the server. This departure from the client to the server introduces a number of security issues and problems that the language does not handle by default.

Recon-ng and Beyond

Tim Tomes at BSides Augusta 2015, 9/12/2015

It's not hard to see the value of OSINT in Red Teaming or Network Penetration Testing, but where does OSINT stand when it comes to Application Security Assessments?

How to Build a Skyscraper

Ernie Miller at Full Stack Fest 2015, 9/2/2015

Since 1884, humans have been building skyscrapers. This means that we had 6 decades of skyscraper-building experience before we started building software (depending on your definition of “software”). Maybe there are some lessons we can learn from past experience?

Focusing on Developer Happiness with Humane Development

Ernie Miller at Fog Creek Blog, 7/29/2015

In this interview, Ernie Miller talks about a development approach that prioritizes developer happiness and the human element of software development.

Mobile Security: How to Protect User Data, Your Most Valuable Asset

Jack Mannino and Anand Vemuri at MobileDC, 6/25/15

Mobile apps are everywhere. From banking to healthcare, users offer loads of personally identifiable data through their mobile devices. The data collected allows businesses to provide timely, useful information to users. However, with this new convenience comes a threat. The impact of a breach or exploitable vulnerability is largely dependent upon an application's use case. Mobile app developers and companies must do their very best to protect their users' sensitive data.

DevOops, I did it again

Ken Johnson and Chris Gates at DevOps Day 2015, 6/12/15

In a quest to move faster, organizations can end up creating security vulnerabilities using the tools and products meant to protect them. Chris Gates and Ken Johnson share their collaborative research into the technology driving DevOps, along with their stories of what happens when these tools are used insecurely and when the tools themselves are insecure.

Ruby after Rails

Ernie Miller at Ancient City Ruby 2015, 3/27/15

Ruby rode the Rails rocketship to worldwide renown. What will happen to Ruby when Rails dies?

Building AppSec In

Seth Law at BSidesSLC 2015, 3/22/15

Strategies, tools, and techniques for implementing an effective application security program. Alternatively, a how-to on preventing security vulnerabilities in code. A discussion of the processes and tools involved, and of what does and doesn't work when building an application security program.

Humane Development

Ernie Miller at Ruby on Ales 2015, 3/6/15

A development approach that prioritizes developer happiness and the human element of software development.

Content Security Policy: Past & Present & Future?

Geller Bedoya at OWASP DC, 1/29/2015

Content Security Policy (CSP) is an opt-in browser security mechanism that helps detect and mitigate injection vulnerabilities.

SQLViking: Pillaging Your Data

Ken Toler and Jonn Callahan at AppSec Cali, 1/28/2015

SQLViking is a tool for intercepting SQL queries. It is still very much in the beta testing stages and only supports the MySQL and SQL Server (Tabular Data Stream) network protocols at this time.

DevOops, I did it again

Ken Johnson and Chris Gates at OWASP DC, 1/7/2015

DevOps is increasingly blending the work of both application and network security professionals. In a quest to move faster, organizations can end up creating security vulnerabilities using the tools and products meant to protect them.

Ruby after Rails

Ernie Miller at RubyConf, 11/17/2014

Ruby rode the Rails rocketship to worldwide renown. What will happen to Ruby when Rails dies?

Inside and Outside the Wire with FruityWifi & WUDS

Tim Tomes at ISSA Journal, 11/2/2014

The ISSA Journal features WUDS, a wireless network auditing tool.

Ruby Metaprogramming: Here's How to Do It Wrong

Michael McCabe and Ken Toler at LASCON, 10/24/2014

This presentation explains what metaprogramming is, how it can get developers into trouble, and some general rules on how to mitigate the resulting vulnerabilities.

Securing The Android Apps On Your Wrist and Face

Jack Mannino at LASCON 2014, 10/24/2014

Smartphones and tablets are becoming the central point for sending and receiving data from wearables and sensors. Building apps for a wearable world introduces new risks and shifts the responsibility for implementing security controls to other layers.

Doctor Docker: Building Your Infrastructure's Immune System

Michael McCabe and Patrick Cooley at BSides DC, 10/19/2014

As hardware is being demoted, the 'stack' and PaaS are becoming software. This raises the question: how can security folks use this to our advantage? We want to show applications built with Docker containers and apply to them the same security challenges seen in more traditional environments. Why should developers have all the fun?

Ball and Chain: A New Paradigm in Stored Password Security

Tim Tomes and Benjamin Donnelly at DerbyCon, 9/27/2014

Weak security architectures have led us into a world of massive password breaches occurring at an alarming rate. Infrastructure and application authentication systems continue to rely on credentials stored in databases. While there are ways to mitigate risk to these systems, offline attacks against accessed credentials have remained possible... until today.

The Adobe Guide to Keyless Decryption

Tim Tomes at BSides Augusta, 9/13/2014

Tim Tomes presents his key research on encoding, encryption, and hashing, reminding us that when storing passwords we should always assume they could be compromised.

How To Find Mobile Internet Love

Jack Mannino and Abdullah Munawar at RVASec, 6/5/2014

As mobile dating applications grow in popularity, so does our interest in the security posture behind these apps. We wanted to take a look at numerous features within these apps to determine the good, the bad, and the ugly.

OWASP Top 10 Mobile Risks: 2014 Reboot

Jack Mannino at AppSec Cali, 1/27/2014

The OWASP Top 10 Mobile Risks were first created in 2011. However, a lot has changed over the past three years. The mobile platforms themselves have evolved, mobile threats have evolved, and app developers have experimented with crazy new things. As a result, the OWASP Mobile Security Project decided it was the time to take another look at the threat landscape.

New Frameworks Old Problems

Ken Johnson and Mike McCabe at AppSec Cali, 1/27/2014

The web development community has seen a rise in new web frameworks that provide small to large organizations with the opportunity to decrease development time and increase productivity. Frameworks such as Play! and Node.js, as well as their supporting APIs, allow development staff to quickly and efficiently create and ship a product. But with these new frameworks come the same security issues that have plagued the web for years.

Minding The Gap: Secure PhoneGap Apps

Jack Mannino at LASCON, 10/25/2013

PhoneGap is a popular framework amongst the mobile development community. PhoneGap allows developers to rapidly build cross-platform mobile applications using HTML5, JavaScript, and CSS. Using PhoneGap plugins, developers can call native platform APIs from browser-like applications using JavaScript. This approach introduces interesting and powerful vulnerabilities that are not typically as prevalent within native mobile applications, warranting a fresh look at the way we view the impact and likelihood of exploitation amongst PhoneGap applications.

Railsgoat - Rails attack and defense

Ken Johnson and Mike McCabe at LASCON, 10/24/2013

While working to secure Rails applications in a truly Agile development environment, it became clear that the Rails and Ruby ecosystem needed attention from the security community in the form of free and open training. RailsGoat is an attempt to bring attention to the problems that most frequently occur in Rails, to solutions for remediation, and to common attack scenarios.

Baking In Security Sweet Secure Cupcakes

Ken Johnson at OWASP DC, 4/5/2012

This talk demonstrates the lessons learned while implementing application security into an already highly successful and talented development process moving at the speed of light and with infinite energy.

How Not To Build Android Apps

Jack Mannino at BSides Atlanta, 11/1/2011

The Android Market has been notoriously polluted with malicious applications, and the Android ecosystem is fragmented beyond belief. On top of these problems, lots of developers are throwing common sense out the window when creating Android applications.
