BOLA, IDOR, MA, BFLA. Welcome to the OWASP API Top 10!
A foundational element of innovation in today’s app-driven world is the API. From banks, retail and transportation to IoT, autonomous vehicles and smart cities, APIs are a critical part of modern mobile, SaaS and web applications and can be found in customer-facing, partner-facing and internal applications. By nature, APIs expose application logic and sensitive data such as Personally Identifiable Information (PII) and because of this have increasingly become a target for attackers. Without secure APIs, rapid innovation would be impossible.
Adam is a passionate Enterprise Security Expert whose qualifications include a Bachelor of Science in Information Systems, a Master of Business in Information Technology Management, and the Certified Information Systems Security Professional (CISSP) certification. Adam has detailed knowledge of Enterprise Security best practices and technologies and has focused on the creation and deployment of solutions protecting networks, systems, and information assets for Fortune 500 companies and Government Agencies. Adam has worked on Secret level clearance projects for the United States Government and the United Kingdom, deploying security solutions and network technologies while protecting key government data and assets. In addition, Adam is a respected blogger and thought leader on Enterprise Security.
The Domain Password Audit Tool
Poor password habits often lead to system compromise. Password patterns like Fall2019, Winter2019, then Spring2020 are handy for end users but unfortunately are easy for an attacker to guess. The Roberts family has authored an open source tool called “The Domain Password Audit Tool (DPAT)” at and will be presenting how it can be used to understand weak password use in your domain environment. This information can be used as supporting documentation to improve domain password policies. The discussion will include background information on password hashing and how password cracking is accomplished by attackers.
Carrie Roberts @orOneEqualsOne Darin Roberts @MrOrOneEquals1 Cameron Roberts @JrOrOneEquals1
Carrie Roberts is a Red Teamer turned Blue for the Walmart Security Operations Center. She is always looking for new ways to catch the bad guys. Carrie has Masters Degrees in both Computer Science and Information Security Engineering, and holds many information security certifications including the prestigious GIAC Security Expert certification (GSE).
Darin Roberts is a Security Analyst for Black Hills Information Security where he performs a variety of Penetration tests. He has a BS in Computer Information Technology and holds several GIAC Security certifications. He writes helpful blog posts and contributes to open source tools.
Cameron Roberts is 17 and already contributing to security tools including the Domain Password Audit Tool! He wants to be a Red Teamer some day. This is his first time presenting at a security conference.
From Mattress sales to Infosec soldier
This session will cover my story of transitioning from a Mattress Salesman to a Security Analyst. I want the attendees to understand that anyone can make it in this industry if they have the drive and the passion. They should attend if they're still deciding on which path in infosec to take.
I like computers, drumming, and hockey.
$how Me the Money! (Getting Business Buy-in)
Having trouble getting execs to buy into the idea of security? Or they'll let you "do security" as long as they don't have to buy anything new? Do your users protest when you try to implement MFA...or really, anything? This talk is a crash course in getting business buy-in to securing your organization, and some social engineering tips on getting user buy-in, too. I'll share some spreadsheet tools that will help the business understand the value of security and see return on investment for security tools and personnel.
Raised in the wilds of Alabama by angry chickens and crazy people, Wolfpack-educated in the Tar Heel/Blue Devil state, and indoctrinated into Security by Silicon Valley appliance vendors (which are either wolves or angry chickens…maybe both), Carlota has returned to the east coast, where she runs a knowledge software and services company. When not picking other peoples’ brains for minutia, she strings beads, destroys cars, drinks whiskey and screams into the dark, dark void that is Twitter as @carlotasage. You can also find her on LinkedIn (https://www.linkedin.com/in/carlotasage/) and Medium (https://medium.com/@csage)
Security Operations as a Video Game
The interesting and ironic parallels between the challenges of daily security operations and strategy video games created over the last 20 years can be compelling. In the enterprise, 90% of security employees play video games and 60% play on a daily basis. Taking into account current challenges in security, primarily hiring and lack of employees, what can security teams learn from those parallels? And what role do vendors play in helping to solve these challenges?
This presentation will cover those similarities and the challenges along with sharing my experience being involved as an enterprise employee, interactions with both academia and the video game industry and now as a vendor.
Rob Fry is an accomplished executive, architect, inventor and public speaker with over 20 years of experience working with tech in an array of fields. Rob is best known for his contributions while working as the Platform Cloud Security Architect at Netflix where he was leading them on their move from data center operations to AWS. While there Rob also generated several patents across the business including the FIDO platform, an open-source data pipeline SIEM replacement platform for SOC-less operations. Prior to Netflix, Fry was Principal Architect at Yahoo, where he created configuration and automation frameworks in production environments including Flickr, Rhapsody and video search teams. In his current role as VP of Advanced Security Technology for Sumo Logic, he gets to work on his passion for the cybersecurity space where he oversees the product, engineering and threat teams who specialize in developing tools for SOC operations, security automation, threat detection, data analytics, machine learning, and cloud security. In his free time, he enjoys mentoring college students and working with universities on research and guiding technology companies and startups through their growth and innovation phases as an active participant on advisory boards and engineering steering teams.
MineMeld - there's gold in them thar hills!
MineMeld is an open source, extensible Threat Intelligence processing framework. Based on an extremely flexible engine, MineMeld can be used to collect, aggregate and filter indicators from a variety of sources and make them available for consumption to peers or to security platforms such as firewalls or SIEMs. In this session you'll learn how to install MineMeld and set up common configurations. We'll also cover adding new and custom sources and how to integrate outputs into your tools.
Jason Reverri (nibb13)
husband, father, and infosec geek
Jumpstarting Your Appsec Program
As technology and software industries continue to grow at a breakneck pace, my infrastructure has moved to the cloud, and Code Rules Everything Around Me. Application security has become critical to get right. This session will cover how to jumpstart your application security program. We'll cover what elements an application security program absolutely must have to be effective, as well as different approaches an application security program can take to deliver results.
Julia Knecht & Jacob Lords
Julia is a Senior Application Security Partner at Netflix working to secure the apps that help make all of your favorite shows and movies possible! Julia previously managed product security and privacy engineering at Adobe.
Jacob is Sr Manager of Engineering at Adobe. He manages development and security teams on the Adobe Experience Platform. He was previously a developer on the Adobe Analytics product.
SSH Keys: Security Asset or Liability?
SSH keys are widely used in every enterprise to provide privileged administrative access. They are also used to secure machine-to-machine automation for important business functions. Despite the sweeping access they grant, most SSH keys are routinely untracked, unmanaged and unmonitored. Poor SSH key management practices expose businesses to costly security risks. It takes just one SSH key for a cybercriminal to access an organization’s network and pivot to gain further access to the most sensitive systems and data.
Most organizations leave it up to their system administrators to get and manage their own SSH keys, resulting in an ad hoc process using inconsistent security practices. Many keys are left unused and unmonitored, and some walk out the door with prior employees—whether maliciously or innocently. With no expiration and a lack of life cycle management, enterprises can wind up with literally millions of SSH keys and a broad attack surface for insider threats and cyber criminals.
Think of how much security you place around passwords and how often you rotate them. Now compare that to your SSH keys—the credentials that provide the most privileged access. And when unauthorized privileged access occurs through SSH key misuse, it often comes as a surprise. SSH keys generally go unaudited, creating blind spots in SSH key security.
This session begins by briefly describing the role of SSH in enterprise networks and how SSH is changing with expanding networks and machine growth. We’ll summarize the people and processes around SSH use and provide a detailed examination of SSH risks—discussing the common mistakes that almost all enterprises make around security, policy, and auditing practices when managing SSH keys. We’ll compare the adoption of best practices to survey results, highlighting gaps.
The session will then discuss solutions. We’ll note the SSH key risks that are not addressed by IAM/PAM solutions and why they are probably some of the biggest risks in your environment. The session will conclude with a 4-step approach enterprises can take to protect their SSH keys, including how this is incorporated into system processes, the SSH vulnerabilities to track and how to identify needed remediation. Learn how to take SSH keys from an operational liability to a security asset.
Bart Lenaerts is a Security Management Technology veteran with 30 years of experience with industry-leading vendors such as 3Com, Tippingpoint, Symantec, Intel and IBM Security. He is currently Security Strategist and Product Marketing Manager at Venafi, headquartered in Salt Lake City, where he leads go to market initiatives for SSH Protection as part of the Venafi Machine Identity Protection Platform. Throughout his career, Bart has worked with hundreds of security teams around the globe, researched new threat tactics and vulnerabilities, and co-designed tools, processes and solutions to reduce risk exposure. Twitter: @blenaerts1
It is the Year 2000, We Are Robots
OpenAI talked about the theoretical abuse cases for large language models - we will prove their fears to be legitimate. In this talk we'll explore the use of language models to generate synthetic phishing emails, and build chat-bots to add a personal touch to malware delivery.
Will Pearce is a Senior Security Consultant and Network Operator at Silent Break Security. His work involves security consulting, red team operations, and building offensive machine learning research into offensive operations. He is an instructor of Silent Break Security's popular Dark Side Ops training at Black Hat, DerbyCon, and other private companies across the globe. Will has spoken about, and released tools for Offensive Machine Learning at both BSidesLV and DerbyCon.
Rendering Ransomware Detection and EDR Products Blind
Remember WannaCry - the ransomware attack that two years ago infected Windows devices across 150 countries and resulted in an estimated $4B in damage? What is often forgotten is that WannaCry was completely preventable. Microsoft had issued a patch two months prior to the attack. If you think WannaCry was bad, how about a technique that organizations do not have any protection from?
This talk will cover a Windows evasion technique called “RIPlace” that, when used to maliciously alter files, bypasses most existing ransomware protection technologies. In fact, even Endpoint Detection and Response (EDR) products are blind to this technique, which means these operations will not be visible for future incident response and investigation purposes.
The technique leverages an issue at the boundary between a Windows design flaw and improper error handling of an edge-case scenario by the filter drivers of security products. While not a vulnerability per se, the technique is extremely easy for malicious actors to take advantage of with barely two lines of code. RIPlace abuses the way file rename operations are (mis)handled using a legacy Windows function.
I will review existing ransomware detection methods, the workflow of a typical ransomware and provide a live demo of RIPlace bypassing a number of anti-ransomware technologies.
Rene Kolga, CISSP, has over 15 years of cybersecurity experience in the areas of endpoint protection, insider threat, encryption and vulnerability management. He has worked for both Fortune 500 companies and Silicon Valley startups, including Symantec, Citrix, Altiris and Nyotron. Rene earned his Computer Science degree from Tallinn University of Technology. He frequently speaks on security topics at industry conferences like Black Hat, BSides, InfoSecurity and (ISC)2 Security Congress. Rene spent 9 years in Utah and keeps coming back for more :)
Where's my dough?! A look at web skimming attacks on e-commerce websites
The session is about an emerging threat called web-skimming that has been used to compromise millions of credit cards. Attendees will learn about innovative techniques hackers have used to steal credit cards from e-commerce websites and what developers should do to prevent web-skimming attacks.
An application security enthusiast who works at Salesforce Product Security, loves to code and helps devs code securely. Maker and breaker of all the things!
Twitter: @theClumsyCoder
Cloud-Based Contextual Analysis as Code
Explore the power behind software-defined contextual analysis in the cloud that allows DevOps and Security teams to be more proactive without disrupting their day-to-day operations. Knowing all of the pieces of your environment is impressive, but knowing how they work together each day is another level that increases efficacy in decision-making and drives insights from analysis. In this session you will learn how centralizing your environment’s meta and configuration data and using a graph-based model is key to getting reliable answers to your security and compliance questions and simplifying your security operations. All of this is based on our own experience as a security team of 2.
Erkang Zheng, CISO at LifeOmic and Founder and General Manager of JupiterOne, is an experienced leader in cybersecurity and brings 15 years of experience in all its domains from identity and access, penetration testing and incident response, to data, application and cloud security. Erkang is passionate about combining innovation and execution to deliver practical solutions that address cybersecurity challenges at their root cause.
Prior to LifeOmic, Erkang built the software security architecture and assurance practice for Personal Investing at Fidelity Investments that serviced over 12 million customer accounts. He also led a team of engineers working on customer protection solutions as well as patent-pending security research and products. Before Fidelity Erkang held key roles at IBM Security and at a number of tech startups. Erkang earned both B.S. and M.S. degrees in Computer Science from NC State University and holds several industry certifications such as CISSP.
Let's Get Cyberphysical: Securely Bridging The Air Gap
Typically, Industrial Control Systems are air-gapped, meaning no connectivity to the internet AT ALL. However, to grow and become more efficient and smart, industrial sites are now focusing on the ability to remotely manage and aggregate data for analysis. If done correctly and securely, this yields many positive results for the organization employing it. But mostly it's not, and there are tens of thousands of SCADA and PLC devices open on the internet. I'll show you the result of conducting such folly, and ways to prevent your OT network from becoming part of the statistic. I've built tools and methods to both test and secure your control systems and cyberphysical systems, and will demonstrate and share these with participants who're in need of help in this arena, or are just curious about how Industrial Control Systems can be exploited.
Mike Curnow A.K.A. Takko_The_Boss
Mike lives to crush the deliberate denial of the EMERGENCY that is the Cyberphysical Security landscape. Just because it's difficult doesn’t make cognitive dissonance excusable. To facilitate the security of such, Mike speaks, writes and works professionally in the field to help people recognize and promote positive solutions that are desperately needed today. Mike works in the Cyberphysical and Financial Cybersecurity fields. As a truly multifaceted cyber-warrior, he currently serves as the Lead Security Operations Center Architect for Block Harbor Cybersecurity out of Detroit, Michigan, and is the Chief Information Officer and co-founder of a financial analytics startup, RapidCat, based out of Raleigh, North Carolina. After realizing glaring vulnerabilities in financial technologies and E-Commerce systems early in his career, he pivoted from software development to securing systems, including (but not limited to) software and web applications, and his reach now extends into the Cyberphysical technology arena. He's a passionate researcher exploring the increased attack surface that connected Cyberphysical devices present in our everyday lives, exploring what can go wrong and how to secure the Cyberphysical and Operational Technology (OT) attack surface that society relies on to push towards increased technological advance and keep people safe every day. Since cementing his expertise in this arena, he has taken to the public stage, presenting his insights and findings through a number of talks, conferences and panels.
A Chain Is No Stronger Than Its Weakest LNK
Attackers continue to abuse Windows shortcut (LNK) files to gain initial access to their targeted networks, maintain persistence, and execute malicious scripts. This presentation will familiarize practitioners with the ways in which adversaries abuse LNK files, why detection rates for malicious LNK files are so poor, and provide them with the knowledge to hunt for and detect this behavior in their environment.
We will review examples of malicious LNK files and learn how to detect them by analyzing their static properties. We will also walk through the features of LNK files that we selected to build an expert-labeled training dataset and model to classify LNK files as malicious or benign. If organizations are able to detect malicious LNK files quickly and with precision, adversaries will be forced to abandon these procedures and operate within a narrower channel that is easier to detect.
A labeled dataset of malicious and benign LNK files will be released after the presentation.
David French is a Security Research Engineer at Elastic, focusing on analyzing adversary behavior and developing detections and threat hunting analytics. He formerly led threat hunting strategy and incident response at a large financial institution.
Crypto-Agility: Responding Quickly to Cyber Security Events
Today, organizations rely heavily on TLS and other encryption protocols to protect data inside and outside their network boundaries. However, most enterprises are at risk because they are not maintaining crypto-agility, which is the ability to quickly replace encryption certificates and keys in response to security events, including a certificate authority (CA) compromise, a vulnerable algorithm, or a cryptographic library bug. To achieve crypto-agility, organizations must not only be able to quickly respond to mass certificate replacement events but must also be able to demonstrate policy compliance of all certificates and identify any anomalies.
This session starts with an overview of the threats and risks that make crypto-agility a requirement for all organizations. The session will also highlight cases where organizations had advance notice of impending large-scale crypto incidents, yet most were not, and are not, ready to respond. The session will help attendees evaluate the current certificate management maturity and crypto-agility of their organizations, followed by a vendor-neutral actionable plan for achieving crypto-agility to successfully respond to certificate security events.
Dave Brancato is the Senior Technical Marketing Engineer at Venafi, the founder of Machine Identity Protection headquartered in Salt Lake City, where he helps Global 5000 enterprises secure cryptographic keys and digital certificates. Dave has over 20 years of experience in cyber security as a hands-on practitioner in various roles including systems engineer, threat and risk manager and technical product manager, including extensive experience designing and deploying cryptographic infrastructure.
How to Use Code Signing to Protect your Critical Software Infrastructure
Nearly every business today is a software business. Either software is delivered as a product to customers, or it is used internally for critical business operations. Internally used software could be as simple as operating system shell scripts that copy databases or automate network operations, or as complex as enterprise-wide business infrastructure like accounting or CRM systems. If unauthorized changes are made to this software, either deliberately by a bad actor, or accidentally through employee mistake, there could be severe consequences for the business.
Code signing has been used for 3 decades to prevent cybercriminals from tampering with delivered software. It’s been an effective technique – so much so that cybercriminals now steal code signing keys to thwart the process.
Even though many businesses use code signing to prevent tampering with software that they deliver to their customers, many may not use it to protect their internal software infrastructure. Usually this is because it is just too difficult to support the volume of people who need to code sign, too risky to provide this many people with private code signing keys, or there is a lack of PKI expertise in the groups responsible for building software infrastructure.
In this session we will examine the risks of not signing internal software infrastructure code and the common challenges that businesses face when trying to roll out code signing to large audiences. We will provide best practices for how to effectively do this which is convenient for end users as well as satisfies the needs of the security team.
Eddie Glenn is the senior threat intelligence manager at Venafi headquartered in Salt Lake City and is responsible for researching the risks and threats of code signing and endpoint infrastructure. Eddie has more than 30 years of experience in enterprise software at companies such as IBM, Rational, and Wind River where he held a variety of senior level positions in product management and product marketing. Eddie is co-author of the Definitive Guide to Next Generation Fraud and has written for various industry publications. He has a Bachelor of Science degree in computer and electrical engineering from the University of Virginia, and an MBA from the University of Oregon.