Track: Security: Lessons Learned From Being Pwned



The Cyber is the Abominable Snow Monster chasing you down your perfect ski run. People get eaten by The Cyber every week. Most talks catalogue endlessly the ever more inventive ways it has found to come out of nowhere and ruin your metaphorical SkiFree high score. Instead, we talk about the times we almost got eaten whole and, together, we will learn how to fight it.

Track Host:
Christina Camilleri
Penetration Tester & Social Engineer @BishopFox
Christina Camilleri is a Security Analyst at Bishop Fox, a security consulting firm providing IT security services to the Fortune 500, global financial institutions, and high-tech startups. Christina’s primary areas of expertise are web application penetration testing, open-source intelligence (OSINT), and social engineering: not only the psychological and physical aspects of social engineering, but also the manipulation and social influencing techniques that can exploit the behavior of others. She has attended and presented at local and international conferences on social engineering and has won the highest-scoring OSINT report award two years in a row in the DEFCON Social Engineering CTF. She’s an active and passionate contributor to the infosec industry, and a strong believer in user privacy, free expression, and innovation. Prior to joining Bishop Fox, Christina worked as an associate and senior information security consultant at BAE Systems Applied Intelligence, where she primarily concentrated her efforts on social engineering, digital forensics, and application and infrastructure penetration testing.

Trackhost Interview

What types of projects and questions are you focused on?

My specialty is social engineering and web application pentesting. I really enjoy looking at the human side of security as people usually get so caught up in focusing on the technology side of security and tend to forget about the people that are behind it.

Who is your target persona?

Developers with a security interest - those who want to hear about the breaking but also about the fixing moving forward. We’ll look at how developers and security people have moved past the mistakes and focus on how to more effectively move on with addressing security issues.

What are your goals for the track?

Sharing real-world attacks and mistakes made from both the organisation's and the individual's perspective, as well as addressing and overcoming the circular hatred between development and security processes. Developers build great programs and hackers break them - that much we know all too well. Mistakes happen, things go wrong - what’s important is what we do with what we learned and how we prevent similar vulnerabilities from appearing again.

What do you want someone to leave from your track with?

I hope someone walks away from this track with a better understanding of the value of security for themselves as a developer and for their organisation. For security folk, to better understand that problems do happen, and what we’ve learned moving forward.

10:35am - 11:25am

Open Space
11:50am - 12:40pm

by Josh Schwartz
Director of Offensive Security @Salesforce

It is easy to think that securing a product relies on writing code without vulnerabilities and it's true that this is a very important aspect, but a secure product relies on more than just the code written. To an attacker every aspect involved in the development process, from the human element to the build pipeline, is fair game. In this talk we'll take a candid look at the real tactics, with examples, used to compromise and backdoor seemingly secure products by...

1:40pm - 2:30pm

by David Rook
Head of Application Security @RiotGames

In this talk, David will give you an overview of the Riot Games Application Security program. The talk will focus on the tech and social aspects of the program and why David feels both are important when it comes to writing secure code. Specifically David will talk about how we define Application Security at Riot, how we’ve grown to meet the demands of our fast paced engineering organisation, why we’ve hired software engineers into our team and the tools we’ve developed to help Rioters...

2:55pm - 3:45pm

by Wim Remes
CEO/Principal Consultant @NRJSecurity & Board Member (ISC)²

You know how it goes. There is always someone that finds out how to break all the hard work you and your team have put in developing a kick-ass application. Nobody likes to receive security bug reports but they are a reality we have to deal with. Penetration testers, bug bounty programs, independent researchers, and security incidents all provide us with invaluable information to develop better code. The question then becomes what we do with what we learned and...

4:10pm - 5:00pm

by Joe DeMesy
Security Associate @BishopFox

Authors: Shubs Shah, Matt Bryant, and Joe DeMesy

The evolution of the web has blurred the line between traditional web applications and native clients. In an effort to allow web developers to build powerful desktop applications quickly, web technologies have been put into standalone client-side containers, all the while security has remained an afterthought. In this talk we will demonstrate a new class of attacks, that can be leveraged to exploit...

5:25pm - 6:15pm

by Thomas Shadwell
Security Engineer @Twitch

An expression of function within a software ecosystem is inextricably bound to the lexicon used to express it. I explore how distinct, exploitable misuse patterns arise in software languages, and through example in Go – in particular a quietly prevalent and worryingly effective denial of service attack on Go systems affecting the Go toolchain itself – hope to begin greater discourse on the language's distinct security characteristics.