Conference: March 6-8, 2017
Workshops: March 9-10, 2017
Presentation: How to Backdoor Invulnerable Code
Location:
- St James, 4th flr.
Day of week:
- Wednesday
Level:
- Beginner
Persona:
- CTO/CIO/Leadership
Key Takeaways
- Understand what happens when you have a secure product built by insecure systems run by insecure humans
- Learn that a security product is more than just the coded features
- Focus on how to improve the state of security of a company
Abstract
It is easy to think that securing a product comes down to writing code without vulnerabilities. That is an important part of it, but a secure product relies on more than the code that is written. To an attacker, every aspect of the development process, from the human element to the build pipeline, is fair game. In this talk we'll take a candid look at the real tactics, with examples, used to compromise and backdoor seemingly secure products by exploiting the humans and systems that create them.
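The abstract's point is that a clean, reviewed code base can still ship a backdoor if the system that builds it is compromised. The following is an added example, not code from the talk or the speaker: a hypothetical toy pipeline in which the source repository is clean, a compromised build step splices a master credential into the artifact, and the pipeline's own signature still verifies on the backdoored output. The check that catches it is rebuilding the same source on an independent builder and comparing digests (the idea behind reproducible builds). All names, the sample source, the injected lines and the HMAC stand-in for code signing are assumptions made for illustration.

```python
import hashlib
import hmac
from typing import Callable, Dict, List, Tuple

# Constructed sample source: what the developers reviewed and merged.
# Hypothetical code, not from the talk.
CLEAN_SOURCE = """\
def check_password(user, supplied, stored_hash):
    # the reviewed logic: only the real credential passes
    return hash_password(supplied) == stored_hash
"""

# Lines a compromised build step splices in. The repository never contains
# them; they exist only in the built artifact. Constructed for this example.
INJECTED = """\
    if supplied == "svc-" + user[::-1]:
        return True
"""

Builder = Callable[[str], bytes]


def honest_build(source: str) -> bytes:
    """A deterministic 'compiler': drop blank and comment-only lines.

    Deterministic output is what makes independent rebuilds comparable.
    """
    kept = [
        line for line in source.splitlines()
        if line.strip() and not line.strip().startswith("#")
    ]
    return ("\n".join(kept) + "\n").encode("utf-8")


def compromised_build(source: str) -> bytes:
    """The same build step on a CI runner an attacker controls.

    Identical to honest_build except that it inserts a master credential
    ahead of the real check. Nothing in version control changes.
    """
    marker = "    return hash_password(supplied) == stored_hash\n"
    tampered = source.replace(marker, INJECTED + marker, 1)
    return honest_build(tampered)


def sign_artifact(artifact: bytes, key: bytes) -> str:
    """Stand-in for the pipeline's code signing (HMAC instead of a real PKI)."""
    return hmac.new(key, artifact, hashlib.sha256).hexdigest()


def verify_signature(artifact: bytes, key: bytes, signature: str) -> bool:
    """Signature check a consumer of the artifact would run."""
    return hmac.compare_digest(sign_artifact(artifact, key), signature)


def digest(artifact: bytes) -> str:
    return hashlib.sha256(artifact).hexdigest()


def reproducible_check(source: str, builders: List[Builder]) -> Tuple[bool, Dict[str, str]]:
    """Build the same source on independent builders and compare digests.

    A signature only proves which pipeline produced an artifact; it says
    nothing about whether that pipeline was honest. Agreement between
    builders that share no infrastructure is the check that does.
    """
    digests = {f"builder{i}": digest(b(source)) for i, b in enumerate(builders)}
    return len(set(digests.values())) == 1, digests


if __name__ == "__main__":
    key = b"pipeline-signing-key"  # constructed; a real pipeline uses PKI keys
    artifact = compromised_build(CLEAN_SOURCE)
    sig = sign_artifact(artifact, key)
    print("signature valid on backdoored build:", verify_signature(artifact, key, sig))
    ok, seen = reproducible_check(CLEAN_SOURCE, [honest_build, compromised_build])
    print("independent builders agree:", ok)
    for name, d in seen.items():
        print(f"  {name}: {d[:16]}...")
```

The signature verifies on the backdoored artifact because the key lives in the same pipeline the attacker controls; the independent rebuild is what exposes the mismatch. In a real pipeline the builders would be separate machines with separate credentials, and the build would need to be bit-for-bit deterministic for the comparison to be meaningful.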
Interview
I run an offensive security team that consists of red team penetration testing and zero day research. I am focused on improving the state of security for my company through high impact adversarial simulations (Red Team penetration testing), shifting the paradigm of security assessments from rubber stamping towards realistic truth finding engagements, and building the best internal offensive security team in the private sector.
I have seen the pressure to build products quickly trump the intention to build products resiliently time and time again. When I see products being built securely, this normally means the actual code base creates a product that doesn’t have low hanging security flaws. Almost every time I encounter something like this the underlying process, humans, and systems that build, write, and store this code are woefully insecure. I want to share the lessons I’ve learned and teach developers that a secure product is more than just the coded security features, but every aspect that goes into the process.
I think my talk will be entertaining to anyone. Tales of social engineering are stories grounded around human interaction and anyone can relate to that. The more technical stuff requires some familiarity of the technology stack used to put together code.
I suppose, it’s a triple A+ Diamond Level Talk on the scale I made up just now. It has high level explanations and low level technical examples.
Hacking and cyber and a bunch of scary stories are in the news everyday now. I feel like the senior leaders in the development community could walk away with a more holistic view of security then subsequently architect and lead development projects that are more prepared to deal with the risks that they will face.
Corporate Politics.
Tracks
- Architecting for Failure
  Building fault tolerant systems that are truly resilient
- Architectures You've Always Wondered about
  QCon classic track. You know the names. Hear their lessons and challenges.
- Modern Distributed Architectures
  Migrating, deploying, and realizing modern cloud architecture.
- Fast & Furious: Ad Serving, Finance, & Performance
  Learn some of the tips and techniques of high speed, low latency systems in Ad Serving and Finance
- Java - Performance, Patterns and Predictions
  Skills embracing the evolution of Java (multi-core, cloud, modularity) and reinforcing core platform fundamentals (performance, concurrency, ubiquity).
- Performance Mythbusting
  Performance myths that need busting and the tools & techniques to get there
- Dark Code: The Legacy/Tech Debt Dilemma
  How do you evolve your code and modernize your architecture when you're stuck with part legacy code and technical debt? Lessons from the trenches.
- Modern Learning Systems
  Real world use of the latest machine learning technologies in production environments
- Practical Cryptography & Blockchains: Beyond the Hype
  Looking past the hype of blockchain technologies, alternate title: Weaselfree Cryptography & Blockchain
- Applied JavaScript - Atomic Applications and APIs
  Angular, React, Electron, Node: The hottest trends and techniques in the JavaScript space
- Containers - State Of The Art
  What is the state of the art, what's next, & other interesting questions on containers.
- Observability Done Right: Automating Insight & Software Telemetry
  Tools, practices, and methods to know what your system is doing
- Data Engineering: Where the Rubber meets the Road in Data Science
  Science does not imply engineering. Engineering tools and techniques for Data Scientists
- Modern CS in the Real World
  Applied, practical, & real-world dive into industry adoption of modern CS ideas
- Workhorse Languages, Not Called Java
  Workhorse languages not called Java.
- Security: Lessons Learned From Being Pwned
  How Attackers Think. Penetration testing techniques, exploits, toolsets, and skills of software hackers
- Engineering Culture @{{cool_company}}
  Culture, Organization Structure, Modern Agile War Stories
- Softskills: Essential Skills for Developers
  Skills for the developer in the workplace