Track: Security: The Attacker's Mindset

How Attackers Think. Penetration testing techniques, exploits, toolsets, and skills of software hackers

Track Host:
Christina Camilleri
Penetration Tester & Social Engineer @BishopFox
Christina Camilleri is a Security Analyst at Bishop Fox, a security consulting firm providing IT security services to the Fortune 500, global financial institutions, and high-tech startups. Christina’s primary areas of expertise are web application penetration testing, open-source intelligence (OSINT), and social engineering: not only the psychological and physical involvement of social engineering, but also the manipulation and social influencing techniques that are able to exploit the behavior of others. She has attended and presented at local and international conferences on social engineering and has won the highest-scoring OSINT report for two years in a row in the DEFCON Social Engineering CTF. She’s an active and passionate contributor in the infosec industry, and a strong believer in user privacy, free expression, and innovation. Prior to joining Bishop Fox, Christina worked as an associate and senior information security consultant at BAE Systems Applied Intelligence, where she primarily concentrated her efforts on social engineering, digital forensics, and application and infrastructure penetration testing.

10:35am - 11:25am

Open Space
11:50am - 12:40pm

by Josh Schwartz
Director of Offensive Security @Salesforce

It is easy to think that securing a product relies on writing code without vulnerabilities, and it's true that this is a very important aspect, but a secure product relies on more than just the code written. To an attacker, every aspect involved in the development process, from the human element to the build pipeline, is fair game. In this talk we'll take a candid look at the real tactics, with examples, used to compromise and backdoor seemingly secure products by...

1:40pm - 2:30pm

by David Rook
Head of Application Security @RiotGames

In this talk, David will give you an overview of the Riot Games Application Security program. The talk will focus on the tech and social aspects of the program and why David feels both are important when it comes to writing secure code.

Specifically, David will talk about how we define Application Security at Riot, how we’ve grown to meet the demands of our fast-paced engineering organisation, why we’ve hired software engineers into our team, and the tools we’ve developed to help...

2:55pm - 3:45pm

by Thomas Shadwell
Security Engineer @Twitch

An expression of function within a software ecosystem is inextricably bound to the lexicon used to express it. I explore how distinct, exploitable misuse patterns arise in software languages, and through example in Go – in particular a quietly prevalent and worryingly effective denial of service attack on Go systems affecting the Go toolchain itself – hope to begin greater discourse on the language's distinct security characteristics.

4:10pm - 5:00pm

by Joe DeMesy
Security Associate @BishopFox

Authors: Shubs Shah, Matt Bryant, and Joe DeMesy

The evolution of the web has blurred the line between traditional web applications and native clients. In an effort to allow web developers to build powerful desktop applications quickly, web technologies have been put into standalone client-side containers, all the while security has remained an afterthought. In this talk we will demonstrate a new class of attacks that can be leveraged to exploit...

5:25pm - 6:15pm

by Wim Remes
CEO/Principal Consultant @NRJSecurity

You know how it goes. There is always someone that finds out how to break all the hard work you and your team have put in developing a kick-ass application. Nobody likes to receive security bug reports but they are a reality we have to deal with. Penetration testers, bug bounty programs, independent researchers, and security incidents all provide us with invaluable information to develop better code. The question then becomes what we do with what we learned and...
