Could a scan of the Empire’s Death Star software have found the insider threat that Galen Erso left in the Death Star’s systems? My hypothesis is that if the Empire had used a static analysis tool to look for issues, then maybe the outcome of the Star Wars movies would have been different. The speaker will explain the terms “Secure Coding” and “Static Code Analysis” and give associated examples. Speaker: Mary Waddick
Automated scanners won’t find you bugs these days. They take tens of hours to complete, and even then with a high false rate. You need a minimal, smart scanner with easy installation, easy configuration, and relatively high accuracy while hunting for bugs. This talk is focused on creating such a browser extension to yield better results in less time. The browser extension requires less manual effort and produces more accurate results in just a few seconds.
New privacy laws such as the GDPR and CCPA have greatly advanced individual data rights, although the ability to request access to all personal information held by a company has created new attack vectors for OSINT. These data access requests are usually managed by legal or compliance teams without security review, increasing the potential for phishing, social engineering, and “legal DDoS.” This talk covers regional personal data access options, how most companies respond to data access requests, and exploits for common privacy vulnerabilities.
“I didn’t say that!” …The world will be forever changed by Deepfakes. A portmanteau of “deep learning” and “fake”, this trend refers to a new AI-assisted human image synthesis technique that generates realistic video face-swaps which can even be done in real-time. With modern face-swapping video technology, selfies can be used to create videos. A voice can be faked. A face can be faked. This is the new reality. What happens when we cannot trust what we hear and what we see?
Career development is typically seen as a progression of education, certification and job moves. For career development it is helpful to build both technical and non-technical skills in environments that challenge and support learning. One way to build these skills is through volunteering. Community involvement strengthens our community and provides opportunities to stretch and learn new skills. Having worked with a large community of long-time volunteers, I will share their volunteering and career paths to illustrate their lessons learned and opportunities gained.
Many vendors try to sell you snake oil and wine and dine you during the review process, then leave you high and dry afterwards. This talk focuses on how to do full tests of endpoint products to make sure you know what you are really getting into and are not just being sold some fancy snake oil. The talk covers the technical aspects of the testing as well as the functionality of the product in your own environment.
Passwords have been used to secure user sessions in computing since the time sharing era. Cryptography, collaborative standards development, and persistent network connectivity have led to new options for authenticators, while determined attackers and ever-expanding computing power have minimized a password’s security value. Recently, NIST engaged with the identity community to substantially revise guidance around digital identities, authenticators, and federation security. This session will explore authenticators from passwords to the latest FIDO 2 standards, focusing on how to improve security while not negatively impacting user experience.
Nelson Mandela said, “Know your enemy - and learn about his favorite sport.” What does it mean to get to know the enemy in 2019? Join us on a 5+ year journey of a CTI department and learn why a Fortune 500 decided to F! Attribution. In this talk, you’ll learn how the who and why of attribution mean little when compared with TTPs in most companies’ cyber threat intelligence programs.
Disaster Recovery isn’t exciting or prestigious, but recent real-world examples have shown the consequences of failing to create and test an effective plan. Building a clear, flexible plan will let you recover gracefully from an outage and meet your service requirements. This talk will lay out how to model failures in your environment, create and document a plan for recovery, and test it thoroughly. Prepare your team to respond to a disaster (be it environmental, fire, or ransomware, to name a few).
Times have changed, paths have changed, heck, the only thing constant is change. Therefore, what we look for when we hire should change, but has it? There are some people and companies that are willing to take chances on people who are a bit outside the “norm” for our industry, but should those people be outside the norm? With our shortage of people, and the low level of diversity of people in our field, isn’t it time we changed our parameters a bit?