Title: Hack Yourself First: How to go on the cyber-offence before online attackers do
Abstract: 'Hack Yourself First' is all about developers building up cyber-offence skills and proactively seeking out security vulnerabilities in their own websites before an attacker does. It recognises that we have huge volumes of existing websites that haven’t gone through sufficient security review, plus we continue to create new content that, even when built with security in mind, still needs testing from the perspective of a cybercriminal. In this session we’ll look at website security from the attacker’s perspective and exploit common risks in a vulnerable web application. The session is entirely web framework agnostic – if your website uses HTML and is loaded over HTTP, this session is for you!
Bio: Troy Hunt is a prolific blogger, speaker and antagonist of poorly secured websites. A Microsoft MVP for Developer Security, Troy’s focus is on helping developers secure the web by demonstrating the execution of attacks and then walking through the mechanics of the mitigations. Troy’s also the author of two Pluralsight courses that follow this pattern – the OWASP Top 10 for ASP.NET and Hack Yourself First – as well as the creator of ASafaWeb, the Automated Security Analyser for ASP.NET websites.
Title: Whitelist is the New Black
Abstract: Damian will be discussing the perils of using blacklists and how easily they can typically be bypassed for attacks such as Cross-Site Scripting (XSS), SQL Injection (SQLi), and File Uploads. He will also cover why whitelists should be favored over blacklists and some techniques for proper implementation.
Bio: Damian Profancik is a Security Consultant in the Application Security Group of Trustwave’s SpiderLabs. He has worked as a server/network infrastructure and security consultant for over 12 years, with the last 4 years solely focused on information security. His main focus has been on application security and vulnerability research. He has worked in this capacity both independently and for a number of companies ranging from small businesses to Fortune 100 enterprises. His work has included network penetration testing, application penetration testing, reverse engineering, exploit development, architectural design analysis, code review, and forensics. He is actively involved in the information security community through speaking engagements at events such as DerbyCon, ShmooCon, OWASP, and ISSA, and he is a co-leader for the local OWASP chapter.
Food, drink and location provided by Pondurance