5:30-6:15 pm - Networking with Drinks & Food
6:15-6:45 : Speaker: Firing Bots at Bugs, Jasvir Nagra, Google
7:00-7:30 : Speaker: Headless Browser Hide and Seek, Sergey Shekyan & Bei Zhang, Shape Security
7:30-8:00 : More food, drink, and security "hallway con"
Firing Bots at Bugs - Jasvir Nagra
It remains all too easy to find simple security vulnerabilities in many web applications. Why is it so hard to automatically find vulnerabilities when finding them manually remains so relatively easy? In this talk, we’ll share some of gotchas that we’ve run into scanning for web security bugs at Google, armed with a 'firing squad' of examples. We'll then walk through some of the solutions we've come up with, and finish up with a few unsolved problems which remain that really make web vulnerability scanning a hard (but fun!) problem to work on.
Headless Browser Hide and Seek - Sergey Shekyan & Bei Zhang
Headless browsers have become indispensable tools for security teams, researchers, and attackers focusing on web applications. Tools like PhantomJS enable anyone to automatically interact with highly dynamic websites and to perform many types of automated attacks.
This presentation will dive into headless browser detection and spoofing techniques.
Sergey Shekyan is a Principal Engineer at Shape Security, where he is focused on the development of the new generation web security product. Prior to Shape Security, he spent 4 years at Qualys developing their on demand web application vulnerability scanning service.
Bei Zhang is a Senior Software Engineer at Shape Security, focused on analysis and countermeasures of automatic web attacks. Previously, he worked at the Chrome team at Google with a focus on the Chrome Apps API. His interests include web security, source code analysis, and algorithms.