OWASP Meetup - South Bay Jan 2020
Details
Security time, courtesy of our host eBay! We will have three exciting talks, lots of people to meet, and great food.
• 5:30 - Doors open
• 6:00-6:15 - Intro/welcome
• 6:20-6:50 - The forgotten phase: Post Incident Review (PIR) (Faranak Firozan)
• 6:55-7:25 - 50 Ways to Leak Your Data: An Exploration of Apps’ Circumvention of the Android Permissions System (Serge Egelman)
• 7:30-8:00 - Threat Modeling: Creating a customized framework in an agile environment (Chaitanya Bhatt)
Talk 1: The forgotten phase: Post Incident Review (PIR) (Faranak Firozan)
In this talk, Faranak will put the PIR back into the incident/attack cycle and share best practices and case studies on building and maintaining this forgotten phase.
Bio:
Faranak joined Uber, a company transforming transactions through technology, as a CyberSec Investigator/Incident Commander. She is currently responsible for building and implementing a Post Incident Review program for a company that has 91 million monthly active platform consumers, 14 million trips completed each day across 63 countries, and over 22000 employees.
Having been a subject matter expert in Anti-Money Laundering at private banks and private wealth management firms, she clearly sees how companies get busy defending against attacks and forget to stop and smell the effects of the attack, take a deep breath, and redirect their strategy. The result has been history repeating itself.
Talk 2: 50 Ways to Leak Your Data: An Exploration of Apps’ Circumvention of the Android Permissions System (Serge Egelman)
Do Android permissions work? Do they succeed in protecting Android users from intrusive monitoring and other privacy violations by preventing apps from exfiltrating sensitive data? After all, users are up against some determined and tricky privacy violators. We did a detailed study to find out the different ways that apps cheat the permissions system and found two classes of techniques that apps use to cheat: covert channels and side channels. We found side channels ranging from filesystem access to operating system resources, to direct communication with network routers, to unprotected low-level access to system calls in native C++ code. We found covert channels, where one app with an SDK and permission to access data stashes it in onboard storage so that another app without permission can read it at a known location. We'll talk about some examples of both of these attack types from our observations.
Bio:
Serge Egelman is the CTO and Co-Founder of AppCensus, Inc., and the Research Director of the Usable Security and Privacy group at the International Computer Science Institute (ICSI) at Berkeley. https://www.linkedin.com/in/serge-egelman-3018614/
Talk 3: Threat Modeling: Creating a customized framework in an agile environment (Chaitanya Bhatt)
Threat Modeling is the art of foreseeing the threats associated with an application and getting them fixed at a very early stage. Various Threat Modeling frameworks have been developed over the years, and most companies follow one of them. However, these frameworks lack some of the steps that are most crucial to getting the full benefit of Threat Modeling. The aim of this presentation is to help you create your own customized Threat Modeling framework based on your organization's risk appetite. We help you complete the full circle of Threat Modeling in an agile environment and create a feedback model to understand the overall threat landscape for any organization.
Bio:
Chaitanya Bhatt is an information security professional working as a Staff Security Engineer at eBay who specializes in Application Security and Vendor Security Assessment. Chaitanya holds a Master’s degree in Computer Engineering and has 6+ years of experience in source code analysis, vendor security and Threat Modeling.
