NCC Group Open Forum (OC)

This is a past event

44 people went

Location image of event venue


Please join us for another iteration of NCC Group Open Forum, this time we're meeting in OC! Hosted at Karl Strauss in Costa Mesa, this event will bring together experts and aficionados of all things security-related to meet with their peers and help build ties within the local community. The evening will feature three distinct talks on information security, food and beverages, and great conversation. Please RSVP since spots are limited!

DATE: Wednesday, June 6, 2018
TIME: 6:00pm-9:00pm
LOCATION: Karl Strauss Brewing Company, 901 S Coast Dr, Costa Mesa, CA 92626
RSVP via if you wish to attend!

***food and beverage provided, bring valid ID for beer/wine***


SPEAKER: Sean McAllister / Cytense Inc.
PRESO SUMMARY: FRIDA ( ) is a debugging and instrumentation platform that is horribly underutilized in the AppSec world. This powerful tool allows you to inject JavaScript into native apps on (almost) any platform you care about, and provides an easily scriptable interface to inject, and interact with an application in memory, providing you with control over the application as robust as your imagination allows. This talk will dive into FRIDA and it's practical uses for AppSec processionals and hackers, and show once again nothing is safe. Ever. This is a massive update to the OWASP OC talked I presented in 2017.
SPEAKER BIO: Sean McAllister has been involved in the Infosec/hacking world for the last 15 years, and has worked for both the private and public sector as an application security consultant and reasearcher. He is currently a Managing Partner at Cytense Inc. and organizer of ShellCon (


SPEAKER: Jake Heath / NCC Group
PRESO TITLE: Tracing User Input Through JS is for Tools
PRESO SUMMARY: Being able to comprehend causal relationships between sources of user input and their corresponding output separates the master web hacker from the novice script kiddie. The better a tester can grasp these relationships, the faster they can abuse lapses in output encoding, identify dangerous patterns, and understand the overall attack surface of an app. However, enumerating these relationships is difficult and time intensive to do by hand, especially with JavaScript-heavy apps. Security scanning tools have tried to automate this procedure, but they face several problems in modern web apps. Intercepting proxies, like Burp Suite, support tracking user taint between HTTP requests and responses. Yet, they still fail when it comes to tracking taint within complex client-side JavaScript. All of these problems stem from the popularity of frontend frameworks and the lack of tooling to address how these frameworks manipulate user input. To solve these problems, we need a tool that augments, not automates, a manual penetration tester by helping them understand all of the inputs and outputs of a web app. To this end, we present Tracy, a tool for assisting penetration testers with enumerating every sink of output for all user input sources.
SPEAKER BIO: Jake Heath is a penetration tester with NCC Group, familiar with performing web application, network, and hardware penetration tests.


SPEAKER: Daniel Rice / Sagewise
PRESO TITLE: When Smart Contracts Are Not Smart
PRESO SUMMARY: When smart contracts go wrong. A deep dive into the security and issues around cryptocurrency, blockchains, and smart contracts.
SPEAKER BIO: Daniel Rice is the co-founder and chief technology officer of Sagewise. Sagewise builds tools that act as a safety net for smart contracts. Daniel is a veteran software engineer and team leader with expertise in blockchain and finance. Daniel’s previous role was as CTO for Totum Risk which provides portfolio analytics software. Totum was selected for YNext incubator in 2016, which was awarded “top accelerator” honors by Finance Magazine. Daniel has helped launch over 20 products, and as an entrepreneur his personal apps have been downloaded over 5 million times.

About the NCC Group Security Open Forum

The NCC Group Security Open Forum is an informal and open venue for the discussion and presentation of security related research and tools, and an opportunity for security researchers from all fields to get together and share work and ideas.