• 6:00-6:30pm - Food, drink, and socialize
• 6:30-9:00pm - Presentations
#1 Trojaned Gems - You can’t tell you’re using one!
Dependence on software libraries and frameworks continues to grow. More scrutiny is being placed on reviewing the source code of these dependencies for security vulnerabilities, but little attention is being paid to software dependencies while in transit. In this talk, we will expose weaknesses in software delivery mechanisms and show how malicious software can be added/injected into popular software libraries during transit. We will also demonstrate the impact of these weaknesses using a newly developed tool and provide advice and guidance on defending against these attacks.
Brandon Myers is a Security Researcher at Trustwave. He is a member of Trustwave's SpiderLabs - the advanced security team focused on penetration testing, incident response, and application security. He has an interest in software development with a large focus on security. Brandon works in the SpiderLabs Research division as a member of the Vulnerability Assessment Team (VAT) where he helps develop the core engine for Trustwave's Vulnerability Scanning Services.
#2 Attacking and Defending DevOps
DevOps is a movement of philosophy and technology that is changing how software is created and deployed. It brings with it powerful tools, but that power can cut both ways.
In this presentation, we explore how DevOps differs from traditional development and operations, and how it translates into security gains and security risks. We also dive into specific examples of post-exploitation pivoting using DevOps artifacts, and targeting DevOps infrastructure as a single point of failure.
Along the way, we share some war stories and will invite others to discuss and share
Patrick Thomas is a recovering software developer turned penetration tester with Neohapsis (recently acquired by Cisco Security Solutions). When not breaking applications, Patrick helps organizations with the technical and strategic parts of building security into systems. He has previously spoken at Black Hat, DEFCON, SecTor, AppSec Cali, TROOPERS and others.
Alec Gleason is a hacker, developer, and all around geek currently working for Neohapsis (now Cisco) as a Security Consultant. With previous experience in DevOps, development, and systems administration, he focuses on application and network penetration tests. Alec has competed in, architected, and directed over 20 Cyber Defense Competitions at both the regional and National leve