NCC Group's Open Forum


Details
This quarter's NCC Open Forum will be held at the Basecamp offices (https://basecamp.com/about/office)! We'll have food and drinks to start things off as people roll in and then we'll head to the theater to get the presentations started.
Schedule:
6:00 - 6:30: Drinks and Food
6:30 - 7:00: Wrapping up Starfighter by Thomas Ptacek
7:00 - 7:30: CSRF in the Modern Age by Tanner Prynn
7:30 - 8:00: C, Crypto & Clojure by lvh
Presentations:
Title: Wrapping Up Starfighter
Speaker: Thomas Ptacek
I ran recruiting for Matasano Security, successfully moving us towards a resume-blind hiring process based on CTFs. Then I started a company based on those ideas, called Starfighter. That didn't work. I'd like to talk about what I've learned about how to hire security people, and what I learned about how not to run a recruiting firm.
Title: CSRF in the Modern Age: Sidestepping the CORS Standard
Speaker: Tanner Prynn
Any site your browser visits can make cross-site requests to any domain it wants, with relatively few restrictions. Abuse of this functionality is known as Cross-Site Request Forgery (CSRF). CSRF has been around for 15 years, and for most of that time CSRF tokens were the only solution. More recently, the Cross-Origin Resource Sharing (CORS) policy was developed to allow "safe" cross-origin requests. In reality, CORS has opened up a new attack surface for cross-site requests and made preventing them more complex.
This talk will cover the surprising versatility of CSRF as an attack vector, and the numerous ways applications fail to protect themselves. We will be exploring the "dark corners" of CORS, and will discuss how the standard violates users' expectations. Finally, framework-level protections against CSRF will be discussed, along with how these protections are often subverted, leading to a better understanding of how to test for and protect against modern CSRF.
Title: C, Crypto & Clojure with ✨
Speaker: lvh
One of Clojure's strengths is its JVM interop, but sometimes you really want to call some C code. Perhaps you have a legacy .so/.dll you inherited; perhaps you're calling a video decoder or some cryptographic routines. This talk focuses on that interop, using a cryptographic library (caesium) as a specific example. It shows how Clojure can still leverage its strengths here, providing a significantly better environment for both R&D and general use than plain Java or even other high-level C-centric environments like Python. This talk includes the mechanics of how to actually do this, lessons learned managing a real library used in production, and future efforts to make this process smoother for future programmers (e.g. manylinux1).
P.S. Interested in giving a security related presentation at the next Open Forum? Send us a message and we'll work with you to get you on the next open slot.
