2019 BASC Presentations
We would like to thank our speakers for donating their time and effort to help make this conference successful.
An Intelligent Approach to Upgrading OSS Libraries
Maintaining secure versions of third-party libraries is a repetitive and tedious task at best. At worst, with many interdependent internal projects (think microservices) and dozens of layers of transitive dependencies, it is a logistical nightmare. A top-down, ad hoc approach is often used to resolve vulnerable third-party libraries, prioritizing high-severity vulnerabilities or internal projects critical to business functions, but failing to address the larger impact of vulnerabilities. TraceLink is taking a different approach, utilizing the graph structure of interconnected projects to perform security upgrades in an informed order from the bottom up. This process aims to automate third-party library version maintenance as much as possible, aiding in the completion of vital security upgrades and compounding the effects of each individual upgrade to reduce overall work done.
OWASP Serverless Top 10
In moving to serverless, we shift some security responsibilities to the infrastructure provider by eliminating the need to manage servers. Unfortunately, that doesn’t mean we’re entirely absolved of all security duties. Serverless functions still execute code and can still be vulnerable to application-level attacks. As a new type of architecture, serverless presents new security challenges. Some are equal to traditional application development, but some take a new form. Attackers are thinking differently, and developers must do so as well to gain the upper hand.
In this talk, I will dive into the Top 10 risks of the OWASP Serverless Top 10 project. I will discuss why these risks are different from traditional attacks and how we should protect our application against them. I will also introduce OWASP DVSA, a deliberately vulnerable tool, aiming to assist both security professionals and developers to better understand the implications and processes of serverless security.
Security Culture Hacking: Disrupting the Security Status Quo
This session is an exploration into the world of security culture hacking. In the wake of the “data breach of the day”, organizations claim they are more serious about security. The truth is that many still have weak security cultures. At the end of the day, how much actual security culture change occurs post-breach? The answer is not enough. This session describes how to change security culture from the inside out, utilizing best practices and real-world examples. With security culture disruption, the security team attempts to impact employees through positive security learning and experience.
The session begins by introducing the audience to the concepts of security culture and security culture hacking, and then explains the security status quo. Security culture hacking is the skills and creativity necessary to disrupt an existing culture and redirect it towards a more secure future. Security status quo is the idea that companies move in a herd mentality and believe that their security must only be an average of their peers. To prove this point, we profile some anonymous organizations based on their external security story versus reality. Next, we’ll discuss what makes a good security culture hacker, including the skills required for success in this type of endeavor.
The middle of this session includes a how-to of hacking security culture. Each section includes various tips and stories from real-life experience about how to influence security culture. The phases of security culture improvement are explored, including awareness, big learning, and community. In addition, organizational reach, marketing, rewards, recognition, and metrics surrounding security culture improvement are discussed. It’s time to make security fun.
At the conclusion, a plan is laid out for how a learner could put true security culture change into practice in their organization. Audience members receive a 30-60-90-1-year plan for how to implement true security culture change.
Critical Thinking in Cybersecurity
Security's most important skill is overlooked – critical thinking. Keeping up with the latest technical tools and trends is only one contributor to success. Security is a constantly evolving field. Long-term success requires that we think on our feet—regardless of technology—to understand tools and how to apply them to the changing landscape.
We often do not think about critical thinking. What does it feel like? How is "critical" thinking different from "normal" thinking? How do you develop these skills? And how do you apply them to security?
Critical thinking is part art, part science. It takes a combination of intuition, logic, and creativity to understand the 'why' and not just the 'how.' It should help us address the root cause of an issue and not just the symptoms. In security it means decomposing a problem, analyzing objectively, evaluating a hypothesis, and recognizing context. This session will explore how to apply critical thinking in your day-to-day job pulling from my experience and observations across academia, industry, and government.
Open Source Security on a Shoestring
Securing assets is a difficult job without the appropriate support, whether from your superiors or in the form of access to resources: getting what you need can be challenging, but that is no excuse for not securing them. In small and medium companies where technology departments are service oriented, security is often overlooked in favor of ease of access, forcing IT to compromise on solutions and, potentially, leave the organization vulnerable.
This talk will explore the open source and open access tools available to the public, their pros and cons, the elements to consider when implementing them, and the hurdles along the way, covering basic aspects of security in a company: incident response, application security, network security, training, risk & compliance, among others. Analysts, engineers, and technicians whose many hats may result in security holes benefit from the implementation of these tools… and managers benefit from knowing alternatives to the increasingly costly solutions in the market.
Put that Cease and Desist Down: How to Train Your Org to Work with Hackers
Before that hacker slides into your brand’s DMs, how do you prepare your organization to talk to researchers and recognize a vulnerability disclosure? Today, poorly handled disclosures can cause the same reputational damage as a public security incident. As security continues to climb the ranks of importance, more decision makers and stakeholders are involved in interactions that were once solely owned by security teams. The vulnerability reports are coming. Ready or not. Everyone is on the front lines of security, and this includes researcher interactions. Are your executives, legal, PR, and social media teams prepared?
Based on hundreds of hacker and company mediation requests, this talk will look at common and extreme scenarios many are seeing for the first time. We will cover real-world communication failures, as well as the success stories you will never read about. Attendees will walk away armed with practical tips to prepare their colleagues for the inevitable vulnerability report, starting with hacker motivations, what disclosure success looks like, and de-escalation tips. This talk will cover: responding to vulnerabilities reported via social media; how to minimize the chances of your vulnerabilities ending up on Twitter; tips for keeping the press out of your bug reporting workflow; preparing your company to talk to a hacker who is requesting cash; de-escalation tips to find a happy f@%#&$* ending when tempers flare and you are caught in the middle; and how to advocate for security researchers without losing friends or your job.