I had the privilege of presenting at GOTO Chicago 2017. I hosted the security track at the conference and gave a talk on the evolution of Threat Modeling and Risk. This talk builds a basic foundation of what makes up Threat Modeling and how it plays into improving the quality of Risk analysis. The talk goes on to explain the evolution of manual Threat Modeling and Risk Analysis and talks about how to automate systems to arrive at a state of continuous analysis of systems.
I was invited to speak once again at Windy City Rails. I enjoy this conference because they do a great job with it. It remains a single track conference which I really enjoy. The venue was nice and the people were great. A link to the slides can be found here.
I recently had the pleasure of meeting the fine folks at CrossChx and presenting at their monthly scaletech meetup. I talked about some of the challenges present in securing web applications and what we can do to improve security as we scale. I hope you enjoy the video below. The slides are available here.
As humans we process information as it is presented to us. We use the information presented to us to decide on how to react and possibly adapt to the current situation. This trait has a lot of advantages and has served us well over many years. Our approach to the security of our systems should be much the same. This presentation introduces patterns for processing potentially malicious activity and weaving an adaptive security system.
Designing secure systems is a very difficult task. Even the smallest issues can have devastating consequences. As designers of these systems we have to do everything in our power to ensure that these systems function as intended. Join Aaron as he demonstrates techniques for formally verifying security systems. These tools demonstrate the power of functional languages as verification systems against both functional and imperative software systems. You will learn how to create functional models and use them to prove the correctness of your security systems.
Keeping a multi-faceted system running is hard work. It’s even harder when you have to deal with the day-to-day nonsense that happens on the web. Gathering the data you need to drive your business is also a tricky game. It is made even more complicated by all of the bots running around messing up the place. And the attacks. Oh, the attacks. Every day, all day, with the attacks…
This talk explains how to write custom modules for NGINX in C. It goes into detail about how NGINX handles requests and how and where to insert your modules to get the desired result.
Following close on the heels of Heartbleed, we have seen a resurgence in questioning C as the implementation choice for critical infrastructure. With performance innovations on managed runtimes, the option to implement more and more critical pieces in alternative languages is becoming tangible. Of course, this brings along with it a different set of problems. To rewrite a system like OpenSSL, or even just to implement SSL/TLS on top of a managed runtime, there are some serious obstacles to overcome.
Every year billions of dollars are spent on preventing breaches. While some of these systems are doing a sufficient job of keeping data away from the hands of attackers, it has become clear that there is no real way to prevent breaches with 100% certainty. Of course time should be spent building proper controls, but if we hope to survive the next decade, we need to focus on detection and remediation.
In this talk, three Rails security specialists will take a journey through a terrifying Rails application to illustrate common security problems we have seen in the real world. The discussion will include how to identify, fix, and prevent the issues with an emphasis on practical advice. Along the way we will share our experiences and perspectives concerning securely implementing applications. We hope it is a bit scary, and yet fun … like a horror movie!
Web development libraries for Clojure have started to mature, but there are still quite a few gaps. Although there has been some activity in securing Clojure web applications, there has not been much of an effort into documenting the options or even explaining what should be done. This includes authentication and password management, securing application responses and options, as well as code review and deployment. This talk will explore what is available, what is coming, and what does not yet exist in any open and consumable fashion.