Viewing 0 current events matching “OWASP” by Date.
No events were found. |
Viewing 30 past events matching “OWASP” by Date.
Thursday
Mar 13
|
DataPDX presents "AI Governance: Controls, Regulations, Vendors and Agents" with Sunil Soares, CEO of YDC – Google Meet (RSVP for join code) Session Synopsis AI Governance involves managing the trade-offs between innovation and risk management for artificial intelligence. This session will cover the following topics based on Sunil Soares’ books on AI Governance: Agentic AI Governance – Best practices to implement governance within the context of Human-out-of-the-Loop. People – Emerging roles and groups, such as the AI executive sponsor, AI governance leader, AI oversight board, AI steward, and AI center of excellence. Process – 13 components and 100+ controls for AI governance. Technology – Reference architecture to support AI governance including tools and vendors. Regulations – Mappings of controls to regulations such as the EU AI Act. Industry Standards – Mappings of controls to industry standards such as the NIST AI Risk Management Framework, OWASP Top 10 LLM and MITRE ATLAS. Sunil Soares, Private Equity Exit/IAPP AIGP Speaker Bio Sunil Soares is the Founder and CEO of YDC, focused on AI Governance. Prior to this role, Sunil was the Founder and CEO of Information Asset, a data management firm, which he sold to private equity. Sunil is the author of 12 books on data management and AI governance, including The IBM Data Governance Unified Process, Selling Information Governance to the Business, Big Data Governance, Data Governance Tools, Data Governance Guide for BCBS 239 and DFAST Compliance, The Chief Data Officer Handbook for Data Governance, and AI Governance. In the past, Sunil also worked as an auditor at PwC and as a management consultant at Booz and Company. Sunil was a member of the Institute of Chartered Accountants of India and has an MBA in Finance from the University of Chicago Booth School of Business. Sunil also holds the Artificial Intelligence Governance Practitioner (AIGP) certification from the International Association of Privacy Professionals. 
He has also successfully completed the IEEE CertifAIed™ Assessor Training for AI ethics assessments. |
Thursday
Aug 29, 2024
|
Portland Python User Group meetup – NewRelic RSVP on meetup dot com Event Agenda: There will be a main talk between 30 minutes and 1 hour followed by optional lightning talks. Pizza will be provided by New Relic. Main Talk: Notes from the blue team by Elaine Laguerta Hi! I'm a blue-team security engineer. I try to make it easier for devs to build software while balancing safety and security. In this talk I'll rant about some things I think you should know. What we won't talk about: the OWASP Top 10, how to do SQL injection, which hash functions are the most secure. I'll provide a list of links to answer questions like these! What we will talk about: A basic checklist for secure development, what new devs should learn, how experienced devs can stay up-to-date, and why a healthy team culture should be a core part of your security posture. Lightning Talks: Lightning talks are talks up to 5 minutes in length on any topic that might interest other Python people. |
Thursday
Aug 15, 2024
|
OWASP Open Forum – NedSpace Join us for a new event this month: the OWASP Open Forum. This open discussion format allows you to bring your own questions and experiences in information security to the table. Whether you're solving problems, sharing success stories, or looking for advice, this is the perfect opportunity to engage with a diverse audience, including several long-time OWASP members and other attendees. This forum offers a chance to network, gain insights, and connect with peers who may have similar questions or perspectives. Let's learn from each other and strengthen our community together. Doors open at 5:30. The forum will run from roughly 6 to 7. We'll need to be out of the space by 7:30. We thank NedSpace for hosting us again this month. NedSpace is a co-working space with 15,000 of 11th-floor views, in the heart of downtown Portland, 2 blocks away from Pioneer Square. |
Thursday
Jan 18, 2024
|
Hacking a SaaS: A Practical Guide to Understanding Attack and Defense – Solutional Inc Hacking a SaaS: A Practical Guide to Understanding Attackers and Defending Against Them In this talk, we will delve into the mindset of an attacker and explore the vulnerabilities they exploit in SaaS systems. We will cover the following topics: What motivates hackers to target SaaS systems (5%) How hackers conduct reconnaissance on SaaS systems (50%) The anatomy of exploit chains (40%) Strategies for defending against attacks (5%) Our goal is to provide a practical guide to understanding attackers and defending against them. We will share lots of hacker tips and tricks, and provide plenty of quiz moments to train your intuition. Our focus will be on vulnerabilities that hackers actually care about, rather than theoretical ones. All of our examples will be based on real-world exploit chains, and we will explore multiple vulnerabilities chained together to create media-news-headline-worthy outcomes. By the end of this talk, you will have a better understanding of how attackers think and operate, and you will be better equipped to defend against their attacks. Our January host and sponsor is Solutional Inc, and the talk will take place in their Portland office at 301 SE 2nd Ave. Please RSVP here if you are planning to attend. This is a monthly event of OWASP's Portland chapter. |
Thursday
Sep 21, 2023
|
So you want a career in security? – NetSPI Let’s talk about the different career options in the vast security field, how to prepare and gain the necessary skills in order to break in and succeed. Hopefully this will help you focus on a particular area of the security field that best matches your interests and skills. This is going to be a short presentation with hopefully lots of interactions and Q&A. Doors open at 5:30. The presentation will begin about 6:00. NetSPI is the sponsor for our September event. They are providing food as well as a location. They have sponsored us before, and we are grateful for their continuing support. |
Thursday
Sep 23, 2021
|
OWASP PDX - InfoSec Panel Discussion – Virtual Let's talk InfoSec! RSVP: https://www.meetup.com/OWASP-Portland-Chapter/events/280657220/ Bios: Cassie Clark: Passionate about bringing humans into security. She develops awareness programs focused on behavior change, user enablement, and culture. As Security Awareness Lead Engineer at Brex, she built and leads security awareness for employees and customers. Prior to Brex, she built the security awareness function at Cruise and focused on security engagement at Salesforce. She holds a Master’s degree in Women’s Studies and can often be seen holding a cup of coffee. Traci Esteve: As Director of Technology Governance and Risk for The Standard in Portland, Oregon, Traci Esteve is committed to protecting the confidentiality, integrity, and availability of information and processing resources. She began her career as a developer and infrastructure engineer. This led to her rise to a premier technical architect at Accenture and to expanding the practice in Asia and Europe. Her journey includes staying home to raise her two sons and serving as an advisor to organizations to increase profitability, maximize customer value, and effectively meet regulatory requirements. She has a BS in Applied Science, MBA certification from Miami University, and a certification in Cybersecurity Risk Management from Harvard University. Traci enjoys cooking with her family, drawing, hiking, and encouraging high-school students to believe in themselves. |
Tuesday
Jun 29, 2021
|
OWASP PDX: My Journey to Becoming a CISSP : Study Tips and Life-lessons with Sarba Roy – Virtual Sarba is currently the Product Security Consultant at Umpqua Bank where she is collaborating and acting as a security advisor to the Product teams when new digital technologies and/or business needs are identified. She is also the Membership Chair for the Women In Cybersecurity (WiCyS) Oregon Affiliate, the Chapter Lead for Infosec Girls - Oregon and the Founding member of WomenH2H, a global community for women leaders and changemakers. She is also a passionate volunteer and advocate for women’s empowerment, education equity while being a writer and mentor at heart, dedicated to helping individuals and organizations become more compassionate, curious and cybersmart. RSVP: https://www.meetup.com/OWASP-Portland-Chapter/events/278536668/ |
Saturday
Jun 19, 2021
|
AppSec Pacific Northwest – PNWSEC, aka, Pacific Northwest Application Security Conference is a free application security conference that will be held Saturday, June 19th. It is a virtual, online event sponsored by the OWASP chapters of Portland, Vancouver, and Victoria. Kymberlee Price and Jim Manico to keynote! All of the speakers and workshops can be found on the website: https://pnwcon.com/ Stretching the Truth: Attacking the Elastic Agent By Zander Work Starting Left with Cloud Security By Stefania Chaplin Fuzzing Python Native Extensions By Lucas Amorim CVE-2020-17049: Kerberos Bronze Bit Attack By Jake Karnes Zero-Trust - The Paradigm Shift Required in a Post-pandemic World By Timothy Morgan Ad-Tech for Security People By Will Whittaker Secure Coding of Industrial Control Systems By Vivek Ponnada Six Ways Known-vulnerabilities Sneak Into Docker Containers By Julius Musseau Effects Malware Hunting in Cloud Environment By Filipi Pires Honeytokens: Detecting attacks to your web apps using decoys and deception By Dana Epp Don’t B-MAD: Making Threat Modeling Less Painful By Adam Shostack Women in Appsec: Advice to Differentiate Your Skills By Aarti Gadhia Cultivating Cyber Warriors By Patterson Cake Insiders Guide to Mobile AppSec with OWASP MASVS By Brian Reed Follow us on Twitter at @pnwseccon to see when the workshops are going to be released. |
Wednesday
May 19, 2021
|
Application Security -- The Framework, Processes and Tools to Secure Your Apps – Virtual RSVP: https://www.meetup.com/OWASP-Portland-Chapter/events/277480846/ Excerpt: Traditionally, breaches that make the news are about stealing data and that data being resold for financial gains. Think Target, Ashley Madison, Marriott and so many more. Recently a spotlight was put on supply chain security via the SolarWinds breach and how that affected many companies. The adversaries were able to inject malicious code into applications that have a lot of rights and are widely deployed in many organizations, small and large alike. We will discuss the framework, your SDLC (SDL, SSDLC, etc.) – Secure Development Lifecycle – to lay out how you are going to develop and secure your applications. Customers care about this. Once you have your SDLC, you need to define your processes, select your tools, integrate them into your SDLC and finally automate those tools. This is not a short process and often multiple iterations are necessary to get to a good place. The goal of this presentation is to make you aware of a variety of tools that are out there, the various steps along the way of your SDLC you need to take and how to complete each of these steps. BIO: Derek Hill has over 25 years of experience in Information Security and Information Technology. He is currently the Director of AppSec engineering at ForgeRock, an Identity and Access management company, based in Vancouver, WA. He is responsible for implementing and improving the company’s product security on a continual basis. He works closely with software engineers and security engineers in multiple countries to ensure the ForgeRock products are developed securely and tested in all phases of the development lifecycle. In addition to his full time job, Derek is also a SANS community instructor teaching Security Leadership and CISSP prep courses. 
Prior to his current position, Derek held Information Security, IT management and technical roles at both large and small companies. In each role, he consistently focused on managing high-performing teams, delivering efficient solutions and providing excellent services to a variety of stakeholders, maximizing uptime and security. Derek also has significant experience in cloud technologies, responsible for moving, securing and maintaining them in various cloud environments through their lifecycle. |
Wednesday
Feb 24, 2021
|
OWASP PDX - Game to Dethrone: A Least Privilege CTF with Wenjing Wu P2 – Online via Zoom Abstract: As more businesses migrate their workloads into cloud environments, the importance of following the principle of least privilege (PoLP) to mitigate security risks significantly increases. Unfortunately, the infrastructure being utilized and the mechanism for securing it in the cloud is complex and substantially different than traditional legacy infrastructure. As a result, the amount of practitioners that know how to secure cloud projects is insufficient compared to the number of cloud projects being created. To address this, this paper describes a Least Privilege CTF, a series of Google Cloud based exercises that can be quickly deployed at minimal cost, to allow players to practice applying PoLP in cloud deployments. Joint work with Wu-chang Feng. Bio: Current PHD student at PSU RSVP https://www.meetup.com/OWASP-Portland-Chapter/events/276208217/ |
Wednesday
Feb 17, 2021
|
OWASP PDX - Thunder CTF: Learning Cloud Security on a Dime with Wu-chang Feng P1 – Online via Zoom Abstract: Organizations have rapidly shifted infrastructure and applications over to public cloud computing services such as AWS, Google Cloud Platform, and Azure. Unfortunately, such services have security models that are substantially different and more complex than traditional enterprise security models. As a result, misconfiguration errors in cloud deployments have led to dozens of well-publicized breaches. This paper describes Thunder CTF, a scaffolded, scenario-based CTF for helping students learn about and practice cloud security skills. Thunder CTF is easily deployed at minimal cost and is highly extensible to allow for crowd-sourced development of new levels as security issues evolve in the cloud. Joint work with Nicholas Springer. Bio: Wu-chang Feng is a professor in the Department of Computer Science at Portland State University where he works on topics in cloud computing and security. His current projects include developing CTFs and codelabs to teach advanced topics in security as well as performing outreach to high-schools via camps and internships through CyberPDX and Saturday Academy. RSVP: https://www.meetup.com/OWASP-Portland-Chapter/events/276208151/ |
Wednesday
Nov 18, 2020
|
PDX OWASP - Automate OWASP ZAP Lunch and Learn with Roop Kaur – Online via Zoom Overview: Use OWASP ZAP to detect web application vulnerabilities in a CI/CD pipeline; for this, how we automate ZAP with existing automation scripts. Speaker: Roop Kaur, an engineer at Zapproved RSVP: https://www.meetup.com/OWASP-Portland-Chapter/events/274622842/ |
Wednesday
Sep 16, 2020
|
PDX OWASP - Cloud Security Lunch and Learn with Ashish Patel – Virtual Summary of the Talk: Automate The CloudSec Things - How to automate your response to security incidents within the public cloud space using your current security stack and AWS Lambda. Speaker's Bio: Ashish Patel is a security engineer on the Box Infrastructure Security team. He usually lives in the realm of cloud security and automating security related tasks that scale across multiple clouds & attack surfaces. RSVP: https://www.meetup.com/OWASP-Portland-Chapter/events/272846648/ |
Tuesday
Jul 21, 2020
|
OWASP Portland, Oregon - Secure Coding Tournament (Virtual) through Virtual Secure Code Warrior is going to be hosting a July virtual tournament for our OWASP Portland, Oregon chapter. It's free! Improve your secure coding skills by joining the OWASP Portland Secure Coding tournament on July 21st 8:00AM PDT through July 24th 8:00PM PDT. The tournament allows you to compete against the other participants in a series of vulnerable code challenges that ask you to identify a problem, locate insecure code, and fix a vulnerability. All challenges are based on the OWASP Top 10, and players can choose to compete in a range of software languages including Java EE, Java Spring, C# MVC, C# WebForms, Go, Ruby on Rails, Python Django & Flask, Scala Play, Node.JS, React, and both iOS and Android development languages. Throughout the tournament, players earn points and watch as they climb to the top of the leaderboard. Prizes will be awarded to the top finishers! First place will receive a hoodie, and lots of bragging rights! Tournament times: July 21- July 24th 8:00 AM 9:00 PM Practice times: July 14th - July 21st 8:00 AM RSVP: https://www.meetup.com/OWASP-Portland-Chapter/events/271638472/ |
Thursday
Jul 16, 2020
|
Portland OWASP Study Night - Secure Code Warrior Tournament Study Session – Virtual Topic - Secure Code Warrior Tournament Study Session. We'll cover how to register for our upcoming tournament, cover the game rules, navigate through the menus and do a few practice challenges. Let's be new to this together! This meeting will also be recorded and posted to the PDX OWASP YouTube channel. Host: Samuel Lemly RSVP: https://www.meetup.com/OWASP-Portland-Chapter/events/271905106/ |
Tuesday
Jun 9, 2020
|
Portland, Oregon OWASP Study Night (Virtual) - Detect Complex Code Patterns Using Semantic Grep – Virtual Meeting RSVP: https://www.meetup.com/OWASP-Portland-Chapter/events/271144214/ Abstract: We’ll discuss a program analysis tool we’re developing called Semgrep. It's a multilingual semantic tool for writing security and correctness queries on source code (for Python, Java, Go, C, and JS) with a simple “grep-like” interface. The original author, Yoann Padioleau, worked on Semgrep’s predecessor, Coccinelle, for Linux kernel refactoring, and later developed Semgrep while at Facebook. He’s now full time with us at r2c. Semgrep is a free open-source program analysis toolkit that finds bugs using custom analysis we’ve written and OSS code checks. Semgrep is ideal for security researchers, product security engineers, and developers who want to find complex code patterns without extensive knowledge of ASTs or advanced program analysis concepts. Speaker bio: Clint Gibler (@clintgibler) is the Head of Security Research for r2c, a small startup working on giving security tools directly to developers. Previously, Clint was a Research Director at NCC Group, a global security consulting firm, where he helped companies implement security automation and DevSecOps best practices as well as performed penetration tests for companies ranging from large enterprises to new startups. Clint has previously spoken at conferences including BlackHat USA, AppSec USA/EU/Cali, BSidesSF, and DevSecCon Seattle/London/Tel Aviv/Singapore. Clint holds a Ph.D. in Computer Science from the University of California, Davis. Want to keep up with security research? Check out tl;dr sec, Clint’s newsletter that contains summaries of artisanally curated, top talks and useful security links and resources from around the web. |
Thursday
May 21, 2020
|
OWASP PDX - Yes, You Too Can Break Crypto: Exploiting Common Crypto Mistakes – Zoom Online - See link at Meetup page Abstract Cryptography is tricky. Sure, everybody knows not to roll out their own crypto, but is it enough? Are the standard algorithms, libraries, and utilities always used the right way? This is of course a rhetorical question! Humans keep making mistakes that other humans can exploit, and Murphy’s law continues to prove true: “If there is a wrong way to do something, then someone will do it.” In this talk, not only will we discuss what can go wrong, but also how attackers could take advantage of that. Insufficient entropy? Static initialization vector? Key reuse in stream cipher? Lack of ciphertext integrity? We’ve heard these terms and may be familiar with them in theory, but let’s see actual examples of these and other crypto mistakes and corresponding exploits, and understand how they could lead to real life problems. Are you not on an offensive team and not interested in exploitation? Then this talk is for you too! Come and learn how to avoid common crypto mistakes in your code! Bio Alexei began his career as a software developer. A decade later, he realized that breaking code was way more fun than writing code, and decided to switch direction. He is now a full-time application security professional, with several years of assisting various development teams in delivering secure code, as well as security consulting. He holds OSCP and CISSP, and currently works as a lead product security engineer for Salesforce. RSVP: https://www.meetup.com/OWASP-Portland-Chapter/events/270404725/ |
Tuesday
Apr 21, 2020
|
Portland OWASP Training Night (Virtual) - Learn 10 Things About Wireshark – Online In this class, we'll briefly go over the 10 things that I would like to show anyone using wireshark. There are no prerequisites for this presentation. If you would like to follow along please install the most recent 3.x version of Wireshark. Example packet captures will be provided. Kevan Vanhoff is a Network Security Engineer living in Portland, Oregon. RSVP: https://www.meetup.com/OWASP-Portland-Chapter/events/270075900/ |
Wednesday
Apr 15, 2020
|
Portland OWASP (Virtual) - Crypto 101 with Brian Ventura – Zoom Online - See link at Meetup page They told me to use encryption and it will solve all our problems! What is encryption and cryptography, and why is it important? The web uses certificates to encrypt. How do they fit in? What are they? We will discuss the 3 types of encryption: symmetric, asymmetric and hashing, what they do, how are they different, and how are they used in the real world. Bio: Brian Ventura is an Information Security Architect with 20 years of industry experience. With a diverse background in consulting, public and private sector, and project management; Brian brings a comprehensive view of security and technology. As an architect, he currently focuses on enterprise information security governance, risk and compliance. Brian advises public and private entities on security best practices generally and within large projects. Additional meeting details will be messaged to all Meetup RSVP attendees later. RSVP: https://www.meetup.com/OWASP-Portland-Chapter/events/269992111/ |
Wednesday
Mar 18, 2020
|
Portland OWASP - Kendra Ash - Security Mixer! – New Relic Join us for a night of networking and discussion about security. Kendra will kick it off with a short talk about how to make friends with your developers through automation. Then we will split up into groups and allow people to discuss cloud security, application security, devops and jobs. Bio: Kendra Ash (@securelykash) is a security engineer at Vacasa, actively building out an application security program by leveraging guidance from her network and incorporating industry standards. She is also actively involved with the Portland OWASP chapter. RSVP: https://www.meetup.com/OWASP-Portland-Chapter/events/268903220/ |
Tuesday
Mar 3, 2020
|
Exploring OWASP Juice Shop (with Burp Suite) – CTRL-H In this class, we’ll be exploring how to find the vulnerabilities in OWASP Juice Shop with Burp Suite (and maybe some other security tools if we get some time). You’ll learn to set up the environment to play with in your own time. As well as learning to practically apply the different features of Burp Suite and when it is and isn’t the most optimal tool. This will help you to reproduce security vulnerabilities or help find them for bug bounty programs. Bio: Jordan is an Application Security Engineer at New Relic and a graduate from the University of Pittsburgh with a degree in computer science. She’s Champion ranked in Rocket League and does yoga in her free time. Seating is limited RSVP: https://www.meetup.com/OWASP-Portland-Chapter/events/269026936/ OWASP Juice Shop: https://owasp.org/www-project-juice-shop/ Burp Suite CE: https://portswigger.net/burp/releases/professional-community-2020-1?requestededition=community |
Tuesday
Feb 18, 2020
|
Portland OWASP Study Night: Intro to Threat Modeling with Ray and Zak – CTRL-H Threat modeling is a vital skill for security hats of all colors, as well as for product designers, managers and developers. Ray is a Life Coach and Conspiracy Theorist. He does AppSec in his non-spare time for money. Zak is an Application Security Engineer with many years of development experience. Bring your own dinner/snacks. No provided pizza. Study Nights are smaller, bitesize, digestible, skill building mini lectures or workshops for those interested in learning new skills, tools, tricks, or new CTF challenges. It’s also meant for members to practice communication skills and teamwork in a supportive environment. Study Nights meet the first Tuesday of each month at the ^H hackerspace in North Portland. Doors will be at 7pm, event will start at 7:30pm and wrap up by 8:30. Please bring your computer with Burp Suite installed and preferred note taking mechanisms. Seating is limited RSVP: https://www.meetup.com/OWASP-Portland-Chapter/events/268231564/ |
Tuesday
Feb 11, 2020
|
Portland OWASP Chapter Meeting: CMD+CTRL Web Application Cyber Range – Zapproved Want to test your skills in identifying web app vulnerabilities? Join OWASP Portland and Security Innovation as members compete in CMD+CTRL, a web application cyber range where players exploit their way through hundreds of vulnerabilities that lurk in business applications today. Success means learning quickly that attack and defense is all about thinking on your feet. For each vulnerability you uncover, you are awarded points. Climb the interactive leaderboard for a chance to win fantastic prizes! CMD+CTRL is ideal for development teams to train and develop skills, but anyone involved in keeping your organization’s data secure can play - from developers and managers and even CISOs. All you need is your laptop and your inner evil-doer. Register early to reserve your spot and get a sneak peek at our cheat sheets and FAQs! |
Monday
Jan 13, 2020
|
Portland OWASP Chapter Meeting - Introduction to Burp Suite with Ryan Krause – Vacasa Burp Suite is an integrated platform for performing security testing of web applications. Its various tools work seamlessly together to support the entire testing process, from initial mapping and analysis of an application’s attack surface, through to finding and exploiting security vulnerabilities. Burp gives you full control, letting you combine advanced manual techniques with state-of-the-art automation, to make your work faster, more effective, and more fun. The speaker covers the basics of the tool along with real-world experiences and techniques that can help you as a pen tester. Speaker: Ryan Krause Ryan is a penetration tester based in the Portland, Oregon area. He has worked in various areas of the security field for the past 11 years for companies such as HP, eEye Digital Security/BeyondTrust, and Comcast with a primary focus on application security and development. He is currently a consultant at NetSPI where he performs web and network penetration tests and assists clients with reducing their overall security exposure. |
Tuesday
Jan 7, 2020
|
Portland OWASP Study Night: Burp Suite Basics with Sophia Anderson – Ctrl-H / PDX Hackerspace Happy New Year! Welcome to our second ever OWASP PDX study night. Our January topic will be "Burp Suite Basics" presented by Sophia Anderson. Sophia is a security consultant for NetSPI performing web application penetration tests for Fortune 500 clients to discover vulnerabilities. Sorry no pizza unless you want to bring :). Study Nights are smaller, bitesize, digestible, skill building mini lectures or workshops for those interested in learning new skills, tools, tricks, or new CTF challenges. It’s also meant for members to practice communication skills and teamwork in a supportive environment. Study Nights meet the first Tuesday of each month at the ^H hackerspace in North Portland. Doors will be at 7pm, event will start at 7:30pm and wrap up by 8:30. Please bring your computer with Burp Suite installed and preferred note taking mechanisms. Seating is limited RSVP: https://www.meetup.com/OWASP-Portland-Chapter/events/267644393/ |
Tuesday
Dec 10, 2019
|
Portland OWASP Chapter Meeting: So You Want to Teach Security? Bully for You! – Autodesk Inc This talk focuses on building a security curriculum and teaching it, whether individually, at the workplace or in academia. Start with the following question: Am I the right person to do it? A novice can be downright dangerous, while an expert who can't teach is as useful as a waterproof teabag. Security education is the first line of defense, but who trains the trainers? Are students getting their money's worth? What differentiates your training from others? Join the speaker to share life lessons, funny anecdotes, and useful advice on lecturing, "curriculuming", and critiquing. Learn what it means to containerize a syllabus, deploy labs in a continuous integration-like environment using open source tools and why markdown is a better tool than PowerPoint for creating new content. Consider security textbooks as obsolete, "office hours" mandatory, and the impact of the Family Educational Rights and Privacy Act (FERPA). There will be a test at the end of the talk. Speaker: John L. Whiteman John is a product security expert and instructor at Intel in Oregon. He's also a part-time adjunct instructor teaching cybersecurity at the University of Portland. In a past life, John was a shipboard and classroom instructor in the United States Navy, training hundreds of sailors in the dark arts of passive sonar and torpedo countermeasure systems (in case the former didn't pan out). He also did a stint as a news director for a small radio station in Colorado. John has an M.S. in Computer Science from Georgia Tech and a B.A. in Asian Studies from the University of Maryland UC. He holds CISSP, CCSP and CEH security certifications. John blogs and loves to podcast for the OWASP chapter in Portland. |
Tuesday
Dec 3, 2019
|
Study Night: Introduction to the Command Line Debugger GDB – ^H Hackerspace, 7608 North Interstate Avenue, Portland, OR, United States The OWASP Portland Chapter is pleased to announce regular Study Nights. Study Nights are smaller, bitesize, digestible, skill building mini lectures or workshops for those interested in learning new skills, tools, tricks, or new CTF challenges. It’s also meant for members to practice communication skills and teamwork in a supportive environment. Study Nights will meet the first Tuesday of each month at the ^H hackerspace in North Portland. Doors will be at 7pm, event will start at 7:30pm and wrap up by 8:30. Please bring your computer and preferred note taking mechanisms. The December topic will be an introduction to the command line debugger GDB, presented by Allison Naaktgeboren. Please be sure to have GDB installed if it is not installed by default and your preferred command line interface available. |
Tuesday
Nov 12, 2019
|
Portland OWASP Chapter Meeting: Overcoming Your Greatest InfoSec Adversary: You! – Zapproved Tips on formulating complete sentences without acronyms, learning to pretend you aren't the smartest person in the room, choosing the right animations for your PowerPoint presentations, and more! Let's be honest, you probably didn't get into info-sec because of your love for public speaking, your mastery of written and verbal communication, or your highly-tuned social skills! Regardless, these things are key to your success or failure in info-sec. Dare to join me for a frank if somewhat tongue-in-cheek conversation regarding strategies for simplifying complex conversations, recognizing and overcoming common communication obstacles, translating leet-speak to business language and creating effective visual presentations. Speaker: Patterson Cake Patterson has been in information technology for over 20 years, focusing on security for the past several years in offensive, defensive and leadership roles. He is the founder of Haven Information Security, an instructor for SANS, and the Principal Cybersecurity Engineer for PeaceHealth. |
Wednesday
Oct 9, 2019
|
Portland OWASP - Threat Modeling in 2019 with Adam Shostack – New Relic Attacks always get better, so your threat modeling needs to evolve. Learn what's new and important in threat modeling in 2019. Computers that are things are subject to different threats, and systems face new threats from voice cloning and computational propaganda and the growing importance of threats “at the human layer.” Take home actionable ways to ensure your security engineering is up to date. Speaker: Adam Shostack Adam is a leading expert on threat modeling, and a consultant, entrepreneur, technologist, author and game designer. He's a member of the BlackHat Review Board, and helped create the CVE and many other things. He currently helps many organizations improve their security via Shostack & Associates, and advises startups including as a Mach37 Star Mentor. While at Microsoft, he drove the Autorun fix into Windows Update, was the lead designer of the SDL Threat Modeling Tool v3 and created the "Elevation of Privilege" game. Adam is the author of Threat Modeling: Designing for Security, and the co-author of The New School of Information Security. |
Tuesday
Aug 13, 2019
|
Portland OWASP: Using Graph Theory to Understand Security with Tim Morgan – Simple Using Graph Theory to Understand Security Information security is hard. It must be, because we keep getting hacked. One aspect that makes it so difficult is the level of complexity that exists in even a modestly-sized digital infrastructure. Humans can consider only so many security relationships, trust boundaries, and attack scenarios at once. This complexity makes it hard to decide where to focus our defensive resources and we're regularly led astray by the latest shiny tool or security advisory. Remarkably, our adversaries actually have a similar challenge: once a digital intruder gains a foothold in an environment that is completely new to them, how do they know what next steps they should take to efficiently achieve their goal? The environments they attack are not only complex, they are also unexplored landscapes that must be mapped out. This is where graph theory can lend a hand. Several open source tools, such as BloodHound and Infection Monkey, provide intruders (whether that be your friendly neighborhood pentester or your adversaries) with easy ways to map out infrastructures and identify the quickest path to your crown jewels. While this is certainly alarming, we can also use these tools ourselves to find out what our infrastructures look like in the eyes of an attacker. In this talk, Tim will provide a brief introduction to graph theory, show some demos of the free tools that use it, and discuss how he is using these techniques to build automated threat models "at scale" to make defenders' lives easier. Speaker: Timothy Morgan After earning his computer science degrees (B.S., Harvey Mudd College and M.S., Northeastern University) and spending a short time as a software developer, Tim began his career in application security and vulnerability research. 
In his work as a consultant over the past 14 years, Tim has led projects as varied as application pentests, incident response, digital forensics, secure software development training, phishing exercises, and breach simulations. Tim has also presented his independent research on Windows registry forensics, XML external entities attacks, web application timing attacks, and practical application cryptanalysis at conferences such as DFRWS, OWASP's AppSec USA, BSidesPDX, and BlackHat USA. For the past three years Tim has been building an innovative new risk-based vulnerability management product (DeepSurface) that helps his customers gain a much deeper understanding of the complex relationships present in their digital infrastructures. Visit kanchil.com to learn more about Tim's latest R&D effort. |