Traps of Gold

Presented at DEF CON 19 (2011), Aug. 6, 2011, 11 a.m. (50 minutes)

The only thing worse than no security is a false sense of security. And though we know, "you can't win by defense alone", our modern approaches tend to act as though offense and defense are two entirely separate things. Treating security as an issue of quality has gotten us far, however, nearly everyday, some of the largest companies are still being compromised. It's become apparent that with enough time a skillful attacker will always get in. We have created new armaments to fight back. This style of fighting, known as maneuverability, aims to make your opponents expend their own resources while putting yourself in a position of strategic advantage. Using techniques that leverage deception, ambiguity, and tempo we believe we can do better to protect web applications. If time is an attacker's most important resource, let's steal it away from them. But talk is cheap. Not only will we demonstrate real world examples of this system, we encourage you to prove us wrong. An unofficial web application capture the flag competition, based on deceptive defense techniques, will be made available for testing throughout the conference.


Presenters:

  • Michael Brooks - Security Researcher
    Michael Brooks writes exploit code because it is challenging and a privileged art form. He writes secure software and helps others do the same because secure software is a luxury that should be shared. He is the top answerer of security and cryptography questions on StackOverflow.com (Rook). Exploit Code: http://www.exploit-db.com/author/?a=628 He works for Sitewatch: https://sitewat.ch
  • Andrew Wilson - Security Consultant, Trustwave SpiderLabs
    Andrew Wilson is a Security Consultant at Trustwave. He is a member of Trustwave's SpiderLabs - the advanced security team focused on penetration testing, incident response, and application security. He has over 9 years experience building and securing software for a variety of companies. Andrew specializes in application security assessment, penetration testing, threat modeling and secure development life cycle. Andrew is active in the developer and security community as a speaker, a trainer, and as a leader of the Phoenix OWASP group. Twitter: @Kuzushi

Links:

Similar Presentations: