The Un-parsing Manifesto: Reconnecting our Corpus Callosum

Presented at ShmooCon 2023, Jan. 21, 2023, 2:30 p.m. (30 minutes)

Ask almost anyone what we need to do about XSS or SQL injection, and they’ll tell you by rote: “input sanitization!” But I bet you also question password policies like “must not include ,.<>/?%^&*”. I’ll blow your mind by describing how, like regular password changes, input sanitization is a weak control that’s out of step with development practice, and what you can do instead. The idea is basically this: malice is in the buffers of the data consumer, and no data is intrinsically malicious. And it turns out we already believe this implicitly, except when we’re working from the input handling side of our brains.
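The consumer-side alternative the abstract alludes to, as an added example that is not from the talk or the presenter: it assumes the "what you can do instead" is contextual encoding at each sink (HTML escaping, parameterized SQL) and contrasts that with a context-free input sanitizer built from the quoted password policy, which mangles legitimate data while the sink-side controls keep it intact. The user table and names are constructed for the example.

```python
import html
import sqlite3

# Characters from the password policy quoted in the abstract (constructed list).
POLICY_FORBIDDEN = set(",.<>/?%^&*")


def sanitize_input(value: str) -> str:
    """The 'input sanitization' control: strip characters someone guessed are dangerous.

    It knows nothing about where the data will end up, so it damages legitimate
    values (passwords, names) and still misses characters relevant to sinks it
    never anticipated (it leaves the apostrophe in O'Brien untouched).
    """
    return "".join(ch for ch in value if ch not in POLICY_FORBIDDEN)


def render_html_greeting(display_name: str) -> str:
    """Consumer-side control for the HTML sink: encode for HTML at the point of use.

    The data is stored exactly as the user typed it; only the HTML consumer
    decides how to represent it safely in its own buffer.
    """
    return f"<p>Hello, {html.escape(display_name, quote=True)}!</p>"


def lookup_user(conn: sqlite3.Connection, display_name: str) -> list:
    """Consumer-side control for the SQL sink: a bound parameter keeps data as data."""
    cur = conn.execute(
        "SELECT id, display_name FROM users WHERE display_name = ?",
        (display_name,),
    )
    return cur.fetchall()


def demo_db() -> sqlite3.Connection:
    """Constructed in-memory table with two users whose names a sanitizer would break."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, display_name TEXT)")
    conn.executemany(
        "INSERT INTO users (display_name) VALUES (?)",
        [("O'Brien",), ("Ada <Lovelace>",)],
    )
    conn.commit()
    return conn
```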

Presenters:

  • Falcon Darkstar Momot
    Falcon Darkstar Momot (@falcon) was a penetration tester and researcher for 9 years and is currently the manager of product security at Aiven.io. He’s a security generalist with expertise ranging from cryptosystem design to application security. Currently an MBA student, he finished an M.Sc. in information systems by describing how formalized security basics like identity establishment and network engineering basics like broadcast domains, and not blockchain or emerging technologies, would solve our intelligent transportation system problems.
