Developers, developers, developers.: When DevOps Fails to secure.

Presented at ToorCamp 2018, June 23, 2018, 2:30 p.m. (20 minutes)

In the last year, I’ve found some pretty stupid security mistakes. Blatantly overlooked controls, or flat out lazy system admins. I will show real-world examples of misuse & abuse, and improper data handling of passwords inside application code. When talking about the security of a system as a whole, we must remember a breech in one system, can lead to a breach on another system because of the implicit trust relationships we build to get the job done. I will cover how we pulled down 1.2M hashes and cracked them and what controls were missed, and how to prevent it from happening again.

Presenters:

  • David Bryan / VideoMan as David Bryan - VideoMan
    David M. N. Bryan is the Global Managing Consultant in charge of Technology with X-Force Red, IBM’s elite security testing team. His responsibilities include establishing standardized tool sets and environments for project delivery, and delivering on pentest projects. David has over 17+ years of professional Information Security experience. From being a defender of security at a top ten bank, to securing the DEF CON network. David has been a participant in the information security community for 18+ years, first starting out as a DEF CON volunteer (Goon) - and now is on the board that runs Thotcon, a Chicago Information Security conference. For the last ten years David has been the attacker in many scenarios as a penetration tester covering: network, embedded, wireless, web applications, and physical security. David has presented at BlackHat, DEF CON, ToorCon, LayerOne, ToorCamp, BSides Events, and AppSecUSA. David lives in cold, but beautiful Minneapolis Minnesota.

Links:

Similar Presentations: