Cheating at AppSec: How devops tools can be used in digital combat for fun and profit

Presented at ToorCon San Diego 20 (2018), Sept. 14, 2018, 1 p.m. (75 minutes)

DevSecOps is becoming the rule, not the exception. Right? Applying the "rule" backwards can prove this wrong. The IT industry is all fired up with talk of DevOps and DevSecOps. What if someone took those same tools and techniques and applied them backward, not to improve security for their own apps and organizations, but to find bugs in OTHER organizations' systems and code? <sarcasm>If only developers had some way to do these checks themselves...</sarcasm> This talk is about using the static and dynamic analysis tools normally used by developers to chase bug bounties in automated ways.

Presenters:

  • Gene Erik
    Gene Erik is a hacker with a wide variety of interests spanning the gamut of hacking topics, including wireless networking, software defined radio, embedded device hacking, phone phreaking, application security, social engineering, and much more. Gene's major passion is taking those hacking concepts, distilling them down, and weaponizing them through automation and tool creation. In the real world, Gene has had experience at companies big and small doing stuff all over the IT professional space: software development; technical support; desktop support; dev(sec)ops (system administration and hardening, orchestration, vulnerability management, cloud architecture and migration, and the software development that goes with it); network engineering; data center and storage architecture; PBX design and management; AppSec; and much more. Gene is a long time ToorCon attendee with a passion for breaking (and fixing) things.
