LASCON X has ended
Framework
Thursday, October 24
 

10:00am CDT

A Stratagem on Strategy: Rolling Testing into Product Testing
Commercial software products rely on formal test strategies to describe who will perform testing, the process that will be followed, the depth of testing, and more. Test strategies are extended by test plans that detail specific tests that will be executed and how success will be measured. Test strategies and plans support objectively evaluating that software meets requirements and functions properly.

Conversely, security teams think about where security gates should be in the SDLC and deploy SAST, DAST, IAST, or a combination. Rarely is it considered what level of coverage these methods provide, and output from security testing is not mapped back to requirements. Compared to other teams involved in the SDLC, security seems to just be winging their test strategies and plans.

This talk will describe how product teams leverage test strategies and plans to make sure software delivered meets requirements, and how security can do the same.

Speakers

Kevin Fealey

Senior Manager, Product Security, EY



Thursday October 24, 2019 10:00am - 11:00am CDT
Contrast Security Room 2525 W Anderson Ln #365, Austin, TX 78757, USA

3:00pm CDT

"On the Internet, nobody knows you're a dog": Revisiting the meme after 25 years
"On the Internet, nobody knows you're a dog" is an adage and meme about identity verification on the Internet, or rather lack thereof. It began as a cartoon caption by Peter Steiner and was published by The New Yorker on July 5, 1993. Ironically, a quarter of a century later we still seem to be battling the same issues, though on a different scale, and are now looking towards artificial intelligence and machine learning techniques. This talk will provide a high-level overview of the historical trends, current challenges and future opportunities in the field of user identity, online authentication, and access management. The current landscape of AI and ML with specific focus on the identity space will be discussed. It will cover scenarios that work, those that don’t and those that can perhaps serve as a cautionary tale for technologists and policy makers alike.

Speakers


Thursday October 24, 2019 3:00pm - 4:00pm CDT
Under Armour Room 2525 W Anderson Ln #365, Austin, TX 78757, USA

4:00pm CDT

Detect Insider Threats Using Blockchains
The tamper-resistant property of blockchains can be used to identify insider threats to centralized DBs.

Speakers

Nishit Majithia

Security Engineer, Canonical
Nishit Majithia is currently working as a security engineer at Walmart Labs, India. During the internship time of his B.Tech degree, he contributed one payload in ISRO's IMS-1A satellite. After getting M.Tech degree in Cyber Security area from IIT Kanpur, Nishit developed his curiosity...

Rohit Sehgal

Cybersecurity Engineer, VISA
A small town boy and a Security Engineer by passion. OSCP Certified, Masters degree from IITK with specialization in System Security and more than 3.5 years of professional security experience, across Development of security services, Penetration Testing, DevSecOps, System Security, SSDLC...


Thursday October 24, 2019 4:00pm - 5:00pm CDT
Cypress Room 2525 W Anderson Ln #365, Austin, TX 78757, USA
 
Friday, October 25
 

11:00am CDT

Thwarting Intruders with Ever Morphing Infrastructure
Is it possible to break the cyber attack lifecycle by continuously reshuffling the infrastructure and services being attacked?
How would the intruder be able to perform reconnaissance on a network when physical servers are reimaged and brought back online with new keys, passwords, and IP addresses every few hours? We use modern application development and devops techniques such as a service mesh and a bare metal cloud to build an ever-morphing cloud of physical servers. Is that enough to thwart the enemy?

Speakers

John Studarus

Cloud Engineer, Packet
John merges his interests in computing infrastructure, networking, and software security. His background includes leading product teams, writing prototype code and examining distributed systems at Fortune 500s and startups alike. He brings a rare combination of technical expertise...



Friday October 25, 2019 11:00am - 12:00pm CDT
Cypress Room 2525 W Anderson Ln #365, Austin, TX 78757, USA

12:00pm CDT

Micro-services Challenges - Istio to the Rescue
It is widely accepted that monolithic applications do not scale well in a cloud environment. The micro-services pattern offers a solution to monolithic application challenges, like scalability, agility, availability, etc. However, micro-services come with their own set of challenges and issues: duplication of common code is a major one, and in the case of different technologies, there is not only duplication of code, but re-implementation of common functionality in different technologies. Micro-services also add significant overhead for operations as they have to manage many applications.
There is a need to solve the micro-service overhead problem so developers can focus on implementing business requirements instead of re-implementing common functionalities. Also, it should remain easy for devops teams to manage and monitor all applications in a uniform way. Monitoring should also be easier, so we have an efficient way of diagnosing issues: where is the application failing, which micro-service is the issue, etc.

Speakers

Benoit Famechon

R&D Manager, Thales
Benoit Famechon is an R&D manager in the Cloud Protection and Licensing unit of Thales (Austin). He is currently heading a team to develop Authentication, Access Management and Identity based solutions. He has worked in embedded development for Telecommunication smartcards, Strong...

Najam Siddiqui

Solution Architect, Thales
Najam Siddiqui is a member of the technical community at Thales and works in the Enterprise and Cybersecurity group based in Austin, TX. His research interests include identity and access management solutions, web application firewalls (WAF), strong authentication solutions, Web application...



Friday October 25, 2019 12:00pm - 1:00pm CDT
Under Armour Room 2525 W Anderson Ln #365, Austin, TX 78757, USA

12:00pm CDT

Reversing Client Side JavaScript Using the Chrome Dev Tools Protocol
This talk will show how the Chrome Dev Tools protocol works and how we can use it to reverse JavaScript and alter the behavior of an app to find bugs and vulnerabilities. This can be done by writing functions that modify the behavior of web applications and that can automate pentesting tasks. A Go-based tool that allows anyone to write simple plugins for use with this protocol will also be demoed.

Speakers

Alex Useche

Senior Application Security Consultant, nVisium
Alex is an Application Senior Security Consultant at nVisium with over 12 years of experience in the IT industry as a software developer, security engineer, and penetration tester. As a software developer, he has worked and architected mobile and web applications in a wide range of...


Friday October 25, 2019 12:00pm - 1:00pm CDT
Cypress Room 2525 W Anderson Ln #365, Austin, TX 78757, USA

2:00pm CDT

Securing Modern API and Microservices-based Applications by Design
This talk provides the audience with a high-level understanding of modern API and microservices-based application architectures, awareness of key security concerns with these architectures, and knowledge on how to best secure microservices and their APIs. The speaker leverages existing concepts and his years of experience with building security architecture patterns and solutions in this domain for one of the world's largest global financial institutions to present actionable architectural take-aways.

Speakers

Farshad Abasi

Chief Executive Officer, Eureka DevSecOps
Farshad Abasi is the Founder and CEO of Forward Security and Eureka DevSecOps, bringing over 27 years of industry experience to the forefront of cybersecurity innovation. His professional journey includes key technical roles at Intel and Motorola, evolving into senior security positions...



Friday October 25, 2019 2:00pm - 3:00pm CDT
Under Armour Room 2525 W Anderson Ln #365, Austin, TX 78757, USA
 