An introduction to web-based capture the flag events for anyone looking to participate for the first time. Techniques and common tools will be discussed with a focus on preparing you for the CTF event being held during this conference. Topics covered in order, time permitting:
1. URL Discovery and Forceful Browsing
2. Parameter Tampering
3. XSS Attacks
4. SQL Injection and Data Exfiltration
5. XML and XPATH Injection
No previous experience or programming skill is required to get the full benefit of this talk.
Naomi Peori CTF for Beginners, GoSecure, WoSec
Naomi grew up on the mean streets of Dartmouth and is famous for nothing serious because she was young and indiscreet before social media ruined privacy. She prefers Asimov, Tesla (boo Edison!), Solid Snake, Luigi and MIPS. Her interests include habanero farming, calibrating displays to perfection, hacking game consoles and if you ever really need a video game she probably has two copies. Although her talk is about capturing flags, she can also speak confidently on the quirks of 6502 opcodes, training machines to think and what it was like to do network sniffing in the 90's.
Eat food, stretch legs.
The Dirty Dozen refers to twelve of the most common human error preconditions in the aviation industry: conditions that can act as precursors to accidents or incidents. Developed by Canadian Gordon Dupont, it became the cornerstone of the aviation industry's Human Factors safety program in the 1990s. That program was a major part of reducing incidents per million departures from 4.0 to less than 0.5 over the past 30 years, a nearly 90% reduction. In this talk, David will discuss the Dirty Dozen and how they can be applied to cybersecurity to significantly improve awareness programs and reduce cyber risk.
David Shipley Co-Founder and CEO, Beauceron Security
David Shipley is the co-founder and CEO of Beauceron Security, an Atlantic Canadian scale-up that serves more than 150 clients across North America and in Europe and provides a new approach to cybersecurity awareness and risk management. Shipley is the former security lead for the University of New Brunswick and developed its incident response, threat intelligence and awareness practices prior to founding Beauceron. He holds a CISM from ISACA.
Created as an internal tool inside Facebook in 2012 and released publicly in 2015, GraphQL is an overnight success now 8 years in the making. In this talk we'll take a look at how GraphQL works and show why it has properties that can help build safer systems.
Mike Williamson Developer, Treasury Board Secretariat
Mike Williamson is a developer passionate about digital government. Leaving a government career in IT security to work in various startups, he rejoined the Government in 2017 as part of the team that launched the Canadian Digital Service, a new organisation with a mission of helping the government build startup-style, modern, user-focused digital services. This year he joined the cyber security group at Treasury Board Secretariat to help with efforts to modernise and automate security in support of service delivery.
DNS logs are one of the most powerful threat hunting resources, but encryption is rapidly changing that equation. Key DNS threat hunting techniques include detecting DNS tunneling and Domain Generation Algorithms (DGAs). It used to be simple(r): log DNS requests and responses on DNS forwarders, or sniff and analyze via tools like Zeek. DNS over TLS (DoT) and DNS over HTTPS (DoH) are disrupting the status quo: where does that leave network defenders? This talk will analyze the current state of DNS monitoring, and provide actionable steps for detecting malice on your network via DNS.
Eric Conrad CTO, Backshore Communications
Eric's career began in 1991 as a UNIX systems administrator for a small oceanographic communications company. He gained information security experience in a variety of industries, including research, education, power, Internet, and health care. He is now CTO of Backshore Communications, a company focusing on hunt teaming, intrusion detection, incident handling, and penetration testing. He is a graduate of the SANS Technology Institute with a master of science degree in information security engineering. In addition to the CISSP, he holds the prestigious GIAC Security Expert (GSE) certification as well as the GIAC GPEN, GCIH, GCIA, GCFA, GAWN, and GSEC certifications. Eric also blogs about information security at www.ericconrad.com.
Gone are the days when breaches were rare and security could safely be put low on the priority list; product security is now a customer demand and cyber crime has reached epic proportions. Our idolization of hackers, penetration testing and ‘breaking’ has not resulted in secure software for our industry, only egos, stereotypes and unaffordable security models. Modern application security approaches are needed for new technologies, and this talk will outline several strategies for new tech, one by one. The future of security is PURPLE.
Tanya Janca Head Nerd, Security Trainer and Coach, SheHacksPurple
Tanya Janca, also known as ‘SheHacksPurple’, is the founder, security trainer and coach of SheHacksPurple.dev, specializing in software and cloud security. She also consults part time for IANS Research. Her obsession with securing software runs deep, from starting her company, to running her own OWASP chapter for 4 years in Ottawa, founding a new OWASP chapter in Victoria, and founding the OWASP DevSlop open-source and education project. With her countless blog articles, workshops and talks, her focus is clear. Tanya is also an advocate for diversity and inclusion, co-founding the international women’s organization WoSEC, starting the online #CyberMentoringMonday initiative, and personally mentoring, advocating for and enabling countless other women in her field. As a professional computer geek of 20+ years, she is a person who is truly fascinated by the ‘science’ of computer science.