Black Hat USA 2010 // Cloud Security Alliance Summit

Caesars Palace Hotel & Casino, Las Vegas NV

Wednesday, July 28

The Cloud Security Alliance Summit

The Cloud Security Alliance will be hosting the second “Cloud Security Alliance Summit” at this year’s Black Hat USA. The half-day summit is open to all Black Hat USA 2010 Briefings registrants and will take place on Wednesday, July 28th. The summit will feature the following speakers and presentations:

  • Chris Hoff, Cisco: Cloudersize: A cardio, strength & conditioning program for a firmer, more toned *aaS - KEYNOTE
  • Dan Hubbard, Websense: Cloudy with a chance of miss-information
  • Wolfgang Kandek, Qualys & Jeremiah Grossman, WhiteHat Security: CSA Application Security Findings
  • Steve Riley, Amazon: Security and compliance in the Amazon cloud
  • Brian Chess & Jacob West, Fortify Software: The Cloud is Made of Software
  • Josh Pennell, IOActive: Hacking the Hypervisor 2010
  • Michael Sutton, Zscaler & Dan Hubbard, Websense: The "Unpanel Royale": The Ying and Yang of Cloud Abuse

The Cloud Security Alliance is a not-for-profit organization with a mission to promote the use of best practices for providing security assurance within Cloud Computing, and to provide education on the uses of Cloud Computing to help secure all other forms of computing.

For more information on the specific times for the Cloud Security Alliance Summit sessions, visit the 2010 conference schedule.

Presentation Speakers/Abstracts

Christofer Hoff

Cloudersize: A cardio, strength & conditioning program for a firmer, more toned *aaS

In this keynote session, Christofer “Mr Cloud Security” Hoff provides a definitive list of the security problems with cloud computing that can add ugly inches to your *aaS. As Hoff will explain, sometimes an *aaS will be so ugly that it should only be private. Hoff introduces his revolutionary “Cloudersize” conditioning program, and explains how a balanced diet of standards, architecture, compliance and innovation can give you a firmer, more toned *aaS.

Dan Hubbard

Cloudy with a chance of miss-information

The biggest use of the cloud today is the web and its services, platforms, and content. Users want their information and they want it NOW. To meet that demand, several new technologies have been created, added, or modified to present data in real time. One of these is real-time search.

Attackers have been exploiting weaknesses in search engine ranking algorithms for some time now. Today it is VERY likely that you will hit a poisoned result when searching for any named current event. However, we have not yet commonly seen such attacks carried out against the social web through real-time search.

Search engines are embracing the social web through real-time search results. This presentation will demonstrate how to poison the real-time web with your results in real-time.

  • Will demonstrate how today’s search engine poisoning works.
  • Will demonstrate how to poison the social web through real-time search in various search engines.
  • Will include demonstrations and the steps involved, including mitigation options.
  • Will demonstrate future vectors and possibilities.

Steve Riley

Security and compliance in the Amazon cloud

Moving to the cloud raises lots of questions, mostly about security. Providers worthy of your business should answer them clearly and honestly. Amazon Web Services has built an infrastructure and established processes to mitigate common vulnerabilities and offer a safe compute and storage environment. Steve Riley will discuss common cloud security concerns, show how AWS protects its infrastructure from internal and external attack, and explain how you can take advantage of the security features of AWS in your own applications as you extend your enterprise into the cloud. Sprinkled throughout the presentation are stories from Steve's past life as a security consultant, information on the history and future of attacks, and additional advice on how customers can best secure their operating systems and applications against common and not-so-common vulnerabilities.

Brian Chess & Jacob West

The Cloud is Made of Software

Most cloud security discussions have focused on what cloud providers can do, what they can’t do, and what they might do if you paid them enough. These discussions focus on topics such as virtualization, hosting, and data storage. However, just as the software industry has learned that putting fancy boxes on the network doesn’t fix bad software, cloud converts must focus on the risks they bring along with the software they deploy.

This talk details risks to software deployed in the cloud. Some risks affect security in much the same way wherever and however the software is hosted, but many old risks take on new importance when software makes the jump to the cloud. Attacks that leverage the software's environment, the services and systems it relies on, and the communication channels it uses all take on new magnitude in the cloud. Choices around authentication and access control, encryption algorithms, and policies for private data must also be revisited. We discuss notable concerns in all of these areas and describe an approach for assessing a software system's readiness to be deployed in the cloud.

Joshua Pennell & Mike Davis

Hypervisor Security 2010

Clearly not all virtualization is the same. Different clouds have assembled their own flavors, ranging from “full emulation” to “bare metal”. IOActive’s Joshua Pennell and Mike Davis will discuss how the most popular virtualization technologies approach the way a virtual machine functions, and how the virtual hardware they expose can be used.

These approaches have security implications for companies that rely on these cloud architectures for ubiquitous storage of, and access to, their sensitive data and applications. Josh and Mike will discuss the virtualization technologies, the security trade-offs of each, and what past security failures mean for enterprises looking to entrust their data to the cloud.

Wolfgang Kandek & Jeremiah Grossman

CSA Application Security Research

In this presentation, two leading researchers explain key cloud computing risks in the application security vector. The session explores the impact of cloud on the software development lifecycle, application architectures, security metrics and application analysis tools.

Panelists: Dan Hubbard, Michael Sutton, Steve Riley, Jeff Wu, Michael Panico, Steven Adair, Chris St. Myers

The "Unpanel Royale": The Yin and Yang of Cloud Abuse

For this discussion we put together a mix of some of the largest cloud providers and security researchers. Security experts from Amazon, Rackspace, Microsoft, Facebook, and Shadowserver will be discussing one of the top 7 deadly sins of cloud computing: abuse of cloud services. Product pitches will be received with a gong, and open mics should make for some interesting debates on how providers are addressing the issues at hand and scaling to the demands of the future.