Black Hat Roundtables are moderator-led, hour-long discussion groups driven by audience participation. Small in size (30-50 individuals), these interactive sessions give attendees the opportunity to engage actively with colleagues and to share experiences and/or research on specific, pre-determined topics. Roundtable discussions are informal in nature, highly collaborative, and offer excellent networking opportunities.
This Roundtable will focus on the security considerations inherent in building or supporting APIs. Participants will share practical information on which approaches have worked and which haven't in their environments. Additionally, this Roundtable will cover techniques for secure design, instrumentation, and attack detection.
With Agile development and continuous integration gaining massive popularity, where does security fit in? Most security testing still happens in production, driven by audit requirements. That fits poorly with teams that push code faster and faster and constantly change the applications being tested.
This roundtable will discuss the state of basic continuous delivery pipelines and how we can make sure security does not become an afterthought. Using a number of battle-tested methodologies and open source tools, we will discuss how to be mean to our code before it ever sees the light of day in production. The aim is to find a way to adapt to the ways of DevOps while fostering a development lifecycle that produces software that is secure, reliable, and resilient.
This panel will focus on security certifications and tackle the pros and cons of getting certified in today's marketplace. With rising demand for qualified staff, organizations and individuals need a way to communicate and demonstrate qualifications. We examine the quest for value in security certifications.
Join us for an interactive discussion of all things embedded and how their new ubiquity changes our security landscape. The group will focus on how this new environment can be secured, and what that even means in a fully network-enabled world of embedded computers. We will attempt to cover the entire gamut of devices, from smart watches and cameras to industrial control systems and robots. Bring your questions and ideas.
With the increase in data breaches at companies and organizations, the SEC, FTC, and other agencies are considering tougher cybersecurity regulations and rulemaking to force companies to improve their information security. On the other hand, the National Institute of Standards and Technology (NIST) recently released a voluntary Cybersecurity Framework after a year of collaboration between the private and public sectors. This roundtable will look at what this voluntary framework is really designed to do, discuss the framework's strengths and areas for improvement, and discuss how organizations can focus LESS on "compliance" and paperwork exercises and MORE on risk and tangible information security improvement.
This discussion will focus on the unique concerns and issues related to medical technology. The explosion of networked and internet-enabled medical devices has brought a multitude of security risks and privacy issues to the table. These devices are often used by people with little technology experience, and very little information is offered to those users on the risks of using connected devices. Join us for a lively roundtable on how to address these issues and more.
Gartner estimates that the number of attacks against mobile devices is going to double in the near future, and yet for the most part these devices remain a black box in many ways. The lack of proper tools to evaluate the privacy posture of installed apps, the absence of software to detect rootkit and baseband attacks, and hardly any control over the underlying internals are all important missing aspects of these devices, for consumers and enterprises alike. Furthermore, Android has the lion's share of the market, and its security model is closer to the PC world than the one used by iOS.
The goal of the roundtable is to discuss and address these issues: is the Android approach to security better than iOS in the long run? How can we deal with attacks below the application level (baseband, kernel, etc.)? What are the implications of more and more apps for finance and IoT monitoring on the threat models for mobile? Can we realistically build a trustworthy mobile platform?
All too often security is a disconnected series of manual tasks spread across a scattered collection of different tools. However, many organizations are breaking the meat cloud habit and integrating automation of security workflows and controls in novel ways. This is especially true in organizations using cloud, SDN, and/or DevOps practices. In this roundtable we will exchange and discuss the latest real-world security automation and orchestration techniques. Leave the theory at home, and bring your code.
Finding and communicating vulnerabilities is de rigueur for Black Hat speakers, and experiences vary wildly. For companies being notified, the maturity of their response is on a spectrum: some have no idea what to do, some have a security@ alias set up, others have a formal management process, and others have fully funded bounty programs. Even the simple act of keeping researchers informed on a timely basis and making sure patches actually happen and are rolled out with proper notification is a huge hassle, with or without a bounty.
Is it worth it? Managing disclosure is a minefield for both the researcher and the company being notified. Join us in this session for a live discussion on the pros and cons of a disclosure program, considerations for both the company and the researcher, and the common pitfalls.
Virtualization of servers and applications changed the face of computing in ways that we are still exploring operationally. The attack surfaces for virtualized systems are different, even if only in number and location, but virtualization has also presented some new control points for those looking to address security concerns. Both attackers and defenders have had to adjust.
Now the emergence of Software-Defined Networking (and/or Network Function Virtualization) presents network designers and security professionals with another new landscape. Do these architectures present us with an intractable growth of new exposures, or do they provide enabling technologies for better security design and management?