Aaron Cure

Senior Security Consultant with Cypress Data Defense

Aaron is a senior security consultant at Cypress Data Defense, and an instructor and contributing author for the CDD Introduction to Internet Security in .NET course. After ten years in the U.S. Army as a Russian Linguist and a Satellite Repair Technician, he worked as a database administrator and programmer on the Iridium project, with subsequent positions as a telecommunications consultant, senior programmer, and security consultant. Other experience includes developing security tools, secure code review, vulnerability assessment, penetration testing, risk assessment, static source code analysis, and security research. Aaron holds the GIAC GSSP-.NET, GWAPT, GMOB, and CISSP certifications and is located in Arvada, CO.

Presentations

While developers and testers use Selenium and other suites to test web application functionality, security often falls by the wayside because it's either too time consuming or they just don't know HOW to test for these issues. In this talk, we'll discuss some basic OWASP Top 10 / CWE Top 25 vulnerabilities and how to discover them.

We'll use Selenium in conjunction with tools such as ZAP and Burp to identify vulnerabilities in our applications.

Exposing applications over the web continues to allow attackers to compromise an organization’s clients, customers and employees. These applications are often deployed on compressed development timelines and, as a result, often contain several common security vulnerabilities. This presentation will discuss and demonstrate exploitation of the most common vulnerabilities identified during a security review, using tools such as Burp Suite, BeEF, and sqlmap. Most importantly, this presentation will also demonstrate how to remediate and eliminate these vulnerabilities from your applications.

In this presentation, we will discuss the following vulnerabilities from the OWASP Top 10:

A1: Injection
A3: Cross-Site Scripting (XSS)
A8: Cross-Site Request Forgery (CSRF)

The Agile and DevOps software development lifecycles present interesting challenges for application security. How can security keep up with the rapid development cycles, constantly changing code base, and continuous deployment schedules? The answer lies within an automated security framework that is integrated into the development lifecycle.

This presentation will demonstrate how to integrate a new application security testing framework into your build environment. Popular open-source vulnerability scanners, such as the Zed Attack Proxy (ZAP), will be leveraged to provide real-time feedback to development teams, allowing them to remediate vulnerabilities before they reach production.

DevOps is changing the way that organizations design, build, deploy, and operate online systems. Engineering teams are making hundreds or even thousands of changes per day, and traditional approaches to security are struggling to keep up. Security must be reinvented in a DevOps world to take advantage of the opportunities provided by continuous integration and delivery pipelines.

In this talk, we start with a case study of an organization trying to leverage the power of Continuous Integration (CI) and Continuous Delivery (CD) to improve its security posture. After identifying the key security checkpoints in the pre-commit, commit, acceptance, and deployment lifecycle phases, we will explore how unit testing and static analysis fit into SecDevOps. Live demonstrations will show how to enforce security unit tests and static analysis in a Jenkins CI build pipeline. Attendees will walk away with a better understanding of how security fits into DevOps to help secure their organization’s applications.