Conference:  Defcon 31

Authors: Kemba Walden Acting National Cyber Director, Office of the National Cyber Director, The White House,

2023-08-01

A fireside chat with Director Walden. Director Walden is the current acting National Cyber Director for the Biden-Harris Administration.

Conference:  Defcon 31

Authors: RenderMan His Holiness, Pope of the Church of Wifi, Thomas Dang

2023-08-01

Post 9/11, the phrase “If you see something, say something” became ubiquitous. If you saw something of concern, better to report something that was nothing than let something bad happen. Problem is, no one let the authorities know that they should apply this to the online realm too. Threats of arrest and criminal investigations have the opposite effect and chill anyone from wanting to report security vulnerabilities that affect everyone. Lack of clear reporting paths, misunderstandings, jurisdiction issues, superseding laws, and good old fashioned egos can make trying to do the right thing turn into a nightmare that can cost livelihoods, reputation, criminal charges and even worse, particularly when government systems are involved. This talk will cover the presenters personal experiences with poorly written or a lack of vulnerability disclosure policies with their governments and what it cost them in trying to make things better. The presentation will then move to a discussion about what should be done and what is being done to make sure that reporting a vulnerability doesn’t cost you everything. Anyone who is responsible for writing such disclosure policies or legislation will benefit, but so will any hackers that want to make it safer to report issues they find by advocating for changes.

Conference:  Defcon 31

Authors: Joe Sullivan CEO of Ukraine Friends

2023-08-01

The federal criminal case of United States v. Joseph Sullivan, NDCA 3-20-CR-337 WHO, has been covered and debated quite publicly since I was fired by the new Uber CEO in November 2017, a year after the incident. Most discussion has focused on questions of my guilt or innocence, the culpability of other executives at the company, and the implications of the case for other security executives. Less has been written about the guilt or innocence of those who accessed Uber’s AWS environment in October 2016 and triggered an incident response by emailing me and asking for payment. After we met them, my team and I did not consider those 19- and 20-year-old kids to be criminal actors and treated them as security researchers. Yet both also faced federal criminal charges. During my talk I will review the extraordinary investigation done by my team at Uber and put it into the context of other historical cases we and I had worked on. Whether or not you consider them to be security researchers, there are many lessons to be learned related to the dynamics between researchers and companies and the dynamics between companies and the government.

Conference:  OWASP 20th Anniversary Event

Authors: Chris Wysopal

2021-09-24

The presentation discusses the importance of team collaboration and continuous improvement in achieving secure code and reducing remediation time. It also highlights the impact of using multiple testing techniques and APIs in reducing remediation time. The future of application security is also discussed, with a focus on managing supply chain risk.

• Team collaboration and continuous improvement are crucial in achieving secure code and reducing remediation time
• Using multiple testing techniques and APIs can significantly reduce remediation time
• Managing supply chain risk is the future of application security