Conference Talks – February 2020

This month, members of NCC Group will be giving the following 6 conference presentations:

  • Mark Manning, “Command and KubeCTL: Real-World Kubernetes Security for Pentesters” presented at Shmoocon (Washington, DC – January 31-February 2 2020)
  • Clint Gibler, “How to 10X Your Company’s Security (Without a Series D),” presented at BSidesSF (San Francisco, CA – February 22-24 2020)
  • Clint Gibler, “[Panel]: Lessons Learned from the DevSecOps Trenches,” presented at BSidesSF (San Francisco, CA – February 22-24 2020)
  • Travis Knapp-Prasek, “Sans Serif Rules Everything Around Me,” presented at BSidesSF (San Francisco, CA – February 22-24 2020)
  • Sourya Biswas, “East vs West: How The Coasts Approach Information Security Differently,” presented at BSidesSF (San Francisco, CA – February 22-24 2020)
  • Clint Gibler, “DevSecOps State of the Union,” presented at RSA Conference (San Francisco, CA – February 24-28 2020)

You can preview each of the talk abstracts below. We hope to see you there!

Command and KubeCTL: Real-World Kubernetes Security for Pentesters
Mark Manning, NCC Group
Shmoocon – Washington, DC
January 31 – February 2 2020

Kubernetes is a security challenge that many organizations need to take on, and we as pentesters, developers, security practitioners, and the technically curious need to adapt to these challenges. In this talk we will look at tactics, techniques, and tools to assess and exploit Kubernetes clusters. We will demonstrate how to intercept service mesh traffic, evade runtime syscall filters, exploit custom sidecars, and chain attacks that go from compromising a build environment to exploiting production applications. We’ll cover real-world attack paths and provide practical advice and guidance drawn from the experience of conducting hundreds of reviews of containerized environments while running NCC Group’s container research group.


How to 10X Your Company’s Security (Without a Series D)
Clint Gibler, NCC Group
BSidesSF – San Francisco, CA
February 22-24 2020

I’ll summarize and distill the insights, unique tips and tricks, and actionable lessons learned from a vast number of DevSecOps/modern AppSec talks and blog posts, saving attendees 100s of hours. I’ll show where we’ve been, where we’re going, and provide a lengthy bibliography for further review.


[Panel]: Lessons Learned from the DevSecOps Trenches
Clint Gibler, NCC Group; Zane Lackey, Signal Sciences; Astha Singhal, Netflix; Justine Osborne, Apple; Doug DePerry, Datadog
BSidesSF – San Francisco, CA
February 22-24 2020

A frank discussion with security team leads at several forward-thinking companies on how they’ve built and scaled their security programs. What worked, what failed, and more. No topics are off-limits, no holds will be barred, and chanting will be encouraged (“Jerry! Jerry!”).


Sans Serif Rules Everything Around Me
Travis Knapp-Prasek, NCC Group
BSidesSF – San Francisco, CA
February 22-24 2020

Lightning Talk – Lowercase L and uppercase i look exactly the same in sans-serif fonts. Apple iMessage, Gmail, Facebook, and Twitter all display URLs in mixed-case sans-serif fonts. This opens up the potential for very simple and highly effective phishing attacks.


East vs West: How The Coasts Approach Information Security Differently
Sourya Biswas, NCC Group
BSidesSF – San Francisco, CA
February 22-24 2020

In my experience as an information risk and security consultant, I’ve had the opportunity to assess the security postures of both financial services companies (mainly on the East coast) and technology services providers (mainly on the West coast). The presentation is on how they fundamentally differ in their approaches to information security, and what one can learn from the other.


DevSecOps State of the Union
Clint Gibler, NCC Group
RSA Conference – San Francisco, CA
February 24-28 2020

It’s tough to keep up with the DevSecOps resources out there, or even know where to start. This talk will summarize and distill the unique tips and tricks, lessons learned, and tools discussed in dozens of blog posts and more than 50 conference talks over the past few years, and combine it with knowledge gained from in-person discussions with security leaders at companies with mature security programs.