Conference Talks – March 2020

This month, members of NCC Group will be presenting their work at the following conferences:

  • Adam Rudderman, “Bug Bounty: Why is this happening?” presented at Nullcon Goa (Goa, India – March 3-7 2020)
  • Rob Wood, “[Panel]: CSIS Security Panel Discussion,” presented at OCP Global Summit (San Jose, CA – March 4-5 2020)
  • Rory McCune, “[Training]: Mastering Container Security,” presented at 44CON (London, United Kingdom – March 12-13 2020)
  • Damon Small, “[Opening Panel]: Protecting Cybersecurity as a Business Investment not a Cost,” presented at Cybersecurity for Critical Assets USA (Houston, TX – March 24-25 2020)
  • Derek Hinch, “Smashing Containers for Food and Profit,” presented at BSidesATL (Atlanta, GA – March 27-28 2020)
  • Sourya Biswas, “East vs West: How The Coasts Approach Information Security Differently,” presented at InfoSec World (Orlando, FL – March 30-April 1 2020)

You can preview each of the talk abstracts below. We hope to see you there!

Bug Bounty: Why is this happening?
Adam Rudderman, NCC Group
Nullcon Goa – Goa, India
March 3-7 2020

Abstract forthcoming.

[Panel] CSIS (Cloud Security Industry Summit) Security Panel
Rob Wood, NCC Group; Jeff Wilson, IHS Markit; Yigal Edery, Kameleon; Ben Stoltz, Google; Roksana Golizadeh Mojarad, Intel; Matt King, Oracle; Tobias Langbein, ZKB
OCP Global Summit – San Jose, CA
March 4-5 2020

In this session, a panel of cloud security experts from the Cloud Security Industry Summit (CSIS, www.cloudsecurityindustrysummit.org) will discuss top-of-mind hardware security and supply chain challenges from a cloud provider's point of view, share best practices for addressing those challenges, and present opportunities for collaboration with the OCP community.

[Training]: Mastering Container Security
Rory McCune, NCC Group
44CON – London, United Kingdom
March 12-13 2020

The course will start by looking at Docker and how Linux containers work, covering the basics of using Docker and good security practices around creating Docker images.

We’ll also cover fundamental Linux security concepts such as namespaces, cgroups, capabilities and seccomp, and show how to secure (or break into) container-based applications.

The course will then move on to the world of container orchestration and clustering, looking at how Kubernetes works and the security pitfalls that can leave the clusters and cloud-based environments which use containers exposed to attack.

The course has core modules that we’ll cover in full, plus an array of bonus content that will be covered if time allows. The bonus modules focus on Docker and Kubernetes security tooling, the details of prominent container security vulnerabilities and exploits, and the world of Windows containers.

At the end of the two days we’ll have a range of systems on which to practice the skills learned during the course.

[Opening Panel]: Protecting Cybersecurity as a Business Investment not a Cost
Damon Small, NCC Group
Cybersecurity for Critical Assets USA – Houston, TX
March 24-25 2020

As the opening panel for the Cybersecurity for Critical Assets conference, join NCC Group’s Damon Small and colleagues for a discussion of cybersecurity as a business investment rather than a cost.

Smashing Containers for Food and Profit
Derek Hinch, NCC Group
BSidesATL – Atlanta, GA
March 27-28 2020

Containerized applications have become the norm rather than the exception in modern application development and deployment. Traditional penetration testing methodologies have often focused on monolithic architectures and semi-monolithic Service Oriented application models. With the advent of microservice, container-based architectures, several layers of abstraction now sit between successful exploitation of an application and ultimately compromising the host system or corporate network.

We will cover the modernization of common penetration testing methodologies, adapting them to the challenge these layers of abstraction present. Container breakouts via misconfiguration, and post-exploitation horizontal and vertical attacks (including orchestration privilege escalation attacks), will be covered.

East vs West: How the Coasts Approach Information Security Differently
Sourya Biswas, NCC Group
InfoSec World – Orlando, FL
March 30-April 1 2020

In my experience as an information risk and security consultant, I’ve had the opportunity to assess the security postures of both financial services companies (mainly on the East coast) and technology services providers (mainly on the West coast). The session covers how they fundamentally differ in their approaches to information security, and what one can learn from the other.

  • Where an assessor would want you to focus your cybersecurity assessment efforts
  • How an advisor would want you to prioritize remediation recommendations
  • What to learn about infosec from other industries / domains
  • Why it’s necessary to learn and share in today’s connected, computerized world

[Editor’s Note: Post updated March 3 2020 to include additional talk listings.]