RVAsec 13

A good prioritization plan should let you know where to start when tackling risk. And yet, people don't know where to start when developing a good prioritization plan! Even worse, we make a number of bad assumptions when trying to navigate this labyrinth.

Which method is the best? Are many methods better than one? How many is too many? What does “best” even mean?

Ask 10 different practitioners these questions and you might get 10 different answers. There’s no better example of this situation than with the plethora of vulnerability prioritization methods available today. Luckily, we’ve been able to collect an unprecedented amount of data on vulnerabilities, and it’s taught us a lot about what makes sense, and what doesn’t.

Join us as we use this vulnerability data to dispel myths, avoid pitfalls, and conjure some solid recommendations that will put you on a better path.

In this presentation, the development process of a remote code execution (RCE) exploit for CVE-2023-2033 is discussed. CVE-2023-2033 is an N-day type confusion vulnerability that affects Google Chrome for Windows, Mac, and Linux with which an attacker can exploit Chrome V8 engine to cause heap corruption via a crafted HTML page and gain RCE. Prior to this presentation, a public RCE exploit for this vulnerability did not exist. This exploit is based on publicly available proof of concept code that uses this vulnerability to implement v8 heap read/write/addrof primitives. This presentation focuses on weaponizing these primitives to achieve remote code execution consistently on an unsandboxed renderer process of an Electron version running a vulnerable version of Chrome. Methods to hijack the render process instruction pointer and to write and execute specially encoded chunks of shellcode using these primitives are discussed.

Application Security is the most oft-ignored, yet critically vulnerable attack vector in many businesses today.  Development teams are encouraged to create new features first and foremost, at the expense of fixing vulnerabilities.  It’s not until a breach or an audit finding when they pay attention to patching security holes.  

So how does a thoughtful CISO get in front of this?

Application security has to exist across the application lifecycle. DevSecOps is the philosophy of imbuing proper security controls at every stage of the Software Development Lifecycle (SDLC).  This session will introduce you to core DevSecOps concepts so you can bring them back to your company and make some proactive changes to “drive defects left” and reduce the risk of a catastrophic security breach in your applications

Microsoft Exchange 2019 uses the Oracle Outside-In libraries to parse specific file types when attached to emails. This talk covers the process of discovering memory corruption vulnerabilities within the technology using AFL and Jackalope and the results of the fuzzing process.

Focusing on real stories from the trenches, Orion's Quest walks through a series of modern application and API attacks Kevin and his team have pulled off.  The talk describes how we found and exploited the flaws and provides information so you can test yourself.

In this speech, we will uncover many of secrets the security services industry doesn't want you to know.  We will follow three real world case examples to show why it's important to know how to compare "apples to apples" when getting the help you need to evaluate, remediate, and mature your security program.

Join us for 'Unlocking Generative AI: Balancing Innovation with Security' as we navigate the complex landscape of generative AI in corporate environments. From understanding the fundamentals to exploring security threats like data poisoning and model theft, discover how large enterprises can safeguard sensitive data and AI models. Learn robust mitigation strategies to tackle these challenges head-on, ensuring a secure future for AI innovation. Don't miss this opportunity to delve into the promising yet challenging world of generative AI security.

When developing a product, software engineers often discuss the “what if?” user. What if a user builds their own frontend client? What if a user finds that embedded API key? What if a user notices that endpoint doesn’t have authorization? This talk has three real-life examples from the speaker’s perspective as the “what if?” user. Each example will delve into the motivation, the security flaws reverse engineered, and how to improve the security of each product. This talk will cover reverse engineering assets from an Android game, a waitlist to buy exercise equipment, and a Publish Subscribe system for an auction house. This talk aims to generate interest in identifying software design flaws and reverse engineering them, as well as helping teach about common security issues and practical methods of fixing them.

Deception engineering is a defence-in-depth strategy which many organisations overlook. Post achieving certain level of maturity over their infrastructure security processes, deception engineering is a great security project to enhance monitoring via high fidelity alerts and targeted knowledge of an attack in terms of where the attack's epicentre exists, what actions are the attackers taking, etc.

This session aims to share the overview of what entails when building a deception engineering charter, how to plan for deploying honeypots and honeytokens, and finally how to handle a potential incident that was detected via a honeypot.