BSides Perth | Other
25.01.2022 Caring for our pen tester friends! Another one of this year's talks. Brendan Seerup looks at how quality assurance teams are becoming more context driven and collaborative. QA testers are now needed from design through to supporting their applications into production. Yet we still ask external security testers to test our applications, engaging them at the end just before we ship to production. Often armed with very little handover, we ask them "Did we build it securely?". I see a big gap between external security testers and development teams; it's making life hard for both teams. I also see the damage it does to good security testing. It's time to bring these two teams closer together and start taking better care of our pen tester friends. This talk covers advice for both engineering teams and their external penetration testers on collaborating more, ensuring the right context is exchanged and the teams work together for better security testing outcomes. Bio: Brendan (@SparkleOps) is an Application Security Specialist who loves helping teams with secure development, threat modelling and being involved with the penetration testing of their applications. Outside of Application Security, Brendan leads a threat hunting group dedicated to finding and disclosing threats to NZ's internet space to our CERT. Brendan spends his spare time slowly studying towards a masters of wine and reading comics in his blanket fort. https://bsidesperth.com.au/presentations/
24.01.2022 Sarah Young's talk "SecDevSecOpsSec: let's stop throwing around the buzzwords". Everyone likes throwing the phrase DevSecOps out there at the moment, right? It's a security industry buzzword. But how many of us actually know what this means? We have DevSecOps, SecDevOps, secure pipelines, security toolchains, etc., too often used interchangeably and with no clear official definition. In this talk, Sarah will attempt to distill the exact meanings of each of these and use examples from her own experiences of creating automated security processes to explain how each can be effectively used, and the tools that she has used to do this. https://bsidesperth.com.au
21.01.2022 Kai Frost's talk at BSides 2018, called "London Calling, VoIP hacking for fun and profit, mostly profit", promises to be a lot of fun. #bsidesper https://bsidesperth.com.au/presentations/
20.01.2022 Sarah Young's talk, entitled "SecDevSecOpsSec: let's stop throwing around the buzzwords", promises to be interesting. Everyone likes throwing the phrase DevSecOps out there at the moment, right? It's a security industry buzzword. But how many of us actually know what this means? We have DevSecOps, SecDevOps, secure pipelines, security toolchains, etc., too often used interchangeably and with no clear official definition. In this talk, Sarah will attempt to distill the exact meanings of each of these and use examples from her own experiences of creating automated security processes to explain how each can be effectively used, and the tools that she has used to do this. Bio: Sarah is a security architect currently based in Melbourne, Australia. She has previously worked in New Zealand, London and various parts of Europe across a range of industry sectors. In her current role, Sarah helps enterprises move their stuff into the cloud securely. She spends most of her spare time eating hipster brunches and high teas.
17.01.2022 Secure SDLC Speed-run, by Matt Jones. Writing software comes with a lot of challenges: different industry trends and ways of working, legacy stuff to factor in, then there's all the constraints along the way as deadlines approach. Writing *secure* software then has its own set of challenges. The industry has in some ways evolved well past the old approach of waterfall style projects with a penetration test at the end where people grumble risk acceptance. There's a variety of security assurance approaches various types of organisations use with varying success at different phases of software projects. In reality though, there's a lot of considerations to be made on a case by case basis to ensure energy is used wisely, the right people are rationalising threats you may or may not face, and you mature things incrementally factoring all of this in. This presentation will:
0) Quickly introduce Secure Development Lifecycles
1) Talk through managing threats for code you build on versus code you write
2) Run through a bunch of examples, i.e. eradicating entire vulnerability classes, understanding technology edge-cases, catching low-hanging fruit yourself, getting defence in depth stuff in your requirements/design, how some security activities can be part of your internal QA, how to set up a vulnerability disclosure process, and whatever else we can squeeze in.
3) How to best scope and engage third-party security assurance
4) A tonne of decent resources for you to learn more
Bio: He's a Partner at elttam.
14.01.2022 Tell you what, Jodie Siganto's talk at BSides Perth will raise a few debates. Don't miss it. @bsidesper #cyber #infosec #security "Security practice is broken. How can we fix it?" From Jodie: I'd like to look at the information security profession. As information security practitioners we think of ourselves as professionals with a special expertise. But is this perspective real? Or are we more like security brokers negotiating an acceptable outcome with the business? If we are a profession, then who is shaping that profession? If we are experts, is education producing the right person? By looking at some of these questions, I hope to start a conversation about how we might re-shape security practice to deliver better results for practitioners, their employers and the community more generally. Bio: A lawyer who accidentally strayed into security about 18 years ago and has never been able to get out. Fascinated by what happens at the interface between humans and technology, particularly in the security and data privacy realm. Intrigued by what shapes security practice and our failure to change.
10.01.2022 Another featured talk: "Malware Meets Industrial Safety System and the Consequences", by Paresh Kerai. A Middle East industrial safety system was recently attacked with malicious malware designed specifically to enable the damage or destruction of industrial equipment. This malware, known as Triton, or Trisis, aimed to interfere with or shut down completely Schneider Electric's Triconex safety instrumented system (SIS). The SIS are used by human operators to monitor industrial processes in order to detect potentially dangerous conditions, triggering alerts or shutdowns to prevent accidents or deliberate acts of sabotage which could result in an explosion, damaged machines, property destruction, injury or loss of human life. Triton is one of less than a handful of known cases worldwide where malware has been specifically designed and executed to sabotage industrial control systems, and the attack appeared to be a sophisticated state-sponsored style coordinated attack on the organisation's plant. This presentation will give an overview of the attack timeline, highlight the capabilities of the malware and the attack flow, and explain just how the attackers compromised the SIS device. Bio: I am an Industrial Control System (ICS) Security Engineer and researcher, specializing in cyber security in control systems and network infrastructure, and computer forensics. Currently enrolled in a Doctor of Philosophy at Edith Cowan University, his research focus is on the security of the Modbus protocol used in critical infrastructure systems and the security framework of industrial control systems. He is also interested in computer forensics, wireless security, IoT devices, threat hunting and threat intelligence.
10.01.2022 Thanks to the Australian Security Magazine for featuring @bsidesper in today's newsletter #bsidesper http://mysecuritymediaptyltd.cmail20.com//0EE531773BF74556