Learnings from Duo

Jon Oberheide on Duo's story, from conception through acquisition, and the important lessons he learned along the way.

[tl;dr sec] #25 - BSidesSF and RSA, Demystifying Container Security, Your Privacy Online

Round-up of BSidesSF and RSA + my updated slides, overview of container security, pen testing K8s walkthrough, maintaining privacy online.

[tl;dr sec] #24 - BSidesSF/RSA, tl;dr sec Mascot, REST API Fuzzing, AWS Auto-remediation

I'm speaking at BSidesSF and RSA 2020, tl;dr sec stickers, stateful fuzzing of Swagger APIs, auto-remediate AWS issues, canary pro-tips, red team cheatsheets.

[tl;dr sec] #23 - OSINT, Automatic Exploit Generation, Cloud Security

OSINT tools, tips, & tricks, presentations on automatically find and exploiting bugs, a code-aware <code>grep</code>, how to assess another company's security posture.

[tl;dr sec] #22 - Post AppSec Cali, K8s Security Monitoring at Scale

DevSecOps talks & tools from AppSec Cali, PoCs to decrypt WhatsApp messages, Kubernetes monitoring and CTF, Python static analysis tools.

[tl;dr sec] #21 - AppSec Cali, Bezos's Phone, Fuzzing

I'm speaking at AppSec Cali 2020, details on Bezos's phone being hacked, fuzzing talks and tools, Java deserialization, K8s and GraphQL tools.

[tl;dr sec] #20 - What I Learned Watching All 44 AppSec Cali 2019 Talks

What I Learned Watching All 44 AppSec Cali 2019 Talks

An Attacker’s View of Serverless and GraphQL Apps

An overview of functions-as-a-service (FaaS) and GraphQL, relevant security considerations and attacks, and a number of demos.

A Seat at the Table

Authorization in the Micro Services World with Kubernetes, ISTIO and Open Policy Agent

The history of authz implementation approaches, the value of externalizing authz from code, authz in Kubernetes, and the power of using Open Policy Agent (OPA) for authz with Kubernetes and ISTIO.

Automated Account Takeover: The Rise of Single Request Attacks

Behind the Scenes: Securing In-House Execution of Unsafe Third-Party Executables

Many companies rely on third-party native executables for functionality like image and video processing. However, many of these tools are written in C or C++ and were not designed with security in mind. When a malicious user uploads a specially crafted file, it can lead to arbitrary command execution via a buffer overflow or command injection, arbitrary file read or write, and other bad outcomes.