DerbyCon is almost here. With an all star line up, I anticipate that DerbyCon will truly live up to the hype. I want to take a moment to discuss a few talks that I am especially excited about:
Kevin Mitnick & Dave Kennedy: Adaptive Penetration Testing
I am pretty excited about this talk. Dave is a CISO, a former security consultant here at SecureState, one of the authors of “Metasploit – The Penetration Tester’s Guide”, and one of the creators of “FastTrack” and “SET”. There is no doubt he will bring solid insights into how to adapt to the environment an attacker is PenTesting.
It is true that Kevin Mitnick gets a lot of flak from the security community, but I doubt that many would dispute the fact that he was one of the world’s most famous hackers. I am interested to see what sort of insights he will have into current adaptive PenTesting techniques, as well.
Kevin Johnson & Tom Eston: Desktop Betrayal: Exploiting Clients through the Features They Demand
In fairness of full disclosure, I have to admit that I am a little partial to this talk. Tom Eston is my manager and Kevin Johnson likes Star Wars (my all time favorite movie series), but in all honesty, I think this talk will be really great.
When many people think of PenTesting, they immediately think of Buffer Overflows, Weak Passwords, and SQL Injection. What many people fail to realize is that in many cases it is easier to use “features” of applications already installed on users’ machines in order to get a foothold into a corporation’s network.
Peter Van Eeckhoutte (Corelanc0d3r) & Elliot Cutright: Win32 Exploit Development With Mona and the Metasploit Framework
If you are a PenTester and you don’t enjoy exploit development, then perhaps you should have your head examined. Need I say more? In all seriousness, exploit development is always a fun topic.
I have to admit, the fact Corelanc0d3r will be co-presenting this talk did make it a little more appealing. I have walked through his blog series on exploit development and found it to be very insightful!
Chris Nickerson: Compliance: An Assault on Reason
This talk strikes a chord with me. I have performed my share of compliance specific PenTests. While I am looking at 5 bastion hosts, which entails the client’s PCI zone, the company’s critical assets (trade secrets, client base, etc.) are sitting on an unencrypted file share that practically anyone can access.
I only hope that talks like these cut to the heart of decision makers and call them to start protecting their company’s critical assets. It is time for organizations to stop treating security like a series of check boxes!
Unfortunately, I could not write about all the talks that I thought looked good! With other speakers, such as Carlos Perez, Rafal Los, Chris Gates, Adrian Crenshaw, and James Arlen (just to name a few), the talks should be first rate. DerbyCon start’s this Friday (9/30/2011) and should be a great conference!
Gary McCully is a Security Consultant on SecureState’s Profiling Team. SecureState is an information security firm comprised of five specialties - Advisory Services, Audit and Compliance, Profiling, Risk Management, and Business Preservation Services. At SecureState, Gary performs Web Application Security Reviews, Penetration Tests, Physical Penetration Tests, and War Dialing. Passionate about expanding his knowledge and expertise, Gary’s research interests include the discovery and exploitation of buffer overflows, discovery and exploitation of web application vulnerabilities, lock picking, and SSL vulnerabilities.
Cross-posted from the SecureState Blog