a history of software composition
Cybersecurity data has a notoriously large feature space, but not all features are created equal. This talk covers different visualization libraries available in Python to make sense of your data and a few techniques for feature selection and processing.
Heather Lawrence is a data scientist for the Nebraska Applied Research Institute who earned her undergraduate and master's degrees in Computer Engineering from the University of Central Florida. In previous lives she was a USN nuke, VA photographer, NCCDC winner, [email protected] mom, and darknet marketplace miner. Her current research centers on the application of machine learning to intrusion detection. She serves the community through volunteer work for Kernelcon and DEF CON as well as facilitating logistics as a member of the B-Sides Orlando board.
Security researchers in academia, industry, public service, and independent practice promote computer security by identifying serious security shortcomings in systems ranging from medical devices to voting machines to critical national infrastructure. This research and investigation is especially urgent as we integrate computers into our homes, vehicles, and even our bodies. But the notoriously ambiguous federal anti-hacking law, the Computer Fraud and Abuse Act, can expose even well-intentioned security researchers to serious legal risk. This year, the Supreme Court will decide, for the first time, exactly how far the law extends. This talk will discuss the current legal landmines that the CFAA presents and how this landscape might soon change.
Naomi Gilens is an attorney at the Electronic Frontier Foundation, where she represents computer security researchers in a CFAA case currently before the Supreme Court. In her prior role as the William J. Brennan First Amendment Fellow at the ACLU, Naomi litigated a high-profile First Amendment challenge to the CFAA in the federal court in Washington, D.C. Naomi received her J.D. magna cum laude from Harvard Law School, where she was an affiliate at the Berkman Klein Center for Internet and Society. She received her B.A. from Princeton University.
Fred Jennings is GitHub's Associate Corporate Counsel, handling security incident response, bug bounty policy, and litigation matters. Prior to GitHub, Fred was a senior associate at Tor Ekeland PLLC, where he litigated civil and criminal CFAA and other cybercrime cases. When not lawyering, Fred enjoys kludgy bash scripts and improbable vehicles.
Content Security Policy (CSP) is a browser feature that allows an application to tell a browser what is allowed to happen on a given page. It can be a very powerful tool when used correctly. But it's a tricky beast, full of complexity, esoteric details, and gotchas, and by any measure it is still not widely adopted across most of the Internet.
Any random article on CSP will talk about its features and behaviors. Some talk about the “report-only” mode for testing out CSP and analyzing reports. But how do you go from no CSP to a solid CSP? A light overview of CSP with a focus on mitigating cross-site scripting will be followed by an explanation of strategies to create an effective and dynamic policy including code samples taken directly from the GitHub codebase.
Neil Matatall is a product security engineer at GitHub focusing on account security and user experience.
What appsec conference is complete without a conversation about cryptography? We'll look at the same elliptic curve graph you've seen a thousand times before, talk about what a group operation is (multiplication is just addition!), and explain Diffie-Hellman to you yet again (it's real mayonnaise!) before segueing into a discussion of how the ECDSA signature scheme fails in actual systems. Attendees will end the talk in a quantum superposition of security nihilism and religious ecstasy, but mostly they'll just be hungry.
Seth & Ken will host Absolute AppSec live, accompanied by @lojikil and @infosecanon and any attendees that wish to participate. Topics to include infosec burnout, secure code reviews, bug bounties, current landscape of appsec, and anything else we can think of.
Seth Law is the Principal Consultant of Redpoint Security (rdpt.io), where he leads efforts to secure client applications. In his spare time, he develops the iOS version of HackerTracker and co-hosts the Absolute AppSec podcast with Ken Johnson.
Ken Johnson has been hacking web applications professionally for 11 years and has given security training for 8 of those years. Ken is both a breaker and a builder and currently works on the GitHub application security team. Previously, Ken has spoken at RSA, You Sh0t the Sheriff, Insomnihack, CERN, DerbyCon, AppSec USA, AppSec DC, AppSec California, DevOpsDays DC, LASCON, RubyNation, and numerous Ruby, OWASP, and AWS events about appsec, devops security, and AWS security. Ken's current projects are WeirdAAL, OWASP Railsgoat, and the Absolute AppSec podcast with Seth Law.
When free software licensing was born, software copyrights were essentially nonexistent, software patents didn't exist at all, terms of service weren't enforceable, and there was no anticircumvention law. In other words, you were legally permitted to clone or interoperate with any digital product. Today, we think of free software as a way for a company to say, "We probably won't sue you if you write code that can interoperate with ours" - but when free software started, it was more like, "I know I've got the absolute legal right to reverse engineer all your code and make a competing product, but that's such tedious work. Please, make it easy for me by giving me your source code." Back then, free software was icing on the cake. Then they stole the cake and left us hoping for a little icing every now and then.
This makes a huge difference because software has eaten the world and shit out a dystopia: a place where Abbott Labs uses copyright claims to stop people with diabetes from taking control over their insulin dispensing and where BMW is providing seat-heaters as an over-the-air upgrade that you have to pay for by the month. Companies have tried this bullshit since the year dot, but Thomas Edison couldn't send a patent enforcer to your house to make sure you honored the license agreement on your cylinder by only playing it on an Edison phonograph. Today, digital systems offer perfect enforcement for the pettiest, most bullshitty, greediest grifts imaginable.
Cory Doctorow (craphound.com) is a science fiction author, activist, and journalist. He is the author of RADICALIZED and WALKAWAY, science fiction for adults, a YA graphic novel called IN REAL LIFE, the nonfiction business book INFORMATION DOESN'T WANT TO BE FREE, and young adult novels like HOMELAND, PIRATE CINEMA and LITTLE BROTHER. His next book is POESY THE MONSTER SLAYER, a picture book for young readers. He works for the Electronic Frontier Foundation, is an MIT Media Lab Research Affiliate, is a Visiting Professor of Computer Science at Open University and a Visiting Professor of Practice at the University of North Carolina's School of Library and Information Science, and co-founded the UK Open Rights Group. Born in Toronto, Canada, he now lives in Los Angeles.