Prairie.Code() Sessions tagged security

Blasting Browser Security with Extensions

Abstract

Multi-platform browser extensions are easier to write than ever, can have great authority to examine and alter HTTP requests and responses, and are shockingly easy to get listed on the official respective browser stores. In this talk Micah builds an over-powered, multi-platform extension.

Description

In this talk, Micah gives an overview of how browser extensions work and the web-ext tool for creating extensions that work in both Google Chrome and Mozilla Firefox. He then shows how to debug and test extensions locally as well as how to package them up for distribution. The talk culminates with a real-time attempt to get an extension with an over-powered list of permissions listed on the Chrome Web Store and the Firefox Browser Add-ons Store.

Speaker

Micah Silverman

Lead Developer Advocate, Split

Hacking OAuth: Pitfalls and Remedies

Abstract

OAuth 2.0 is the most widely used standard for secure authorization on the Internet for modern Web and Mobile apps. There are a lot of pitfalls that can lead to an insecure app.

Description

In this talk Micah gives a brief overview of OAuth and its mechanics. Then he leads you through a number of risks and remedies to best secure your applications. This isn’t just theory, but the practical application of certain risks and how to configure OAuth and write your code to mitigate those risks.

Speaker

Micah Silverman

Lead Developer Advocate, Split

Explaining HTTP Security Headers You Need On Your Website

In this session, we'll explain a handful of HTTP security headers (including HSTS, CSP, XFO, and more) from the bottom up. We'll explain what they are, what they do, and how you can implement them to secure your sites. For each of these, we'll demo a before and after so you can see firsthand what each security header does.

Speaker

Scott Sauber

Director of Engineering, Lean TECHniques

Hack your first box!

This will be an hour-long talk with step-by-step instructions on how to enumerate, exploit, and privilege escalate a vulnerable machine to root/admin. It will use an "easy" VulnHub machine (Blogger), which will be distributed on USB drives before the class begins. The USB drive will contain the Oracle VirtualBox download, the "Blogger" virtual machine, and a fresh copy of Kali.

Attendees can install from the provided USBs, bring their own Kali box and follow along, or watch the screen as I explain how enumeration, exploitation, and privilege escalation work.

Speaker

Knowing What Risks Matter--And Don’t--In Your Open Source

As digital transformation accelerates, software developers face increasing pressure to speed up their work, and open-source software helps them meet aggressive timelines by dropping standardized code into an application. But cyber criminals are targeting more attacks on the software supply chain, exploiting software vulnerabilities that occur in production. As a result, organizations must prioritize protecting the open-source code in their applications. Attend this session to learn about the findings of the 2021 Contrast Labs Open-Source Security Report. The research uses telemetry from applications protected by Contrast OSS and Contrast Assess to reveal trends about library usage, vulnerabilities, and best practices from thousands of real-world software supply chains. You will learn about surprising findings such as:

  • Less than 10% of code in the typical application is open-source code actually used by the software.
  • Legacy software composition analysis (SCA) tools have a false positive rate of up to 69%.
  • The average library uses a version that is 2.5 years old, increasing risk and promising future headaches.
  • High-risk licenses are present in 69% of Java applications and 33% of Node applications.

In a world of accelerating development and frequent exploitation of vulnerabilities, protecting applications containing open-source libraries and frameworks requires a different approach. Organizations need a comprehensive picture of active and inactive libraries and classes, library age, vulnerabilities, and licensing issues. Such observability enables an organization to address the riskiest issues—and not waste time with vulnerabilities that pose no risk.

Speaker

David Lindner

CISO, Contrast Security

Tell Web Ads to Shut Their Pi-hole!

Speed up your browsing and protect your privacy and security by setting up a Pi-hole! It is a free, small DNS server, "a black hole for Internet advertisements", that runs on a Raspberry Pi. We'll talk briefly about the Raspberry Pi, then learn how to set up Pi-hole on your network for use with all of your devices. With a low-cost Raspberry Pi and an hour of setup time, we now surf faster and more securely, with nearly 40% of our DNS queries blocked. It's amazing how much more enjoyable using the web can be; you'll cry when you have to surf without it.

Speaker

Robert Boedigheimer

Principal Systems Developer