On-Demand Talks

Watch our on-demand talks and view the corresponding slide decks.


Monitoring Solutions: Attacking IT Infrastructure at its Core | TROOPERS

In this talk, we have a look at monitoring solutions from an attacker’s point of view. We present the basic architecture of modern monitoring solutions and talk about the derived attack surface. Based on this, we outline how important the choice of attack vector is and describe the approach we used to find critical vulnerabilities in popular monitoring solutions. We deep-dive into these findings and explain how they were found, how they can be exploited, and what we can learn from them.



Explore Other Talks

Talk | WeAreDevelopers

The Clean as You Code Imperative, by Sonar CEO Olivier Gaudin

In this talk, given at WeAreDevelopers, Olivier Gaudin explains how Clean Code empowers developers and enables organizations to consistently deliver high-quality, secure code. He explains why the Clean As You Code methodology has to become an organizational imperative for a sustainable edge in the marketplace.


Topics: Clean As You Code, DevOps

Talk | Hexacon

You've Got Mail! And I'm Root on Your Zimbra Server

Zimbra, an enterprise-level email solution, has recently been the target of a 0-day campaign likely conducted by a state actor. As demonstrated by the Microsoft Exchange vulnerabilities, enterprise mail servers are a gold mine for attackers. In this talk we break down how we approached a complex enterprise web target from the viewpoint of a sophisticated attacker.


Topics: Code Security, Enterprise

Talk | Insomni’hack

A Common Bypass Pattern to Exploit Modern Web Apps

During our vulnerability research, we broke the defenses of some of the most popular open-source web applications. We realized that many code vulnerabilities we discovered share a common theme. In this talk, we express this common denominator as a simple, abstract methodology that seems to have gone unnoticed in the industry. To turn our theoretical pattern into an entertaining presentation, we explain and demo related vulnerabilities that we discovered in applications such as Magento2, WordPress, and Zimbra.


Topic: Code Security

Talk | Insomni’hack

Two Bugs to Rule Them All: Taking Over the PHP Supply Chain

This talk presents the technical details of the vulnerabilities that allowed us to compromise the infrastructure behind the two PHP package managers, Composer (twice!), and PEAR. Together, they serve more than a billion monthly package downloads. We also present how we could reduce the impact of such an attack and the actions package managers could take to protect themselves.



Topics: Code Security, Supply Chain, Developer Tools
