It's that time of year again.

Veracode's security research team and our Chief Scientist will be at the Vegas cons in force this year engaging in the usual roguery.

Here's where to see us speaking:

  • Christien Rioux, "Lessons of Binary Analysis", BlackHat, July 26, 10:15am
  • Zach Lanier and Andrew Reiter, "Mapping and Evolution of Android Permissions", BlackHat, July 26, 2:15pm
  • Chris Lytle, "Puzzle Competitions and You", B-Sides Las Vegas, July 25, 4pm

We'll also have a booth (#229) for the first time. Here's when you can stop by and speak with members of the research team, assuming you don't bump into them in the hallway first.

Chris Wysopal (@WeldPond), Christien Rioux (@dildog), and I (@chriseng) will also be floating around.

Finally, I asked everyone to look at the BlackHat schedule this year and pick out the one or two talks that looked most promising to them. Here are some recommendations:

  • "How Many Bricks Does It Take to Crack a Microcell?" (2 votes). Comments: "I am interested in Microcell devices for their linking cellular networks and IP networks and for the fact I use one!" "I second the microcell talk – this field is extremely under-researched."
  • "Clonewise – Automated Package Clone Detection". Comments: "This is going to be incorporated into a number of OS projects in different ways. Silvio has a great history of binary analysis, stemming from his ELF work, and this is definitely one not to be missed."
  • "Scaling Up Baseband Attacks: More (Unexpected) Attack Surface" (2 votes).
  • "Libinjection: A C library for SQLi Detection and Generation Through Lexical Analysis of Real World Attacks". Comments: "Although there’s been some nifty research in mitigation and prevention of SQL injection at the language/compiler/API level, there’s been a strong tendency for people to publish a PoC and let it languish. The description appears to be aimed straight at app developers, which is great."
  • "PRNG: Pwning Random Number Generators (in PHP applications)". Comments: "Barely-good-enough (or worse) PRNGs are at the core of virtually every session-generation mechanism. It’s one thing for everyone to say, 'stop using weak randomness!', but there’s been a lack of practical attacks in this space (aside from the old LCG attacks – we know rand() is bad. What about truncated arc4random in practice?)."
  • "iOS Kernel Heap Armageddon Revisited".
  • "iOS Application Security Assessment and Automation: Introducing SIRA".
  • "Advanced ARM Exploitation".
  • "Hardware Backdooring is Practical".
  • Neal Stephenson keynote. Comments: "Sure it’s not technical, but I’m a tremendous fan of his writing and I’d love to hear his thoughts as they pertain to the security space."
  • Any of the talks focused on the implications of HTML5 and modern Javascript techniques like "Hacking with Websockets", "Blended Threats and Javascript: A Plan for Permanent Network Compromise", and "Owning Bad Guys {and Mafia} with Javascript Botnets".

About Chris Eng

Chris Eng, vice president of research, is responsible for integrating security expertise into Veracode’s technology. In addition to helping define and prioritize the security feature set of the Veracode service, he consults frequently with customers to discuss and advance their application security initiatives. With over 15 years of experience in application security, Chris brings a wealth of practical expertise to Veracode.

Comments (1)

Nick Galbreath | July 24, 2012 3:01 am

Thanks Veracode for nice words about libinjection! The talk is on Wednesday, 2:45pm in the Augustus I/II rooms. Slides and more details can be found at Hope to see you all there! @ngalbreath
