Finally, I asked everyone to look at the BlackHat schedule this year and pick out the one or two talks that looked most promising to them. Here are some recommendations:
"How Many Bricks Does It Take to Crack a Microcell?" (2 votes). Comments: "I am interested in Microcell devices for their linking cellular networks and IP networks and for the fact I use one!" "I second the microcell talk – this field is extremely underresearched."
"Clonewise – Automated Package Clone Detection". Comments: "This is going to be incorporated into a number of OS projects in different ways. Silvio has a great history of binary analysis, stemming from his ELF work, and this is definitely one not to be missed."
"Scaling Up Baseband Attacks: More (Unexpected) Attack Surface" (2 votes).
"Libinjection: A C library for SQLi Detection and Generation Through Lexical Analysis of Real World Attacks". Comments: "Although there’s been some nifty research in mitigation and prevention of SQL injection at the language/compiler/API level, there’s been a strong tendency for people to publish a PoC and let it languish. The description appears to be aimed straight at app developers, which is great."
"PRNG: Pwning Random Number Generators (in PHP applications)". Comments: "Barely-good-enough (or worse) PRNGs are at the core of virtually every session-generation mechanism. It’s one thing for everyone to say, 'stop using weak randomness!', but there’s been a lack of practical attacks in this space (aside from the old LCG attacks – we know rand() is bad. What about truncated arc4random in practice?)."
"iOS Kernel Heap Armageddon Revisited".
"iOS Application Security Assessment and Automation: Introducing SIRA".
"Advanced ARM Exploitation".
"Hardware Backdooring is Practical".
Neal Stephenson keynote. Comments: "Sure it’s not technical, but I’m a tremendous fan of his writing and I’d love to hear his thoughts as they pertain to the security space."
Chris Eng, vice president of research, is responsible for integrating security expertise into Veracode’s technology. In addition to helping define and prioritize the security feature set of the Veracode service, he consults frequently with customers to discuss and advance their application security initiatives. With over 15 years of experience in application security, Chris brings a wealth of practical expertise to Veracode.