Principal Application Security Consultant | @kevcody
Presentations
- CodeMash 2016
- OWASP Pittsburgh Q1 MeetUp 2016
- CodeMash 2017
- Steel City InfoSec Q2 MeetUp 2017
- BSides Pittsburgh 2017
- BSides Dallas/Fort Worth 2017
- CodeMash 2018
- Absolute AppSec Podcast - February 2018
- BSides Orlando 2018
- Absolute AppSec Podcast - May 2018
- ISACA Phoenix Chapter Meeting - May 2018
- BSides Knoxville 2018
- BSides Pittsburgh 2018
- BSides Cleveland 2018
- OWASP Columbus July 2018 Seminar: Mobile Device Security and Auditing
- Absolute AppSec Podcast - February 2019
- OWASP SNOWFROC 2019
- BSides Greenville 2019
- OWASP AppSec Global Tel Aviv 2019
- mDevCamp 2019
- BSides Pittsburgh 2019
- DerbyCon 2019
- BSides Orlando 2020
CodeMash 2016
Secure Code? What are your libraries hiding, and how do you know?
Libraries and frameworks greatly assist developers in bolstering functionality and meeting deadlines. However, are these components introducing risk and vulnerabilities? And how does an overtasked, deadline-driven developer stay up to date on the state of these dependencies? Attendees will discover the alarming statistics security professionals have identified regarding the sheer percentage of vulnerable libraries and frameworks. Additionally, participants will learn about some useful manual scripts and open-source utilities that help automate this process. Since writing every component from scratch is too cumbersome and inefficient, attend this session to acquire the means to ensure the most risk-averse and well-maintained libraries are utilized.
OWASP Pittsburgh Q1 MeetUp 2016
Secure Code? What are your libraries hiding, and how do you know?
Libraries and frameworks greatly assist developers in bolstering functionality and meeting deadlines. However, are these components introducing risk and vulnerabilities? And how does an overtasked, deadline-driven developer stay up to date on the state of these dependencies? Attendees will discover the alarming statistics security professionals have identified regarding the sheer percentage of vulnerable libraries and frameworks. Additionally, participants will learn about some useful manual scripts and open-source utilities that help automate this process. Since writing every component from scratch is too cumbersome and inefficient, attend this session to acquire the means to ensure the most risk-averse and well-maintained libraries are utilized.
CodeMash 2017
Who Are You & What Can You Do? Auth Security
Authentication and authorization are two critical components of any highly secure and easily usable application. But it’s easy to get lost in acronym soup. Worse, between misconfigurations and a lack of appropriate threat modeling, federated identity services can add substantial risk to a previously secure system. Get details on how to effectively comprehend and avoid the security pitfalls of utilizing SAML, OAuth, OpenID, FIDO, assertions, and more. No matter what you’re using – Java or .NET, Python or Ruby, JavaScript or the programming flavor du jour – this topic has direct bearing on anyone building or utilizing modern applications.
Steel City InfoSec Q2 MeetUp 2017
Who Are You & What Can You Do? Auth Security
Authentication and authorization are two critical components of any highly secure and easily usable application. But it’s easy to get lost in acronym soup. Worse, between misconfigurations and a lack of appropriate threat modeling, federated identity services can add substantial risk to a previously secure system. Get details on how to effectively comprehend and avoid the security pitfalls of utilizing SAML, OAuth, OpenID, FIDO, assertions, and more. No matter what you’re using – Java or .NET, Python or Ruby, JavaScript or the programming flavor du jour – this topic has direct bearing on anyone building or utilizing modern applications.
BSides Pittsburgh 2017
Lesser-Known Application Vulnerabilities
Vulnerabilities are expensive, there’s simply no way around it. Whether it’s mitigation costs, Penetration Testing fees, auditing, or bug bounties - vulnerabilities and bugs are pricey. While SQLi and XSS are certainly dangerous, this talk will focus on some of the more obscure application vulnerabilities which were identified within apps and services we use every day. This presentation won’t simply stop at introducing these talking points; rather, we will dive into identification, both risk and technical analysis, and finally remediation techniques. The goal of this discussion will be to arm security practitioners, of all skill levels, in better understanding application risks in 2017.
BSides Dallas/Fort Worth 2017
Lesser-Known Application Vulnerabilities
Vulnerabilities are expensive, there’s simply no way around it. Whether it’s mitigation costs, Penetration Testing fees, auditing, or bug bounties - vulnerabilities and bugs are pricey. While SQLi and XSS are certainly dangerous, this talk will focus on some of the more obscure application vulnerabilities which were identified within apps and services we use every day. This presentation won’t simply stop at introducing these talking points; rather, we will dive into identification, both risk and technical analysis, and finally remediation techniques. The goal of this discussion will be to arm security practitioners, of all skill levels, in better understanding application risks in 2017.
CodeMash 2018
Enhancing Application Security: Understanding and Utilizing Browser Security Features
Have you looked at HTTP headers lately? Not only are they unwieldy, but what do half of them mean? Furthermore, browsers are protecting us from more and more attacks, but what are all of these acronyms? SOP, CSP, XSS, HSTS, HPKP, CAA… at the end of the day, we just want usable AND secure applications. This talk will break down exactly what all of these acronyms and browser-enforced security policies mean. Attendees will learn implementation and long-term strategies in an effort to increase security posture without potentially sinkholing your users’ traffic. Whether you’re a first-time developer, multi-linguist application guru, or simply an app user who wants to know what all of this security fuss is about - this session will appeal to the entire security-conscious gamut.
Absolute AppSec Podcast - February 2018
BSides Orlando 2018
Enhancing Application Security: Understanding and Utilizing Browser Security Features
Have you looked at HTTP headers lately? Not only are they unwieldy, but what do half of them mean? Furthermore, browsers are protecting us from more and more attacks, but what are all of these acronyms? SOP, CSP, XSS, HSTS, HPKP, CAA… at the end of the day, we just want usable AND secure applications. This talk will break down exactly what all of these acronyms and browser-enforced security policies mean. Attendees will learn implementation and long-term strategies in an effort to increase security posture without potentially sinkholing your users’ traffic. Whether you’re a first-time developer, multi-linguist application guru, or simply an app user who wants to know what all of this security fuss is about – this session will appeal to the entire security-conscious gamut.
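As an added example for the CodeMash 2018 and BSides Orlando 2018 abstracts above (this is not code from the talk), the following JavaScript audits the three browser-enforced policies the talk names that travel as response headers: CSP, HSTS and HPKP. It parses the header values and reports the settings that leave a site exposed or, in the HSTS preload and HPKP cases, that can sinkhole users' traffic if set wrongly. The header sets at the bottom are constructed for the example; the one-year HSTS threshold matches the preload list's requirement.

```javascript
// Added example, not from the talk: a small auditor for CSP, HSTS and HPKP.

const ONE_YEAR_SECONDS = 31536000; // minimum max-age accepted by the HSTS preload list

// Parse a Content-Security-Policy value into a Map of directive -> source list.
// Browsers honour the first occurrence of a directive and ignore repeats.
function parseCsp(value) {
  const directives = new Map();
  for (const part of value.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Parse Strict-Transport-Security into its three fields.
function parseHsts(value) {
  const policy = { maxAge: NaN, includeSubDomains: false, preload: false };
  for (const part of value.split(';')) {
    const [name, rawValue] = part.trim().split('=');
    const key = name.toLowerCase();
    if (key === 'max-age') policy.maxAge = Number.parseInt(rawValue, 10);
    else if (key === 'includesubdomains') policy.includeSubDomains = true;
    else if (key === 'preload') policy.preload = true;
  }
  return policy;
}

// Returns a list of findings (empty when nothing is wrong). Header names are
// matched case-insensitively, as they are on the wire.
function auditSecurityHeaders(headers) {
  const h = new Map(Object.entries(headers).map(([k, v]) => [k.toLowerCase(), v]));
  const findings = [];

  // CSP: script-src (falling back to default-src) is what actually limits XSS.
  if (!h.has('content-security-policy')) {
    findings.push('CSP: missing');
  } else {
    const csp = parseCsp(h.get('content-security-policy'));
    const scriptSrc = csp.get('script-src') || csp.get('default-src');
    if (!scriptSrc) {
      findings.push('CSP: no script-src or default-src, so script loading is unrestricted');
    } else {
      // A nonce or hash makes browsers ignore 'unsafe-inline' (CSP level 2+), so only
      // flag it when neither is present.
      const hasNonceOrHash = scriptSrc.some((s) => /^'(nonce-|sha(256|384|512)-)/.test(s));
      if (scriptSrc.includes("'unsafe-inline'") && !hasNonceOrHash) {
        findings.push("CSP: script-src allows 'unsafe-inline' without a nonce or hash");
      }
      if (scriptSrc.some((s) => s === '*' || s === 'https:' || s === 'http:')) {
        findings.push('CSP: script-src allows scripts from any host');
      }
      if (scriptSrc.includes("'unsafe-eval'")) {
        findings.push("CSP: script-src allows 'unsafe-eval'");
      }
    }
  }

  // HSTS: a short max-age gives little protection; preload requires includeSubDomains
  // and is hard to undo once the site is on the list.
  if (!h.has('strict-transport-security')) {
    findings.push('HSTS: missing');
  } else {
    const hsts = parseHsts(h.get('strict-transport-security'));
    if (!(hsts.maxAge >= ONE_YEAR_SECONDS)) {
      findings.push(`HSTS: max-age ${hsts.maxAge} is below one year`);
    }
    if (hsts.preload && !hsts.includeSubDomains) {
      findings.push('HSTS: preload requires includeSubDomains');
    }
  }

  // HPKP: deprecated by browsers; a wrong pin set locks users out for the full max-age.
  if (h.has('public-key-pins')) {
    findings.push('HPKP: present; deprecated, and a bad pin set sinkholes users for the full max-age');
  }

  return findings;
}

// Constructed header sets for the walk-through (not captured from any real site).
const WEAK_HEADERS = {
  'Content-Security-Policy': "default-src *; script-src 'self' 'unsafe-inline' https:",
  'Strict-Transport-Security': 'max-age=300',
  'Public-Key-Pins': 'pin-sha256="c29tZXBpbg=="; max-age=5184000',
};
const STRONG_HEADERS = {
  'Content-Security-Policy': "default-src 'self'; script-src 'self' 'nonce-r4nd0m'; object-src 'none'; base-uri 'self'",
  'Strict-Transport-Security': 'max-age=63072000; includeSubDomains; preload',
};

console.log('weak:', auditSecurityHeaders(WEAK_HEADERS));
console.log('strong:', auditSecurityHeaders(STRONG_HEADERS));
```

Run it with `node` to see four findings for the weak set and none for the strong set; point the same function at the headers from a `curl -I` of your own site to get the list the talk's long-term strategy would work through.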
Absolute AppSec Podcast - May 2018
Mobile Security Testing
ISACA Phoenix Chapter Meeting - May 2018
Mobile Device Security and Auditing
Co-Presenter
With over 10 billion mobile-connected devices presently in use, mobile devices and applications enable new threats and attacks which introduce significant risk. The biggest risks are data loss through an exploit or from devices being lost or stolen. How have devices become more secure? How do Apple and Google secure iOS and Android? How are mobile applications susceptible to common software vulnerabilities? Do you know what critical data is stored on these devices and backed up in the cloud? Is your sensitive data protected if a device is lost or stolen? Join David and Kevin as they explain how to be proactive by examining your mobile applications, devices, and their footprints.
BSides Knoxville 2018
Mobile Application Privacy and Analytics
Have you ever wondered how much data your favorite shopping application is capturing during your mobile app visits? Or have you questioned what kind of data that mobile game you love is able to gather, even if you don’t give it special permissions? What about the final consensus on that long-running theory about whether XYZ Enterprise is using your microphone to listen to your conversations and target advertisements? This session will home in on exactly those questions. We will tear apart some common analytics products and tracking engines to expose exactly what content our commonly used mobile applications report, and how often. Attendees will walk away with insider knowledge to make informed decisions regarding how analytics services work in conjunction with their favorite mobile applications.
BSides Pittsburgh 2018
REST is the sweet sauce of labor.
Contrary to Plutarch’s famous quote regarding rest being the “sweet sauce” of labor, RESTful web services may actually be the source of additional security labor. A service or microservice architecture demands a different sort of security testing knowledge base, tooling, and perspective. Tools such as Swagger, Postman, and Insomnia can help your testing efforts; however, a basic understanding and security foundation is critical to getting the most out of the time invested in these tools. Attendees will learn useful nomenclature, tutorials, and expertise that will benefit anyone dealing with risk assessments, vulnerability analysis, or penetration testing of RESTful web services.
BSides Cleveland 2018
Mobile Application Privacy and Analytics
Have you ever wondered how much data your favorite shopping application is capturing during your mobile app visits? Or have you questioned what kind of data that mobile game you love is able to gather, even if you don’t give it special permissions? What about the final consensus on that long-running theory about whether XYZ Enterprise is using your microphone to listen to your conversations and target advertisements? This session will home in on exactly those questions. We will tear apart some common analytics products and tracking engines to expose exactly what content our commonly used mobile applications report, and how often. Attendees will walk away with insider knowledge to make informed decisions regarding how analytics services work in conjunction with their favorite mobile applications.
OWASP Columbus 2018
Seminar: Mobile Device Security and Auditing
With over 10 billion mobile-connected devices presently in use, mobile devices and applications enable new threats and attacks which introduce significant risk. The biggest risks are data loss through an exploit or from devices being lost or stolen. How have devices become more secure? How do Apple and Google secure iOS and Android? How are mobile applications susceptible to common software vulnerabilities? Do you know what critical data is stored on these devices and backed up in the cloud? Is your sensitive data protected if a device is lost or stolen? Join David and Kevin as they explain how to be proactive by examining your mobile applications, devices, and their footprints.
Absolute AppSec Podcast - February 2019
OWASP SNOWFROC 2019
How to Frida Good
There are currently between seven and eleventy billion mobile applications in the Apple and Google app stores. Users have on average 150 mobile applications on their devices, and screen time varies from 5 to 10 hours per day. Needless to say, we are entrenched in mobile applications and at the mercy of the security of the devices and applications. Over the years there have been many tools released for instrumenting and debugging mobile applications for security purposes, such as Snoop-it, Drozer, cycript, lldb, etc. Frida was released in late 2013, but really started gaining a stronghold in mobile application security testing when the other tools became less useful or unmaintained. But how can we best use Frida, what is too deep, and what other tools can we use to improve our mobile testing methods? Join David and Kevin as they walk you through examining the functionality of both iOS and Android apps to learn how they work, and dynamically instrumenting the applications as they are used. You should walk away with a better idea of how powerful Frida is, and how miserable mobile application security is if an attacker has physical access to a device.
BSides Greenville 2019
To CORS! The cause of, and solution to, all SPA problems!
Co-Presenter
Cross-origin resource sharing (CORS) is complex and misunderstood by many developers and security testers. If not implemented correctly, CORS can lead to major breaches of information through devastating client-side attacks. While CORS is a powerful protocol that enables much of the modern web, we’ve once again found ways to make development easier while putting others at risk.
In this talk we will explain the same-origin policy (SOP) and CORS in an easy to understand way. We will then discuss poor implementations of CORS and the resulting issues. We’ll continue by releasing research done on the number of development frameworks and libraries that default to the most dangerous behavior and some popular applications that use those technologies. We’ll then demonstrate why all of this matters by conducting a distributed attack against the most common CORS configuration using audience participation. Finally, we’ll discuss the safest ways to implement CORS. The custom tools developed for the talk will be released along with the presentation.
While not without its drawbacks, the development community has spoken, and client-side frameworks aren’t going anywhere anytime soon. That means CORS is here to stay. It’s time we get the word out and start doing CORS right.
OWASP AppSec Global Tel Aviv 2019
Dissecting Mobile Application Privacy and Analytics
Have you ever wondered how much data your favorite business application is capturing during your mobile app visits? Are you a developer or security engineer tasked with keeping your client data secure? Are you curious about what kind of data that mobile game you love can gather, even if you don’t give it special permissions? The apps we trust with our data hopefully use caution and comply with regulations, but what about the safeguards and authentication around these analytics portals? This session will home in on precisely those questions. We will tear apart some favorite apps and their analytics products and tracking engines to expose exactly what content commonly used mobile applications report, and how often. Attendees will walk away with insider knowledge to make informed decisions regarding the scope of this exposure, in an effort to guard our personal and client data.
mDevCamp 2019
How to Frida Good
There are currently between seven and eleventy billion mobile applications in the Apple and Google app stores. Users have on average 150 mobile applications on their devices, and screen time varies from 5 to 10 hours per day. Needless to say, we are entrenched in mobile applications and at the mercy of the security of the devices and applications. Over the years there have been many tools released for instrumenting and debugging mobile applications for security purposes, such as Snoop-it, Drozer, cycript, lldb, etc. Frida was released in late 2013, but really started gaining a stronghold in mobile application security testing when the other tools became less useful or unmaintained. But how can we best use Frida, what is too deep, and what other tools can we use to improve our mobile testing methods? Join David and Kevin as they walk you through examining the functionality of both iOS and Android apps to learn how they work, and dynamically instrumenting the applications as they are used. You should walk away with a better idea of how powerful Frida is, and how miserable mobile application security is if an attacker has physical access to a device.
BSides Pittsburgh 2019
Dead Folks Tell No Tales
Death, wills, estate planning… I get it, this is not a topic that many people want to discuss. However, take a moment to think about the sophisticated authentication and authorization systems we use today. Does your significant other or family have everything they need to access, archive, and disseminate the digital lives that we technologists live? Furthermore, with more and more services accepting the use of multi-factor authentication, are you adequately prepared for anyone outside of yourself to authorize access? This presentation will break down different types of authentication technology and the barriers that might face your next-of-kin, in the event that an untimely (but ultimately inevitable) situation arises. Additionally, this talk will evaluate the risks and benefits of the current beneficiary recovery mechanisms available within password vaults, social media, financial services, and more. If the goal is to have strong authentication without single points of failure, we need to plan ahead and think of how we can bequeath our digital assets – this presentation will educate and implore you to do just that.
DerbyCon 2019
To CORS! The cause of, and solution to, your SPA problems!
Co-Presenter
Cross-Origin Resource Sharing (CORS) is a complex and commonly misunderstood concept that is often implemented wrong for the right reasons. In this talk we will explain the Same-Origin Policy (SOP) and CORS in an easy to understand way. We will then discuss poor implementations of CORS and the resulting issues. We’ll continue by releasing research done on a number of development frameworks exposing poorly designed CORS libraries that default to the most dangerous behavior. We’ll then demonstrate why all of this matters by conducting a distributed attack against the most common CORS configuration using audience participation and a new tool. Finally, we’ll discuss the safest ways to implement CORS. The custom tools used during the talk will be released along with the presentation.
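As an added example for the BSides Greenville 2019 and DerbyCon 2019 CORS abstracts above (this is not code from the talk or from the tools it released), the following JavaScript models the server's CORS response and the browser's CORS check as pure functions, so the "most dangerous default" the talks describe can be exercised offline. It puts the reflect-any-Origin configuration beside a substring-match "fix" that is still exploitable and beside an exact-match allow list. The origins `app.example`, `attacker.example` and `notapp.example` are constructed for the walk-through; the `/account` endpoint and the cookie-backed session are assumed.

```javascript
// Added example, not code from the talk: three CORS policies and the browser's
// credentialed-request check, as pure functions over header objects.

// Constructed origins for the walk-through (not real sites).
const TRUSTED_ORIGIN = 'https://app.example';        // the first-party SPA
const ATTACKER_ORIGIN = 'https://attacker.example';  // page the victim is lured to
const LOOKALIKE_ORIGIN = 'https://notapp.example';   // host name ends with "app.example"

// Policy 1: the most common dangerous configuration. Whatever Origin the browser
// sends is echoed back, and credentials (session cookies) are allowed with it.
function corsReflectAny(requestHeaders) {
  const origin = requestHeaders.origin;
  if (!origin) return {};
  return {
    'access-control-allow-origin': origin,
    'access-control-allow-credentials': 'true',
  };
}

// Policy 2: a frequent "fix" that is still exploitable, because the check is a
// substring match on the host instead of a comparison of the whole origin.
function corsSuffixMatch(requestHeaders) {
  const origin = requestHeaders.origin;
  if (!origin || !origin.endsWith('app.example')) return {};
  return {
    'access-control-allow-origin': origin,
    'access-control-allow-credentials': 'true',
  };
}

// Policy 3: exact match against an allow list of full origins (scheme + host +
// port). Unknown, malformed and "null" origins get no CORS headers at all.
function corsAllowList(requestHeaders, allowedOrigins) {
  const origin = requestHeaders.origin;
  if (typeof origin !== 'string' || origin === 'null') return {};
  let parsed;
  try {
    parsed = new URL(origin); // URL.origin normalises scheme/host/port for comparison
  } catch (e) {
    return {};
  }
  if (!allowedOrigins.has(parsed.origin)) return {};
  return {
    'access-control-allow-origin': parsed.origin,
    'access-control-allow-credentials': 'true',
    // Shared caches must key on Origin, or one origin's answer is served to another.
    'vary': 'Origin',
  };
}

// The browser side of a credentialed cross-origin fetch: the response body is
// exposed to the page only when Allow-Origin is exactly the page's origin
// (never "*") and Allow-Credentials is "true".
function browserExposesCredentialedResponse(pageOrigin, responseHeaders) {
  const allowOrigin = responseHeaders['access-control-allow-origin'];
  if (allowOrigin === undefined || allowOrigin === '*') return false;
  if (allowOrigin !== pageOrigin) return false;
  return responseHeaders['access-control-allow-credentials'] === 'true';
}

// A page at pageOrigin runs fetch('https://api.example/account', { credentials: 'include' })
// while the victim is logged in; returns true when that page can read the response.
function pageCanReadAccount(policy, pageOrigin) {
  const response = policy({ origin: pageOrigin });
  return browserExposesCredentialedResponse(pageOrigin, response);
}

const ALLOWED_ORIGINS = new Set([TRUSTED_ORIGIN]);
const hardened = (requestHeaders) => corsAllowList(requestHeaders, ALLOWED_ORIGINS);

// Outcome of each policy against each origin; true means the page reads the data.
function summary() {
  return {
    reflectAnyAttacker: pageCanReadAccount(corsReflectAny, ATTACKER_ORIGIN),
    suffixMatchAttacker: pageCanReadAccount(corsSuffixMatch, ATTACKER_ORIGIN),
    suffixMatchLookalike: pageCanReadAccount(corsSuffixMatch, LOOKALIKE_ORIGIN),
    allowListAttacker: pageCanReadAccount(hardened, ATTACKER_ORIGIN),
    allowListLookalike: pageCanReadAccount(hardened, LOOKALIKE_ORIGIN),
    allowListNull: pageCanReadAccount(hardened, 'null'),
    allowListTrusted: pageCanReadAccount(hardened, TRUSTED_ORIGIN),
  };
}

console.log(summary());
```

The reflect-any policy hands the victim's account data to any page they visit, and the suffix match does the same for a registered lookalike domain; only the exact-match allow list refuses both while still serving the real SPA. A quick check during testing is to send a request with `Origin: https://attacker.example` (and a second with `Origin: null`) and look for your own value echoed back next to `Access-Control-Allow-Credentials: true`.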