kcody.co

View on GitHub

Principal Application Security Consultant | @kevcody

Presentations

  1. CodeMash 2016
  2. OWASP Pittsburgh Q1 MeetUp 2016
  3. CodeMash 2017
  4. Steel City InfoSec Q2 MeetUp 2017
  5. BSides Pittsburgh 2017
  6. BSides Dallas/Fort Worth 2017
  7. CodeMash 2018
  8. Absolute AppSec Podcast - February 2018
  9. BSides Orlando 2018
  10. Absolute AppSec Podcast - May 2018
  11. ISACA Phoenix Chapter Meeting - May 2018
  12. BSides Knoxville 2018
  13. BSides Pittsburgh 2018
  14. BSides Cleveland 2018
  15. OWASP Columbus July 2018 Seminar: Mobile Device Security and Auditing
  16. Absolute AppSec Podcast - February 2019
  17. OWASP SNOWFROC 2019
  18. BSides Greenville 2019

CodeMash 2016

Secure Code? What are your libraries hiding, and how do you know?

Libraries and Frameworks greatly assist developers to bolster functionality and meet deadlines. However, are these components introducing risk and vulnerabilities? Also, how does an overtasked and deadline driven developer stay up-to-date on the state of these dependencies? Attendees will discover the alarming statistics that security professionals identified regarding the sheer percentages of vulnerable libraries and frameworks. Additionally, participants will acquire information on some great manual scripts and open-source utilities to help automate this process. Since writing all components from scratch is too cumbersome and inefficient, attend this session to acquire the means to ensure the best risk adverse and well maintained libraries are utilized.


OWASP Pittsburgh Q1 MeetUp 2016

Secure Code? What are your libraries hiding, and how do you know?

Libraries and Frameworks greatly assist developers to bolster functionality and meet deadlines. However, are these components introducing risk and vulnerabilities? Also, how does an overtasked and deadline driven developer stay up-to-date on the state of these dependencies? Attendees will discover the alarming statistics that security professionals identified regarding the sheer percentages of vulnerable libraries and frameworks. Additionally, participants will acquire information on some great manual scripts and open-source utilities to help automate this process. Since writing all components from scratch is too cumbersome and inefficient, attend this session to acquire the means to ensure the best risk adverse and well maintained libraries are utilized.


CodeMash 2017

Who Are You & What Can You Do? Auth Security

Authentication and authorization are two critical components to any highly secure and easily usable application. But it’s easy to get lost in acronym soup. Worse, between misconfigurations and lack of appropriate threat modeling, federated identity services can add substantial risk to a previously secure system. Get details on how to effectively comprehend and avoid the security pitfalls in utilizing SAML, OAuth, OpenID, FIDO, Assertions, and more. No matter what you’re using – Java or .Net, Python or Ruby, JavaScript or the programming flavor de jour – this topic has direct bearing on anyone building or utilizing modern applications.


Steel City InfoSec Q2 MeetUp 2017

Who Are You & What Can You Do? Auth Security

Authentication and authorization are two critical components to any highly secure and easily usable application. But it’s easy to get lost in acronym soup. Worse, between misconfigurations and lack of appropriate threat modeling, federated identity services can add substantial risk to a previously secure system. Get details on how to effectively comprehend and avoid the security pitfalls in utilizing SAML, OAuth, OpenID, FIDO, Assertions, and more. No matter what you’re using – Java or .Net, Python or Ruby, JavaScript or the programming flavor de jour – this topic has direct bearing on anyone building or utilizing modern applications.

YouTube Recording


BSides Pittsburgh 2017

Lesser-Known Application Vulnerabilities

Vulnerabilities are expensive, there’s simply no way around it. Whether it’s mitigation costs, Penetration Testing fees, auditing, or bug bounties - vulnerabilities and bugs are pricey. While SQLi and XSS are certainly dangerous, this talk will focus on some of the more obscure application vulnerabilities which were identified within apps and services we use every day. This presentation won’t simply stop at introducing these talking points; rather, we will dive into identification, both risk and technical analysis, and finally remediation techniques. The goal of this discussion will be to arm security practitioners, of all skill levels, in better understanding application risks in 2017.

YouTube Recording


BSides Dallas Fort Worth 2017

Lesser-Known Application Vulnerabilities

Vulnerabilities are expensive, there’s simply no way around it. Whether it’s mitigation costs, Penetration Testing fees, auditing, or bug bounties - vulnerabilities and bugs are pricey. While SQLi and XSS are certainly dangerous, this talk will focus on some of the more obscure application vulnerabilities which were identified within apps and services we use every day. This presentation won’t simply stop at introducing these talking points; rather, we will dive into identification, both risk and technical analysis, and finally remediation techniques. The goal of this discussion will be to arm security practitioners, of all skill levels, in better understanding application risks in 2017.


CodeMash 2018

Enhancing Application Security: Understanding and Utilizing Browser Security Features

Have you looked at HTTP headers lately? Not only are they unwieldy, but what do half of them mean? Furthermore, browsers are protecting us from more-and-more attacks, but what are all of these acronyms? SOP, CSP, XSS, HSTS, HPKP, CAA… at the end of the day, we just want useable AND secure applications. This talk will break down exactly what all of these acronyms and browser-enforced security policies mean. Attendees will learn implementation and long-term strategies in effort to increase security posture without potentially sinkholing your user’s traffic. Whether you’re a first time developer, multi-linguist application guru, or simply an app user who wants to know what all of this security fuss is about - this session will appeal to the entire security conscious gamut.

YouTube Recording


Absolute AppSec Podcast - February 2018

YouTube Recording


BSides Orlando 2018

Enhancing Application Security: Understanding and Utilizing Browser Security Features

Have you looked at HTTP headers lately? Not only are they unwieldy, but what do half of them mean? Furthermore, browsers are protecting us from more-and-more attacks, but what are all of these acronyms? SOP, CSP, XSS, HSTS, HPKP, CAA… at the end of the day, we just want useable AND secure applications. This talk will break down exactly what all of these acronyms and browser-enforced security policies mean. Attendees will learn implementation and long-term strategies in effort to increase security posture without potentially sinkholing your user’s traffic. Whether you’re a first time developer, multi-linguist application guru, or simply an app user who wants to know what all of this security fuss is about – this session will appeal to the entire security conscious gamut.

YouTube Recording


Absolute AppSec Podcast - May 2018

Mobile Security Testing

YouTube Recording


ISACA Phoenix Chapter Meeting - May 2018

Mobile Device Security and Auditing

Co-Presenter

With over 10 Billion mobile-connected devices presnetly in use, mobile devices and applications enable new threats and attacks which introduce significant risk. The biggest risks are data loss through an exploit or from devices being lost or stolen. How have devices become more secure? How do Apple and Google secure iOS and Android? How are mobile applications susceptible to common software vulnerabilities? Do you know what critical data is stored on these devices and backed up in the cloud? Is your sensitive data protected if a device is lost or stolen? Join David and Kevin as they explain how to be proactive by examining your mobile applications, devices, and their footprints.


BSides Knoxville 2018

Mobile Application Privacy and Analytics

Have you ever wondered how much data your favorite shopping application is capturing during your mobile app visits? Or, have you questioned what kind of data that mobile game you love is able to gather, even if you don’t give it special permissions? What about the final consensus on that long running theory on if XYZ Enterprise is using your microphone to listen to your conversations and target advertisements? This session will hone in on exactly those questions. We will tear apart some common analytic products and tracking engines to expose exactly the content and frequency our commonly used mobile applications are reporting. Attendees will walk away with insider knowledge to make informed decisions in regard to how analytic services work in conjunction with their favorite mobile applications.


BSides Pittsburgh 2018

REST is the sweet sauce of labor.

Contrary to Plutarch’s famous quote regarding rest being the “sweet sauce” of labor, RESTful web services may actually be the source of additional security labor. A service or microservice architecture demands a different sort of security testing knowledge base, tooling, and perspective. Tools such as Swagger, Postman, and Insomnia can help your testing efforts; however, a basic understanding and security foundation is critical in getting the most out of your time invested in these tools. Attendees will learn useful nomenclature, tutorials, and expertise that will be benefit anyone dealing with risk assessments, vulnerability analysis, or penetration testing of RESTful web services.

YouTube Recording


BSides Cleveland 2018

Mobile Application Privacy and Analytics

Have you ever wondered how much data your favorite shopping application is capturing during your mobile app visits? Or, have you questioned what kind of data that mobile game you love is able to gather, even if you don’t give it special permissions? What about the final consensus on that long running theory on if XYZ Enterprise is using your microphone to listen to your conversations and target advertisements? This session will hone in on exactly those questions. We will tear apart some common analytic products and tracking engines to expose exactly the content and frequency our commonly used mobile applications are reporting. Attendees will walk away with insider knowledge to make informed decisions in regard to how analytic services work in conjunction with their favorite mobile applications.

YouTube Recording


OWASP Columbus 2018

Seminar: Mobile Device Security and Auditing

With over 10 Billion mobile-connected devices presnetly in use, mobile devices and applications enable new threats and attacks which introduce significant risk. The biggest risks are data loss through an exploit or from devices being lost or stolen. How have devices become more secure? How do Apple and Google secure iOS and Android? How are mobile applications susceptible to common software vulnerabilities? Do you know what critical data is stored on these devices and backed up in the cloud? Is your sensitive data protected if a device is lost or stolen? Join David and Kevin as they explain how to be proactive by examining your mobile applications, devices, and their footprints.


Absolute AppSec Podcast - February 2019

YouTube Recording


OWASP SNOWFROC 2019

How to Frida Good

There are currently between seven and eleventy billion mobile applications in Apple and Google app stores. Users have on average 150 mobile applications on their devices and screen time varies from 5-10hrs per day. Needless to say, we are entrenched in mobile applications and at the mercy of the security of the devices and applications. Over the years there have been many tools released for instrumenting and debugging mobile applications for security purposes, such as Snoop-it, Drozer, cycript, lldb, etc. Frida was released in late 2013, but really started taking a stronghold in mobile application security testing when the other tools became less useful or unmaintained. But how can we best use Frida, what is too deep, and what other tools can we use to improve our mobile testing methods? Join David and Kevin as they walk you through examining functionality of both iOS and Android apps to learn how they work, and dynamically instrument the applications as they are used. You should walk away with a better idea of how powerful Frida is, and how miserable mobile application security is if an attacker has physical access to a device.


BSides Greenville 2019

To CORS! The cause of, and solution to, all SPA problems!

Co-Presenter

Cross-origin resource sharing (CORS) is complex and misunderstood by many developers and security testers. If not implemented correctly, CORS can lead to major breaches of information through devastating client-side attacks. While CORS is a powerful protocol that enables much of the modern web, we’ve once again found ways to make development easier while putting others at risk.

In this talk we will explain the same-origin policy (SOP) and CORS in an easy to understand way. We will then discuss poor implementations of CORS and the resulting issues. We’ll continue by releasing research done on the number of development frameworks and libraries that default to the most dangerous behavior and some popular applications that use those technologies. We’ll then demonstrate why all of this matters by conducting a distributed attack against the most common CORS configuration using audience participation. Finally, we’ll discuss the safest ways to implement CORS. The custom tools developed for the talk will be released along with the presentation.

While not without its drawbacks, the development community has spoken, and client-side frameworks aren’t going anywhere anytime soon. That means CORS is here to stay. It’s time we get the word out and start doing CORS right.