October 24th 2018 Chapter Meeting

October 24th 2018 6pm - 8pm

Agenda: 6:00pm-6:15pm Networking 6:15pm-6:30pm Chapter Business 6:30pm-8:00pm Presentations

Location: Bellevue City Hall 450 110th Ave. NE Bellevue, WA 98009

Register

attendance qualifies for 2 CISSP credits

Speakers:

Spencer Gietzen, Penetration Tester, Rhino Security Labs Pacu: Attack and Post-Exploitation in AWS Cloud infrastructure security and configuration has been shown to be a difficult task to master. Sysadmins and developers with years of traditional IT experience are now being pushed to the cloud, where there is a whole new set of rules. This is what makes AWS environments particularly exciting to attack as a penetration tester. Best practices are often overlooked or ignored, which can leave gaps throughout an AWS environment that are ripe for exploitation. In this talk I will cover how penetration testers/red teamers can use Pacu to simulate real-world attack scenarios against AWS environments, starting from information enumeration and scanning through exploitation, privilege escalation, data exfiltration and even providing reporting documentation. It will be released as an open source project to encourage collaboration and discussion of different AWS attack techniques and methodologies with both attackers and defenders. This way, both myself and the community can contribute new modules to expand the functionality and usefulness of Pacu continuously. Bio With a background in software development, Spencer Gietzen is a penetration tester with Rhino Security Labs. His primary focus as a penetration tester is security relating to Amazon Web Services post exploitation and configuration, where he has found success in discovering vulnerabilities and attack vectors through extensive research. Steven B. Lipner, Executive Director, SAFECode SDL That Won't Break the Bank Over the last fifteen years, many large software development organizations have adopted Security Development Lifecycle (SDL) processes as effective approaches to delivering secure software. Motivation for SDL comes from the realization that software vulnerabilities can have real impacts – on information security, on organizations' reputations, on customer satisfaction, and on revenues. But what if you don't have 40,000 developers and run a small to medium dev shop? Fortunately, SDL adoption need not be "only for the rich." While large organizations have the resources to create large teams and customized tools, smaller organizations have the advantage that they can focus an SDL on the specific products, tools, and threats that are relevant to the software they produce. They can also benefit from a wide array of free and affordable resources that can help them address many of the challenges posed by creating and sustaining an SDL program. With management commitment to SDL fundamentals and an investment of resources proportional to the size of the development organization and its products, it's possible for small organizations to build an SDL program and deliver software that customers will find secure. This briefing will describe some resources that can help smaller organizations create an effective SDL program. It will also outline some secure development concerns that may be especially important to those organizations – such as dependence on software they didn't write – and ways that they can address those concerns. Bio: Steven B. Lipner is the Executive Director of SAFECode, a non-profit industry organization dedicated to increasing trust in ICT products and services through the advancement of effective software assurance methods. He is also an Adjunct Professor of Computer Science in the Institute for Software Research, School of Computer Science at Carnegie Mellon University. Lipner retired in 2015 as Partner Director of Software Security at Microsoft where he was the creator and long-time leader of the Microsoft Security Development Lifecycle (SDL). He was also responsible for Microsoft's policies and strategies for security evaluation of products by governments, and for Microsoft's approach to supply chain security and product integrity. Before joining Microsoft, Lipner worked for several commercial vendors and government contractors as a researcher, consultant, engineering manager and general manager in computer and network security. He has written numerous technical papers on aspects of cybersecurity and served on nine National Academies committees. He holds twelve U.S. patents in computer and network security, and served two terms, a total of ten years, on the Information Security and Privacy Advisory Board. Lipner was elected in 2010 to the Information Systems Security Association Hall of Fame, in 2015 to the National Cybersecurity Hall of Fame, and in 2017 to the National Academy of Engineering.

SecureWorld Cybersecurity Conference 2018

November 8 - 9 2017 8am - 5pm

SecureWorld Seattle Cybersecurity Conference November 7-8, 2018  •  Meydenbauer Center

Earn 12-16 CPE credits!

Register: HERE Cloud Security Alliance members are invited to the 17th annual SecureWorld Seattle conference!

Use the Exclusive Discount Codes below when registering. Promo codes for registration discounts:       CSAP for $150 off SecureWorld PLUS       CSA for $100 off Conference Pass       CSAO for $65 off Open Sessions Pass