Your semi-definitive guide to #blackhat #bsideslv and #defcon 2017 – Vegas hacking!

(my DEFCON badge from last year – it winks at you with those Terminator LEDs!)

Here is my subjective take on the Vegas hackers’ Disneyland that’s happening at the end of July 2017. Please keep in mind that this year I’m trying to make it useful for web site/web service security – to that end, I sifted through 70+ talks to come up with a summary of what’s particularly interesting this year.

As for the parties… that’s for the follow-up post : )

High-level

BlackHat at Mandalay is more practical and by far the most expensive; it consists of three parts:

  1. 2-day trainings – ~$3k apiece
  2. Several days of hour-long briefings/talks – ~$2.5k includes all, and
  3. Expo floor, which is free with either 1 or 2

Last year I took trainings, but this year I’m very much interested in website security briefings, so I plan to attend as many of the latter as possible.

BSidesLV is much more mellow: it’s under $100 and more informal; people basically chill out in Tuscany Suites in between the “serious” stuff and present research, which can be interesting.

DEFCON, this year at Caesars, is definitely the most fun one, under $300 for everything. It has crazy talks, workshops, hackathons, CTFs, and is just like a Renaissance Faire for geeks. They hack everything from poker to pacemakers to 747s to implanting circuitry into your hands, and also have tons of fun contests and a geek marketplace. It’s just super-fun, though probably less useful for safeguarding a web service.

BlackHat Briefings – Totally Subjective Shortlist

Now, since BlackHat is absurdly expensive, I filtered out a few specific talks that seem worth visiting for website/web service security – all included with the admission ($2,395):

Cracking The Lens: Targeting HTTP’s Hidden Attack-surface

Don’t Trust The DOM: Bypassing XSS Mitigations Via Script Gadgets

Web Cache Deception Attack

A New Era Of SSRF – Exploiting URL Parser In Trending Programming Languages!

Friday The 13th: JSON Attacks

Practical Tips For Defending Web Applications In The Age Of Devops – potentially very interesting talk from Etsy on how to properly set up the whole security engineering process

Splunking Dark Tools – A Pentesters Guide To Pwnage Visualization

The Epocholypse 2038: What’s In Store For The Next 20 Years

Ichthyology: Phishing As A Science (walk through a series of real-world attacks conducted against a Bay Area tech company)

BlackHat (Web Security) Trainings

Those are very useful; they typically take 2 days, but tend to cost a ton (~$3k each). I took some last year, but this year I’m more interested in the briefings above. But still, these are the ones that I found very interesting for web security:

Engineering/app-level security training:

Whiteboard Hacking aka Hands-on Threat Modeling

Abilities Inc – Metasploit Mastery

Applied Data Science for Security Professionals

Visual Analytics – Delivering Actionable Security Intelligence

The Web Application Hacker’s Handbook, Live Edition – good intro as usual, but honestly, it focuses too much on obsolete and made-up simple attacks and could really benefit from a 2017 overhaul. But hey, maybe it will be brand new this year.

Talks I expect to be very useful for DevOps

Cloud Security Hands On (CCSK-Plus)

Advanced Cloud Security and Applied SecDevOps

And that’s it for now – see you there!! After all, it’s Vegas – good times all around!
