(my last year’s DEFCON badge – it winks at you with those terminator LED’s!)
Here is my subjective take on Vegas hacker’s Disneyland that’s happening end of July 2017. Please keep in mind that this year I’m trying to make it useful for web site/web service security – to that end, I sifted through 70+ talks to come up with a summary of what’s particularly interesting this year.
As for the parties… that’s for the follow-up post : )
High-level
BlackHat at Mandalay is more practical and by far the most expensive, it consists of three parts:
- 2-day trainings – ~$3k a piece
- Several days of hour-long briefings/talks – ~$2.5k includes all, and
- Expo floor which is free with either 1 or 2
Last year I took trainings, but this year I’m very much interested in website security briefings, so I plan to attend as many of the latter as possible.
BSidesLV is much more mellow, it’s under $100 bucks and more informal, people basically chill out in Tuscany Suites in between the “serious” stuff and present research, which can be interesting.
DEFCON, this year at Caesars, is definitely the most fun one, under $300 for everything. It has crazy talks, workshops, hackathons, CTF’s and just like the Renaissance Faire for geeks. They hack everything from poker to pacemakers to 747’s to implanting circuitry into your hands, also have tons of fun contests and a geek marketplace. It’s just super-fun, tho probably less useful for safeguarding a web service.
BlackHat Briefings – Totally Subjective Shortlist
Now, since BlackHat is absurdly expensive, I filtered out a few specific talks that seem worth visiting for website/web service security – all included with the admission ($2,395):
Cracking The Lens: Targeting HTTP’s Hidden Attack-surface
Don’t Trust The Dom: Bypassing XSS Mitigations Via Script Gadgets
Web Cache Deception Attack
A New Era Of SSRF – Exploiting URL Parser In Trending Programming Languages!
Friday The 13th: JSON Attacks
Practical Tips For Defending Web Applications In The Age Of Devops – potentially very interesting talk from Etsy on how to properly set up the whole security engineering process
Splunking Dark Tools – A Pentesters Guide To Pwnage Visualization
The Epocholypse 2038: What’s In Store For The Next 20 Years
Ichthyology: Phishing As A Science (walk through a series of real-world attacks conducted against a Bay Area tech company)
BlackHat (Web Security) Trainings
Those are very useful, they typically take 2 days, but tend to cost a ton (~$3k each). I took some last year, but this year I’m more interested in the briefings above. But still, these are the ones that I found very interesting for web security:
Engineering/app-level security training:
Whiteboard Hacking aka Hands-on Threat Modeling
Abilities Inc – Metasploit Mastery
Applied Data Science for Security Professionals
Visual Analytics – Delivering Actionable Security Intelligence
The Web Application Hacker’s Handbook, Live Edition – good intro as usual, but honestly, focuses too much on the obsolete and made-up simple attacks, could really benefit from a 2017-overhaul. But hey, maybe it will be brand new this year.
Talks I expect to be very useful for DevOps
Cloud Security Hands On (CCSK-Plus)
Advanced Cloud Security and Applied SecDevOps
And that’s it for now – see you there!! After all, it’s Vegas – good times all around!
Fancy Mollusk 