BSides Toronto 2022
Have you ever gotten off the plane at BlackHat or RSA and seen the security vendor ads lining the corridors? Or made your way through a crowded vendor hall with the multistory booths larger and more elaborate than a typical city apartment and thought to yourself, that could be me? Then this talk is for you. Are you ready to never work again and enter the privileged world of successful entrepreneurs permanently on vacation? Just kidding! Are you ready to work so hard any potential reward will come out to well below minimum wage when you calculate the hours, blood/sweat/tears, and mental health crises that went into it? Then maybe it is time to start a cybersecurity startup. In this talk we will take a dive into the exciting world of turning your hacking tool into a successful product company and how to avoid the common pitfalls encountered by the speaker and her merry band of startup world survivors. We will cover exciting topics such as venture capital funding, startup accelerators, and making your first sale. We will also discuss not as exciting but equally important topics as corporate structures, hiring a CEO, and board meetings. Filled with info and direct quotes from real security practitioners turned startup founders, venture capital investors, and serial expert advisors, this talk will get you ready to start down the path of your own startup journey, or run screaming in the other direction.
Threat modeling has long been a “design level” activity that fits in right at the beginning of a well-defined application security strategy, and rightfully so. However, the current speed and scale of product and security engineering has forced software teams to overlook this very critical element of software security...and rightfully so!
In the modern world of cyber security, you as a defender are surely overwhelmed by the numerous technologies and strategies for preventing cyber attacks in your organization. On the Detection Engineering front, it becomes more confusing still, since there is no clear right or wrong answer as to what Detection Engineering is.
In this presentation, we will uncover things that have worked in the industry and across numerous organizations, based on the presenter's years of experience and the voice of the community. It will touch on both the management and technical aspects of Detection Engineering. Hopefully this will help both companies that have just started building their Detection Engineering function and those already running one.
Where are secrets stored in Azure? Is it even safe to put secrets in the cloud to begin with? There are so many services in Azure that this isn't easy to answer. We'll start by taking a look at common ways passwords should be stored, and how these services have grown through patching recent vulnerabilities. Then we'll shift to look at common spots where it looks like passwords should go... but really shouldn't. We'll end with how to ensure your secrets stay protected, and a quick reflection on the shared responsibility model. Both new & experienced cloud lovers welcome!
REST APIs have been the backbone of web apps for over a decade now, and they’ve treated us well. Inevitably, a challenger has approached and is gradually becoming the new industry standard. That is GraphQL, a query language for your API. But shifts in tech trends also bring another inevitability: new and interesting ways to hack stuff. GraphQL is a growing target, and the pentesting tools have yet to keep up, leaving the criminals with more time and opportunity to probe and exploit vulnerabilities in your web apps.
Burp Suite has been the de facto tool for Application Security professionals running DAST scans and penetration tests against web apps, and its amazing Active Scan feature badly needed to be able to parse GraphQL. Our new plugin for Burp Suite allows the Active Scanner to competently point its library of payloads at a GraphQL API, giving the defenders a chance to detect vulnerabilities before the criminals do.
Privacy laws like CCPA, PIPEDA and GDPR are getting teeth. Cyber insurance is getting more expensive and more difficult to get. Are these just more hurdles for beleaguered security professionals to overcome, or will they become the forcing function that finally gets the attention of the C-suite?
In 2022, most of us have bought goods and services online or using mobile apps, for convenience, for safety (e.g., pandemic) or as a matter of personal preference. As mobile payments and integrations with third-party payment processors become more and more prevalent, common AppSec mistakes from the past reappear under new forms. Merchants who overlook security best practices and fail to secure their systems can be victims of fraud.
In this talk, we will cover some examples of payment APIs and mobile in-app purchases (e.g., with Apple Pay or Google Play Store) that fail to perform sufficient validation in ways that may have a devastating financial and reputational impact on merchants. We aim to bring awareness to these often-overlooked issues and provide recommendations to avoid these vulnerabilities, with real-world examples.
Security teams are constantly frustrated by the number of false positives in security tools. The time wasted on false positives is enormous. The time it takes to identify something as a false positive is significant, and it is risky to mark something as a false positive. It is a problem we all face, and we need the community to help fight this problem together. In this talk, we would like to introduce a project called NoiseTotal, which consolidates open-source intelligence on noise in security tools and calls for the community to share and contribute. We will also walk through how it benefits everyone on the blue team.