Johnny Xmas, Sam Crowther

Sorry About your WAF: Modern Bypass Techniques for Autonomous Attacks

Scripting and automation are absolutely critical to many aspects of an attacker’s effectiveness, penetration tester or otherwise. Modern WAFs and “bot detections” often add a small layer of intelligence to their monitoring, attempting to determine whether or not an attack is being automated, and shut the bot/botnet down. This presentation will be a mini-tutorial on how the various forms of “bot detection” out there work, and how to modify/spoof the necessary client environments to bypass nearly all of them using anything from Python Requests to Selenium, Puppet and beyond.


Chris Merkel

Shifting Security Left: Self-Service Security for Developers and Beyond

The shift to the cloud, Agile and DevOps is making it more difficult than ever for security teams to control what happens in their organizations and secure systems.

The obvious solution is more security tools, more security people, and ever-inventive ways to rein in your environment.

You. Will. Fail.

The only way to get better is by giving up the illusion of control and the delusion that you can achieve control.

Instead, we’ll talk about how engineering automation to create a culture of empowerment, self-reliance and trust can result in better security outcomes. Along the way, we’ll learn about how the adoption of Agile and DevOps is creating value in some unexpected ways…


Ed Skoudis

Keynote: I, For One, Welcome Our New AI Over Lords

Title: I, For One, Welcome Our New AI Over Lords
Subtitle: The Ultimate Insider in the Cloud
By: Ed Skoudis and Surprise Guest
Amazing new AI-based services from Amazon, Google, and Microsoft let organizations rely on automated technology to crawl through their cloud-based data stores to identify sensitive data, security weaknesses, and hacking attempts. These AI offerings are impressive and can automate security at a scale impossible to achieve by humans alone. But, to use these commercial services, organizations must allow their cloud providers access to all of that information, exposing it to the deep gaze of an AI. In this talk, Ed will analyze the security implications of such offerings, along with the ethical, business, and privacy issues they raise as cloud-based AI intertwines itself in our lives more deeply every day. Oh, and it can turn on and off your lights too!