TLS Essential Security

Justin Mayer
works on Pelican (Python)

how to check on runtime if the js has been tampered?

auth method:
DNS-01, webroot, standard, manual, apache/nginx

Certbot - github. lets encrypt - tool to deploy certs

http2 makes TLS fingerprinting more difficult

HSTS (HTTP Strict Transport Security)

X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff

OCSP stapling -

whitelist scripts, css, images, fonts, etc.
no inline scripts or css
block anything else
doesn’t work with TypeKit because it dynamically injects scripts
don’t run script you can’t control

AMP (not good)

HPKP (doesn't work very well with Let's Encrypt)

certs should support SCT (timestamps)

(coming soon)
TLS 1.3
CAA records - to whitelist which Cert Auth can issue certs for your domain

Algo VPN - doesn't need client software installed. supports macOS/linux

brew install dnscrypt-proxy --with-plugins
sudo brew services start dnscrypt-proxy # change dns resolver to
test with

Chris Roberts


  • don't do BYOD
  • pen testing is often only running tools: Penwave or Trackwave
  • pentest before releasing
  • assume that the bad guys are in your network
  • resumes, whitepapers, etc can be payloaded
  • humans will always make a mistake
  • nanotechnology hacked
  • IoT hacked
  • nano machines
  • user behavior analytics
  • add AI in security tools
  • deception as defense

Gary McGraw

Cigital bought by Synopsys


Gary book

use static analysis tool for code review

pen testing. need a typed language to do proper static analysis

security testers need to know how to understand the code that they have to test

architecture risk analysis. check where two architects disagree about the spec interpretation and there might be a bug there. it is unscalable because you need a superman to do it.

analyze your open source dependencies

pen testing is becoming a commodity

it's better to do pen testing before deploying to prod

have at least two pen testing outsourcing teams so you hear two opinions in case one of them isn't telling you the whole thing. put honeypots.


when finding an issue report it and offer a solution and help

Brent Johnson

@ndm Neil

localStorage with CSP can be more effective against CSRF than cookies

functions that generate html risk xss

build apps with security in mind since the beginning

research http headers

separate code and data

watch out for cdn vulnerabilities

bad bots

Tin Zaw

from verizon

OAT - OWASP Automated Threats


there is a handbook

credential cracking

credential stuffing

rate limit with ip address and fingerprint

have elastic capacity

credit card abuse

carding - stolen cc validation


cashing out

scalping - bots buy faster than humans like Nike shoes or comic con tickets

sniping - to get the best bids

counter measures

Web security

w3c subresource integrity SRI
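Added example (not from the talks): answering the "has the JS been tampered with?" question above with Subresource Integrity. It generates the integrity attribute for a script body and checks a fetched body the way a browser does (multiple tokens, strongest known algorithm wins, unknown algorithms ignored). The script content is constructed here.

```python
import base64
import hashlib

# Algorithms SRI recognises, weakest to strongest.
SRI_ALGOS = ("sha256", "sha384", "sha512")


def sri_hash(content: bytes, algo: str = "sha384") -> str:
    """Return integrity metadata ("sha384-<base64 digest>") for a resource body."""
    if algo not in SRI_ALGOS:
        raise ValueError(f"unsupported SRI algorithm: {algo}")
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def verify_sri(content: bytes, integrity: str) -> bool:
    """Check a fetched body against an integrity attribute, browser-style.

    The attribute may hold several space-separated tokens. Tokens with an
    unknown algorithm are ignored; among the known ones only the strongest is
    considered, and the body passes if any digest for that algorithm matches.
    If no usable token remains, browsers load the resource unchecked, so a
    typo in the algorithm name silently disables the protection.
    """
    by_algo: dict[str, set[str]] = {}
    for token in integrity.split():
        algo, sep, b64 = token.partition("-")
        b64 = b64.split("?", 1)[0]  # strip option suffix reserved by the spec
        if not sep or algo not in SRI_ALGOS:
            continue
        by_algo.setdefault(algo, set()).add(b64)
    if not by_algo:
        return True  # no enforceable metadata: resource is not checked at all
    strongest = max(by_algo, key=SRI_ALGOS.index)
    actual = sri_hash(content, strongest).partition("-")[2]
    return actual in by_algo[strongest]


def script_tag(src: str, content: bytes) -> str:
    """Build the <script> tag to publish; crossorigin is required for CDN hosts."""
    return f'<script src="{src}" integrity="{sri_hash(content)}" crossorigin="anonymous"></script>'


if __name__ == "__main__":
    js = b"console.log('hello from the CDN');"  # constructed sample script
    print(script_tag("https://cdn.example/app.js", js))  # cdn.example is a placeholder
    print(verify_sri(js, sri_hash(js)), verify_sri(js + b"//x", sri_hash(js)))
```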


malicious browser extensions

Man-in the browser attack

runtime application self protection (RASP)

DOM anti tampering

polymorphic JavaScript

/etc/hosts: point the target domain to localhost and run a downloaded copy of the code

poisonjs deobfuscation

ocsp stapling in the wild

Emily Stark

Google Chrome


Devdatta Akhawe


Let's Encrypt

Jillian Karner

HTTPS is auth and encryption

HSM - hardware security modules

root HSM - locked away. princess in the castle.

intermediate HSM - signs all the certs

developers can't deploy to prod

ops can't merge code

shared logs and metrics

AppSec pipelines, event driven

Matt Tesauro


The Phoenix Project book

define false positive

automate yourself out of the job in order to scale

build a chat bot to help you answer questions from developers

integrate alerts in slack

expand the devops pipeline with AppSec pipeline

nikto docker

docker swarm

zap docker

chat bots can also tell devs when a code merge fixes a bug in backlog

OWASP DefectDojo

Apps parringSPA

document APIs

