Bryant Zadegan Application Security Advisor & Mentor, Mach37 Ryan Lester CEO & Chief Software Architect, Cyph Through cooperation between browser vendors and standards bodies in the recent past, numerous standards have been created to enforce stronger client-side control for web applications. As web appsec practitioners continue to shift from mitigating vulnerabilities to implementing proactive controls, each new standard adds another layer of defense for attack patterns previously accepted as risks. With the most basic controls complete, attention is shifting toward mitigating more complex threats. As a result of the drive to control for these threats client-side, standards such as SubResource Integrity (SRI), Content Security Policy (CSP), and HTTP Public Key Pinning (HPKP) carry larger implementation risks than others such as HTTP Strict Transport Security (HSTS). Builders supporting legacy applications actively make trade-offs between implementing the latest standards versus accepting risks simply because of the increased risks newer web standards pose. In this talk, we'll strictly explore the risks posed by SRI, CSP, and HPKP; demonstrate effective mitigation strategies and compromises which may make these standards more accessible to builders and defenders supporting legacy applications; as well as examine emergent properties of standards such as HPKP to cover previously unforeseen scenarios. As a bonus for the breakers, we'll explore and demonstrate exploitations of the emergent risks in these more volatile standards, to include multiple vulnerabilities uncovered quite literally during our research for this talk (which will hopefully be mitigated by d-day). Bryant Zadegan is an application security advisor and mentor at Mach37, a security accelerator focused on pouring substantial dollars into new security technologies. When not driving developers to embrace AppSec in continuous integration, Bryant punches holes in Amazon, Google, Reddit, etc. On days when he'd rather not touch computers, he's usually nowhere to be found near DC. Twitter: @eganist Keybase.io/bryant Ryan Lester is the CEO and chief software architect for Cyph, a web-based one-click end-to-end-encrypted communications service funded in part by Mach37, Virginia's Center for Innovative Technology, and the Goel Fund. Since departing SpaceX, Ryan has dedicated the better part of a year and a half to the vision of accessible encrypted communication. Unsurprisingly, when he isn't working on building the logic for Cyph, he's usually looking for ways to break it. Twitter: @theryanlester ... https://www.youtube.com/watch?v=mqunXL0kAmw

Tim ‘t0rch’ Estell Solution Architect, BAE Systems Katea Murray Cyber Researcher, Leidos After the Rise of the Machines they'll need to communicate. And we'll need to listen in. The problem is that proprietary protocols are hard to break. If Wireshark barfs then we're done. Or can we listen in, break their Robot Overlord messages and spill it all to the meat-space rebels? Attend this talk to learn techniques for taking network data, identifying unknown protocols, and breaking them down to something you can exploit. Rebels unite! Tim Estell, a hacker since learning how to mod a TRS-80 game in the ‘80s. Since then he’s reversed protocols, leveraged hardware, and managed teams for many concepts of operation. He remains convinced machines will never exceed meat space innovation and so welcomes our new Robot Overlords, if only because their cause is lost. Rebels unite! Katea Murray, a programmer who turned to hacking in the early 00’s, she’s reversed and co-opted many tools and toys consumer’s touch, from old-school boat anchors to the latest mobile devices. Along the way she’s pulled recruits to the rebel cause through internships, outreach, and high energy. When she’s not watching sports she’s hacking as a sport. Game on! ... https://www.youtube.com/watch?v=eBsR10XlUl4