Tuesday, September 2, 2014

Mike Sconzo at OWASP Austin talking about Machine Learning


The video recording of Mike's talk is here https://vimeo.com/104466721

Mike Sconzo (@sooshie) presented at the OWASP Austin chapter meeting on 8/26. He showed how machine learning can be used to detect drive-by and SQL injection attacks. Machine learning is interesting - the tricky part is that the algorithms want numbers, while log files are mostly made of words.
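
To make that "words into numbers" problem concrete, here is an added example (my own code, not Mike's and not from the data_hacking repo) that parses a few constructed web-server log lines and turns each request into a numeric feature row that a classifier could consume. The log lines, the feature set and the `sql_tokens` threshold are all assumptions made up for this illustration; a real pipeline would learn the threshold from labelled data rather than hard-code it.

```python
"""Parse text-heavy web log lines into numeric feature vectors.

The point is the featurization step: a learner cannot consume raw request
strings, so each line is reduced to counts, ratios and an entropy value.
"""
import math
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed sample lines in combined-log style; invented for this example,
# not taken from any real server or from the talk.
SAMPLE_LOG = """\
10.0.0.5 - - [26/Aug/2014:19:02:11 -0500] "GET /products?id=42 HTTP/1.1" 200 1532
10.0.0.7 - - [26/Aug/2014:19:02:15 -0500] "GET /products?id=42%27%20OR%201%3D1-- HTTP/1.1" 200 9876
10.0.0.9 - - [26/Aug/2014:19:02:20 -0500] "GET /static/logo.png HTTP/1.1" 304 0
10.0.0.7 - - [26/Aug/2014:19:02:25 -0500] "GET /search?q=%27%20UNION%20SELECT%20user%2Cpass%20FROM%20users%23 HTTP/1.1" 500 0
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)

# Crude lexical hints; substring matching will also hit words like "sensor ",
# which is exactly the kind of noise a trained model is meant to weigh.
SQL_TOKENS = ("union", "select", "or ", "and ", "from", "--", "#", "/*", "'", '"')

FEATURE_ORDER = ("path_len", "query_len", "special_ratio",
                 "sql_tokens", "entropy", "status", "bytes")


def parse_line(line):
    """Return a dict of the log fields, or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
    return rec


def shannon_entropy(s):
    """Bits per character; high values hint at encoded or random payloads."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def featurize(rec):
    """Reduce one parsed request to purely numeric features."""
    decoded = unquote_plus(rec["path"]).lower()   # look at what the app sees
    query = decoded.partition("?")[2]
    special = sum(1 for ch in query if not ch.isalnum() and ch not in "=&")
    return {
        "path_len": len(decoded),
        "query_len": len(query),
        "special_ratio": special / len(query) if query else 0.0,
        "sql_tokens": sum(query.count(tok) for tok in SQL_TOKENS),
        "entropy": round(shannon_entropy(query), 3),
        "status": rec["status"],
        "bytes": rec["bytes"],
    }


def log_to_matrix(text):
    """Feature matrix (list of rows) in FEATURE_ORDER, one row per parsed line."""
    recs = (parse_line(line) for line in text.splitlines())
    return [[featurize(r)[k] for k in FEATURE_ORDER] for r in recs if r]


def suspicious_rows(text, min_sql_tokens=2):
    """Toy rule standing in for a trained model: return (ip, path) of rows
    whose SQL-token count reaches the (assumed) threshold."""
    hits = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec and featurize(rec)["sql_tokens"] >= min_sql_tokens:
            hits.append((rec["ip"], rec["path"]))
    return hits


if __name__ == "__main__":
    for row in log_to_matrix(SAMPLE_LOG):
        print(dict(zip(FEATURE_ORDER, row)))
    print("flagged:", suspicious_rows(SAMPLE_LOG))
```

The rows that `log_to_matrix` returns are what you would hand to a data frame or directly to a learner; the decode-before-featurize step matters because URL encoding otherwise hides the characters the features are counting.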

Mike showed a data frame he uses for logs, letting him parse them. He showed several cool technologies he uses in his process:

Here's his basic process:



Although the talk was not commercial, Mike works for Click Security http://clicksecurity.com
Here's a link to some of his goodies http://clicksecurity.github.io/data_hacking/
And, finally, here's an alternative picture of Mike in his natural habitat:


Tuesday, July 29, 2014

Railsgoat! July OWASP Austin Chapter with Ken Johnson - with link to recording

Ken Johnson travelled to Austin for the July OWASP meeting.  No thanks to US Airways! Remember, last meeting Ken and Mike McCabe were supposed to present, and US Airways deprived us of their presence. Vern Williams jumped in heroically to give a talk, but Ken and Mike spent most of a day trapped in Raleigh, subjected to several layers of lies from the airline.

Here's the recorded presentation http://vimeo.com/channels/owaspaustin

This month Ken made it!  Nice crowd on hand:


Ruby & Rails was an interesting topic - it seems like a lot of people using those technologies are startups trying to build apps as quickly as they can, and enterprises trying to pretend they're startups. Both of these scenarios tend to "forget" about security and can lead to nasty problems. It can be downright scary to security folks.

Given this state of security worries, chapter priorities included a Happy Hour, as usual:



We might have a recording of the presentation coming soon - if so I'll post it as a comment.

The slides are here http://prezi.com/5zo5lxs82lr7/railsgoat/

Follow Ken @cktricky and Mike @mccabe615.

Tuesday, June 24, 2014

Austin OWASP Chapter Meeting: Learn to Fight Wounded

Vern Williams presented at the Austin OWASP chapter meeting today on "Process and Architecture" in software development. He advocates an engineering approach to security in software and systems, and suggests "engineering better management in" rather than reacting later.

In terms of software, architecture means designing something that meets the needs of the customer, but is also resilient, robust (resistant to failure) and secure. This means that even when the system does fail, the failure is gradual rather than catastrophic, and recovery is rapid when something bad happens.

Vern also spoke about users and the importance of training.  He suggested warning users to notice when there are problems and alert IT.  Then again, it has been said that a user and his mouse can be viewed as a "malicious rodent on the desktop."

Vern also spoke about defense-in-depth, and used a few examples from his days in the Navy, working on nuclear subs. He described life aboard the nuclear sub as "the only place people run toward fires."

To the audience of mainly application developers, pen testers and security professionals, Vern made a very interesting observation: we need to learn how to fight wounded. Everyone in the audience agreed that it is foolish to assume that your company is impenetrable. The best thing to do is figure out how to architect your systems and applications in a way that is attack-resistant.



Thursday, May 1, 2014

Never Underestimate the Power of the Little Raspberry Pi


The Raspberry Pi fascinates a diverse set of people – from technophiles, to security researchers, to security practitioners, to penetration testers, to adventurers, to problem solvers, to kids, and to bad guys too. The Raspberry Pi is a lot like Lego – you can literally build anything, do anything, with this affordable and diminutive device. Unlike the smartphone, the Pi is basically disposable.
Tiny is the Pi's power. Its size and unexpected capability make it interesting. Applications for the Pi seem to be limited only by your imagination.

You can plant the Pi behind a power junction switch, put it in a Dell power brick, put it in a FedEx delivery envelope or put it on a drone – it’s also a great platform for remote attacks.  You can use it to send covert signals to nearby receivers using specific frequencies, and it’s so small it’s virtually invisible.

The Pi can support a camera, drive your TV video display, sense temperature and GPS location and even sense the opening and closing of doors. This little critter can be programmed to really freak people out by providing you all this information remotely.



OK, back to task! Branden Williams presented at the Austin OWASP chapter on 4/29/14, sharing his enthusiasm about the Raspberry Pi and its applications in security. As Branden pointed out, the $35 Raspberry Pi is a full computer – the size of an Altoids tin and basically disposable given its price point.

There was an in-person audience of about 50, and some online viewers. One of the first things Branden asked of the audience was "Who is a ham radio operator?" Amazingly, about 8 in the audience were. High percentage. Let's think about why this might be the case.

Security people understand some things quite well: they favor the path the attacker will ignore, or be unable to attack successfully.  Security people think about things like minimizing attack surfaces.  They are aware that attackers care about ROI and attack targets of value.  Ham radio appeals to the OWASP audience for these and other reasons.


Branden’s slides are here 


It used to be hard to acquire a Raspberry Pi. No more. Look on Amazon: there are some really nice kits with everything you need, for less than a dinner for two.

Friday, January 10, 2014

SecurityBrew LLC Provides Security Product Marketing Consultancy

This is my shortest and most delightful blog post ever.  I've incorporated and SecurityBrew LLC is now offering IT security product marketing consulting.  Loving it, very busy, but would consider new clients after Q1.

Selling to IT security professionals is different - they demand timely information, education and facts, not marketing fluff.

View from one of my client's offices, in Austin, Texas