
Raleigh ISSA April 4, 2019 Chapter Meeting at RTP Headquarters

April 4, 2019 @ 5:00 pm - 8:30 pm

$10

Chapter Event


Agenda

5:15 – 6:00pm Career Services (Conference Room 1)

5:15 – 6:00pm Back-to-Basics (Main Room) Rebecca – Of CORS It’s Exploitable!

6:00 – 7:00pm Jasmine / Drink / Socializing (Lobby)

7:00 – 7:15pm Board Updates (Main Room)

7:15 – 8:15pm Main Presentation (Main Room) Jim French – No Network Needed

Back 2 Basics

Topic: Of CORS It’s Exploitable!

Bio:
Rebecca is an Application Security Consultant with DirectDefense where she looks for software vulnerabilities, writes exploits, and helps improve SDLC security.
Abstract:
Cross-origin resource sharing (CORS) is extremely common on modern web apps, but scanning tools are terrible at analyzing CORS policy. If testers really understand CORS policy, a damaging exploit is often not far away. Is it possible to force a user to do something significant? Does using a GUID offer any protection? Does the authentication mechanism really protect against cross-origin attacks? Is it really risky to allow all origins? Do pre-flight requests always help?
CORS requests get tricky very quickly and scanning tools do not have a good understanding of the intricacies that surface during actual application testing. A quick and dirty JavaScript exploit will put the issue to rest and eliminate hours of theoretical debate.
This presentation covers how CORS works and how to find misconfigurations. Dozens of actual applications are distilled into examples that demonstrate CORS protections and the JavaScript code to bypass them. A basic knowledge of CORS and JavaScript will be helpful for understanding the exploit code, but no special background is necessary to grasp the basics of CORS configuration.
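As an added illustration of the policy questions the abstract raises (this is not code from the talk or from DirectDefense), the following Python checker classifies what a browser would let a page from a given Origin read from a response, then runs that classifier against two constructed server policies: an exact-match allowlist and one that reflects any Origin with credentials. All hostnames are constructed for the example.

```python
# Added example, not from the talk: classify what a page from `origin` can
# read from a response given the CORS headers the server sent, then audit
# two constructed server policies with it.
from typing import Callable, Dict

ACAO = "Access-Control-Allow-Origin"
ACAC = "Access-Control-Allow-Credentials"
Policy = Callable[[str], Dict[str, str]]  # simulated server: Origin -> headers

def classify_cors(origin: str, headers: Dict[str, str]) -> str:
    """Return what script on the requesting page can read from this response."""
    h = {k.lower(): v for k, v in headers.items()}
    acao = h.get(ACAO.lower())
    creds = h.get(ACAC.lower(), "").lower() == "true"
    if acao is None or (acao != "*" and acao != origin):
        return "blocked"            # browser withholds the body from script
    if acao == "*":
        # Browsers refuse to pair a wildcard with credentials, so at most
        # public (unauthenticated) data is exposed even if ACAC says "true".
        return "public-read"
    if acao == "null":
        # Sandboxed iframes and file:// pages send Origin: null; trusting it
        # with credentials is as bad as reflecting any origin.
        return "null-credentialed" if creds else "null-read"
    return "origin-credentialed" if creds else "origin-read"

def audit_policy(respond: Policy, trusted: str) -> Dict[str, str]:
    """Probe a policy with the trusted origin plus constructed untrusted ones."""
    probes = {"trusted": trusted,
              "untrusted": "https://attacker.invalid",  # constructed, reserved TLD
              "null": "null"}
    return {name: classify_cors(o, respond(o)) for name, o in probes.items()}

def is_misconfigured(respond: Policy, trusted: str) -> bool:
    """True if any origin other than the trusted one gets credentialed access."""
    report = audit_policy(respond, trusted)
    return any(v.endswith("credentialed") for k, v in report.items() if k != "trusted")

# Constructed server policies for comparison.
def allowlist_policy(origin: str) -> Dict[str, str]:
    """Correct: exact-match allowlist; credentials only for listed origins."""
    if origin in {"https://app.example"}:
        return {ACAO: origin, ACAC: "true", "Vary": "Origin"}
    return {}

def reflecting_policy(origin: str) -> Dict[str, str]:
    """Misconfigured: echoes whatever Origin arrived, with credentials."""
    return {ACAO: origin, ACAC: "true"}
```

Running `audit_policy(reflecting_policy, "https://app.example")` reports credentialed access for the untrusted and null probes, which is the misconfiguration to look for; the allowlist policy reports them as blocked.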

Main Presentation

Title of presentation: “No Network Needed”

Abstract: Stop connecting networks to networks; instead, connect users to applications, whether the applications are in private data centers, IaaS, clouds, or on the public Internet.

Presenter:

Jim French

Solution Architect at Zscaler

At Zscaler, Jim helps customers securely transact over the public Internet via a network, security, telemetry, and analytics service. The Zscaler cloud is based on Software Defined Network (SDN) principles (central authority, enforcement nodes, and log service) and is located in 100+ locations worldwide in the same facilities as the clouds themselves. The enforcement nodes execute all the primary real-time security functions in a single pass (excluding Sandbox) to optimize experience and minimize infrastructure. The Zscaler offering includes Internet Access, Zapp mobile/desktop access, cloud/O365 cloud access, and private data center access based on a single policy layer of user, group, department, and location, where the most specific applies.


Details

Date: April 4, 2019
Time: 5:00 pm - 8:30 pm
Cost: $10
Website: https://www.issa.org/events/EventDetails.aspx?id=1218447

Venue

RTP Headquarters
12 Davis Drive, Research Triangle Park, NC
Raleigh, NC 27709, US
Phone: 919-549-8181