5 Product Security talks that caught my eye on the Black Hat USA 2023 schedule.

Introduction

We are just a few short weeks away from Black Hat USA 2023. I’m really looking forward to attending in-person for the first time to deliver my training course, “Building a High Value AppSec Scanning Programme”. (Tickets are still available for this, and ticket prices go up on Friday, so you should definitely register today!)

(You can also check out my previous post about some other great trainings on offer 😀)

As a trainer, I also get a Black Hat briefings ticket. The Black Hat briefings bring some of the top security research and war stories from around the world to attendees.

In my excitement to attend, I’ve already been through the schedule to see which talks I think will be most useful from an application and product security perspective, so here are some of my top picks! (The list is in chronological order)

#1 James Kettle breaks the Internet again!

Every year, James Kettle from PortSwigger Research comes back with another brand new and unusual vulnerability class, and this year he is back to talk about web race conditions. His talks are always a master class in how to perform security research, but they also contain useful information on how to mitigate the vulnerability class and how to test for it.

As with previous years, his talk will be accompanied by new functionality in Burp Suite and new lessons in the free Web Security Academy that PortSwigger provides, so this talk seems like a great opportunity to keep up to date with the latest web application attacks.
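To make the vulnerability class concrete, here is a small added example (mine, not code from the talk or from PortSwigger) of the check-then-act pattern behind many web race conditions, with a single-use coupon as the constructed scenario. `redeem_racy` reads the "used" flag and then writes it in two separate steps, so concurrent requests can all pass the check before any of them writes; `redeem_atomic` performs the check and the write as one critical section. The `time.sleep` inside the racy version only widens the window so the outcome is reproducible offline; `CouponStore`, `hammer` and the coupon codes are all assumptions for the demonstration.

```python
import threading
import time


class CouponStore:
    """In-memory stand-in for a coupon table (constructed for this example)."""

    def __init__(self, codes):
        # code -> already redeemed?
        self._used = {code: False for code in codes}
        self._lock = threading.Lock()

    def redeem_racy(self, code):
        """Vulnerable: the 'is it unused?' check and the 'mark used' write are
        separate operations, so N concurrent callers can all observe unused=True."""
        if not self._used.get(code, True):  # unknown codes are treated as used
            time.sleep(0.01)  # artificial window; real apps have DB/network latency here
            self._used[code] = True
            return True
        return False

    def redeem_atomic(self, code):
        """Hardened: check and write happen inside one critical section, so exactly
        one caller can win. In a web app the equivalent is a conditional write such as
        UPDATE coupons SET used=1 WHERE code=? AND used=0, checking the affected row count."""
        with self._lock:
            if self._used.get(code, True):
                return False
            self._used[code] = True
            return True


def hammer(store, method, code, n=20):
    """Fire n concurrent redemption attempts and return how many succeeded.
    A correct single-use coupon must yield exactly 1."""
    results = []
    results_lock = threading.Lock()

    def worker():
        ok = method(code)
        with results_lock:
            results.append(ok)

    threads = [threading.Thread(target=worker) for _ in range(n)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sum(1 for r in results if r)


def demo():
    """Run both variants against fresh stores and return (racy_wins, atomic_wins)."""
    racy = CouponStore(["SAVE50"])
    atomic = CouponStore(["SAVE50"])
    return (
        hammer(racy, racy.redeem_racy, "SAVE50"),
        hammer(atomic, atomic.redeem_atomic, "SAVE50"),
    )


if __name__ == "__main__":
    racy_wins, atomic_wins = demo()
    print(f"racy redemptions:   {racy_wins} (expected > 1)")
    print(f"atomic redemptions: {atomic_wins} (expected 1)")
```

The same `hammer` shape is also a reasonable starting point for a regression test: fire the requests in parallel and assert on the number of successful responses rather than on any single one. In production the lock belongs in the data store (a conditional update, a unique constraint, or a transaction with the right isolation level), because an in-process mutex does nothing across multiple application instances.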

#2 Bringing security from chaos (engineering)

Kelly Shortridge from Fastly has been championing security chaos engineering for a while now as a way of improving the security industry in general, including releasing a new book about it. Kelly has also found time to prepare a variety of highly interesting and relevant articles and research pieces about security in general, based on significant experience in industry.

This talk, “Fast, Ever-Evolving Defenders: The Resilience Revolution”, looks like it will be a fascinating overview of how to really design defendable systems and treat security as an organisational (rather than technical) challenge. It also provides a refreshing counterpoint to the all too pervasive trend to try and improve security by just adding another tool or class of tool.

#3 Cookie up a storm

Think you know everything about cookie security? Think again. Marco Squarcina and Pedro Adão will be talking about new attacks related to cookies and vulnerabilities in security mechanisms previously thought secure.

With 12 CVEs and 30 vulnerability disclosures affecting major web development frameworks, server-side programming languages and middleware, and leading to RFC changes, this sounds like the sort of issue which might have a long tail and be potentially exploitable in a variety of contexts.

#4 I can’t let you release that feature, Dave

With AI being such a hot topic, obviously there was going to be something relevant in this area. This talk from Mrityunjay Gautam and Pavan Kolachoor from Databricks looks like it is going to answer an age-old product security question: how can we bring the right level of security guidance and verification to the features which need it the most in the Software Development Lifecycle?

Coming from two practitioners (which is an encouraging sign for any talk), this talk discusses how to use AI instead of other more manual or unreliable methods for solving this problem.

#5 Sealed with a loving Private Key

Software ecosystem security is a problem that continues to grow, with developers becoming accustomed to relying on downloading libraries and functionality from package repositories despite a variety of challenges in verifying the security of what they’re downloading.

Trevor Rosen and Zach Steindler are engineers from GitHub, and they’ll be telling their story about trying to solve this problem for the NPM ecosystem using the sigstore project for software signing. I’m hoping this will start a trend of greater traceability in software development and that if it can be done at NPM scale, it can be done more widely.

Conclusion

With almost 100 talks on the briefings schedule, there should be something for everyone, but these are the ones that caught my eye. Feel free to let me know if there are any others you think I should take a look at! What did I miss?