Artwork

Innhold levert av Black Hat and Jeff Moss. Alt podcastinnhold, inkludert episoder, grafikk og podcastbeskrivelser, lastes opp og leveres direkte av Black Hat and Jeff Moss eller deres podcastplattformpartner. Hvis du tror at noen bruker det opphavsrettsbeskyttede verket ditt uten din tillatelse, kan du følge prosessen skissert her https://no.player.fm/legal.
Player FM - Podcast-app
Gå frakoblet med Player FM -appen!

Scott Stender: Attacking Internationialized software

50:36
 
Del
 

Manage episode 153984298 series 1109074
Innhold levert av Black Hat and Jeff Moss. Alt podcastinnhold, inkludert episoder, grafikk og podcastbeskrivelser, lastes opp og leveres direkte av Black Hat and Jeff Moss eller deres podcastplattformpartner. Hvis du tror at noen bruker det opphavsrettsbeskyttede verket ditt uten din tillatelse, kan du følge prosessen skissert her https://no.player.fm/legal.
Every application, from a small blog written in PHP to an enterprise-class database, receives raw bytes, interprets these bytes as data, and uses the information to drive the behavior of the system. Internationalization support, which stretches from character representation to units of measurement, affects the middle stage: interpretation. Some software developers understand that interpreting data is an incredibly difficult task and implement their systems appropriately. The rest write, at best, poorly internationalized software. At worst, they write insecure software. Regardless of whether this fact is understood or acknowledged, each developer is reliant on operating systems, communication mechanisms, data formats, and applications that provide support for internationalization. This represents a large and poorly understood, attack surface. If we go back to the "three stages model" above, many attacks have focused on simply sending bad data and using perceived failures to influence the behavior of the system. Most defenses have evolved to prevent malicious data from entering the system. This talk will cover advanced techniques that use the interpretation stage to manipulate the data actually consumed by the myriad components of typical software systems. Attack and defense methodologies based on years studying core technologies and real software systems will be presented. Scott Stender is a founding partner of iSEC Partners and brings with him several years of experience in large-scale software development and security consulting. Prior to iSEC Partners, Scott worked as an application security analyst with @stake where he led and delivered on many of @stake's highest priority clients. Before @stake, Scott worked for Microsoft where he was responsible for security and reliability analysis for one of Microsoft's distributed enterprise applications. In his research, Scott focuses on secure software engineering methodology and security analysis of core technologies. Scott has previously presented at conferences such as Black Hat USA, OWASP, and the Software Security Summit. He holds a BS in Computer Engineering from the University of Notre Dame."
  continue reading

86 episoder

Artwork
iconDel
 
Manage episode 153984298 series 1109074
Innhold levert av Black Hat and Jeff Moss. Alt podcastinnhold, inkludert episoder, grafikk og podcastbeskrivelser, lastes opp og leveres direkte av Black Hat and Jeff Moss eller deres podcastplattformpartner. Hvis du tror at noen bruker det opphavsrettsbeskyttede verket ditt uten din tillatelse, kan du følge prosessen skissert her https://no.player.fm/legal.
Every application, from a small blog written in PHP to an enterprise-class database, receives raw bytes, interprets these bytes as data, and uses the information to drive the behavior of the system. Internationalization support, which stretches from character representation to units of measurement, affects the middle stage: interpretation. Some software developers understand that interpreting data is an incredibly difficult task and implement their systems appropriately. The rest write, at best, poorly internationalized software. At worst, they write insecure software. Regardless of whether this fact is understood or acknowledged, each developer is reliant on operating systems, communication mechanisms, data formats, and applications that provide support for internationalization. This represents a large and poorly understood, attack surface. If we go back to the "three stages model" above, many attacks have focused on simply sending bad data and using perceived failures to influence the behavior of the system. Most defenses have evolved to prevent malicious data from entering the system. This talk will cover advanced techniques that use the interpretation stage to manipulate the data actually consumed by the myriad components of typical software systems. Attack and defense methodologies based on years studying core technologies and real software systems will be presented. Scott Stender is a founding partner of iSEC Partners and brings with him several years of experience in large-scale software development and security consulting. Prior to iSEC Partners, Scott worked as an application security analyst with @stake where he led and delivered on many of @stake's highest priority clients. Before @stake, Scott worked for Microsoft where he was responsible for security and reliability analysis for one of Microsoft's distributed enterprise applications. In his research, Scott focuses on secure software engineering methodology and security analysis of core technologies. Scott has previously presented at conferences such as Black Hat USA, OWASP, and the Software Security Summit. He holds a BS in Computer Engineering from the University of Notre Dame."
  continue reading

86 episoder

Tüm bölümler

×
 
Loading …

Velkommen til Player FM!

Player FM scanner netter for høykvalitets podcaster som du kan nyte nå. Det er den beste podcastappen og fungerer på Android, iPhone og internett. Registrer deg for å synkronisere abonnement på flere enheter.

 

Hurtigreferanseguide

Copyright 2024 | Sitemap | Personvern | Vilkår for bruk | | opphavsrett