VerSprite's Tony Uceda Velez presents Risk Centric Threat Models at the Cyber Security Summit in Atlanta, GA.
VerSprite's Scott Takaoka presents at the Bay Area Cyber Security Meetup on Cyber Liability Insurance.
VerSprite's Tony UcedaVélez and Scott Takaoka present at the RSA Conference on Vendor Risk.
VerSprite's Tony Uceda Velez presents Cloud Security Metrics.
The rapid growth in container technology adoption in the DevOps community presents new threat models for organizations relying on these tools to scale and run their operations. Watch VerSprite's Tony Uceda Vélez present a talk on Attack Tree Vignettes for Containers as a Service Applications at OWASP AppSec California 2016.
XPath Awakens - Attacks & Impact Around XPath Injection
OWASP Atlanta January Meeting
Thursday, January 21, 2016, 6:30 PM, Location TBD.
XPath is a language designed and developed to operate on data that is described with XML. XPath injection allows an attacker to inject XPath elements into a query that uses XML. Threat agents often aim to circumvent authentication and/or access information in an unauthorized manner.
Developers today use XPath to perform actions over XML-based documents; however, insecure coding practices could allow injection issues to surface in web applications. Blind XPath Injection retrieves information by making true/false interrogations of web applications; however, such attacks mostly focus on retrieving current query information, skipping sensitive information on XML nodes outside of current query requests. This presentation will extend beyond these blind injection attacks and discuss how to retrieve the entire XML document using Blind XPath Injection techniques.
Bio: Luis Torres is a security consultant with VerSprite. An avid pen tester, researcher, CTF participant, and bug bounty winner - Luis is a key consultant for VerSprite's AppSec Consulting practice, where he focuses his time on client-server, cloud, web services, and fat client security testing. His recent research has focused on more damaging exploits around XPath injection, which he seeks to share with you today.
VerSprite's Tony Uceda Velez presents Addressing Cybercrime via PASTA Threat Modeling
VerSprite's Tony Uceda Velez presents at the CSX North America Conference, October 2015, and discusses how risk centric threat modeling can help unify disparate security efforts across Application Security, Risk Management, and Regulatory Compliance drivers.
VerSprite's Tony Uceda Velez presents Healthcare Threat Modeling Vignettes at the ISC2/ASIS International 2015 Security Conference in Anaheim, CA.
VerSprite's Tony Uceda Velez presents Application Security On A Dime at the Great Wide Open event in Atlanta, GA.
VerSprite's Tony Uceda Velez gives the PASTA Threat Modeling – One Day Training at AppSec Cali 2015 in Santa Monica, CA.
VerSprite's Tony Uceda Velez presents Security Metrics Rehab at the Hacker Halted & EC-Council event.
VerSprite's Benjamin Watson presents at BSidesATL. This talk reviews the vulnerabilities discovered for Java Web Application Frameworks, the impact they present, and why stack traces should never be considered a low risk. It will serve as an introduction to the vulnerability classes and to how to identify and test for them in web application security assessments and penetration tests.