David Mirza
David has over 10 years in the information security business. He began his professional career as a founding member of SecurityFocus, which was acquired by Symantec in 2002. David also moderated the Bugtraq mailing list, a historically important forum for discussion of security vulnerabilities, for over four years. He has spoken at Black Hat, CanSecWest, AusCERT and numerous other security conferences, and has contributed to books, magazines and other publications.

Canada

Sessions 2012

Extending Vega to Secure your Web App and More

Session in English - Introduction
Vega is a cross-platform, open-source toolkit for testing the security of web applications, developed by Montreal-based Subgraph. Vega includes an automated vulnerability scanner and an intercepting proxy. The Vega vulnerability checks are implemented as JavaScript modules. Vega ships with a set of modules comprising the standard checks, and a rich API makes it possible to extend its functionality. In this talk we will explain how some of the standard modules work, and then introduce the API for developing new ones.

DIY Incident Response

Session in English - Introduction
You've been hacked, and you're both the web developer and the sysadmin. It was probably through that sketchy plugin you just added to your third-party PHP application. You removed it, but they're back. Now what? In this presentation we will walk through the steps of dealing with security incidents, from identifying that the compromise occurred to working out how it happened and what they did after they got in. We'll go through several very real post-compromise scenarios that we hope are never useful

Web Security

Session in English - Introduction
Almost every day now, we are told in the news about some huge hacking incident resulting from a vulnerable application in some organization. Unfortunately, we are rarely told about less sensational intrusions. Who are the guys behind those incidents and what suddenly brings their attention to a particular victim?

During this presentation, the audience will discover the "who", "what" and "why" of application security. We will not only talk about the "bad guys" but also about what is being done on the bright side of the picture, by developers, and by other people also involved in software defense.
