Steve Kosten

Cypress Data Defense

Steve Kosten is a Principal Security Consultant at Cypress Data Defense and an instructor for the SANS DEV541 Secure Coding in Java/JEE: Developing Defensible Applications course. He’s previously performed security work in the defense and financial sectors and led the security department for a financial services firm. At Cypress, Steve performs secure code review assessments, vulnerability assessment, penetration testing, and risk management reviews. He is also the Open Web Application Security Project (OWASP) Denver chapter leader, and presents security talks at various conferences. Steve holds a bachelor of science in Aerospace Engineering from the Pennsylvania State University and a Master of Science in Information Security from James Madison University. He currently maintains GSSP-JAVA, GWAPT, CISSP, and CISM certifications.

Secure DevOps: A Puma’s Tail

Day 2 - 18th Oct 15:20-16:10 Hall 2 (Main Side) Advanced Steve Kosten, Aaron Cure

DevOps is changing the way that organizations design, build, deploy and operate online systems. Engineering teams are making hundreds, or even thousands, of changes per day, and traditional approaches to security are struggling to keep up. Security must be reinvented in a DevOps world and take advantage of the opportunities provided by continuous integration and delivery pipelines.

In this talk, we start with a case study of an organization trying to leverage the power of Continuous Integration (CI) and Continuous Delivery (CD) to improve their security posture. Then, we will focus on static analysis, how it fits into Secure DevOps, and introduce you to Puma Scan: a new open-source .NET static analysis tool. Live demonstrations will show Puma Scan identifying vulnerabilities inside Visual Studio and in a Jenkins continuous integration (CI) build pipeline. Attendees will walk away with a better understanding of how static analysis fits into DevOps and a .NET static analysis engine to help secure your organization’s applications.

Hacking the OWASP Top 10

Day 2 - 18th Oct 09:30-10:20 Hall 1 (Main Center) Advanced Steve Kosten, Aaron Cure

Developers are always up against rigid deadlines, changing requirements, and constant production support issues. This leaves little time for keeping up with the current threats and defenses, and it inevitably makes security an afterthought. In this presentation, we will be discussing 4 of the vulnerabilities from the OWASP Top 10:

  • A1: Injection
  • A3: Cross-Site Scripting
  • A4: Insecure Direct Object Reference
  • A8: Cross-Site Request Forgery

After exploiting these vulnerabilities with a variety of tools (e.g. sqlmap, BeEF, and Burp Suite), we will demonstrate mitigation techniques to correct the vulnerability.

Slides