Toyota Motor Corporation recently suffered a data breach due to a mistakenly exposed access key on GitHub. That hardcoded access key evaded detection for five years! This news was the latest in a long line of headlines about the damage caused by hardcoding secrets in code. To combat this pervasive risk, security teams are turning to code scanners that look for secrets, but soon realize that their visibility into all the places hardcoded secret...

Organizations are moving data and applications into public cloud services at a rapid pace. As the public cloud footprint expands, red teams and attackers are reinventing the kill chain in the cloud. Public cloud services provide new, creative ways to discover assets, compromise credentials, move laterally, and exfiltrate data. In this keynote, we explore common techniques from the MITRE ATT&CK Cloud Matrix. For each technique, attendees wi...

Conventional wisdom suggests that a zero-trust framework or architecture be implemented as part of a holistic security strategy. “Trust nothing, verify everything” seems like the safest bet. Yet, it remains unclear how this approach keeps your organization's connectivity, which supports your most critical business applications, more secure without impeding their business intent. Uncover the most pressing network security policy iss...

In “The 2021 State of Enterprise Breaches,” Forrester found that enterprises spend a median of 37 days and a mean of $2.4 million to find and recover from a breach. Ensure your team is prepared for advanced threat actors. Forrester recommends that security leaders must advocate for investment in efforts like digital transformation to help the organization be more adaptable and focus on data and metrics to uncover prevalent attack v...

DNS provides one of the best methods for command and control, covert tunneling, and blind data exfiltration. Burp Collaborator provides a great way to both confirm blind injection, and also exfiltrate data. Penetration testers may prepend names to each DNS request, allowing data exfiltration subject to DNS's length limitations (63 characters per label, 255 characters total name) and character limitations. This webcast will describe methods for...

In today’s world of enterprise security, many technology options are available—perhaps too many. Despite all the options available, security teams still ask the same questions: What is the “right” telemetry? How do we best integrate, and where can we find the best return on our investment? In response to these questions, and the need to disrupt adversary TTPs, eXtended Detection and Response (XDR) technologies have emer...

This engaging session takes a light-hearted look at securing your cloud-native applications and gives a detailed list of what (not) to do. We’ll cover how to ensure your developers never create insecure or vulnerable code, we’ll talk about how to enable complete zero trust, and most importantly we’ll talk about how to guarantee 100% security of your cloud-native applications.

Bad actors don’t knock on the front door. They find a way into your infrastructure whether through your supply chain, a misconfiguration, impersonating a user with stolen credentials, a zero-day exploit or other advanced techniques that we may not have seen yet. It is important to make sure that preventative measures are in place and following best practices, but you also need to be ready to detect attacks and take actions. Join SANS ana...

Enterprise security is a multi-billion-dollar industry, with multiple products and services available to help customers protect their networks. However, do the same types of protections, services, and security exist for personal users and/or employees within enterprises? After all – individuals are most at risk from attacks like account takeover and ID theft, which can also compromise enterprise networks. Unfortunately, most security mon...

In the old days, we used Nmap to find and scan systems. The old days are gone. Now we have "the cloud." Attackers have figured out new ways. Join Josh Wright as he shows how to find and scan modern cloud networks. This will be mostly demo in a live network. We've asked Murphy not to interfere. We'll wrap up with some tips for defense. We think it will be pretty awesome. Let us know what you think at the end!