Aaron Cure

Aaron is a security consultant and an instructor and contributing author for the DEV544 Secure Coding in .NET course. After ten years in the U.S. Army as a Russian Linguist and a Satellite Repair Technician he worked as a database administrator and programmer on the Iridium project, with subsequent positions as a telecommunications consultant, senior programmer, and security consultant.

At Puma Security, Aaron focuses on developing security rules, as well as leading research efforts for data flow and taint analysis.

Aaron holds the GIAC GSSP-.NET, GWAPT, GPEN, GMOB, and CISSP certifications and is located in Arvada, CO. Outside the office Aaron enjoys boating, travel, and playing hockey.

Secure DevOps: A Puma’s Tail

Day 2 - 18th Oct 15:20-16:10 Hall 2 Advanced Aaron Cure, Steve Kosten

DevOps is changing the way that organizations design, build, deploy and operate online systems. Engineering teams are making hundreds, or even thousands, of changes per day, and traditional approaches to security are struggling to keep up. Security must be reinvented in a DevOps world and take advantage of the opportunities provided by continuous integration and delivery pipelines.

In this talk, we start with a case study of an organization trying to leverage the power of Continuous Integration (CI) and Continuous Delivery (CD) to improve their security posture. Then, we will focus on static analysis, how it fits into Secure DevOps, and introduce you to Puma Scan: a new open-source .NET static analysis tool. Live demonstrations will show Puma Scan identifying vulnerabilities inside Visual Studio and in a Jenkins continuous integration (CI) build pipeline. Attendees will walk away with a better understanding of how static analysis fits into DevOps and a .NET static analysis engine to help secure your organization’s applications.

Hacking the OWASP Top 10

Day 2 - 18th Oct 09:30-10:20 Hall 1 Advanced Aaron Cure, Steve Kosten

Developers are always up against rigid deadlines, changing requirements, and constant production support issues. This leaves little time for keeping up with the current threats and defenses, and it inevitably makes security an afterthought. In this presentation, we will be discussing 4 of the vulnerabilities from the OWASP Top 10:

  • A1: Injection
  • A3: Cross-Site Scripting
  • A4: Insecure Direct Object Reference
  • A8: Cross-Site Request Forgery

After exploiting these vulnerabilities with a variety of tools (e.g. sqlmap, BeEF, and Burp Suite), we will demonstrate mitigation techniques to correct the vulnerability.