I love talking to people about software development and security, and if I can talk to a lot of people at once, great! I've been speaking at conferences, user groups and other events since 2010.
If you'd like me to speak at your event, I'd love to hear from you. Here's my bio.
Here are some of the talks I have prepared. These have been presented previously and are updated for each event - technology doesn't stand still!
#FAIL - Lessons from infosec incidents
Securing a web application is a challenge. The internet is awash with malicious traffic and web applications are globally accessible. Don’t make it easy for attackers and the baddies will move on and find someone else to annoy.
We’ll look at the risks facing web applications, the basic steps you can take so that you don’t make yourself a target and the things you should do to avoid becoming a data breach statistic. We’ll also look at lessons that can be learnt from mistakes that others have made.
We’ll demo some of the techniques and tools in both attack and defence with examples for any web application developer.
HALT! Who goes there?
Is the visitor to your website friend or foe?
Authentication is the sentry to your web application or API. "Bad dudes" are ready to march into your app but you have to control who gets through the gate.
This session will show you how to authenticate your users and keep your application secure. We'll look at the threats to your system and how to avoid pitfalls. We'll compare options in the .NET ecosystem and consider when they might be used.
We'll look at examples in .NET Framework and .NET Core, tackle integration with Identity Server and look at third-party authentication systems. By the end of this session, you'll have learned how to change your authentication for the better or what to choose if you're starting out.
XSS: Don't die of ignorance
Cross-site scripting vulnerabilities are bad news. We'll demonstrate these attacks (with Clippy!) and look at how to protect against them.
You wouldn't allow any Tom, Dick or Harry to add code to your application; but cross-site scripting (XSS) vulnerabilities allow exactly that.
This session aims to prevent these issues from keeping you awake at night. We'll look at the mechanics of XSS, how protections can be bypassed and how defence in depth is your friend. We'll demonstrate XSS in action using the Browser Exploitation Framework Project to illustrate the power of this attack. Examples are in C# and React.js; lessons will be useful to any web developer.
We’ll learn how to protect ourselves from XSS so we can all get a better night’s sleep.
OWASP ZAP FTW
(10-minute lightning talk)
You wouldn't deploy code without testing but security testing often doesn't get a look in. The earlier we find bugs of any kind, the cheaper they are to fix so we shouldn't be waiting for QA, the security team or an attacker to find problems.
OWASP Zed Attack Proxy can help you automatically find security vulnerabilities in your web applications while you are developing and testing. It's free and great for developers and security professionals alike.
We'll look at the features of ZAP, demo how it can be used during development and how you might scan your web application for issues. We'll discuss some more advanced features and alternatives to investigate. You'll come away knowing how to better test your app.