Join HD Moore as he discusses his experience implementing mandatory audits of new products and services in the office of the CSO and how the results led to better decisions across the organization. Security researchers tend to see the world in an odd light: every product is a source of potential exploits, exposed services are an invitation to attack, and vendors are not to be trusted. By contrast, the folks who are responsible for enterprise security have to focus on business enablement, risk management, and juggling costs with accumulating technical debt. Over the last 15 months, we have implemented a security program that tries to bridge these worlds by bringing security audits into the first phase of due diligence for new products and services. The results have been extremely positive: we have been able to identify bad solutions prior to investing substantial amounts of time in implementation, have improved the security of the solutions we did accept, and have developed tons of new vulnerability checks, exploit modules, and advisories in the process. While this talk will cover the overall process and some of the most surprising results, it will also dive into the technical details of the most interesting vulnerabilities and their exploits.
CSO and Chief Architect, Metasploit
HD is Chief Security Officer at Rapid7 and Chief Architect of Metasploit, the leading open-source penetration testing platform. HD founded the Metasploit Project in the summer of 2003 with the goal of becoming a public resource for exploit code research and development. Prior to joining Rapid7 and continuing his work on the Metasploit Framework, HD was the Director of Security Research at BreakingPoint Systems, where he focused on the content and security testing features of the BreakingPoint product line. Prior to BreakingPoint, HD spent seven years providing vulnerability assessments, leading penetration tests, and developing exploit code.