Shape Security Customer Summit 2018 brings together some of the world’s most innovative people to challenge, inspire and energize each other. Contact your rep for an invitation and details.
FS-ISAC Summit
Monday, May 21st
Going to FS-ISAC Summit? Join us Monday, May 21st from 9pm-11pm at the Boca Beach Club as we kick off the conference in style – enjoy dessert, open bar, and two live DJ sets as we cap off Day 1. We will be celebrating our new product, Blackfish!
We’re back at Fluent this year!
A load of Shapers will be at O’Reilly’s Fluent Conference again this year and we’ll have a lot more in store than we did last year. Ariya and I (Jarrod) will be speaking, we’re sponsoring an event, and we’ll have a booth with (awesome!) prizes, JavaScript trivia, and demos of some really crazy technology. If you’re heading out to SF next week, make sure to look out for all of us and say hi:
- Ariya Hidayat
- Jarrod Overson
- Michael Ficarra
- Tim Disney
- Lewis Ellis
- Shilpi Jain
- Eli Mattson
- Kevin Gibbons
- and Jamie Moore
At our booth we’ll be giving away a bunch of prizes that will allow you to make or control your own (benevolent) bots – Lego Mindstorms sets, remote control BB-8s, and Arduino starter kits.
If you’re at all interested in working with JavaScript in ways you’ve never thought of before, we’re hiring a lot of new positions doing really fun stuff. If you’re curious, please reach out in advance so we can make sure to reserve some time. We really like talking about these things so just give us an excuse and we’ll make time for it.
Definitely make sure to check Ariya’s and my talks at the conference. I’m really excited to give the security talk and go over some of the insanity we get to work with at Shape.
From zero to hero: Toward frontend craftsmanship by Ariya Hidayat
After you have built a nice JavaScript application using Backbone, AngularJS, or React, written some unit tests, integrated a linter, and hooked up a continuous-build system, what should you do next? To reach the next level and create the highest-quality applications, you must first master a few more skills. Ariya Hidayat gives a step-by-step overview of adding code-coverage tracking and a dashboard, utilizing Git hooks to prevent regressions, leveraging Docker for a consistent development platform, and implementing cross-browser testing (including with evergreen browsers).
The Dark Side of Security by Jarrod Overson
Ashley Madison data stolen… Twitch.tv breached, passwords need to be reset… 10 million passwords leaked! 13 million! 80 million!
What does this mean to you and your websites? You use secure passwords, your sites haven’t been compromised, and you have safeguards in place to protect your customers, so you don’t need to worry, right?
Right?
Jarrod Overson reveals the world where these passwords are traded, sold, verified, and used to exploit your sites. Even if you are diligent, doing everything you can to protect yourself and your users, you can’t protect against legitimate logins. So what can you do? Jarrod explains how you can start exploring how vulnerable you really are, how you might start recognizing malicious traffic, and what you can do to start taking a stand against your attackers.
See you at Fluent!
Imitation Game – The New Frontline of Security at QCon San Francisco
This week over 1400 software developers are gathering in San Francisco for QCon to share the latest innovations in the developer community. The conference highlights best practices in a wide range of emerging technology trends such as microservices, design thinking, and next-generation security.
Want more QCon inspiration? Follow #ShapeSecurity and #QConSF on Twitter now.
Web Security Guide to Black Hat 2015
An important web security concept, “A Breach Anywhere is a Breach Everywhere,” will be highlighted at Shape’s booth during the Black Hat conference this week. Prominent attacks such as the Uber account hijackings highlight how spilled credentials obtained from previous breaches can lead to account hijackings on another B2C site.
Make sure to check out Black Hat sessions relevant to escalating web security threats such as password cracking (Cracklord) as well as the expanding web attack surface on technologies like EdgeHTML and Node.js. You can also engage with web security anti-automation experts at the Shape Security booth #558. On Wednesday at 2:30 pm Shape will be hosting Ted Schlein, Partner at Kleiner Perkins (investor in ArcSight, Fortify, Mandiant), former CEO of Fortify and executive at Symantec.
Cracklord – A Friend of Credential Stuffers
If credential stuffing allows criminals to turn lead into gold, hash cracking is the act of digging lead from the Earth. Cracklord, a system designed to crack password hashes, will be explained by researchers from Crowe Horwath. As password cracking tools increase the pool of available credentials, B2C companies need to strengthen their web security defenses to defeat credential stuffing and account hijacking attacks.
New web attack surfaces revealed
Web attack surfaces are constantly expanding as new web technology frameworks and browser technologies continue to be developed and popularized. Those web frameworks offer both the opportunity for built-in security and the risk of a single vulnerability affecting the entire user base. At this year’s Black Hat, two briefings on EdgeHTML and Node.js are particularly relevant.
Researchers from IBM will talk about new attack surfaces within Microsoft’s next generation rendering engine EdgeHTML (codename Project Spartan). Researchers from Checkmarx will talk about different attack methods on Node.js as well. It’s important for B2C companies to be aware of these new vulnerabilities as attackers are likely to exploit them.
Stop by Shape’s booth #558
Stop by to engage with Shape’s anti-automation specialists to evaluate risks to your website and learn how to protect your web application and mobile API services. On Wednesday, you will get a chance to meet with Ted Schlein, veteran VC at KPCB (investor in ArcSight, Fortify, Mandiant) and former CEO of Fortify and executive at Symantec.
Have fun and hope you enjoy your week at Black Hat!
Links for relevant sessions on web security
Please follow Shape Security on Twitter – #ShapeSecurity
Come see Shape at FluentConf!
Shape will be at O’Reilly’s Fluent Conference in a big way next week and we’re hoping to meet a huge round of new faces in the web community. Several of us will be speaking, doing a book signing, and hanging around our booth in the sponsor’s hall. Make sure you stop by and say hello to:
- Ariya Hidayat (@ariyahidayat)
- Wesley Hales (@wesleyhales)
- Michael Ficarra (@jspedant)
- Bei Zhang (@ikarienator)
- Ben Vinegar (@bentlegen)
- Seth McLaughlin (@sethmc)
- Jarrod Overson (@jsoverson)
We’ll probably be chatting about ES2015 (and beyond), JavaScript parsing, the Shift tools, esprima, phantomjs, speedgun, plato, as well as security and performance, of course.
Definitely stop by to see us if you’re still curious as to what Shape is all about. We’re a quiet company doing some amazing things and we’ll take any opportunity to go into detail in person.
Don’t miss the talks below!
PhantomJS for Web Automation by Ariya Hidayat
PhantomJS, the scriptable headless WebKit-based automation tool, has gained a lot of traction in its first 4 years of existence. With >11,000 GitHub stars and ~10M downloads, it has become the de facto tool for web application continuous integration, whether to run basic tests or to catch rendering regressions. Many JavaScript test frameworks work well with PhantomJS. In addition, because PhantomJS permits the inspection of network traffic, it is suitable for running various analyses of network behavior and performance. This talk will highlight the basic usage of PhantomJS and explore various PhantomJS tools for web application testing, screen capture, performance analysis, and other page automation tasks.
High Performance Web Sockets by Wesley Hales
Adding a WebSocket service to an application is often misunderstood to be high performance by default; however, there are many more considerations that must be made, both on the client and the server, before the best performance can be achieved. Real-time technologies like SPDY, WebSocket, and soon HTTP 2.0 have their own sets of hurdles and anti-patterns to overcome, and this talk will provide the checklist you need to fine-tune your application’s real-time performance.
Debunking Front-end Performance Myths by Ben Vinegar
High Performance Websites, by Steve Souders, was first released in 2007. The follow-up – Even Faster Web Sites – was published in 2009. These books have served as web optimization canon for a generation of web developers. The problem is: it’s now 2015. Browsers, browser features, internet connectivity – they’ve all changed dramatically. A lot of the best practices from 2007 and 2009 no longer apply. And yet, many developers are still holding on to those practices – advocating for performance tweaks that are no longer relevant.
See you there!
Join our RSA session
The Emperor’s New Password Manager: Security Analysis of Password Managers
Friday, April 24, 2015
9:00 AM – 9:50 AM
West
Room: 3009
Session abstract: We conducted a security analysis of popular web-based password managers. Unlike local password managers, web-based password managers run in browsers. We identify four key security concerns and representative vulnerabilities. Our attacks are severe: in four out of the five password managers we studied, attackers can learn credentials for arbitrary websites. This work is a wake-up call for developers.
Speaker: Zhiwei Li, Research Scientist @ Shape