Finding security bugs is often regarded as an activity requiring secret powers or extremely specialized knowledge. Some security bugs are difficult to uncover and require deep knowledge. However, with basic knowledge many areas can be tested without much effort. This presentation shows how identify and limit attack surface (both application and network layer), perform basic security testing using simple tools, and the difference in effort between finding a bug and exploiting it. A live demo will be given on how to identify and exploit a previously unknown security bug across the network.

—–

Tom Gallagher has been intrigued with both physical and computer security from a young age. He is currently the lead of the Microsoft Office Security Test team. This team is primarily focused on penetration testing, writing security testing tools, and educating program managers, developers, and testers about security issues. Tom co-authored the MSPress title “Hunting Security Bugs” and has presented at OWASP (Seattle), Black Hat, and the TechEd conferences.