Ted takes your audience to the front lines of ethical hacking and security research. He helps them experience the wild, unexpected, often shocking stories of both companies who got security right, and those who didn't.
He then extracts the key insights from those stories, translating them into advice your audience can go implement. (Much of which he covers in his book Hackable.)
Your audience will learn exactly what to do, why to do it, and how.
Format & Options
Main Stage Keynotes
My commitment to you:
Be the easiest speaker you've ever worked with.
My commitment to your audience:
Help you think differently, and teach you how to act on it.
First of all, it's custom to you
But here's a sense of the areas we can cover, depending on what you need:
The Lies (and Truths) about Application Security
There's lots of advice out there. Some of it is even good advice. Much of it, though, is straight up wrong.
Don't think like a defender, think like an attacker. Don't hoard information, share it. Don't rely on the basics, seek the advanced tactics. Don't rely on "annual" testing, get it more frequently.
With so many misconceptions running rampant, how are you to know what to trust and what to reject?
In this program, you'll learn how to identify the common falsehoods, and what to replace them with instead.
Start With The Right Mindset and the Right Partner
Security can feel uncertain, but it doesn't need to be that way. It all starts with how you think, and how well you pair that with an outside expert to help you produce explosive results.
But how do you know what to look for?
In this program, you learn the foundation that leads to security excellence, including:
Why it's not just about doing security, it's about security excellence
What to look for in a security partner, and how to vet their capabilities
Choose The Right Assessment Methodology
When working with outside security consultants, people often think it's best to withhold information from them. After all, the attackers don't have that info and you want to emulate the attackers, right?
In this program, you learn how to get the most value out of your security partner, including:
The difference between white-box and black-box testing
Why information is a shortcut your attackers don't have
How to exponentially multiply your rate of vulnerability discovery
Get The Right Security Testing
If you have valuable assets to protect, you need to test your software system for security vulnerabilities. This has probably led you to seek out penetration testing.
But what if that's not even what you're actually getting?
This session exposes the common misconceptions around penetration testing, including the fact that you're usually sold something else (vulnerability scanning) when you usually need yet another thing entirely (vulnerability assessments). You'll learn:
The difference between penetration testing, vulnerability scanning, vulnerability assessments, and bug bounty programs
How to pick which one is right for you
Hack Your System
Your security vulnerabilities exist. The question is simply whether you find (and fix) them before your attackers exploit them. So, you get yourself some security testing.
But are you going deep enough?
Most testing programs are not going deep enough. In this program, you'll learn the core ideas behind effective security testing, including:
Why vulnerability scanning isn't enough
Why system design matters
How you win if you abuse functionality, chain exploits, and seek the unknown unknowns
Fix Your Security Vulnerabilities
Once you find those vulnerabilities, next you need to fix them. But developers are already overloaded, deadlines are looming, and there just isn't time to add remediation work. However, if you don't fix the vulnerabilities, you've wasted the money, effort, and time invested in finding them in the first place -- all while leaving a vulnerable system unnecessarily exposed.
How is a busy team to handle this conundrum?
In this program, you'll learn how to:
Prioritize Vulnerabilities by Severity
Hack It Again
Once you find vulnerabilities, are you done? No. Now you need to hack the system again.
But how can it also save money?
In this program, you learn some of the most unexpected aspects about security reassessments, including:
Why you'll keep finding critical vulnerabilities
How the right cadence gets you more and better security for less money
What the right cadence even is
You need to secure your software system and then prove that it's secure. However, you also have tremendous competing demands on the same resources of time and money it would take to do that.
How do you know how much to spend?
In this session, you'll learn:
What happens when you spend too little (and when you spend too much)
How to find "just right"
Benchmarks to help establish your security budgets
Establish Your Threat Model
A threat model is the core of every defense plan... yet most companies don't even know what it is, let alone have one implemented. A threat model is important because it outlines the battle you're in.
If you don't understand the battle you're in, how can you possibly win?!
In this program, you'll learn the core ideas behind threat modeling, including:
What a threat model is, and how to establish one
How to think about assets, adversaries, and attack surfaces
How to think about misuse and abuse cases
Build Security In
Developers are under intense pressure, deadlines are looming, and anything that can be deferred must be. Security is often seen as one of those things.
How can an overloaded team also tackle security, in addition to the many other development priorities?
It's actually much simpler than you think. Not only is it more effective, it's less expensive, too! In this session you'll learn:
The difference between "build it in" vs. "bolt it on."
Why it's more effective & less expensive to "build it in."
Why security does not slow you down.
How to build it in, whether you use a linear-sequential methodology (like Waterfall) or an iterative one (like Agile)
Use Security to Win Sales
People often think of security as a tax on the business. But that's wrong: security is a sales enabler.
In this program, you learn about the most commonly overlooked aspect of security, including:
Why security is a competitive advantage
How to use your security assessment report and your security consultant in the sales process
How to make security questionnaires become your sales tool
How to build an effective security page on your website