How BlackArch could be your best arsenal distro/repository for Pentesting. It has some unique features that makes it stand out from other distros.

Still not 100% convinced and you still want to keep using your old disro of choice?

No problem, I'll show you very easily how to stay in your comfort zone, using and taking advantage from both worlds (without dual booting)!

Ever wanted a new tool (r.g. from github) or update in your distro, but it is still not available ? Will you just set and wait ?

I'll show you how to quickly and easily add it to BlackArch with just Bash skills !

https://blackarch.org

Everyone is moving fast and needs to learn new things constantly. We're on call and seems also always on duty. We're trying to finish the iron man before training our mind and body. The results are exhaustion, anxiety and burnout. Let's check your awareness. Build your personal SIEM and learn how to read it.

Share your experience on Rubber Ducky, Pineapple and Co. Did they work as expected? Did they perfom well in pentesting or for security awareness trainings? Which code have you written for the device?

I will present the idea of Context-keyed Payloads and how it could be useful for Redteaming.

We will write a functional example in assembly (with some tricks) and then make it more useful by making a Metasploit module/encoder out of it.

Assembly debugging, Ruby debugging, shellcoding, IDA, gdb, Malware, Metasploit, ...

A short report the first year after GDPR and how it's getting along with the ISMS.

Do they really need to keep fighting each other, though we're in desperate need of both.

Can we give them a chance to co-exist and even enhance each other?

Also let's clear some common myths around compliance.

I'll be setting up some devices and a couple of challenges around IoT Security.

This will allow anyone to get their feet wet, maybe learn something and have fun with this

I'd like to share my experience working on IoT Security for the last couple of years: some cases, the tools, why it is exiting.

After that open a discussion and learn from the experience from others

We'll go over:

- What radare2 is

- What it can do

- Learning some basics

- Solving a simple crackme challenge

- Tips and tricks to get involved

What are CTFs anyway and why would I want to play them? This proposal will cover:

- What they are

- Lots of tips and fun facts

- Some hands-on practice on simple Web challenges

Warum ist Psychologie so wichtig in der Cyber-Security? Wie werden Mitarbeiter zur menschlichen Firewall eines Unternehmens?

I will give an intro on the attack method buffer overflow and how stack smashing works.

Vulnerabilities are often found by private bug hunters. Most companies don't offer a way to submit security related reports in an easy way. Instead the only way is to contact the customer support which is normally unable to handle the request.

Related topics are:

- Personal experience with bug reporting

- Defining a tolerated scope for private security testing

- Offering a simple way to submit a report

- Dealing with reports (Bounties, Disclosure, ...)

An open discussion about your Threat Modeling experience.

I actually have some questions:

- What should tools be like that help DevOps Teams to perform continuous threat modeling?

- Is there a learning curve for teams? Shall one start with the most advanced tool?

- Beyonde STRIDE: Which are the controls we really need to look at? What are the Flaw patterns?

I will give a short intro to LangSec to answer the question: Why are parsers, unparsers, and theoretical computer science key to most of the vulnerabilities we see today?

I would love to discuss options and opinions how to get out of this software crises by discussing:

- use of tools

- does knowledge alone help

- new programming language features to prevent entire bug classes like Injections

With a focus of teaching web security to developers, I would like to discuss:

* What attacks are actually relevant in practice?

* What are the challenges currently faced by developers?

* What are the latest mitigiation techniques for XSS, SQLi, etc.? (Should we start teaching Trusted Types? CSP Level 3? ...)

Open discussion on common approaches for security scanning and monitoring of microservice-based architectures.

The IETF OAuth Working Group is working towards a new Security Best Current Practice (BCP) RFC that aims to weed out insecure implementation patterns for OAuth 2.0. It based on lessons learned in practice and on new attacks found through formal security analyses of OAuth and OpenID Connect.

I would like to present and discuss this work.

I would like to have a discussion about the "public clouds".

Topics I have in mind are:

- security advantages

- privacy disadvantages

- centralization of the internet at Amazon, Google, Microsoft

Industrial safety and security. Konsequenzen für den Arbeitsschutz durch Angriffe auf Industriesteuerungen.