When Thursday 17th April 2014
Where CSIT Seminar Room, N101, CSIT Building, Building (108), North Road, ANU
Time 6:00 PM
After Talks Uni Pub, 17 London Circuit
Organisers Silvio Cesare, Andrew Muller, Brian Candlish



A Decade of Building Security In - Jacob West

Level: Introductory

Over the last decade, the industry has made great progress in building security into software from the ground up. However, 84% of breaches still target the software layer and the pronounced skill and resource gap between defenders and adversaries resulted in a 20% increase in breaches in 2013. At the same time, our defences are weakened with 40% of IT security roles projected to be vacant in 2014. To combat ever-more-capable adversaries, the industry must focus on getting the basics right every single time.
A maturity model is critical in light of the challenges we face today because improving software security almost always means changing the way an organisation works: people, process, and technology are all required. The Building Security In Maturity Model (BSIMM) is the result of a multi-year study of dozens of real-world software security initiatives at firms ranging from Adobe to Zynga. This talk describes the observation-based maturity model and draws examples from many real software security programs. While not all organisations need to achieve the same security goals, all successful large-scale software security initiatives share common ideas and approaches.


Jacob West, Chief Technology Officer, Enterprise Security Products, HP

Jacob West is chief technology officer for Enterprise Security Products at HP. In his role, West influences the security product roadmap and leads HP Security Research, which conducts research and leverages partnerships to deliver security intelligence to HP customers.
West spent the last decade developing, delivering, and monetizing security solutions beginning with academic research and as an early researcher at Fortify prior to its growth and acquisition by HP. Most recently, West served as CTO and head of research for Fortify products.
West co-authored the book, "Secure Programming with Static Analysis" with Fortify founder Brian Chess and co-authors the Building Security in Maturity Model. A graduate of the University of California, Berkeley, West resides in San Francisco, California.

Breaking the Security of Physical Devices - Silvio Cesare

Level: Intermediate

In this talk I look at a number of household or common devices and things, including a popular model car and physical security measures such as home alarm systems. I then proceed to break the security of those devices. The keyless entry of a 2004/2005 popular make and widely used car is shown to be breakable with predictable rolling codes. The actual analysis involved not only mathematics and software defined radio, but the building of a button-pushing robot to press the keyless entry to capture data sets that enable the mathematical analysis. Software defined radio is not only used in the keyless entry attack, but in simple eavesdropping attacks against 40 MHz analog baby monitors. But that's an easy attack. A more concerning set of attacks are against home alarm systems. Practically all home alarm systems that had an RF remote to enable and disable the system were shown to use fixed codes. This meant that a replay attack could disable the alarm. I built an Arduino and Raspberry Pi based device for less than $50 that could be trained to capture and replay those codes to defeat the alarms. I also show that by physically tampering with a home alarm system by connecting a device programmer, the EEPROM data off the alarm's microcontroller can be read. This means that an attacker can read the secret passcode that disables or enables the alarm. In summary, these attacks are simple but effective against physical devices that are common in today's world. I will talk about ways of mitigating these attacks, which essentially come down to avoiding the bad and buying the good. But how do you know what's the difference? Come to this talk to find out.


Silvio Cesare is one of Ruxmon Canberra's organisers. He is a researcher, writer, and presenter in industry and academia. He is the author of the academic book Software Similarity and Classification, published by Springer. He has spoken at multiple industry conferences including Black Hat, Ruxcon, Auscert, and Cansecwest. He holds a Doctorate from Deakin University in Australia. He has also worked in industry within Australia, France and the United States. This work includes time as the scanner architect of Qualys, now the world's largest vulnerability assessment company. At present he is again at Qualys, developing next-generation malware protection based on his university research. In 2008 he was awarded a $5000 USD tied 3rd prize for the highest impact vulnerability reported to security intelligence company iDefense, for an implementation-specific IDS evasion bug in the widely deployed Snort software. He has a Bachelor of Information Technology and a Master of Informatics by research from CQUniversity, where he was awarded two academic prizes during his undergraduate degree, a University Postgraduate Research Award full scholarship during his Masters degree and an award for the highest achieving Ph.D. student during his candidature.


When | Title | Speaker | Materials
Thursday 17th April 2014 | A Decade of Building Security In | Jacob West | Not available
Thursday 17th April 2014 | Breaking the Security of Physical Devices | Silvio Cesare | Not available
