06 Apr 2016

Cyber Security Summit Atlanta, GA - Risk Centric Threat Models

VerSprite's Tony Uceda Velez presents Risk Centric Threat Models at the Cyber Security Summit in Atlanta, GA.

11 Mar 2016

Bay Area Cyber Security Meetup - Cyber Liability Insurance

VerSprite's Scott Takaoka presents at the Bay Area Cyber Security Meetup on Cyber Liability Insurance.

01 Mar 2016

RSA Conference 2016 - Vendor Risk

VerSprite's Tony UcedaVélez and Scott Takaoka present at the RSA Conference on Vendor Risk.

26 Feb 2016

9th Annual ISACA South Florida WOW!

VerSprite's Tony Uceda Velez presents Cloud Security Metrics.

26 Jan 2016

OWASP AppSec California 2016 Attack Tree Vignettes for Containers as a Service Applications

The rapid growth in container technology adoption in the DevOps community presents new threat models for organizations relying on these tools to scale and run their operations. Watch VerSprite's Tony Uceda Velez present a talk on Attack Tree Vignettes for Containers as a Service Applications at OWASP AppSec California 2016.

21 Jan 2016

XPath Awakens - Attacks & Impact Around XPath Injection

OWASP Atlanta January Meeting
Thursday, January 21, 2016, 6:30 PM, Location TBD.

XPath is a language designed to query data described in XML. XPath injection allows an attacker to inject XPath elements into a query that operates on XML. Threat agent goals often include circumventing authentication and/or accessing information in an unauthorized manner.

Developers today use XPath to perform actions over XML-based documents; however, insecure coding practices can allow injection issues to surface in web applications. Blind XPath Injection techniques retrieve information by issuing true/false queries to the web application, but they mostly focus on retrieving data from the current query, skipping sensitive information in XML nodes outside the scope of the current request. This presentation will extend beyond these blind injection attacks and discuss how to retrieve the entire XML document using Blind XPath Injection techniques.

Bio: Luis Torres is a security consultant with VerSprite. An avid pen tester, researcher, CTF participant, and bug bounty winner - Luis is a key consultant for VerSprite's AppSec Consulting practice where he focuses his time on client-server, cloud, web services, and fat client security testing. His recent research has been around more damaging exploits around XPath injection which he seeks to share with you today.

19 Oct 2015

Addressing Cybercrime via PASTA Threat Modeling

VerSprite's Tony Uceda Velez presents Addressing Cybercrime via PASTA Threat Modeling.

19 Oct 2015

CSX North America - AppSec, Risk, Compliance Convergence

VerSprite's Tony Uceda Velez presents at the CSX North America Conference in October 2015, discussing how risk centric threat modeling can help unify disparate security efforts across Application Security, Risk Management, and Regulatory Compliance drivers.

29 Sep 2015

ISC2/ ASIS International 2015 Security Conference - Healthcare Threat Modeling Vignettes

VerSprite's Tony Uceda Velez presents Healthcare Threat Modeling Vignettes at the ISC2/ ASIS International 2015 Security Conference in Anaheim, CA.

02 Apr 2015

Great Wide Open - Application Security On A Dime

VerSprite's Tony Uceda Velez presents Application Security On A Dime at the Great Wide Open event in Atlanta, GA.

27 Jan 2015

AppSec Cali 2015 Santa Monica, CA - PASTA Threat Modeling – One Day Training

VerSprite's Tony Uceda Velez gives the PASTA Threat Modeling – One Day Training at AppSec Cali 2015 in Santa Monica, CA.

17 Oct 2014

Hacker Halted & EC-Council event - Security Metrics Rehab

VerSprite's Tony Uceda Velez presents Security Metrics Rehab at Hacker Halted & EC-Council event.

15 Dec 2013

Error 500 - Exceptions That Will Get You Owned

VerSprite's Benjamin Watson presents at BSidesATL. This talk reviews the vulnerabilities discovered in Java web application frameworks, the impact they present, and why stack traces should never be considered low risk. It serves as an introduction to these vulnerability classes and to how to identify and test for them in web application security assessments and penetration tests.