AppSec USA 2014 
Denver, Colorado 
Hacking .NET/C# Applications: 
Defend By Design 
Jon McCoy 
DigitalBodyGuard
What is a Defendable System 
What is a Strong/Weak Design 
How to view a Software System 
This Speech
Thanks To 
Thanks AppSec/OWASP 
A Critical part of the security world
Introduction 
Jon McCoy - DigitalBodyGuard 
• Software Engineer 
• Digital Security 
• Application Level Security 
• .NET Framework Expert 
• Attack and Defense
Overview 
Work Area: 
PenTesting and Active Defender 
Specialize: 
.Net Framework Systems
What is a Thick Client? 
GrayWolf 
Demo 
Context
Share What I Have 
Seen 
Context
What is a 
Context 
Defendable API
Focus of this talk 
Daemon 
API 
Service
Focus of this talk 
= =
Focus of this talk 
Daemon 
Business Units 
Service Security 
Network
Client World View
Cyber Attack 
Users 
Web Server 
DB
Client Wants it secure
Communications 
POS API/DAL 
Crypto 
Honey-Pot 
Log Detection 
Crypto 
Web 
Log
Communications 
Web Service 
SOAP/REST 
Encrypted 
Auth 
Auth 
Web Service 
SOAP/REST 
Encrypted
Unified Modeling Language (UML)
Network Diagram
Cyber Attack
Critical Units 
Credit Cards 
Production 
DB 
$1,000,000 
$20,000,000 
User Info 
DB 
$100,000
Client Is Strong
Strong
A Security Review
Let's say you are "Secure" 
I, the "PenTester", will hit you at 
• Network 
• Computer Login 
• Employees 
• Hardware 
• TechSupport 
• ………..
Strong
Let's say you are "Secure" 
I, "The Hacker", will Attack 
• Users 
• Your Physical Infrastructure 
• Your Web-Face 
• All Digital Devices 
• ……….. 
• Except (X/Y/Z)
My Team
A Security Review
One Problem 
Still Good Everything is Bad
Security Review 
• We took full control of Domain Admin 
• We took full control of Network 
• We took full control of Database Systems 
• We took full control of Physical Security 
• We took full control of File Management 
• We took full control of Back Up….. 
• ………..
One Problem 
Everything is Bad
How do we Fix This
Critical Units 
Credit Cards 
Production 
DB 
$2,000,000 
$20,000,000 
User Info 
DB 
$200,000
Layered Defenses 
Credit Cards 
Production 
DB 
$2,000,000 
$20,000,000 
User Info 
DB 
$200,000
Layered Defenses 
Cards Hash 
User Info 
DB 
Credit Cards 
Production 
DB
Guards
Quick Recommendations
API Type: 
OWIN.org 
REST – SOAP – Socket 
DB Type: 
Node.JS – Neo4Net – Node Database – Sharding & Segmentation 
Security: 
OAuth (2) 
RSA 4096 – AES 256 – MAC (message authentication code)
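The "RSA 4096 – AES 256 – MAC" recommendation above, and the "Point To Point Crypto" between API/DAL segments later in the deck, combine into one message envelope: the receiver's RSA-4096 key transports a fresh AES-256 key and MAC key, the payload is AES-encrypted, and an HMAC-SHA256 tag over IV and ciphertext is checked before any decryption happens (encrypt-then-MAC). The C# below is an added example written for this page, not code from the slides or from DigitalBodyGuard; the names `SealedMessage`, `PointToPointCrypto`, `Seal` and `Unseal` are this example's own, and it assumes .NET 6 or later for `EncryptCbc`, `HMACSHA256.HashData` and `RandomNumberGenerator.GetBytes`.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example (not from the slides). Envelope for one point-to-point message:
// RSA-4096 (OAEP) wraps the AES-256 key and the HMAC key; AES-CBC gives
// confidentiality; HMAC-SHA256 over iv||ciphertext gives integrity.
// SealedMessage / PointToPointCrypto are hypothetical names for this example.
public sealed class SealedMessage
{
    public byte[] WrappedKeys { get; init; } = Array.Empty<byte>(); // RSA-OAEP(encKey || macKey)
    public byte[] Iv { get; init; } = Array.Empty<byte>();          // 16-byte AES-CBC IV
    public byte[] Ciphertext { get; init; } = Array.Empty<byte>();
    public byte[] Tag { get; init; } = Array.Empty<byte>();         // HMAC-SHA256(iv || ciphertext)
}

public static class PointToPointCrypto
{
    public static SealedMessage Seal(RSA recipientPublicKey, byte[] plaintext)
    {
        byte[] encKey = RandomNumberGenerator.GetBytes(32); // AES-256 key, fresh per message
        byte[] macKey = RandomNumberGenerator.GetBytes(32); // separate key for the MAC
        byte[] iv = RandomNumberGenerator.GetBytes(16);

        using var aes = Aes.Create();
        aes.Key = encKey;
        byte[] ciphertext = aes.EncryptCbc(plaintext, iv, PaddingMode.PKCS7);

        // Both symmetric keys travel under the receiver's RSA-4096 public key.
        byte[] keys = Concat(encKey, macKey);

        return new SealedMessage
        {
            WrappedKeys = recipientPublicKey.Encrypt(keys, RSAEncryptionPadding.OaepSHA256),
            Iv = iv,
            Ciphertext = ciphertext,
            Tag = HMACSHA256.HashData(macKey, Concat(iv, ciphertext)),
        };
    }

    // Returns null when the tag does not verify (tampered or forged message).
    // That branch is where the deck's "Log Detection" event belongs.
    public static byte[]? Unseal(RSA recipientPrivateKey, SealedMessage msg)
    {
        byte[] keys = recipientPrivateKey.Decrypt(msg.WrappedKeys, RSAEncryptionPadding.OaepSHA256);
        byte[] encKey = keys[..32];
        byte[] macKey = keys[32..];

        byte[] expected = HMACSHA256.HashData(macKey, Concat(msg.Iv, msg.Ciphertext));
        if (!CryptographicOperations.FixedTimeEquals(expected, msg.Tag))
            return null; // MAC checked first: nothing is decrypted on failure

        using var aes = Aes.Create();
        aes.Key = encKey;
        return aes.DecryptCbc(msg.Ciphertext, msg.Iv, PaddingMode.PKCS7);
    }

    private static byte[] Concat(byte[] a, byte[] b)
    {
        byte[] r = new byte[a.Length + b.Length];
        Buffer.BlockCopy(a, 0, r, 0, a.Length);
        Buffer.BlockCopy(b, 0, r, a.Length, b.Length);
        return r;
    }

    public static void Main()
    {
        using RSA receiver = RSA.Create(4096); // receiver's long-lived key pair
        // Constructed sample payload for the demo, not real POS data.
        byte[] plaintext = Encoding.UTF8.GetBytes("constructed sample: order=42;amount=19.99");

        SealedMessage sealedMsg = Seal(receiver, plaintext);
        byte[]? opened = Unseal(receiver, sealedMsg);
        Console.WriteLine(opened is null ? "MAC failed" : Encoding.UTF8.GetString(opened));

        // Flip one ciphertext byte: the MAC check rejects it before decryption runs.
        sealedMsg.Ciphertext[0] ^= 0x01;
        Console.WriteLine(Unseal(receiver, sealedMsg) is null ? "tamper detected" : "tamper missed");
    }
}
```

The MAC uses its own key and covers the IV as well as the ciphertext, and the tag is compared in constant time; a receiver that decrypted first and authenticated second would hand padding and decryption errors to the sender of a forged message, which is exactly the signal a segmented design wants to keep inside the log-detection layer.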
Layered Defense 
• Detect and Protect the Perimeter 
• Guard and Respond 
• Build Choke Points 
• Find the Weak Blind Spots 
• …………
“Client Remediates the Issues” 
Client is stronger
Layered Defense
Layered Defense 
Attacking as Hackers
Layered Defense
Security Review 
• We took Admin in 2-4 hours (Tell Client 8 Hours) 
• We took full control of Network 
• We took full control of Database Systems 
• We Failed to take control of Physical Security 
• We took full control of File Management 
• We Failed to take control of Back Up….. 
• ………..
How do we Fix This
Layered defense 
Detection and Response
Guard Post
Now Security Can Start 
Now we have started 
talking the same 
Language
IT => Developer 
= Pattern 
Anti-Pattern 
Segmentation 
= 
= 
Good Design 
Bad Design 
Separation
Developer => DBA 
Claims 
Facade 
Controllers 
= Authentication 
= 
View 
= 
Actions
Security => Developer 
Security Test 
Attack Vector 
Security Controls 
= Security Unit Test 
Security User Story 
Defendable Systems 
= 
=
Now Security Can Start 
Language = Context
Communications 
Get to know the Client 
Web Data Processing 
Strong API/DAL
Communications 
Data Access Layer
Communications
Strong vs Weak 
Software 
DEMO
Communications 
Security Level
Communications 
Domain Expert
Communications
Design Security 
DEMO
Communications 
Two Completely 
POS Different Systems 
Web
Communications 
POS 
Web
Communications 
POS 
Web 
IT/&/Networking 
DB
Teams 
POS != WEB != DB != IT
Mockup Project 
Defend the POS
Communications 
Trusted Network 
Point Of Sales 
Clients & Partners
Communications 
Built 5 Years ago 
Changes Twice a year 
Only X can Access it
Bad Fix
Bandage Security
Communications
Communications 
$250k 
You will prevent 
X/Y/Z Attacks 
Best “Buzzword” Protection
• Turn Key 
• Reliable 
• Low Long Term Cost 
• Free Upgrades for Three Years 
• ……….
Communications
Design Security
Communications
Communications 
Secure System
Communications 
Secure System 
Log System 
Passive Detection
Communications 
API/DAL 
Log 
Detection
Communications 
Honey-Pot 
API/DAL 
Log 
Detection
Communications 
API/DAL 
Honey-Pot 
Log Detection 
API/DAL
Communications 
API/DAL 
Honey-Pot 
Log Detection 
Data Management & 
Point To Point Crypto 
API/DAL
Communications 
API/DAL 
Honey-Pot 
Log Detection 
Crypto 
Crypto 
API/DAL
Communications 
API/DAL 
Honey-Pot 
Log Detection 
Crypto 
Crypto
Communications 
Segmented 
Network 
POS Auth
Communications 
Data API 
POS 
Auth 
Auth
• Segmented Hardware 
• Segmented User Authentication (NO AD!) 
• Segmented Management 
• Segmented Data Storage/Backup 
• Segmented Buildings 
• Segmented Developers 
• Segmented IT/Security 
• Segmented Power…….
Communications 
POS API/DAL 
Crypto 
Honey-Pot 
Log Detection 
Crypto 
Web
Communications 
POS 
Web 
Data API
Communications 
Data API 
POS 
Web 
SQL
Communications 
Security User Stories 
----SQL Injection---- 
• Detect SQL-injection 
• Prevent SQL-injection 
• Respond to SQL-injection 
Data API 
POS 
Web 
SQL
Communications 
POS API/DAL 
Crypto 
Honey-Pot 
SQL-Injection=> 
Log Detection 
Crypto 
Web
Communications 
POS API/DAL 
Crypto 
Honey-Pot 
Log Detection 
Crypto 
Web 
SQL-Injection 
Protection
Communications 
POS API/DAL 
Crypto 
Honey-Pot 
Log Detection 
Crypto 
Web 
SQL-Injection 
Protection 
SQL 
Protection
SQL-Injection 
Protection 
SQL-Injection 
Protection
SQL-Injection 
Security User Stories 
----SQL Injection---- 
• Detect SQL-injection 
• Prevent SQL-injection 
• Respond to SQL-injection 
Security Unit Test 
----SQL Injection---- 
• API -> SQL-injection 
• Processing Logic -> SQL-injection 
• BackEnd -> SQL-injection 
• Detect Injection
SQL-Injection 
Security User Stories 
Occurred 
----SQL Injection Occurred---- 
• Evaluate SQL-injection 
• If Critical Respond 
• If non-Critical Notify/Fix 
Security Unit Test 
----SQL Injection Detection---- 
• API -> Notify 
• Processing Logic -> Notify 
• BackEnd -> Notify 
• LockDown Each Layer
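The SQL-injection security user story (Detect / Prevent / Respond) and the matching security unit tests across the API, processing-logic and back-end layers can be written down as code the developer, tester and security reviewer all read the same way. The C# below is an added example for this page, not code from the slides or from DigitalBodyGuard: `QuerySpec`, `InjectionSensor`, `OrderDal`, `UnsafeOrderDal` and `SecurityUnitTests` are hypothetical names, the hostile input is constructed for the test, and a real DAL would hand the `QuerySpec` to a `SqlCommand` rather than returning it. It assumes .NET 6 or later (C# 10).

```csharp
using System;
using System.Collections.Generic;
using System.Text.RegularExpressions;

// Added example (not from the slides). Security user story for SQL injection:
//   Detect  -> InjectionSensor flags input that cannot be a valid order ID and records an alert
//   Prevent -> OrderDal only ever puts user input into parameters, never into SQL text
//   Respond -> the DAL refuses the request; the alert list is what a notifier would drain
// QuerySpec is this example's own shape: a fixed SQL template plus named parameters.
public sealed record QuerySpec(string CommandText, IReadOnlyDictionary<string, object> Parameters);

public sealed class InjectionSensor
{
    // An order ID is expected to be 1-10 digits; anything else is reported, not "cleaned".
    private static readonly Regex DigitsOnly = new(@"^\d{1,10}$");
    public List<string> Alerts { get; } = new();

    public bool LooksLikeInjection(string layer, string field, string value)
    {
        if (DigitsOnly.IsMatch(value)) return false;
        // Log the fact, not the raw payload, so the log itself is not a second sink.
        Alerts.Add($"layer={layer} field={field} rejected-input-length={value.Length}");
        return true;
    }
}

// Deliberately vulnerable "before" shape: input is concatenated into the SQL text.
public static class UnsafeOrderDal
{
    public static QuerySpec FindOrder(string orderId) =>
        new("SELECT * FROM Orders WHERE Id = " + orderId, new Dictionary<string, object>());
}

// Hardened DAL: sensor first (detect/respond), parameterised template second (prevent).
public sealed class OrderDal
{
    private readonly InjectionSensor _sensor;
    public OrderDal(InjectionSensor sensor) => _sensor = sensor;

    public QuerySpec FindOrder(string orderId)
    {
        if (_sensor.LooksLikeInjection("API", "orderId", orderId))
            throw new ArgumentException("rejected by injection sensor", nameof(orderId));
        return new QuerySpec(
            "SELECT * FROM Orders WHERE Id = @orderId",
            new Dictionary<string, object> { ["@orderId"] = int.Parse(orderId) });
    }
}

// The "security unit test" half of the story: each returns true when the control holds.
public static class SecurityUnitTests
{
    private const string Hostile = "1 OR 1=1"; // constructed test input, not a real incident

    // Prevent: valid input lands in Parameters and the SQL text is the untouched template.
    public static bool InputNeverReachesSqlText()
    {
        QuerySpec ok = new OrderDal(new InjectionSensor()).FindOrder("42");
        return ok.CommandText == "SELECT * FROM Orders WHERE Id = @orderId"
            && (int)ok.Parameters["@orderId"] == 42;
    }

    // Detect + Respond: hostile input is refused and exactly one alert is raised.
    public static bool SensorDetectsAndDalRefuses()
    {
        var sensor = new InjectionSensor();
        try { new OrderDal(sensor).FindOrder(Hostile); return false; }
        catch (ArgumentException) { return sensor.Alerts.Count == 1; }
    }

    // Regression guard: the unsafe shape demonstrably leaks input into the SQL text.
    public static bool UnsafeDalLeaksInputIntoSqlText() =>
        UnsafeOrderDal.FindOrder(Hostile).CommandText.Contains(Hostile);

    public static void Main()
    {
        Console.WriteLine($"input never reaches SQL text: {InputNeverReachesSqlText()}");
        Console.WriteLine($"sensor detects and DAL refuses: {SensorDetectsAndDalRefuses()}");
        Console.WriteLine($"unsafe DAL leaks input: {UnsafeDalLeaksInputIntoSqlText()}");
    }
}
```

The sensor and the parameterised query are independent controls, which is the "LockDown Each Layer" point of the deck: if the sensor's pattern is too loose, the parameter still keeps input out of the SQL text, and if a new code path bypasses the DAL, the sensor's alert is the detection that survives. The same three checks can be repeated at the processing-logic and back-end layers by giving the sensor a different `layer` label.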
Communications 
POS API/DAL 
Crypto 
Honey-Pot 
Log Detection 
Crypto 
Web 
SQL-Injection
Communications 
POS API/DAL 
Crypto 
Honey-Pot 
Log Detection 
Crypto 
Web
Security Response
Communications 
Data API 
POS 
Web 
SQL
Communications 
SOAP 
POS API/DAL 
Crypto 
Honey-Pot 
Log Detection 
Crypto 
- 
REST 
Web
Communications 
POS API/DAL 
Crypto 
Honey-Pot 
Log Detection 
Crypto 
Web 
SQL 
Protection 
SQL 
SOAP 
- 
REST
Communications 
POS API/DAL 
Crypto 
Honey-Pot 
Log Detection 
Crypto 
Web
Communications 
Data API 
POS 
Web 
SQL 
Log
Communications 
Data API 
POS 
Web 
SOAP/REST
Communications 
POS 
Web 
SOAP/REST 
Why? 
Not encrypt?
Communications 
Web 
SOAP/REST 
Why? 
Not encrypt?
Communications 
Publicly Exposed 
Web 
Do Not Trust 
SOAP/REST
Design Pattern 
Exposed System 
BURN THEM!!!!
Communications 
I/O POS 
Web 
SOAP/REST
Communications 
I/O POS 
Web 
Detect 
and Burn 
SOAP/REST 
Detect 
and Burn
Communications 
I/O POS 
Web 
Service
Quick Tangent 
Better Web Server Layout
Communications 
Web Service 
SOAP/REST 
Encrypted 
SOAP/REST 
Encrypted 
Web Service
Communications 
Web Service 
SOAP/REST 
Encrypted 
Auth 
Auth 
Web Service 
SOAP/REST 
Encrypted
Segmentation Is Good
Communications 
POS 
API/DAL 
Crypto Honey-Pot 
Log Detection 
Crypto 
Web
Communications 
POS 
Web
Communications 
POS 
Web Bridge
Communications 
POS 
Web 
Bridge 
Detection is Easy 
Locking it down is Easy 
Everything is Hard 
Detection is Easy
If Breach Occurs 
POS 
Rotate Security 
Web 
Lock it All Down 
Respond Aggressively 
Burn it all Down 
Bridge 
Replace Server 
Fix Exploit
Communications 
POS API/DAL 
Crypto 
Honey-Pot 
Log Detection 
Crypto 
Web
For a Secure Segmentation - 
Developers Need To Design And Control 
• FireWalls 
• Network Layout 
• System Provisioning 
• System Security 
• ………
Communications 
API/DAL 
Honey-Pot 
Log Detection 
POS 
Web 
Port:1234 
Incoming TCP/UDP 
From: 10.88.10.1 
To: 10.88.11.255 
Port:7676 
Incoming TCP/UDP 
From: 10.88.88.1 
To: 10.88.99.111
Layered Defense 
Security Test
For Developer 
Security User Stories 
----Core DataBase is Hacked----
For Security 
Security User Stories 
----Core DataBase is Hacked----
For SysAdmin 
Security User Stories 
----Core DataBase is Hacked----
For CxO 
Security User Stories 
----Core DataBase is Hacked----
For ……….. 
Security User Stories 
----Core DataBase is Hacked----
Communications 
POS API/DAL 
Crypto 
Honey-Pot 
Log Detection 
Crypto 
Web 
Log
Security User Stories 
----Core DataBase is Hacked---- 
• Prevent Changing the Logs 
• Prevent Access to Other DBs
Systems Game Theory
Systems Game Theory 
Anti-Fragile
Security User Stories 
----Lost DataBase Bridge---- 
• Keep WebServer Up 
• Take Services Down 
• Sync After Bridge is Up
Communications 
POS API/DAL 
Crypto 
Honey-Pot 
Log Detection 
Crypto 
Web 
Log
Security User Stories 
----Lost DataBase Bridge---- 
• Keep WebServer Up 
• Take Services Down 
• Sync After Bridge is Up
Developer Response 
System
• Security User Stories 
• Security Unit Test 
• Security Response Stories
Communications 
POS API/DAL 
Crypto 
Honey-Pot 
Log Detection 
Crypto 
Web 
Log
Security Response Stories 
----Hacker on Core Bridge---- 
• Guns 
• Fire 
• Pain
Security Response Stories 
----Hacker on Core Bridge---- 
• Activate Full Security Response 
• Revoke All Security Tokens 
• Lock Down All Choke Points
Developer Response 
System
Security User Stories 
----Lost POS Ingress---- 
• Revoke Old POS Privileges 
• Standup New POS System 
• Standup New POS Auth System
Communications 
Data API 
POS 
Auth 
Auth 
Auth
Network Diagram
If Extra Time 
Fun Attack Demo 
GrayWolf 
Demo 
Context
FIN
MORE INFORMATION @: 
www.DigitalBodyGuard.com 
JonM@DigitalBodyGuard.com 
Jon McCoy
 
What is an RPA CoE? Session 1 – CoE Vision
What is an RPA CoE?  Session 1 – CoE VisionWhat is an RPA CoE?  Session 1 – CoE Vision
What is an RPA CoE? Session 1 – CoE Vision
 
Skybuffer SAM4U tool for SAP license adoption
Skybuffer SAM4U tool for SAP license adoptionSkybuffer SAM4U tool for SAP license adoption
Skybuffer SAM4U tool for SAP license adoption
 
High performance Serverless Java on AWS- GoTo Amsterdam 2024
High performance Serverless Java on AWS- GoTo Amsterdam 2024High performance Serverless Java on AWS- GoTo Amsterdam 2024
High performance Serverless Java on AWS- GoTo Amsterdam 2024
 
AppSec PNW: Android and iOS Application Security with MobSF
AppSec PNW: Android and iOS Application Security with MobSFAppSec PNW: Android and iOS Application Security with MobSF
AppSec PNW: Android and iOS Application Security with MobSF
 
Your One-Stop Shop for Python Success: Top 10 US Python Development Providers
Your One-Stop Shop for Python Success: Top 10 US Python Development ProvidersYour One-Stop Shop for Python Success: Top 10 US Python Development Providers
Your One-Stop Shop for Python Success: Top 10 US Python Development Providers
 
5th LF Energy Power Grid Model Meet-up Slides
5th LF Energy Power Grid Model Meet-up Slides5th LF Energy Power Grid Model Meet-up Slides
5th LF Energy Power Grid Model Meet-up Slides
 
A Deep Dive into ScyllaDB's Architecture
A Deep Dive into ScyllaDB's ArchitectureA Deep Dive into ScyllaDB's Architecture
A Deep Dive into ScyllaDB's Architecture
 
"$10 thousand per minute of downtime: architecture, queues, streaming and fin...
"$10 thousand per minute of downtime: architecture, queues, streaming and fin..."$10 thousand per minute of downtime: architecture, queues, streaming and fin...
"$10 thousand per minute of downtime: architecture, queues, streaming and fin...
 
"Choosing proper type of scaling", Olena Syrota
"Choosing proper type of scaling", Olena Syrota"Choosing proper type of scaling", Olena Syrota
"Choosing proper type of scaling", Olena Syrota
 
The Microsoft 365 Migration Tutorial For Beginner.pptx
The Microsoft 365 Migration Tutorial For Beginner.pptxThe Microsoft 365 Migration Tutorial For Beginner.pptx
The Microsoft 365 Migration Tutorial For Beginner.pptx
 
[OReilly Superstream] Occupy the Space: A grassroots guide to engineering (an...
[OReilly Superstream] Occupy the Space: A grassroots guide to engineering (an...[OReilly Superstream] Occupy the Space: A grassroots guide to engineering (an...
[OReilly Superstream] Occupy the Space: A grassroots guide to engineering (an...
 
Main news related to the CCS TSI 2023 (2023/1695)
Main news related to the CCS TSI 2023 (2023/1695)Main news related to the CCS TSI 2023 (2023/1695)
Main news related to the CCS TSI 2023 (2023/1695)
 
"Scaling RAG Applications to serve millions of users", Kevin Goedecke
"Scaling RAG Applications to serve millions of users",  Kevin Goedecke"Scaling RAG Applications to serve millions of users",  Kevin Goedecke
"Scaling RAG Applications to serve millions of users", Kevin Goedecke
 
LF Energy Webinar: Carbon Data Specifications: Mechanisms to Improve Data Acc...
LF Energy Webinar: Carbon Data Specifications: Mechanisms to Improve Data Acc...LF Energy Webinar: Carbon Data Specifications: Mechanisms to Improve Data Acc...
LF Energy Webinar: Carbon Data Specifications: Mechanisms to Improve Data Acc...
 
GNSS spoofing via SDR (Criptored Talks 2024)
GNSS spoofing via SDR (Criptored Talks 2024)GNSS spoofing via SDR (Criptored Talks 2024)
GNSS spoofing via SDR (Criptored Talks 2024)
 
Choosing The Best AWS Service For Your Website + API.pptx
Choosing The Best AWS Service For Your Website + API.pptxChoosing The Best AWS Service For Your Website + API.pptx
Choosing The Best AWS Service For Your Website + API.pptx
 
Monitoring and Managing Anomaly Detection on OpenShift.pdf
Monitoring and Managing Anomaly Detection on OpenShift.pdfMonitoring and Managing Anomaly Detection on OpenShift.pdf
Monitoring and Managing Anomaly Detection on OpenShift.pdf
 

Jon McCoy - AppSec-USA-2014 Hacking C#(.NET) Applications:Defend by Design

Editor's Notes

  1. First off, as security by definition happens behind closed doors, AppSec/OWASP gives us the chance to talk openly about this, sharing in the wins and burdens of what we are going up against. To me this out-of-band communication is a large part of what makes OWASP a critical part of the security world.
  2. I am here to condense my years of work in defending corporate players. I am going to take on a very specific role of application defender, of company defender. This is what I think works for me.