Traps of Gold presented at Defcon19 2011

by Michael Brooks and Andrew Wilson

Summary: The only thing worse than no security is a false sense of security. And though we know "you can't win by defense alone", our modern approaches tend to act as though offense and defense are two entirely separate things. Treating security as an issue of quality has gotten us far; however, nearly every day, some of the largest companies are still being compromised. It has become apparent that, given enough time, a skillful attacker will always get in. We have created new armaments to fight back. This style of fighting, known as maneuverability, aims to make your opponents expend their own resources while putting yourself in a position of strategic advantage. Using techniques that leverage deception, ambiguity, and tempo, we believe we can do better at protecting web applications. If time is an attacker's most important resource, let's steal it away from them. But talk is cheap. Not only will we demonstrate real-world examples of this system, we encourage you to prove us wrong. An unofficial web application capture-the-flag competition, based on deceptive defense techniques, will be made available for testing throughout the conference.