Collin Berman is a pentester at Capital One Financial, focusing on web, cloud, and cryptography. After getting his start playing CTFs in high school, Collin went on to found the University of Virginia’s Computer and Network Security Club. When not on the Internet, Collin enjoys hiking, camping, climbing, and skiing.

Slippery SOP: Edge Cases in the Same Origin Policy

Why is the web full of cross-site scripting and cross-site request forgery even through browsers enforce the Same Origin Policy? Can we use the Same Origin Policy to mitigate these attacks? In this talk, we’ll answer these questions and more, including uncovering some shortcomings of the Same Origin Policy that can allow attackers to scrape sensitive information from internal websites without authorization.

Come see Collin at RVAsec! Register now!

Justin started his InfoSec career as a cryptographer at NASA, and 16 years later after exploring nearly every domain available, I’ve never been more excited to teach people how to use security to make their lives better.

Honeypot Boo Boo: Understanding Adversaries with Deception Technology

Breaches continue happening at unprecedented rates with huge financial impact to the global economy year after year and take a massive toll on the psychological well being of the security professionals tasked with constantly defending against threats from all angles.

Our traditional approach to breach detection that is focused on triaging alerts generated by massive amounts of aggregated data from disparate sources is not working. Adversaries know this fact and regularly benefit from it.

The average breach goes unnoticed for 287 days. That’s an exorbitant amount of time for anyone to surreptitiously run off with an organization’s crown jewels and inflict significant damage with ramifications that include consumer privacy violations, loss of trust, steep financial penalties, and irreversible reputational damage.

We need a new approach if we’re ever going to stop the madness.

This talk discusses this new approach to breach detection that is intended to improve alert fidelity, reduce time-to-detection, mitigate the blast radius of a breach, and prevent the massive level of burnout affecting the security community.

We will cover multiple methods for easily deploying effective breach detection technology right now regardless of the size and scope of your environment.

Come see Justin at RVAsec! Register now!

This year we will again have a single track conference! This decision was made as we continue to ensure that we have both a safe and engaging event.

We had many great submissions to the CFP and given the limited number of speaking spots it was extremely hard, but the CFP team has managed to select a great lineup for RVAsec 2022.

Without further delay, here are the speakers for the RVAsec 2022!

For the full details and times for specific talks, please see the schedule page.

Can you believe we are under 30 days away?  Please register as soon as possible so we can plan accordingly for a smooth event! Now is the time to register if you haven’t yet!  Please also help us spread the word and share with your colleagues.

Hotel Reservations @ the Richmond Omni

We were able to secure an excellent rate at our conference hotel of $145 per night, plus tax. The room block will expire on May 25, 2022. The rate is available 6/15 to 6/18. All overnight guests will be able to valet park at the reduced rate of $10 per day and receive free WiFi in their guest rooms. 

Please use this link to make your reservations as soon as possible: 

https://www.omnihotels.com/hotels/richmond/meetings/rvasec-2022-06152022

Things are looking great for the conference and we expect more details will be provided soon!

Tickets for RVAsec 2022 are now on sale!

 Registration the RVAsec 2022 security conference, located in Richmond, Virginia, is only $225 for two full days of talks, meals, snacks, drinks, reception, after party, prizes, a capture the flag contest, t-shirt & swag!

Once we sell out there will be no more tickets available.

Conference ticket prices and deadlines:

• $225 regular price until 3/31
• $300 late registration until 5/19
• $500 super late registration until 5/31

** Please note that the only the first 300 registrations will be provided an electronic badge. **

If you are unable to attend due to the price, please contact us to discuss as we have stipends available for students, and we have a volunteer opportunities that provide a great way to get in for free!

Once again there will be no tickets sold at the door, and don’t forget that RVAsec has sold out every year–so don’t wait!  Please note we are unable to provide refunds due to processing fees.  You can, however, easily transfer your ticket to another person.

Register now!

Due to several conflicts the conference will be now held June 16-17, 2022 at the Omni Richmond Hotel.

We thank you for your flexibility and we look forward to seeing you all in person later this year!

Quick reminder that the CFP is still open and tickets will go on sale shortly!

-Chris and Jake

We have finally recovered from RVAsec and wanted to bring you a quick recap!  We had over 450 attendees for this year and it was great to see everyone back in person!

What we were thrilled to bring you:

• Awesome keynote by Chris Tignor.
• Great speakers with great topics!
• Breakfast, lunch, coffee & snack breaks sponsored by Segra and World Wide Technology.
• Amazing badge from Hack.RVA.
• Capture The Flag  sponsored by SafeBreach & run by MetaCTF.
• After party with live music on Thursday sponsored by Risk Based Security and GuidePoint Security.
• Post-con reception sponsored by Corelight with beverages (and more food) on Friday.
• Awesome dinner for our speakers sponsored by Armis.
• Wifi Sponsored by AIS Network.

Thank you to everyone that took the time to provide us feedback.  We worked long and hard for several months to ensure that we are able to provide the safest conference possible and follow CDC and Virginia COVID recommendations.  We are pleased to report that while we were able to deliver that, in order to make that happen we modified the event from previous years.  We are very hopeful that we can get back to a “normal” RVAsec in 2022.

What to expect in the coming weeks:

• Videos will be posted to the RVAsec YouTube channel.
• CFP and Ticket sales will open for RVAsec 11

Thanks again to all our our speakers, sponsors and volunteers!

Next year, RVAsec will be June 16-17, 2022 at the Omni Hotel Richmond.

See you next year.

Jake and Chris

Anthony is just someone that has a passion for helping people and shares that passion through cybersecurity.

Why I Love Purple Teams, Even Though They Don’t Exist

The industry of Cybersecurity has grown over the years. As a group driven by innovation, we look to solve our own problems. We have mimicked the military by choosing to have blue and red teams but have also developed a new team, the Purple Team. If you asked a cybersecurity professional what a Purple Team is, they might respond with a simple “it’s red and blue combined.” This talk is questioning what a Purple Team is by breaking the problem down to a first principle. Once we have the first principle, we’ll open it up to see if this is really a unique situation to our industry or was it solved already.

Come see Anthony at RVAsec! Register now.

Richard Thayer has been in IT for over 35 years. From his early beginnings of working on IBM’s 8086XT system(s), to designing robust security architectures for Fortune 50 companies; Mr. Thayer has consulted for vertical markets within Finance, Energy, Manufacturing, Retail, Insurance, and DoD & Civilian Government.

Three Worlds of Application / Cloud Security

Application / Cloud security goes hand in hand in our ever-changing IT environments.  With the cloud actually “being” an application, we need to look at three areas of Application Security that encompass what goes into the cloud, the cloud itself, and how to secure its communications and workloads.

This discussion will start to the extreme “far left” in the security lifecycle, all the way to the developer’s keyboards. Then we will explore the DevSecOps security process, based on the “Defense in Depth” theory of security. Then finally we will address the workloads in the cloud, with some of the public cloud’s native functionality to protect itself, and how we can use additional toolsets to enhance them.

Companies need to identify not only the tools, but when to use them, and how to automate them.

Come see Richard at RVAsec! Register now.