Kris serves as the Chief Technology Officer and penetration testing lead for Critical Fault. After 10 years as a network administrator, Kris freelanced as a web developer for 2 years. Obsessing over the vulnerabilities within Kris’ own codebase, Kris began giving talks detailing the security issues and methods for stopping malicious attacks at the code level.

Since then, Kris has served as a penetration testing manager and as the co-founder for a penetration testing firm, regularly speaking at events on application security and digital forensics.

Digital Forensics: Reconstructing an Attack in Modern Web Apps

Application security struggles to keep up with modern development. Attacks against applications will only continue to grow. Web3? DevOps? Pipeline? Supply chain? With so many buzz words amidst a myriad of undiscovered vulnerabilities, where does your incident response team start after an incident?

Come see Kris at RVAsec! Register now!

Nick Popovich’s passion is learning and exploring technology ecosystems, and trying to find ways to utilize systems in unexpected ways. He works as a Red Team operator, trying to raise the overall security posture of organizations through adversarial simulation. Nick’s mission is the help individuals and organizations involved with defensive security operations to have an opportunity to observe the mechanics and methods of the attackers they’re defending against, and to assist in realistically testing those defenses. He’s a lifelong learner and loves finding new ways to get under the hood of systems and networks. He is a father of three and a husband to one.

Warning: This Message Originated from Outside of Your Organization

This talk is meant to highlight how end users have become desensitized to the ominous warning banners atop external emails, and can fall victim to phishing emails that abuse the trust in large, well-known organizations. The talk will run through examples of how threat actors can anonymously utilize built-in functionality to send phishing emails that originate from trusted, big-name, companies. These malicious emails genuinely originate from the large service provider’s email servers, and pass SPF, DMARC and DKIM security checks. The end-goal of this discussion that the risk is given more attention, and user awareness campaigns, technical email monitoring controls, and corporate communication strategies can take these risks into account.

Come see Nick at RVAsec! Register now!

Now that we are all able to get physical again, it’s time to get back to picking some locks! A variety of example locks, from simple to extremely hard, along with a picks of all shapes and sizes will be available in our lock pick village.

Stop by and have some fun testing your skills!  Provided hand sanitizer will be required to help reduce the modern risks while we explore the oldest security mechanism on earth!

If you fancy yourself a strong picker or have a competitive streak, we are planning to have a time contest of a series of locks, with the fastest through them all taking home something epic.

We are thrilled to bring this back to RVAsec!

Register now!

Alex started Hive Systems in 2018 with his passion for cybersecurity and the role it plays in today’s interconnected world. He brings executive-level expertise in the establishment and continuous improvement of preeminent cybersecurity programs and applies his work from various cybersecurity disciplines in a holistic approach that prioritizes organization’s operations. Alex has provided cybersecurity consulting for over a decade to the public sector for federal, state, and local agencies, and in the private sector for a wide variety of industry segments.

His work has reduced the cybersecurity risk for Fortune 500 tech, financial, healthcare, consumer goods, and energy companies; in addition to the US Department of Justice, Peace Corps, US Federal Aviation Administration, and US House of Representatives. Alex is also an active contributor to the development of the cybersecurity curriculum for grade school students in the Commonwealth of Virginia.

Talk the Talk: Communicating Business Risk During Cyber Incidents

It’s one thing to investigate and remediate a cyber incident with your team. It’s an entirely different beast to manage your organization’s leadership at the same time. Communicating about how an attack can disrupt business as usual is a critical piece of managing the incident response lifecycle. In this talk we’ll look at:

– Methods for effectively communicating about the types of cyber attacks;
– Shine a light on how business priorities may compete with incident response (including legal implications, crisis communications, and reputational risk); and
-Outline strategies to help you receive additional resources following a cyber incident.

Including your organization’s leaders will help, not hinder, your response in the long run. Add these tricks to your tool belt to conquer your next incident response.

Come see Alex at RVAsec! Register now!

Husband, Dad, Missionary, BJJ, Surfing, Hydrofoiling, Traveler, Hacker of all things. David is just a weirdo trying to fix interesting problems and raise up everyone around me through servant leadership.

Bootstrapping Your First AppSec Program

Application / product security is a massive challenge. From the technical to the social it can seem overwhelming. I want to help you get started in a seemingly overwhelming problem. It’s not, just like eating an elephant we will start one bite at a time. No budget….No problem.

Come see David at RVAsec! Register now!

Collin Berman is a pentester at Capital One Financial, focusing on web, cloud, and cryptography. After getting his start playing CTFs in high school, Collin went on to found the University of Virginia’s Computer and Network Security Club. When not on the Internet, Collin enjoys hiking, camping, climbing, and skiing.

Slippery SOP: Edge Cases in the Same Origin Policy

Why is the web full of cross-site scripting and cross-site request forgery even through browsers enforce the Same Origin Policy? Can we use the Same Origin Policy to mitigate these attacks? In this talk, we’ll answer these questions and more, including uncovering some shortcomings of the Same Origin Policy that can allow attackers to scrape sensitive information from internal websites without authorization.

Come see Collin at RVAsec! Register now!

Justin started his InfoSec career as a cryptographer at NASA, and 16 years later after exploring nearly every domain available, I’ve never been more excited to teach people how to use security to make their lives better.

Honeypot Boo Boo: Understanding Adversaries with Deception Technology

Breaches continue happening at unprecedented rates with huge financial impact to the global economy year after year and take a massive toll on the psychological well being of the security professionals tasked with constantly defending against threats from all angles.

Our traditional approach to breach detection that is focused on triaging alerts generated by massive amounts of aggregated data from disparate sources is not working. Adversaries know this fact and regularly benefit from it.

The average breach goes unnoticed for 287 days. That’s an exorbitant amount of time for anyone to surreptitiously run off with an organization’s crown jewels and inflict significant damage with ramifications that include consumer privacy violations, loss of trust, steep financial penalties, and irreversible reputational damage.

We need a new approach if we’re ever going to stop the madness.

This talk discusses this new approach to breach detection that is intended to improve alert fidelity, reduce time-to-detection, mitigate the blast radius of a breach, and prevent the massive level of burnout affecting the security community.

We will cover multiple methods for easily deploying effective breach detection technology right now regardless of the size and scope of your environment.

Come see Justin at RVAsec! Register now!