Fracturing Flex For Fun- An Alliterative Attackers Approach

The presentation
As Flash has evolved over the last several years, the programming paradigm has shifted from timeline-based movies to Flex applications written in ActionScript. During this progression, new and unique security risks have been uncovered which can be exploited to attack this new technology. This talk provides an attacker's approach to exploiting Flex technology, breaking developers' assumptions, subverting applications, and then building them back up from the beginning in a defensive and secure manner. This talk is designed for anyone who builds, tests, or deploys Flex applications and will provide the tools, techniques, and guidance for breaking and securing this technology. This talk will include real-world examples and demonstrations of common attacks performed against Flex applications seen through the eyes of a pentester.

The speakers
Jon Rose is a security consultant for Trustwave - SpiderLabs. Jon has close to a decade of experience performing network and application security assessments, including network penetration testing, blackbox application testing, and code reviews across a wide range of programming languages and technologies. Jon has also led IT policy, standards, and guideline projects, as well as providing IT security remediation support for commercial and government clients. His security expertise also includes building enterprise security programs, providing guidance in an enterprise security architect role, and building security into organizations' existing software development lifecycle. Jon has created and delivered security-training courses covering topics such as security awareness, defensive programming (Java and .NET), secure architecture and design, penetration testing, and code analysis.

Kevin Stadmeyer is a security consultant for Trustwave - SpiderLabs. Kevin Stadmeyer is a senior security consultant at Trustwave with the Application Security Group. His primary expertise is in web application security, but he possesses extensive experience in network, thick/thin client, and physical security. He has spoken at OWASP and BlackHat conferences and has a variety of interests including application, network, and physical security.