Craig Barretto
Principal & Co-Founder, Proack Security Inc.
Craig is a Principal and Co-Founder of Proack Security Inc. He is an experienced security consultant & researcher who specializes in infrastructure and application penetration testing and threat and vulnerability management. He has extensive experience with mobile testing, specifically API and Android testing. In his spare time, he enjoys finding vulnerabilities in everyday household apps.
Certifications:
- Offensive Security Certified Professional (OSCP)
- Certified Information Systems Security Professional (CISSP)
- GIAC Web Application Penetration Tester (GWAPT)
- Certified Ethical Hacker (CEH)
@3lus1v3
What country are you from? – Canada
Talks
In 2022, most of us have bought goods and services online or through mobile apps, whether for convenience, for safety (e.g., during the pandemic) or simply out of personal preference. As mobile payments and integrations with third-party payment processors become more and more prevalent, common AppSec mistakes from the past reappear in new forms. Merchants who overlook security best practices and fail to secure their systems can become victims of fraud.
In this talk, we will cover examples of payment APIs and mobile in-app purchases (e.g., with Apple Pay or the Google Play Store) that fail to perform sufficient validation, in ways that may have a devastating financial and reputational impact on merchants. We aim to raise awareness of these often-overlooked issues and, using real-world examples, provide recommendations for avoiding these vulnerabilities.
As a security researcher, it is a herculean task not to wonder about, and poke at, many of the apps we interact with on a daily basis. Platforms in industries such as banking, education, social media, security, document management, IoT, and healthcare are riddled with security vulnerabilities that go undetected for months or even years. While malicious actors have the luxury of exploiting these vulnerabilities under the guise of anonymity, white hats and cybersecurity researchers are often met with resistance, or are flat-out ignored, when trying to responsibly disclose vulnerabilities.
In this talk, I will discuss the pains of responsible disclosure and bug bounty programs and how companies should rethink the way they handle vulnerabilities disclosed by researchers. The aim is to raise awareness of often overlooked and misunderstood issues and to provide solutions that encourage healthy responsible disclosure interactions.