Bsides Melbourne 2019

Excited to be giving my talk at the upcoming Security BSides Melbourne this year. The topic is helping teams build better threat models, and the talk is entitled “What are we worried about?”.

I have been running lots of workshops with product and engineering teams. Context is king: sharing incident and breach analysis from the Verizon DBIR and other sources with these teams helps them better understand the kinds of threats and incidents that actually happen in their industry.

I have also been experimenting with ways I can help teams explore different threat actors / security personas. I have found a way that makes understanding attacker motivations, resources and likely behaviour much more accessible and easy to relate to.

I wrote about it a little here, but I look forward to running through it at the conference, where I can expand on it in more detail and answer questions.

Altogether, when teams are equipped with data on breaches in their industry and have a solid understanding of the threat actors, it becomes much easier for them to build realistic threat models.

The conference looks great and I am really looking forward to catching up with people and seeing lots of the other talks.

Hope to see you there!

My purplecon talk released

Just a quick post to let you all know the video is up from my talk ‘Caring for our pen tester friends’ that I gave at purplecon in 2018.

The supporting material I wrote for their great archive is also on my blog here.

Hope you enjoy it, and as usual, if you want to talk about the content with me you can shoot me an e-mail from the contact page or hit me up on Twitter @SparkleOps.

Security BSides Perth

Super proud to announce I’m heading to Perth later this year to talk at the Security BSides Perth conference about getting closer collaboration between defenders, engineers and external security testers. The talk is entitled “Caring for our pen tester friends”.


Quality assurance teams are becoming more context driven and collaborative. QA testers are now needed from design through to supporting their applications in production.

Yet we still ask external security testers to test our applications, engaging them at the end just before we ship to production. Often armed with very little handover, we ask them “Did we build it securely?”.

I see a big gap between external security testers and development teams, and it’s making life hard for both teams. I also see the damage it does to good security testing. It’s time to bring these two teams closer together and start taking better care of our pen tester friends.

This talk covers advice for both engineering teams and their external penetration testers on collaborating more, ensuring the right context is exchanged and the teams work together for better security testing outcomes.

Looking forward to it and all the other talks released so far. It’s going to be an outstanding weekend. The full lineup is posted here.

If you’re coming along, do come say hi :)



If you’re interested in physical security, red teaming, lock picking and being with some friendly and inspiring hackers and infosec people, then OzSecCon is for you. Everything about this conference was well run and I had an immensely enjoyable time. A huge thank you to the conference organizers; I’ll be making the trip every year it’s on <3.

It was mentioned in the opening notes that the OzSecCon conference was pleased to be attracting and including the more "digital" security folks and bringing the red team and physical security worlds together. It got me thinking a bit that, besides the odd talk and a lock pick table at some of the security conferences I have been to, there isn’t much bringing these two groups together. Well, mission accomplished! From hanging out at the breaks and after parties, it definitely attracted a wide range of people from all professions and interests :)

The conference was run at the Melbourne Polytechnic West Heidelberg campus and gave attendees access to some exceptional spaces, including workshop facilities and tools which would normally be well out of reach for the average hobbyist lock picker, all with the right supervision and people to help you use the facilities safely and learn if you were new.

Conference talks-wise, I was super amped to see @HydeNS33k from Walmart keynote, and Aura’s Logan Woods and David Tredger’s talks on red teaming. It’s super valuable for someone on a blue team to hear these war stories and get a better insight into the mindset and tactics employed by a red team during an audit.

Having this perspective especially helps me think about how I talk to other people when we are doing security awareness messaging / training, being armed with some real world examples of things to be looking for.

@attacus_au gave an excellent talk about facial recognition technology and some of the initiatives people are working on to defeat it. Beyond camouflage (I was happy to hear the Vaporwave aesthetic is great for this) and other techniques, this included a call to action to speak out against using this technology in ways that overreach and hurt our right to privacy.

I had gone to OzSecCon to get some learns as a ‘newbie’ lock picker but never once picked up an actual lock. That’s because, aside from the talks, I ended up spending a significant amount of my time at the Google tamper evident seal challenge.

I’ve not done many CTFs like this before and was instantly hooked. There was an exceptional vibe of people working on different ways to beat tamper seals, steal items from mail bags or move seals from one place to another undetected. It was so much fun!

I was pretty happy to have placed 10th out of 70 contestants in the tamper seal CTF, and I was in awe of some of the people further up the ladder (including a few fellow Kiwis; congrats on 5th @Phage_NZ).

There is a fantastic write-up and walkthrough by conference speakers Mos and Boo that you should check out if you were playing too.

A huge thank you to Google and the hosts who were on their feet all weekend making this a great competition and event. Kudos goes out to: Ben Low, Grace Nolan, Evengy Shatokhin, Tom Hennen, and David Wearing; you made my conference!

Well done OzSecCon. It was fun, safe, I learned stacks and had an absolute ball. Also a shout out to the team who put a huge effort into the electronic badge; as an ex-hardware guy I know this was huge ... it’s my first electronic hacker con badge, so it’s hanging somewhere special at work. See you next year.

Much love @SparkleOps