Loading…
THE MUST ATTEND EVENT FOR CYBERSECURITY PROFESSIONALS
Thursday September 26, 2024 2:15pm - 3:00pm PDT
You're a security analyst triaging a list of exposed credentials - how do you prioritize which key to rotate first? How do you even know what resources the key can access? Most SaaS providers make it difficult to enumerate the access granted to a particular credential without logging into their UI.


In this talk, we're releasing a new method (self-discovery) for enumerating the permissions and resources associated with API keys and other secrets, without requiring access to the provider's UI. We'll walk through the meticulous steps required to accurately assess different SaaS providers' permission and scopes, as well as share the logic behind how to validate key permissions, including string analysis, HTTP request brute forcing and more.


Finally, we'll demo a new open-source tool that automates the enumeration of API key permissions and accessible resources, without requiring access to the provider's UI.

Speakers
JL

Joseph Leon

Security Researcher, Truffle Security
Joe Leon is a security researcher at Truffle Security where he works to identify new sources of leaked secrets and contributes to the open-source security community. Previously, Joe led application security assessments for an offensive security consulting firm. Joe has taught technical... Read More →
avatar for Dylan Ayrey

Dylan Ayrey

CEO, TruffleHog
Dylan is the original author of the open source version of TruffleHog, which he built after recognizing just how commonly credentials and other secrets were exposed in Git. Coming most recently from the Netflix security team, Dylan has spoken at a number of popular information security... Read More →
Thursday September 26, 2024 2:15pm - 3:00pm PDT
Room: Seacliff CD
Feedback form is now closed.

Sign up or log in to save this to your schedule, view media, leave feedback and see who's attending!

Share Modal

Share this link via

Or copy link