Joshua Pennell

Founder and President, IOActive

Talk Title

Silicon: Security's New Layer


Mission accomplished – your firm is receiving top marks for its forward-thinking software security program, with SDL adoption from Hong Kong to Mountain View, code review teams, fuzzing teams, developer training, stack protection, WAFs, and IPs. You have it all: no line of code left unscrutinized; no input left to chance; attack surface reduced by 78% and counting.

But before you retire to the pub, there’s just one more question to ask: what happens to all of that beautiful security work if your symmetric key is extracted? Do you know?

Building an internal software security program without understanding the effects of potential weaknesses in your hardware does not demonstrate a real understanding of the risk in your security architecture. To build a proper secure architecture, you must align the security of both hardware and software. Unfortunately, many organizations inadvertently hang their brands and reputation on the hyperbole emanating from chip and hardware manufacturers, some of whom go so far as to claim security through trademarked proprietary methods.

But is your hardware really secure? What has history taught us about claims we can't test? Do hardware manufacturers really have a tried and true methodology for creating and maintaining secure architectures? What about their supply chains? Are all HSMs created equal? How technical are those FIPS-140 certifications anyway?

The industry has methodologies for reviewing software, but no current methodologies for the same level of review of hardware components. Hardware introduces a whole new class of challenges: from the physical to the logical, entire classes of tools and techniques must be built.

In this talk, we will explore where the silicon/hardware and software worlds collide, and what a next-generation holistic technical security program may look like, in order to secure your technology stack from top to bottom.

Speaker Bio

Joshua J. Pennell is the founder of IOActive with 0x13 years of experience in the field, and spends most of his time emptying office waste bins, watering plants, and avoiding buses whilst cycling the streets of London to the office.

As IOActive’s Founder and President, Joshua Pennell has a proven, 16-year track record of creating and growing a multimillion-dollar, independent security services organization. Under Josh’s leadership, IOActive has emerged as one of the world’s leading technical security consultancies based on cutting-edge research and meritocratic governance.

Josh serves on the advisory boards of Source, Vantos, and SiteScout, and is the Chairman of IOActive’s advisory board, which includes luminaries such as Steve Wozniak, Jim Reavis, and Ian Cook. He played an integral role in helping his team win Defcon’s Capture the Flag competition for three consecutive years. He also spent several years revolutionizing the competition’s technology before handing the game over to Kenshoto.

Copyright © 2019-20 | Nullcon India | International Security Conference | All Rights Reserved