Cassio Goldschmidt
On Information and Application Security

Sample Videos

Passwords, Password Management, and Two-Factor / Multi-Factor Authentication

Innovate Pasadena CyberSecurity - February 27 2017, Pasadena, California

Cassio Goldschmidt from Stroz Friedberg/AON, Art Poghosyan from Optiv, and Michael Cottingham representing the entertainment industry, join forces during this extremely informative Innovate Pasadena CyberSecurity Meetup. Hosted in the ADP Innovation Center and led by DatumSec's Michael Schell, the experts discuss access control risks, password management, and two-factor/multi-factor authentication. Some of the questions answered include:
- Why should people care that their personal email has been hacked?
- What are some of the credential theft trends you are seeing and how do they impact consumers and businesses?
- What are some best practices around password management?
- What are your thoughts on two-factor and multi-factor authentication?
- Any advice for password logging?
- How does human behavior change the way you apply and monitor controls?

Dissecting Bitcoin Security

OWASP AppSec Cali 2016 - January 26 2016, Santa Monica, California

Bitcoin introduced a new form of organization and consensus: activities that previously required a central authority can now be decentralized, which has profound implications for security. In this presentation Cassio reviews and dissects some of Bitcoin’s core components and their security controls, analyzing each control and how it could be applied in other domains.

Responsibility for the Harm and Risk of Security Flaws

Black Hat DC 2011 - January 18 2011, Washington DC

Software vulnerabilities are a vexing problem for the state of information assurance and security, and who is responsible for the risk and harm they cause is controversial. Deliberating on that responsibility requires considering how incentives (and disincentives) and network effects shape the practices of vendors and adopters, and the consequent effects on the state of software security. This presentation looks at these factors in more detail in the context of private markets and public welfare.

The dark side of software engineering and how to defend against it

February 4 2009, Purdue University

If you create an application that runs on one or more computers connected to a network such as the internet, your code will be attacked.

Consequences of compromised systems often include loss of trust, reputation and revenue. Software will always have defects and vulnerabilities, and attacks against digital assets are unquestionably on the rise. We can, however, make vulnerabilities substantially harder to find and exploit by identifying insecure coding practices and developing secure alternatives.

During this practical session, we'll examine in detail the principles behind some of the worst attack patterns seen today in the software industry. Most importantly, we'll learn effective defensive programming techniques every developer must employ when building software.

Tracking the Progress of an SDL (Security Development Lifecycle) Program - Lessons From the Gym

August 26 2009, UC Irvine

Forcing muscle growth is a long process that requires high-intensity weight training and high mental concentration. While the ultimate goal is often clear, one of the greatest mistakes bodybuilders consistently make is to overlook the importance of tracking their weight-lifting progress.

Like a successful bodybuilding workout, a security development lifecycle program must consistently log simple-to-obtain yet meaningful metrics throughout the entire process. Good metrics must be objective and clearly help decision makers determine which areas need improvement. In this pragmatic presentation we'll discuss metrics used at Symantec, the world's largest security ISV, to classify and appropriately compare security vulnerabilities found in different phases of the SDL by different teams working in different locations on different products. We'll also discuss how to easily give decision makers different views of the same data, how to verify whether the process is indeed catching critical vulnerabilities internally, and how the numbers compare with the competition.
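As an added illustration (not the presenter's or Symantec's own metrics, and not code from the original page), here is one way to keep a vulnerability log objective and comparable across teams, products and SDL phases, and to read back whether critical issues are being caught before release. The phase and severity vocabularies, the product and team names, and the sample findings are all constructed for this example.

```python
"""Added example: aggregate an SDL vulnerability log into per-phase and
per-product views and compute how many critical findings were caught
internally. Vocabularies and sample data are assumptions for the example."""
from collections import Counter, defaultdict
from typing import NamedTuple

# Ordered SDL phases assumed for this example. "external" marks a finding
# reported after release (customer, researcher, incident), i.e. one the
# process did not catch internally.
PHASES = ("design", "code_review", "static_analysis", "pentest", "external")
SEVERITIES = ("critical", "high", "medium", "low")


class Finding(NamedTuple):
    product: str
    team: str
    phase: str      # one of PHASES
    severity: str   # one of SEVERITIES


def validate(findings):
    """Reject records outside the fixed vocabularies so the counts stay
    objective: free-text phases or severities would make teams incomparable."""
    for f in findings:
        if f.phase not in PHASES:
            raise ValueError(f"unknown phase {f.phase!r}")
        if f.severity not in SEVERITIES:
            raise ValueError(f"unknown severity {f.severity!r}")
    return list(findings)


def count_by(findings, field):
    """One view of the same data: findings per product, team or phase."""
    return Counter(getattr(f, field) for f in findings)


def by_phase_and_severity(findings):
    """Another view: a phase x severity matrix as nested dicts."""
    table = {p: {s: 0 for s in SEVERITIES} for p in PHASES}
    for f in findings:
        table[f.phase][f.severity] += 1
    return table


def internal_catch_rate(findings, severity="critical"):
    """Share of findings at the given severity caught before release.
    Returns None when there are none at that severity, rather than a
    misleading 0.0 or 1.0."""
    total = [f for f in findings if f.severity == severity]
    if not total:
        return None
    internal = [f for f in total if f.phase != "external"]
    return len(internal) / len(total)


def compare_products(findings, severity="critical"):
    """Per-product internal catch rate, so products can be compared directly."""
    by_product = defaultdict(list)
    for f in findings:
        by_product[f.product].append(f)
    return {p: internal_catch_rate(fs, severity)
            for p, fs in sorted(by_product.items())}


# Constructed sample log (hypothetical products, teams and findings).
SAMPLE_LOG = validate([
    Finding("Alpha", "Boston", "design", "high"),
    Finding("Alpha", "Boston", "code_review", "critical"),
    Finding("Alpha", "Boston", "static_analysis", "medium"),
    Finding("Alpha", "Pune", "static_analysis", "low"),
    Finding("Alpha", "Pune", "pentest", "critical"),
    Finding("Alpha", "Pune", "external", "critical"),
    Finding("Beta", "Dublin", "code_review", "high"),
    Finding("Beta", "Dublin", "pentest", "critical"),
    Finding("Beta", "Dublin", "external", "critical"),
    Finding("Beta", "Dublin", "external", "critical"),
    Finding("Beta", "Boston", "external", "medium"),
])

if __name__ == "__main__":
    print("findings per phase:", dict(count_by(SAMPLE_LOG, "phase")))
    print("phase x severity:", by_phase_and_severity(SAMPLE_LOG))
    print("critical caught internally:", internal_catch_rate(SAMPLE_LOG))
    print("per product:", compare_products(SAMPLE_LOG))
```

The same log feeds every view, so a product manager's per-product rate and an engineering lead's per-phase matrix cannot disagree; the `validate` step is what keeps the comparison honest across teams that would otherwise classify findings differently.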