Bishop Fox named “Leader” in 2024 GigaOm Radar for Attack Surface Management. Read the Report ›

Rob Ragan and Oscar Salazar Present at ACoD 2020

Past Event
Trinity Hall 311 E 5th St, Austin, Texas 78701

Bishop Fox's Principal Researcher Rob Rogan and Principal Security Associate Oscar Salazar recently presented at Art Into Science. See details on their talk below.

Expose Yourself: Without Insecurity
Download the presentation

How do you find out what's on the internet in your cloud environments?

Smog Cloud

Find cloud assets that no one wants exposed
AWS Patterns

These are the patterns of exposure URIs that you may find in your AWS accounts:

s3 https://{user_provided}
cloudfront https://{random_id}
ec2 ec2-{ip-seperated}
es https://{user_provided}-{random_id}.{region}
elb http://{user_provided}-{random_id}.{region}
rds mysql://{user_provided}.{random_id}.{region}
route 53
cloudsearch https://doc-{user_provided}-{random_id}.{region}
iot mqtt://{random_id}.iot.{region}
mq https://b-{random_id}-{1,2}.mq.{region}
kafka b-{1,2,3,4}.{user_provided}.{random_id}.c{1,2}.kafka.{region}

ACodD Presentation Abstract:

Right now, at the click of a button, can you answer the question “What in my cloud environments is internet-facing?”

For most security teams the answer to this question would be a sigh and then “No.” We know that complexity is the enemy of security. We also know a comprehensive asset inventory is step one to any security program. How can we practically make the dynamic changes occurring in every cloud account easier to monitor for unnecessary exposures?

In this presentation we will look at the most pragmatic ways to continuously monitor your cloud environments and operationalize that information to identify vulnerabilities. From AWS Provable Security Model and Access Analyzer, to customized automation, and review the state of the art with major cloud providers.



  • Hat tip to anyone whose code was used
  • Inspiration
  • etc.

Rob Ragan

About the speaker, Rob Ragan

Principal Researcher

Rob Ragan is a Principal Researcher at Bishop Fox. Rob focuses on pragmatic solutions for clients and technology. He oversees strategy for continuous security automation. Rob has presented at Black Hat, DEF CON, and RSA. He is also a contributing author to Hacking Exposed Web Applications 3rd Edition. His writing has appeared in Dark Reading and he has been quoted in publications such as Wired.

Rob has more than a decade of security experience and once worked as a Software Engineer at Hewlett-Packard's Application Security Center. Rob was also with SPI Dynamics where he was a software engineer on the dynamic analysis engine for WebInspect and the static analysis engine for DevInspect.

More by Rob

Oscar salazar

About the speaker, Oscar Salazar

Principal Product Researcher

Oscar Salazar is a Principal Product Researcher at Bishop Fox. In this role, he has experience with red teaming, application penetration testing, source code review, network penetration testing, secure software design, and product security reviews. He focuses on research and development of the Continuous Attack Surface Testing (CAST) platform. Oscar has presented at many of the leading security conferences including Black Hat USA, DEF CON, RSA, BSides, Hacker Halted, SyScan 360, and SAS. His research, particularly surrounding anti-anti-automation, has appeared in Wired, eWeek, Fox News, Threatpost, and Gigaom.

Additionally, he has been a featured speaker on the Dark Reading Radio series. Prior to joining Bishop Fox, Oscar served as a web security research engineer at Hewlett Packard's Application Security Center where he designed and developed security checks for the WebInspect web application security scanner. In addition, his research involved developing more effective methods of scanning web applications.

More by Oscar

Ready to get started? We can help.

Contact Us

This site uses cookies to provide you with a great user experience. By continuing to use our website, you consent to the use of cookies. To find out more about the cookies we use, please see our Privacy Policy.