Marco Lancini

Author of "The CloudSec Engineer", a book on how to enter, establish yourself, and thrive in the Cloud Security industry as an individual contributor.

Mentor in the Lead the Future program, a non‑profit that helps young Italian talents to pursue a career in the STEM field.

A framework to establish a cloud security program aimed at protecting a cloud native, service provider agnostic, container-based, offering, aligned with NIST and the Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM).

I curate CloudSecDocs.com, a website collecting and sharing my technical notes and knowledge on cloud-native technologies, security, technical leadership, and engineering culture.

I curate CloudSecList, a newsletter that keeps thousands of security professionals informed about current happenings and news related to the security of cloud-native technologies.

I am a maintainer of Cartography, a Python tool that consolidates infrastructure assets and the relationships between them in a graph view powered by a Neo4j database. As part of my involvement, I'm actively contributing new features as well as helping defining the long term roadmap for Cartography.

k8s-lab-plz is a modular Kubernetes lab which provides an easy and streamlined way to deploy a test cluster with support for different components.

I have been part of the CNCF committee tasked with creating the Certified Kubernetes Security Specialist (CKS) Certification.

Needle (https://github.com/FSecureLABS/needle) is the MWR's iOS Security Testing Framework, released at Black Hat USA in August 2016. It is an open source modular framework which aims to streamline the entire process of conducting security assessments of iOS applications, and acts as a central point from which to do so. Needle is intended to be useful not only for security professionals, but also for developers looking to secure their code. A few examples of testing areas covered by Needle… Show more

Needle (https://github.com/FSecureLABS/needle) is the MWR's iOS Security Testing Framework, released at Black Hat USA in August 2016. It is an open source modular framework which aims to streamline the entire process of conducting security assessments of iOS applications, and acts as a central point from which to do so. Needle is intended to be useful not only for security professionals, but also for developers looking to secure their code. A few examples of testing areas covered by Needle include: data storage, inter-process communication, network communications, static code analysis, hooking and binary protections.​

The release of version 1.0.0 provided a major overhaul of its core and the introduction of a new native agent, written entirely in Objective-C. The new NeedleAgent (https://github.com/FSecureLABS/needle-agent) is an open source iOS app complementary to Needle, that allows to programmatically perform tasks natively on the device, eliminating the need for third party tools. 

Needle has been presented at and used by workshops in various international conferences like Black Hat USA/EU, OWASP AppSec and DEEPSEC. It was also included by ToolsWatch in the shortlist for the Top Security Tools of 2016 (http://www.toolswatch.org/2017/02/2016-top-security-tools-as-voted-by-toolswatch-org-readers/), and it is featured in the OWASP Mobile Testing Guide (https://github.com/OWASP/owasp-mstg). On the week of its release, it reached #3 on Netsec, the first page of Hacker News, and it was trending on Github.
Show less

The Offensive iOS Exploitation workshop is an exercise-driven training course that uses detailed tutorials to guide the attendees through all the steps necessary to exploit a real iOS application, and in the process, provide them an understanding of the modern attacker's mind-set and capabilities. The course cover iOS hacking, from the basics of vulnerability hunting on the platform to advanced exploitation techniques. In addition, this workshop use MWR's newly released "Needle" to identify and… Show more

The Offensive iOS Exploitation workshop is an exercise-driven training course that uses detailed tutorials to guide the attendees through all the steps necessary to exploit a real iOS application, and in the process, provide them an understanding of the modern attacker's mind-set and capabilities. The course cover iOS hacking, from the basics of vulnerability hunting on the platform to advanced exploitation techniques. In addition, this workshop use MWR's newly released "Needle" to identify and exploit all the common mobile application security flaws, over and above the OWASP Mobile Top Ten.

At its conclusion, it will have imparted the information necessary to develop secure and robust applications. Other take-aways will include how to develop secure mobile applications that can withstand advanced attacks, how hackers attack mobile applications and iOS devices, and the most up to date and effective secure coding practices. Show less

AndroRAT++ is a proof-of-concept mobile malware, embedded in a legitimate application, that enhances the features of a well-know RAT application (AndroRAT).

We pointed out the security weaknesses of using Social Authentication (SA) as part of a two-factor authentication scheme, focusing on Facebook's deployment. We have empirically calculated the probability of an attacker obtaining the information necessary to solve SA tests when relying on publicly accessible data as well as following a more active approach to gather restricted information.
We have designed an automated attack able to break the SA, to demonstrate the feasibility of carrying… Show more

We pointed out the security weaknesses of using Social Authentication (SA) as part of a two-factor authentication scheme, focusing on Facebook's deployment. We have empirically calculated the probability of an attacker obtaining the information necessary to solve SA tests when relying on publicly accessible data as well as following a more active approach to gather restricted information.
We have designed an automated attack able to break the SA, to demonstrate the feasibility of carrying out large-scale attacks against social authentication with minimal effort on behalf of an attacker.
We then revisited the SA concept and proposed reSA, a two-factor authentication scheme that can be easily solved by humans but is robust against face-recognition software. Show less

FacePrivacy is an application that wants to demonstrate the possibility of identify a person from a photograph. Leveraging the broad base of photographs on Facebook, it was shown that, appropriately using a face recognition algorithm, it’s possible to violate the privacy of a stranger.