The Open Web Application Security Project (OWASP) Los Angeles Chapter has teamed up with the Orange County, Inland Empire, San Diego, and San Francisco Bay Area chapters to bring you another great AppSec California. Join us and your peers for amazing talks and networking on January 22-25, 2019!


Tuesday, January 22
 

8:00am

Registration and Breakfast
Tuesday January 22, 2019 8:00am - 9:00am
Annenberg Community Beach House 415 Pacific Coast Hwy, Santa Monica, CA 90402, USA

9:00am

Attacking and Defending Containerized Apps and Serverless Tech [Day 1 of 2]
Course Abstract

With organizations rapidly moving towards micro-service style architectures for their applications, container and serverless technology are taking over at a rapid rate. Leading container technologies like Docker have risen in popularity and been widely adopted because they help package and deploy consistent-state applications. Serverless and orchestration technologies like Kubernetes help scale such deployments massively, which can increase the overall attack surface to a similar extent if security is not given the attention it requires.
Security remains a key challenge that both organizations and security practitioners face with containerized and serverless deployments. While container-orchestrated deployments may be vulnerable to the security threats that plague any typical application deployment, they also face specific threats related to the containerization daemon, the shared kernel, shared resources, secret management, insecure configurations, role management issues and many more. Serverless deployments, on the other hand, face risks such as insecure serverless deployment configurations, inadequate function monitoring and logging, broken authentication, function event data injection and insecure application secrets storage. Attacking an infrastructure or applications leveraging containers and serverless technology requires a specific skill set and a deep understanding of the underlying architecture.

Training Syllabus

Day 1:

Evolution to Container Technology and Container Tech Deep-Dive

* Introduction to Container Technology
* Namespace
* Cgroups
* Mount
* Hands-on Lab: Setting up a Minimal Container

Introduction to Containerized Deployments: Understanding and getting comfortable using Docker

* An Introduction to containers
* LXC and Linux Containers
* Introducing Docker Images and Containers
* Deep-dive into Docker
* Docker Commands and Cheatsheet
* Hands-on:
  * Docker commands
  * Dockerfile
  * Images
* Docker Compose
  * Introduction to docker-compose
  * Hands-on:
    * Docker-compose commands
* Application Deployment Using Docker
  * Hands-on:
    * Containerize the application
    * Deploying a containerized application
    * Deploy a containerized application using docker-compose

Threat Landscape: An Introduction to possible threats and attack surface when using Containers for Deployments

* Threat Model for Containerized Deployments
  * Daemon-related Threats
  * Network-related Threats
  * OS and Kernel Threats
  * Threats with Application Libraries
  * Threats from Containerized Applications
* Traditional Threat Modelling for Containers with STRIDE
  * Spoofing
  * Tampering
  * Repudiation
  * Information Disclosure
  * Denial of Service
  * Elevation of Privilege

Attacking and Securing Containers

* Attacking Containers and Containerized Deployments
  * Hands-on:
    * Container Breakout
    * Exploiting Insecure Configurations
    * OS and Kernel level exploits
    * Trojanized Docker image
* Container Security Deep-Dive
  * Hands-on:
    * AppArmor/SecComp
    * Restricting Capabilities
    * Analysing Docker images
* Container Security Mitigations
  * Hands-on: Container Vulnerability Assessment
    * Clair
    * Dagda
    * Anchore
    * Docker-bench

Introduction to Kubernetes

* Understanding Kubernetes Components and Architecture
* Hands-on:
  * Exploring a Kubernetes Cluster
  * Deploying an application to Kubernetes

Day 2:

Attacking Kubernetes Cluster

* Kubernetes Threat Model
* Hands-on:
  * Attacking an application deployed on Kubernetes
  * Exploiting a Vulnerable Kubernetes cluster

Kubernetes Security Deep-Dive

* Kubernetes Security Mind-Map
* Hands-on: Ideal Security Journey: Kubernetes
  * Pod Security
  * Access Control
  * Secret Management
* Hands-on: Kubernetes Vulnerability Assessment
  * Kube-sec
  * Kube-hunter
  * Kube-bench
* Hands-on: Logging and Monitoring
  * Resource utilization
  * Malicious behavioral activity monitor

Serverless Introduction

* Understanding Serverless and FAAS (Function-As-A-Service)
* Introduction to AWS Lambda and other Serverless options
* Hands-on: Deploying a Serverless application

Attacking Serverless applications

* OWASP Top 10 for Serverless Applications
* Hands-on: Attacking Serverless applications
  * Injection-based attacks
  * Broken authentication attack
  * Deserialization attacks
* Securing Serverless applications
  * Identity and Access Management
  * Secret management
  * Logging and Monitoring Functions
* Hands-on: Serverless Vulnerability Assessment
  * Static Code Analysis [SCA]
  * Static Application Security Testing [SAST]
  * Dynamic Analysis Security Testing [DAST]

Upon completion of this training, attendees will know:

* Attacking and securing applications that leverage container and serverless technology requires a specific skill set and a deep understanding of the underlying architecture; attendees will gain that understanding.
* This course is aimed at developers, DevOps engineers, penetration testers and security practitioners who plan to use container or serverless technology as part of their product deployments and want a good understanding of how to secure their services and deployments.
* Training will be extremely hands-on, with exercises modelled on real-world threat scenarios that attendees will work through themselves. This will help them understand what it takes to attack and secure containerized and serverless applications.
* On completion, attendees will also understand ways to attack, and to securely deploy on, container orchestration technology like Kubernetes and on serverless platforms.

Attendees should bring:

Minimum Laptop Requirements:

* Intel i5 or above preferred, 64-bit operating system (32-bit will NOT work), 8GB+ RAM preferred. Netbooks WON’T work.
* Minimum 80GB of HDD space available
* Working WiFi adapter with ability to connect to third party wireless networks
* User must be able to use the USB port of the laptop to copy, install and run the Virtual Machine, which will be delivered in a USB Mass Storage Device (Flash Drive).
* Soft copy of the Slides and the VMs will be given to participants on a USB Flash Drive that will be formatted with the NTFS format.
* Please download and install the latest installation of Oracle VM VirtualBox
* We have observed that Windows laptops often come with virtualization options disabled in the BIOS. In such cases, the Virtual Machine and the workshop exercises won’t work. Please ensure that the following measures are taken to make your laptop available for virtualization:
  * You must have access to your BIOS menu. This can be accessed by pressing F12 (not on all laptops; some may have a different key to access the BIOS menu). In some cases, there may be a password to access the BIOS menu.
  * Guide to enable virtualization: https://www.google.com/amp/s/www.howtogeek.com/213795/how-to-enable-intel-vt-x-in-your-computers-bios-or-uefi-firmware/amp/
* A valid AWS account with paid/free-tier access to Lambda with permission to deploy and run lambda applications will be necessary.

Pre-requisites for attendees:

1. Students should have a basic understanding of Linux environment and know their way around the terminal.
2. A basic understanding of ‘OWASP TOP-10 Vulnerabilities’ and ‘Basics of Docker’ will be helpful.

Speakers

Abhay Bhargav

CTO, we45
Abhay Bhargav is the Founder of we45, a focused Application Security Company. Abhay is a builder and breaker of applications. He is the Chief Architect of “Orchestron”, a leading Application Vulnerability Correlation and Orchestration Framework. He has created some pioneering works...

Nithin Jois

Solutions Engineer who specialises in DevSecOps, We45
Nithin Jois is a Solutions Engineer at we45, a focused Application Security company. He has helped build ‘Orchestron’, a leading Application Vulnerability Correlation and Orchestration Framework. He is experienced in orchestrating containerized deployments securely to production...


Tuesday January 22, 2019 9:00am - 5:00pm
Terrace Lounge

9:00am

Building Secure API's and Web Applications with the OWASP Top Ten and ASVS [Day 1 of 2]
Course Abstract

The major cause of web service and web application insecurity is insecure software development practices. This highly intensive and interactive 2-day course provides essential application security training for web application and web service developers and architects. The class is a combination of lecture, security testing demonstration and code review. Students will learn the most common threats against applications. More importantly, students will learn how to code secure web solutions via defense-based code samples. As part of this course, we will explore the use of third-party security libraries and frameworks to speed up and standardize secure development. We will highlight production-quality and scalable controls from various languages and frameworks. This course will include secure coding information for Java, PHP, Python, JavaScript and .NET programmers, but any software developer building web applications and web services will benefit.

Training Syllabus

Day 1 of the course will focus on web application basics

- Introduction to Application Security
- HTTP Security Basics
- CORS and HTML5 Considerations
- XSS Defense
- SQL and other Injection
- Cross Site Request Forgery
- Deserialization Security

Day 2 of the course will focus on API secure coding, Identity and other advanced topics

- Webservice, Microservice and REST Security
- Authentication and Session Management
- Access Control Design
- OAuth Security
- 3rd Party Library Security Management
- Application Layer Intrusion Detection
- OWASP Top Ten
- OWASP ASVS

We end day 2 with a competitive hacking lab. It's a very fun and informative way to end the course.

Upon Completion of this training, attendees will know:

This course will teach software developers the details of approximately 200 web security requirements needed to build secure software. Please see the syllabus for the many topics this course will cover.

Attendees should bring:

Any laptop that can run an updated web browser and "Burp Community Edition".

Pre-requisites for attendees:

Familiarity with the technical details of building web applications and web services from a software engineering point of view.

Speakers

Jim Manico

Founder and Lead Trainer, Manicode Security
Jim Manico is the founder of Manicode Security, where he trains software developers on secure coding and security engineering. He is also a founding investor/advisor for Signal Sciences and BitDiscovery. Jim is also a frequent speaker on secure software practices, is a member of the...


Tuesday January 22, 2019 9:00am - 5:00pm
Garden Terrace Room

9:00am

Real World Red Team Attacks [Day 1 of 2]
Course Abstract

The days of exploiting MS08-067, encoding with Shikata Ga Nai, and blindly scanning are gone. Black-hat hackers and pentesters alike have shifted to more advanced techniques to bypass AV, keep a smaller footprint to evade SIEM detection, and stay persistent in order to devastate enterprise networks. If you are looking to take your craft to the next level, this is the primer course for you.

This training course was custom-developed to put you right in the action and simulate real-world red team attacks. You'll take the approach of a red teamer: social engineer your way into a company, gather information about the network, pivot to valuable resources, and gain access to all the company's secrets.

This isn't your average pentest course! We built the labs around what we are seeing as red teamers.

Training Syllabus

Day 1:

- Red Team Mindset
- Recon
- Creating Malware For Your Campaigns
- Setting Up C2 Servers
- Social Engineering
- Compromise Your Victims
- Living Off The Land
- Moving Laterally In Windows/Active Directory

Day 2:

- Pivoting/Lateral Movement in Linux
- Compromising Common Applications for Post Exploitation
- DNS C2 And Network Limitations
- Local Linux Privilege Escalation
- Creating Valuable Reports
- CTF

Upon Completion of this training, attendees will know:

- How to think like the bad guys do
- How to evade AV and network detection tools
- How to get around Windows protections
- How to live off the land
- How to write valuable reports to improve security

Attendees should bring:

Laptop with:
- administrator access (to disable host firewall)
- network connectivity and dongles
- capacity to run two virtual machines simultaneously using either VMware Workstation or Player or Fusion (for OS X).
- 30GB of free disk space

And, a passion to learn!

Pre-requisites for attendees:

- Familiarity with Metasploit and similar tools
- Basic understanding of penetration testing methodology and tools
- Basic GNU/Linux command line
- Basic understanding of Active Directory

Speakers

Peter Kim

Director of Vulnerability Research, Blizzard Entertainment
Peter Kim has been in the information security industry for the last 12 years and has been running red teams/penetration testing for the past 8 years. He has worked for multiple utility companies, Fortune 1000 entertainment companies, government agencies, and financial organizations. He...


Tuesday January 22, 2019 9:00am - 5:00pm
Club Room

9:00am

Seth & Ken's Excellent Adventures (In Code Review) [Day 1 of 2]
Course Abstract

Have you ever been tasked with manually reviewing 3.2 million lines of code for SQL Injection, XSS, and Access Control flaws? Have you been asked to review a new framework on short notice? Does the idea of reviewing Ruby, Go, or Node code leave you with heartburn? This course addresses all of these common challenges in modern code review. We have concentrated on taking our past adventures in code review and the lessons we’ve learned along the way, and made them applicable for others who perform code reviews. We will share our methodology for analysing any source code and sussing out security flaws, no matter the size of the code base, the framework, or the language. As a student you will learn the methodology, techniques, approach, and tools used by Seth Law and Ken Johnson to understand code flows, trace user input, identify vulnerabilities, and effectively secure an application code base.

Training Syllabus

Day 1:

● Overview
● Introductions
● Philosophy
● What to Expect
● Tools/Lab Setup
● OWASP Top 10
● Code Review Methodology
● Overview
  ■ Introduction to Methodology/Philosophy
  ■ Documentation
● What/When/Where
  ■ Automated Tools
  ■ Manual Analysis
● Information Gathering
  ■ Profiling
  ■ Mapping
  ■ Threat Modeling
  ■ Enumeration
  ■ AAA (Authentication/Authorization/Auditing)
  ■ Other interesting finds
    ● Comments
    ● Keys
    ● 3rd-party libraries
● Authentication
  ■ User Enumeration
  ■ Timing Attacks
  ■ Password Complexity
  ■ Typical Logic Flaws
  ■ Insecure Password Resets
  ■ Insecure Forgot Password Functionality
  ■ Password Storage
● Authorization
  ■ Broken Access Control
    ● Insecure Direct Object Reference
    ● Forced Browsing
    ● Missing Function Level Access Control
● Auditing
  ■ Sensitive Data Exposure
  ■ Logging Vulnerabilities
● Injection
  ■ Input Validation
  ■ SQL Injection
    ● ORM and ActiveRecord Patterns/Flaws
    ● Examples from previous assessments
  ■ XXE
  ■ Server-Side Request Forgery
  ■ HTML/Content Injection
● Cryptographic Analysis
  ■ Encoding vs. Encryption
  ■ Hashing
  ■ Stored Secrets
● Configuration Review
  ■ Framework gotchas
  ■ Configuration files
  ■ Dependency Analysis

Day 2:

● Technical Hands-On Review
● Java
● .Net
● Ruby On Rails
● Node.js
● Django

Upon Completion of this training, attendees will know:

Students will take away knowledge and experience in approaching numerous code languages and frameworks to complete a security source code review. In addition, the learned methodology can be customized by the attendee to fit into any organization’s security SDLC. Finally, the attendee will have the tools to review source code for any web, mobile, or modern application, whether or not the targeted language is specifically covered during the course.

Attendees should bring:

Laptop with wireless and virtual machine (VMWare/Virtual Box) capabilities.
Preferred IDE

Pre-requisites for attendees:

Attendees should be familiar with the development process (SDLC) and where security code reviews fit into the process. Attendees must have experience using an IDE and running command-line tools, and be able to read application source code. Attendees must have knowledge of the OWASP Top 10 and other common vulnerabilities.

Speakers

Ken Johnson

Application Security Engineer, GitHub
Ken Johnson has been hacking web applications professionally for 10 years and has given security training for 7 of those years. Ken is both a breaker and a builder and currently works on the GitHub application security team. Previously, Ken has spoken at RSA, You Sh0t the Sheriff, Insomnihack...

Seth Law

Application Security Consultant, Redpoint Security, Inc
Seth Law is an experienced Application Security Professional with over 15 years of experience in the computer security industry. During this time, Seth has worked within multiple disciplines in the security field, from software development to network protection, both as a manager...


Tuesday January 22, 2019 9:00am - 5:00pm
Veranda 1

9:00am

The Bug Hunter's Methodology [Day 1 of 2]
Course Abstract

The Bug Hunter's Methodology is a comprehensive two-day training on offensive web security testing. It is aimed primarily at web application security testers and bug bounty hunters. TBHM focuses on the newest tools and techniques for web application testers. The class covers topics such as:

  • Advents in web recon
  • Prioritizing target testing areas by technology and features
  • Crash course on Burp Suite
  • Blind XSS
  • Server-side template injection
  • Server-side request forgery
  • Code injection (SQLi, PHP, ++)
  • XXE
  • Robbing misconfigured infrastructure (AWS)
  • git pillaging
  • GitHub robbing
  • CI/Code repositories exploitation
  • Subdomain takeover
  • and more!

Training Syllabus

Day 1:

Emergent web recon (Large Module, LIVE labs)
- IP enumeration (ASNs and Cloud)
- Brand Enumeration (Acquisitions, RevWHOIS, Reverse tracker Analysis)
- Subdomain Enumeration (Scraping and Bruteforcing)
- Effective Port Scanning
- Version based vulnerability analysis
- Directory Bruteforcing / Content Discovery best practices
- Prioritizing target testing areas by technology and features

Crash course on Burp Suite
- Burp Setup and helpers
- Burp proxy and scope
- Burp Intruder
- Burp Repeater and configuration setting
- Getting to know Burp through use-cases: LABS

Blind XSS
- An introduction to BXSS
- Available BXSS frameworks
- LABS

Server-side template injection
- An introduction to SSTI
- SSTI Identification
- SSTI Tooling
- SSTI LABS

Day 2:

Server-side request forgery
- An introduction to SSRF
- SSRF Identification
- SSRF Tooling
- SSRF LABS

Code injection (SQLi, ++)
- Common (still available today) types of code injection
- SQLmap crash course
- SQLi common areas
- LABS

XML External Entity Injection
- An introduction to XXE
- XXE Identification
- XXE Tooling / payloads
- XXE LABS

Access Control Testing
- The ever-giving IDOR and MFLAC
- Examples
- LABS

Robbing misconfigured infrastructure
- Introduction to AWS S3 permissions
  - Labs
- git pillaging
  - Labs
- GitHub robbing
  - Live exercise
- CI/Code repositories exploitation (no lab)
- Subdomain takeover
  - Labs

Upon Completion of this training, attendees will know:

At the end of this course, students should have solid fundamentals in testing for the web vulnerabilities most likely to show up in the wild TODAY. The course aims to arm the student not only with the techniques, tools, and labs, but also with a contextual and data-driven methodology for where and how to look for each vulnerability.

Attendees should bring:

Laptop, Burp Suite (PRO preferably), VM or equivalent access to *nix command line.

Pre-requisites for attendees:

General Web application security testing knowledge required.
Some topics will assume some knowledge of OWASP Top Ten type vulnerabilities.

Speakers

Jason Haddix

VP of Researcher Growth, Bugcrowd
Jason is the Director of Technical Operations at Bugcrowd. Jason trains and works with internal analysts to triage and validate hardcore vulnerabilities in mobile, web, and IoT applications/devices. He also works with Bugcrowd to improve the security industry's relations with the...


Tuesday January 22, 2019 9:00am - 5:00pm
Sand and Sea Room

9:00am

Women In AppSec Penetration Testing
Course Abstract

In this completely hands-on workshop, you will learn the techniques and methodologies that can be applied when performing a web application penetration test. Throughout this workshop, you will use the Burp Suite tool, a collection of distinct tools with powerful features. Apart from gaining familiarity with the tools and techniques involved in application security testing, you will also get an opportunity to understand some of the common vulnerabilities from the OWASP Top 10 list. We will provide you with a vulnerable website, and you will uncover security issues in it even if you have never done this before!

Training Syllabus

● Opening

○ About the class
○ About OWASP

● Introduction

○ Security Awareness/hacker mindset
○ Introduction to the training environment and tools

● Reconnaissance

○ Web application Reconnaissance
○ HTTP / HTTPS basics
○ Web application and Web server fingerprinting

● Most common vulnerabilities, detection, and exploitation

○ XSS (HTML, Attribute, DOM)
○ SQLi
○ IDOR Vulnerabilities
○ XXE
○ File Upload Vulnerabilities
○ Insecure API
○ OWASP TOP 10

Upon Completion of this training, attendees will know:

● Scope a security review and prioritise the work
● Understand manual and automated tools and techniques available and when to apply them
● Understanding of DevSecOps including Agile Framework
● Gain confidence in customizing your Web Application Security Testing approach to suit application-specific pentesting needs, by gaining clarity on the powerful features provided by the Burp Suite tool.
● Lots of hands-on web application hacking labs and exercises, along with the core concepts of web application security.

Attendees should bring:

1. Laptop with administrator access (mandatory)
2. Minimum 4 GB RAM
3. At least 10 GB of free hard disk space
4. Oracle VirtualBox 5.x or later installed.
5. Burp Suite Community Edition installed (https://portswigger.net/burp/communitydownload)

Prerequisites for attendees:

This is an introductory training for web application developers and students, including those new to application security. The course has been developed to train learners at all levels.

Speakers

Zoe Braiterman

Women in AppSec (WIA) Committee Chair, OWASP
Zoe Braiterman is an independent consultant and OWASP WIA Committee Chair.

Vandana Verma

Manager Information Security, WIA Asia Lead and Secretary, OWASP Bangalore Chapter Leader, OWASP
Vandana Verma (course creator and lead instructor): an experienced application security practitioner, OWASP Bangalore Chapter Leader, OWASP WIA Committee Secretary, and Asia Volunteer Coordinator. She has given talks and workshops at many colleges and security conferences including...


Tuesday January 22, 2019 9:00am - 5:00pm
Veranda 2
 
Wednesday, January 23
 

8:00am

Registration and Breakfast
Wednesday January 23, 2019 8:00am - 9:00am
Annenberg Community Beach House 415 Pacific Coast Hwy, Santa Monica, CA 90402, USA

9:00am

Attacking and Defending Containerized Apps and Serverless Tech [Day 2 of 2]
Speakers

Abhay Bhargav

CTO, we45
Abhay Bhargav is the Founder of we45, a focused Application Security Company. Abhay is a builder and breaker of applications. He is the Chief Architect of “Orchestron", a leading Application Vulnerability Correlation and Orchestration Framework. He has created some pioneering works... Read More →
Nithin Jois

Solutions Engineer who specialises in DevSecOps, We45
Nithin Jois is a Solutions engineer at we45 - a focused Application Security company. He has helped build ‘Orchestron’ - A leading Application Vulnerability Correlation and Orchestration Framework. He is experienced in Orchestrating containerized deployments securely to Production...


Wednesday January 23, 2019 9:00am - 5:00pm
Terrace Lounge

9:00am

AWS Security 101
Course Abstract

Learn how to secure your AWS environment.

Areas within AWS that will be covered:

1. The 3 Layers in AWS
2. Security Constructs in AWS
3. What does an ideal architecture look like
4. How do I build it
5. How do I maintain/monitor it
6. How do I break it

The first part of each topic will bring the students up to speed, followed by hands-on exercises to put their knowledge to the test. Each area covered focuses on core resources within AWS that need to be understood in order to successfully secure your AWS cloud environment. In the end, students will walk away with hands-on experience and be ready to implement solutions in their corporate environment.

Upon Completion of this training, attendees will know:

The AWS security gotchas, basics, and ways to monitor their environment.

Attendees should bring:

Laptop with power supply.

Pre-requisites for attendees:

A thirst for knowledge on AWS and what they hope to learn.

Speakers
Will Bengtson

Senior Security Engineer, Netflix
Will Bengtson is senior security engineer at Netflix focused on security operations and tooling. Prior to Netflix, Bengtson led security at a healthcare data analytics startup, consulted across various industries in the private sector, and spent many years in the Department of Defense...
Nag Medida

Sr. Security Engineer, Netflix
Nag Medida is a Senior Security Engineer at Netflix working in the SecOps team, where he loves to spend his time on AWS, building tools and automating stuff with a passion for cloud security. Nag's expertise lies in security automation for the cloud in big data world, penetration...


Wednesday January 23, 2019 9:00am - 5:00pm
Veranda 2

9:00am

Building Secure API's and Web Applications with the OWASP Top Ten and ASVS [Day 2 of 2]
Course Abstract

The major cause of webservice and web application insecurity is insecure software development practices. This highly intensive and interactive 2-day course provides essential application security training for web application and webservice developers and architects. The class is a combination of lecture, security testing demonstration and code review. Students will learn the most common threats against applications. More importantly, students will learn how to code secure web solutions via defense-based code samples. As part of this course, we will explore the use of third-party security libraries and frameworks to speed and standardize secure development. We will highlight production quality and scalable controls from various languages and frameworks. This course will include secure coding information for Java, PHP, Python, Javascript and .NET programmers, but any software developer building web applications and webservices will benefit.

Training Syllabus

Day 1 of the course will focus on web application basics

- Introduction to Application Security
- HTTP Security Basics
- CORS and HTML5 Considerations
- XSS Defense
- SQL and other Injection
- Cross Site Request Forgery
- Deserialization Security

Day 2 of the course will focus on API secure coding, Identity and other advanced topics

- Webservice, Microservice and REST Security
- Authentication and Session Management
- Access Control Design
- OAuth Security
- 3rd Party Library Security Management
- Application Layer Intrusion Detection
- OWASP Top Ten
- OWASP ASVS

We end day 2 with a competitive hacking lab. It's a very fun and informative way to end the course.

Upon Completion of this training, attendees will know:

This course will teach software developers the details of approximately 200 web security requirements needed to build secure software. Please review the syllabus to see the many topics this course will cover.

Attendees should bring:

Any laptop that can run an updated web browser and "Burp Community Edition".

Pre-requisites for attendees:

Familiarity with the technical details of building web applications and web services from a software engineering point of view.

Speakers
Jim Manico

Founder and Lead Trainer, Manicode Security
Jim Manico is the founder of Manicode Security where he trains software developers on secure coding and security engineering. He is also a founding investor/advisor for Signal Sciences and BitDiscovery. Jim is also a frequent speaker on secure software practices, is a member of the...


Wednesday January 23, 2019 9:00am - 5:00pm
Garden Terrace Room

9:00am

Real World Red Team Attacks [Day 2 of 2]
Course Abstract

The days of exploiting MS08-067, encoding with Shikata Ga Nai, and blindly scanning are gone. Both Blackhat hackers and pentesters alike have shifted to using more advanced techniques to bypass AV, implement a smaller footprint to evade SIEM detection, and continually stay persistent to devastate enterprise networks. If you are looking to take your craft to the next level, this is the primer course for you.

This training course was custom developed to put you right in the action and simulate real world red team attacks. You'll take the approach as a red teamer to social engineer your way into a company, gain information about the network, pivot to valuable resources, and gain access to all the company's secrets.

This isn't your average pentest course! We built the labs around what we are seeing as red teamers.

Training Syllabus

Day 1:

- Red Team Mindset
- Recon
- Creating Malware For Your Campaigns
- Setting Up C2 Servers
- Social Engineering
- Compromise Your Victims
- Living Off The Land
- Moving Laterally In Windows/Active Directory

Day 2:

- Pivoting/Lateral Movement in Linux
- Compromising Common Applications for Post Exploitation
- DNS C2 And Network Limitations
- Local Linux Privilege Escalation
- Creating Valuable Reports
- CTF

Upon Completion of this training, attendees will know:

How to think like the bad guys do
How to evade AV and network detection tools
How to get around Windows protections
How to live off the land
How to write valuable reports to improve security

Attendees should bring:

Laptop with:
- administrator access (to disable host firewall)
- network connectivity and dongles
- capacity to run two virtual machines simultaneously using either VMware Workstation or Player or Fusion (for OS X).
- 30GB of free disk space

And, a passion to learn!

Pre-requisites for attendees:

Familiarity with Metasploit and similar tools
Basic understanding of penetration testing methodology and tools
Basic GNU/Linux command line
Basic understanding of Active Directory

Speakers
Peter Kim

Director of Vulnerability Research, Blizzard Entertainment
Peter Kim has been in the information security industry for the last 12 years and has been running red teams/penetration testing for the past 8 years. He has worked for multiple utility companies, Fortune 1000 entertainment companies, government agencies, and financial organizations. He...


Wednesday January 23, 2019 9:00am - 5:00pm
Club Room

9:00am

Seth & Ken's Excellent Adventures (In Code Review) [Day 2 of 2]
Course Abstract

Have you ever been tasked with reviewing 3.2 million lines of code manually for SQL Injection, XSS, and Access Control flaws? Have you been asked to review a new framework on short notice? Does the idea of reviewing Ruby, Go, or Node code leave you with heartburn? This course addresses all of these common challenges in modern code review. We have concentrated on taking our past adventures in code review, the lessons we’ve learned along the way, and made them applicable for others who perform code reviews. We will share our methodology to perform analysis of any source code and suss out security flaws, no matter the size of the code base, the framework, or the language. You as a student will learn the methodology, techniques, approach, and tools used by Seth Law and Ken Johnson to understand code flows, trace user input, identify vulnerabilities, and effectively secure an application code base.

Training Syllabus

Day 1:

● Overview
● Introductions
● Philosophy
● What to Expect
● Tools/Lab Setup
● OWASP Top 10
● Code Review Methodology
● Overview
■ Introduction to Methodology/Philosophy
■ Documentation
● What/When/Where
■ Automated Tools
■ Manual Analysis
● Information Gathering
■ Profiling
■ Mapping
■ Threat Modeling
■ Enumeration
■ AAA (Authentication/Authorization/Auditing)
■ Other interesting finds
● Comments
● Keys
● 3rd-party libraries
● Authentication
■ User Enumeration
■ Timing Attacks
■ Password Complexity
■ Typical Logic Flaws
■ Insecure Password Resets
■ Insecure Forgot Password Functionality
■ Password Storage
● Authorization
■ Broken Access Control
● Insecure Direct Object Reference
● Forced Browsing
● Missing Function Level Access Control
● Auditing
■ Sensitive Data Exposure
■ Logging Vulnerabilities
● Injection
■ Input Validation
■ SQL Injection
● ORM and ActiveRecord Patterns/Flaws
● Examples from previous assessments
■ XXE
■ Server-Side Request Forgery
■ HTML/Content Injection
● Cryptographic Analysis
■ Encoding vs. Encryption
■ Hashing
■ Stored Secrets
● Configuration Review
■ Framework gotchas
■ Configuration files
■ Dependency Analysis

Day 2:

● Technical Hands-On Review
● Java
● .Net
● Ruby On Rails
● Node.js
● Django

Upon Completion of this training, attendees will know:

Students will take away knowledge and experience in approaching numerous code languages and frameworks to complete a security source code review. In addition, the learned methodology can be customized by the attendee to fit into any organization’s security SDLC. Finally, the attendee will have the tools to review source code for any web, mobile, or modern application, whether or not the targeted language is specifically covered during the course.

Attendees should bring: 

Laptop with wireless and virtual machine (VMWare/Virtual Box) capabilities.
Preferred IDE

Pre-requisites for attendees: 

Attendees should be familiar with the development process (SDLC) and where security code reviews fit into the process. Attendees must have experience using an IDE, running command-line tools, and be able to read application source code. Attendees must have knowledge of the OWASP Top 10 and other common vulnerabilities.

Speakers
Ken Johnson

Application Security Engineer, GitHub
Ken Johnson has been hacking web applications professionally for 10 years and given security training for 7 of those years. Ken is both a breaker and builder and currently works on the GitHub application security team. Previously, Ken has spoken at RSA, You Sh0t the Sheriff, Insomnihack...
Seth Law

Application Security Consultant, Redpoint Security, Inc
Seth Law is an experienced Application Security Professional with over 15 years of experience in the computer security industry. During this time, Seth has worked within multiple disciplines in the security field, from software development to network protection, both as a manager...


Wednesday January 23, 2019 9:00am - 5:00pm
Veranda 1

9:00am

The Bug Hunter's Methodology [Day 2 of 2]
Course Abstract

The Bug Hunter's Methodology is a comprehensive two-day training on offensive web security testing. It is primarily aimed at web application security testers and bug bounty hunters. TBHM focuses on the newest tools and techniques for web application testers. The class goes over such topics as:

  • Advents in web recon
  • Prioritizing target testing areas by technology and features
  • Crash course on Burp Suite
  • Blind XSS
  • Server-side template injection
  • Server-side request forgery
  • Code injection (SQLi, PHP, ++)
  • XXE
  • Robbing misconfigured infrastructure (AWS)
  • git pillaging
  • Github robbing
  • CI/Code repositories exploitation
  • Subdomain takeover
  • and more!

Training Syllabus

Day 1:

Emergent web recon (Large Module, LIVE labs)
- IP enumeration (ASNs and Cloud)
- Brand Enumeration (Acquisitions, RevWHOIS, Reverse tracker Analysis)
- Subdomain Enumeration (Scraping and Bruteforcing)
- Effective Port Scanning
- Version based vulnerability analysis
- Directory Bruteforcing / Content Discovery best practices
- Prioritizing target testing areas by technology and features

Crash course on Burp Suite
- Burp Setup and helpers
- Burp proxy and scope
- Burp Intruder
- Burp Repeater and configuration setting
- Getting to know Burp through use-cases: LABS

Blind XSS
- An introduction to BXSS
- Available BXSS frameworks
- LABS

Server-side template injection
- An introduction to SSTI
- SSTI Identification
- SSTI Tooling
- SSTI LABS

Day 2:

Server-side request forgery
- An introduction to SSRF
- SSRF Identification
- SSRF Tooling
- SSRF LABS

Code injection (SQLi, ++)
- Common (still available today) types of code injection
- SQLmap crash course
- SQLi common areas
- LABS

XML External Entity Injection
- An introduction to XXE
- XXE Identification
- XXE Tooling / payloads
- XXE LABS

Access Control Testing
- The ever-giving IDOR and MFLAC
- Examples
- LABS

Robbing misconfigured infrastructure
- Introduction to AWS S3 permissions
-- Labs
- git pillaging
-- Labs
- Github robbing
-- Live exercise
- CI/Code repositories exploitation (no lab)
- Subdomain takeover
-- Labs

Upon Completion of this training, attendees will know:

At the end of this course, students should have some solid fundamentals in web testing for vulnerabilities that are more likely to show up in the wild TODAY. Not only does the course aim to arm the student with the technique, tools, and labs, but also a contextual and data-driven methodology on where and how to look for each vulnerability.

Attendees should bring:

Laptop, Burp Suite (PRO preferably), VM or equivalent access to *nix command line.

Pre-requisites for attendees:

General Web application security testing knowledge required.
Some topics will assume some knowledge of OWASP Top Ten type vulnerabilities.

Speakers
Jason Haddix

VP of Researcher Growth, Bugcrowd
Jason is the Director of Technical Operations at Bugcrowd. Jason trains and works with internal analysts to triage and validate hardcore vulnerabilities in mobile, web, and IoT applications/devices. He also works with Bugcrowd to improve the security industry's relations with the...


Wednesday January 23, 2019 9:00am - 5:00pm
Sand and Sea Room
 
Thursday, January 24
 

7:30am

Registration and Breakfast
Thursday January 24, 2019 7:30am - 8:15am
Annenberg Community Beach House 415 Pacific Coast Hwy, Santa Monica, CA 90402, USA

8:15am

Welcome Address
Speakers
Richard Greenberg

Global Board of Directors-Elect, OWASP
Richard Greenberg, CISSP, Chair of AppSec California, is the President of both the OWASP and ISSA Los Angeles Chapters and is the Information Security Officer for the Los Angeles County Department of Public Health. He brings over 25 years of management experience and has been a strategic...


Thursday January 24, 2019 8:15am - 8:30am
Sand and Sea Room

8:30am

Diamond Sponsor Greetings
Thursday January 24, 2019 8:30am - 8:40am
Sand and Sea Room

8:40am

Opening Keynote
Speakers
Adrienne Porter Felt

Engineer & manager for Chrome, Google
I like to make software easier to use. I manage the Chrome Personalization and Metrics teams. Outside of Google, I'm best known for my advocacy of usable security & HTTPS adoption.


Thursday January 24, 2019 8:40am - 9:30am
Sand and Sea Room

9:40am

Cache Me If You Can: Messing with Web Caching
As application security has gained in popularity and maturity, attackers and researchers have turned to more creative methods for exploiting web applications. In 2017, security researcher Omer Gil introduced the Web Cache Deception attack. This attack, while trivial to understand and leverage, showed the potential of attacking caching mechanisms instead of targeting the application itself in order to extract sensitive information. In 2018, GoSecure introduced a new class of attack known as Edge Side Include Injection, exploiting a design flaw introduced nearly two decades ago in popular caching servers and cache-providing solutions. Again in 2018, James Kettle released his research on Web Cache Poisoning, which leverages unkeyed input to reflect arbitrary data in an HTTP response in order to get a cross-site-scripting payload cached across users.

The findings from this research show the obvious flaws we failed to identify in caching specifications for so long. This talk aims to be a precautionary tale for the next time you need to implement a web caching solution by providing a practical overview of caching attacks in web applications. We'll look at attacks targeting both modern and legacy web applications, how to detect these design oversights and leverage them, and more importantly how to mitigate them.

Speakers
Louis Dion-Marcil

Information Security Analyst
Louis Dion-Marcil is a consultant working for Mandiant. He specializes in offensive appsec and pentesting medium to large scale organizations. A seasoned CTF participant and sometimes finalist with the DCIETS team, he has also written challenges for various competitions. His prior...


Thursday January 24, 2019 9:40am - 10:30am
Club Room

9:40am

Automated Account Takeover: The Rise of Single Request Attacks
Account takeover is growing. Attackers swoop in after credential spills and use software to automatically match breached email addresses with the top 10 most common passwords. While this approach, known as a single request attack, may appear unsophisticated, attackers commonly use headless browsers, execute JavaScript like a legitimate human user, and present dynamic client and network fingerprints. This session reviews real-world case studies where ATOs have been scaled via single request attacks.

These case studies unpack the compounding effect caused when businesses use deprecated mitigation strategies and profile the growing incentive attackers have across other use-cases and verticals. The session scrutinizes past approaches to curbing ATO, explains why single request attacks have increased, and examines tested pathways toward mitigating and preventing single request attacks.

Speakers
Kevin Gosschalk

Founder and CEO, Arkose Labs
Kevin Gosschalk is the CEO and Founder of Arkose Labs, where he leads a team of people focused on telling computers and humans apart on the Internet. He gained early recognition for his work with the Institute of Health and Biomedical Innovation (QUT) as part of the LANDMark (Longitudinal...


Thursday January 24, 2019 9:40am - 10:30am
Garden Terrace Room

9:40am

CISO Panel: Baking Security Into the SDLC
How are CISOs coping with the rapid changes in application development methodologies and the constant resulting updates and pressures to publish? Where, when and how do you get security in the mix? Come hear real-world experiences on how CISOs are managing this.

Moderators
Richard Greenberg

Global Board of Directors-Elect, OWASP
Richard Greenberg, CISSP, Chair of AppSec California, is the President of both the OWASP and ISSA Los Angeles Chapters and is the Information Security Officer for the Los Angeles County Department of Public Health. He brings over 25 years of management experience and has been a strategic...

Speakers
Coleen Coolidge

Head of Security, Segment
Coleen Coolidge is Head of Security at Segment in San Francisco. Previously, she was at Twilio (pre-to-post IPO) as Sr Director of Trust and Security. She's also served in security-leadership positions at more traditional, enterprise companies like First American Title and CoreLogic...
Martin Mazor

CISO, Entertainment Partners
Bruce Phillips

SVP & Chief Information Security Officer, Williston Financial
Shyama Rose

Chief Information Security Officer, Avant
Shyama is the Chief Information Security Officer for Avant and an accomplished Information Security leader with an 18-year track record for assessing risks and building ground-up security initiatives for Fortune 100 companies. With a unique blend of technical and business acumen...


Thursday January 24, 2019 9:40am - 10:30am
Sand and Sea Room

9:40am

Cloud Forensics: Putting The Bits Back Together
Cloud computing security response is no different to servers racked in a regular datacenter, except for a key difference: when a server is breached, and the need exists to perform a forensic evaluation of that server, the responder has no idea where, or what, that server is. The very first steps of imaging a disk need to be rethought in an environment where disks are of variable sizes and capabilities, and are only exposed via APIs. Many things which are taken for granted in the physical world are implementation details in the cloud. Recent product launches in AWS, such as the next generation of EC2 instances which access EBS in a different manner, as well as bare-metal instances, have changed some of these implementation details, which potentially changes what an incident responder may encounter.

Speakers
Brandon Sherman

Sr. Cloud Infrastructure Engineer, Twilio
Brandon has been working with AWS infrastructure for four years and is a Senior Cloud Infrastructure engineer at Twilio, where the challenge of real-time cloud communications requires thinking about security in new and exciting ways. He wants to replace himself with microservices...


Thursday January 24, 2019 9:40am - 10:30am
Terrace Lounge

10:30am

Break and Vendor Expo
Thursday January 24, 2019 10:30am - 11:00am
Annenberg Community Beach House 415 Pacific Coast Hwy, Santa Monica, CA 90402, USA

10:30am

CTF / Capture the Flag and IoT Village
CTF: Bring your laptop (and an Ethernet/USB adapter if you do not have an Ethernet port on your laptop).

IoT Village: Want to learn how to attack IoT devices? We will have a network of new and old IoT products along with automotive and medical devices to play with! A free virtual machine (VM) with vulnerable emulated firmware and tons of preloaded tools will be available for download!! The IoT Village is hosted by Aaron Guzman of Aon Cyber Solutions. You don't want to miss out!

Thursday January 24, 2019 10:30am - 5:10pm
Marion Davies Guest House

11:00am

The White Hat’s Advantage: Open-source OWASP tools to aid in penetration testing coverage
White hat penetration testers are generally at a disadvantage compared to the malicious attackers they help defend against. They have limited time and resources to secure the entire application, whereas attackers have unlimited time and may only need a single vulnerability. This session will discuss how web application penetration testers can improve the efficiency and comprehensiveness of their white box testing using two new open source OWASP tools. These tools leverage access to application source code and server bytecode to provide an advantage to the penetration tester working with the development team.

The first tool, OWASP Code Pulse, uses glass box testing techniques to instrument the web application server bytecode to provide real-time code coverage while testing the application. This allows the penetration tester to measure how much of the application’s server code their testing has touched, and visually displays gaps in their testing coverage. This real-time feedback helps testers tune their testing to maximize the amount of code covered, compare performance of different testing tools and activities, and communicate useful metrics of testing activity to others.

The second tool, Attack Surface Detector, performs static code analysis to first detect the web application endpoints, parameters, and parameter datatypes. This information is then pulled into the Burp Suite and OWASP ZAP web application testing suites to allow for rapid dynamic testing of the discovered attack surface. The benefit of this approach over traditional spidering techniques is that hidden endpoints are found without brute-force guessing, and optional parameters not seen in the client-side code are discovered. The Attack Surface Detector is being continually updated; the most recently added functionality includes showing endpoint differences between application versions, so penetration testers can focus their testing only on the changes.

Recent features and major releases will be discussed, a brief demonstration of the tools will be given, and a question and answer portion will complete the session. We are particularly interested in feedback from the audience on whether these tools help their specific needs and what future improvements would make them even better.

Speakers
Vincent Hopson

Field Applications Engineer, CodeDx
Vincent Hopson is a Field Application Engineer at Code Dx. Vincent has been working in the application security and software quality field for over 20 years and has worked with many organizations on integrating software security into their software development process.


Thursday January 24, 2019 11:00am - 11:50am
Club Room

11:00am

Can Kubernetes Keep a Secret?
We’ve all experienced it: you’re working on a task, adding some code, and then you need to store some sensitive configuration value. It could be an API key, client secret or an encryption key ― something that’s highly sensitive and must be kept secret. And this is where things get messy. Usually, secret storage is highly coupled with how the code is deployed, and different platforms have different solutions.

Kubernetes has a promise to simplify this process by using the native secret object, which, as the name implies, can be used to store secrets or sensitive configurations. Unfortunately, Kubernetes secrets are fundamentally broken, and a developer who tries to use them will definitely have some issues.

But no need to worry ― there are solid alternatives for storing secrets securely on the Kubernetes platform. One solution is to use Kamus, an open-source GitOps solution created by Soluto for managing secrets on Kubernetes. Kamus can encrypt a secret so that it can be decrypted only by your app at runtime - and not by anyone else.

The first part of this session will cover the challenges faced when using Kubernetes secrets (from a usability and security point of view). The second part will discuss some of the existing solutions (Sealed Secrets, Helm Secrets and others), their pros and cons, and then feature Kamus: how it works, what problems it solves, how it differs from other solutions, and what threats it can help mitigate (and what threats it can’t).

The talk will cover everything you need to know so you can run Kamus on your own cluster and use it for secret management. Join me for this session to learn how you can build a Kubernetes cluster that can keep a secret ― for real.

Speakers
Omer Levi Hevroni

DevSecOps Engineer, Soluto
I’ve been coding since 4th grade when my dad taught me BASIC and haven’t looked back since. AppSec/DevSecOps enthusiast, and always curious about integrating more hacking tools into the CI/CD pipeline. Always looking for new interesting ways to increase security awareness over...


Thursday January 24, 2019 11:00am - 11:50am
Terrace Lounge

11:00am

Minimum Viable Account Security
A lot of concepts behind account security predate application security. The account security recommendations of yore have not aged well and “just throw a two factor on it” won’t make it any better.

Account security is one of the most overlooked hard problems today. It goes far beyond password complexity rules and offering two factor. In this talk we will explore all of the various options one has when considering account security for the users or applications they protect.

We will not tell you what you should do. We will show you what various platforms do and GitHub’s journey towards improving account security. What works for others doesn’t work for us, and some of the things we do won’t work for others. We hope to spark ideas and provide insight for attendees to take home and apply tomorrow. Like everything in security: “it depends”.


Speakers
Matt Langlois

Product Security Engineer, GitHub
Matt is a junior product security engineer at GitHub. Over the course of his University career he developed a passion for cyber security. Matt has gained a plethora of AppSec knowledge participating in bug bounty programs and CTFs. He previously organized monthly DefCon 613 meetups...
Neil Matatall

Security Engineer, GitHub
Neil is a product security engineer at GitHub and a co-founder of Brakeman Pro. He has spent the last 12 years doing mostly AppSec work and is heavily involved in AppSec communities. Previously, Neil has been an engineer at Twitter, a W3C-webappsec group member, an OWASP Chapter leader...


Thursday January 24, 2019 11:00am - 11:50am
Garden Terrace Room

12:00pm

Lightning Talk: Working with Developers for Fun and Progress
Forging a strong relationship with developers is an essential part of creating an impactful AppSec program. Without it, your team will have little idea what's going on and will have trouble getting bugs fixed. Segment has built strong ties to developers using our competition-based training featuring Burp Suite and OWASP Juice Shop, hands-on threat modeling, and contributions to the existing codebase. We'll also talk about our future plans for our security champions and embed programs.

Speakers
Leif Dreizler

Security Engineer, Segment
Leif works on the AppSec team at Segment, partnering with engineers to continuously improve their security story and protect customer data. Leif got his start in the security industry at Redspin doing security consulting work, and was later an early employee at Bugcrowd. He was a...


Thursday January 24, 2019 12:00pm - 12:25pm
Garden Terrace Room

12:00pm

Lightning Talk: Building Cloud-Native Security for Apps and APIs with NGINX
NGINX is a very flexible platform that can be enhanced with strong security capabilities -- if you know what components you need and how to cook them. With our set of modules and tricks, everyone can get security visibility and real-time protection against OWASP Top10 attacks, bots, application abuse and potential data leakage issues. We will provide practical methods that your Dev, Sec and Ops teams can use whether NGINX is deployed as an ingress controller, an API gateway, a load balancer or an application server.

# Alerting and visibility
- Building a security dashboard to gain visibility of malicious traffic
- Easy & flexible alerting with NGINX and ElasticSearch
- Elegant analysis of web server log files for anomalies
- Mirroring traffic for async analysis with 3rd party tools

# APIs and microservices security
- Mitigating OWASP Top10 threats (SQL injections, XXE, XSS etc.)
- Up-to-date WAF options overview
- Proper WAF configurations and reducing false-positives.
- Detecting information data leakage events.
- Blocking traffic from Tor, data-centers and malicious IP addresses

# Protecting from bots and behavioral attacks
- Fingerprinting and blocking bots and account takeover attacks, and identifying good crawlers (Googlebot, etc.)
- Catching scrapers with hidden links and honeypots

# Ingress security:
- How and why to add a security layer on top of NGINX Ingress controller in cloud-native environments.

Speakers
Stepan Ilyin
Co-Founder, Wallarm
Stepan Ilyin is a co-founder and COO of Wallarm, an AI startup focused on the security of websites, microservices and APIs running on public and private clouds. He is a frequent speaker at tech conferences and an author of more than 500 publications for DevOps, developers and security...


Thursday January 24, 2019 12:00pm - 12:25pm
Club Room

12:00pm

Lightning Talk: How to Lose a Container in 10 Minutes
Moving to the cloud and deploying containers? In this talk I discuss both the mindset shift and tech challenges, with some common mistakes made in real-life deployments with some real life (albeit redacted) examples. We’ll also look at what happens to a container that’s been left open to the Internet for the duration of the talk.

Despite the fact that many organisations are already using, or want to use, containers, and are quite possibly moving to the cloud at the same time, I find that there is still an inherent lack of understanding from both devs and security teams as to how containerised applications should be designed and run. Many teams simply try to run a containerised application as it would be run on a virtual machine or in the traditional monolithic application stack, and to accompany that they use the traditional security toolset. This opens up the potential for security breaches and/or simply an ineffective application that doesn't take advantage of the benefits containerised environments provide.

As I'm conscious this could be a bit of a dry topic and I don't want it to sound like a lecture, my talk has many GIFs and memes and real-life examples (they are redacted as I can't name where I saw some of these, unfortunately). More seriously though, it includes relevant stories and was developed with input from my real-life experiences and some stories from other engineers and security professionals. I will spin up a container in WebGo and leave it open to the Internet for the talk, and see what happens to it during the course of the talk.

Speakers
Sarah Young
Security Architect, Versent
Sarah is a security architect based in Melbourne, Australia. She has a decade of experience in tech and is particularly interested in cloud security, container security and good ol' fashioned networking and infrastructure security (having previously worked as a network engineer...


Thursday January 24, 2019 12:00pm - 12:25pm
Sand and Sea Room

12:00pm

Lightning Talk: Inducing Amnesia in Browsers: the Clear Site Data Header
The Clear-Site-Data HTTP header is a relatively new mechanism available to web application developers and security teams, and it offers just what business leaders are looking for: security and privacy benefits with a low level of effort. We will share original research on Clear-Site-Data adoption and details on how to use Clear-Site-Data for maximum benefit.

Speakers
Caleb Queern
Cyber Security Services Director, KPMG


Thursday January 24, 2019 12:00pm - 12:25pm
Terrace Lounge

12:30pm

Lunch and Vendor Expo
Thursday January 24, 2019 12:30pm - 2:00pm
Annenberg Community Beach House 415 Pacific Coast Hwy, Santa Monica, CA 90402, USA

1:15pm

Vendor Spotlight Talk
Thursday January 24, 2019 1:15pm - 1:50pm
Terrace Lounge

1:15pm

Vendor Spotlight Talk
Thursday January 24, 2019 1:15pm - 1:50pm
Club Room

1:15pm

Vendor Spotlight Talk
Thursday January 24, 2019 1:15pm - 1:50pm
Garden Terrace Room

1:15pm

Vendor Spotlight Talk
Thursday January 24, 2019 1:15pm - 1:50pm
Sand and Sea Room

2:00pm

Startup security: Starting a security program at a startup
Have you ever started a security program? Your security program’s first year is critical to its success. Learn the dos and don’ts of building an effective and beloved security program at high growth tech startups.

Speakers
Evan Johnson
Senior Security Engineer, Cloudflare
Evan Johnson is a member of the Product Security team at Cloudflare. He loves Diet Pepsi, chicken nuggets, and Go. No relation to the prolific LinkedIn content producer, Mike Johnson.


Thursday January 24, 2019 2:00pm - 2:50pm
Sand and Sea Room

2:00pm

Threat Model Every Story: Practical Continuous Threat Modeling Work for Your Team
The good old days of waterfall! You had "The One Design To Bind Them All" and once it got all agreed, the developers would happily implement it "per spec". But alas, we are not there anymore. Agile methodologies basically guarantee that the deployed system will change, and change fast, since inception. Design emerges as it develops. How do we cope with that in Threat Modeling? This talk explores the way Autodesk is moving to a team-based collaborative and continuous Threat Modeling methodology, and how the dialog has moved the dependency away from security SMEs and into the team. PyTM, an Open Source threat-modeling-as-code support system is also presented.

Speakers
Izar Tarandach
Lead Product Security Architect, Autodesk
Izar Tarandach is Lead Product Security Architect at Autodesk Inc. Prior to that, he was the Security Architect for Enterprise Hybrid Cloud at Dell EMC, and long before that a Security Consultant at the EMC Product Security Office. With more years than he's willing to admit to in the information...


Thursday January 24, 2019 2:00pm - 2:50pm
Garden Terrace Room

2:00pm

Behind the scenes: Securing in-house execution of unsafe third-party executables
So you want to run FFMpeg or ImageMagick or any other third-party processing library inside your Production environment, and still hope for a good night’s sleep?

In-house third-party code execution has its unique set of security challenges. One cannot help but wonder how the "ImageTragick" bug got so infamously popular in affecting the production state of security for so many enterprises worldwide.

Historically speaking, such third-party libraries have been subject to several critical security impacting vulnerabilities, including but not limited to, remote code execution attacks. When coupled with untrusted user-provided inputs, execution of such dangerous executables can become a nightmare for security teams to thoroughly secure.

As in-house execution of untrusted code becomes more prevalent, a secure-by-design framework is necessary to help guide organizations to better safeguard their production state of security. In this talk, I would like to present a framework that was conceived on the basis of security best practices and defense-in-depth principles, and that can be leveraged to secure third-party code execution environments.

Speakers
Mukul Khullar
Staff Security Engineer, LinkedIn
Mukul Khullar is a security researcher with over 9 years of industry experience, primarily focused on application security and penetration testing. At LinkedIn, Mukul holds the Staff Security Engineer title, and is responsible for identifying vulnerabilities and security design flaws...


Thursday January 24, 2019 2:00pm - 2:50pm
Club Room

2:00pm

Contact Center Authentication
You've built login for your application—maybe you even have 2FA—but what happens when a customer calls the support number listed on your website or product?

Security teams and app developers have thought a lot about online authentication, but we haven't applied the same rigor to designing systems for authenticating over the phone. At Twilio, product and engineering teams have spent the last year thinking about this problem and how to make the experience better for both the customer and the call center agent. In that time, I've called dozens of contact centers to learn about how everyone from startups to Fortune 50 companies attempt to identify and authenticate the end user. This talk will take a look at that research and outline best practices you can use in your own call centers. You'll leave the session understanding what information should be made available to the agent and what kind of product features you can build into your web or mobile application that can facilitate phone authentication.

Speakers
Kelley Robinson
Developer & Security Advocate, Twilio
Kelley works on the Account Security team at Twilio, helping developers manage and secure customer identity in their software applications. Previously she worked in a variety of API platform and data engineering roles at startups in San Francisco. She believes in making technical...


Thursday January 24, 2019 2:00pm - 2:50pm
Terrace Lounge

2:30pm

Career Fair
Are you a job seeker looking for opportunities and career advice to further your cyber security career? Whether you are a seasoned pro, or transitioning military personnel and students seeking a challenging information security career, this is the right place for you to be.
Many companies will be setting up shop January 24, 2019 2:30 – 4:30 pm in the guest house garden to collect resumes and talk with candidates.

Thursday January 24, 2019 2:30pm - 4:30pm
Annenberg Community Beach House 415 Pacific Coast Hwy, Santa Monica, CA 90402, USA

3:00pm

Pose a Threat: How Perceptual Analysis Helps Bug Hunters
Every picture I take, I pose a threat. By picture, I mean screenshot. By threat I mean attacker. What if there was a way to find more exposures without exactly knowing what we’re looking for? OWASP DirBuster had the right idea but was missing the power of perceptual analysis.

This talk is full of dirty tricks to optimize the hunt for security exposures. Unlimited storage, scalable serverless infrastructure, and machine learning powered by collaborative filtering will enable us to usher in a new age of visibility into our attack surface. Around the world, bug hunters are leveraging OSINT techniques (e.g. using OWASP Amass) to find security vulnerabilities for organizations. However, they need better ways to perform analysis at scale. Traditional scanners require in-depth knowledge of each issue in order to write a signature. All we need with this new approach is a target, a path, and as output we will get potential exposures. Do this properly at scale and you have effectively taken what would be millions of results to review and filtered it to thousands of likely vulnerable candidates.

Come watch the revolution unfold with new ways to:
* Distribute requests to targets and paths using scalable serverless infrastructure
* Screenshot results with unlimited storage and organize them by visual similarity
* Automate identification of more exposures more quickly using collaborative filtering

Focus these techniques on identifying RCEs and you now have a formidable weapon. In conclusion, this approach can be used for a variety of analysis use cases. Penetration testers, bug bounty, SOC analysts, threat researchers, vulnerability scan jockeys, will all benefit from this next generation approach.

Speakers
Rob Ragan
Partner, Bishop Fox
Rob Ragan is a Partner at Bishop Fox, a security consulting firm providing services to the Fortune 500, global financial institutions, and high-tech startups. Rob focuses on client solutions and relationships; he also oversees red teaming and continuous security automation development...
Oscar “One Line Man” Salazar
Managing Security Associate, Bishop Fox
Oscar Salazar is a Principal at Bishop Fox, a security consulting firm providing services to the Fortune 500, global financial institutions, and high-tech startups. In this role, he focuses on continuous security assessment, red teaming, application penetration testing, source code...


Thursday January 24, 2019 3:00pm - 3:50pm
Club Room

3:00pm

(in)Secure Development - Why some product teams are great and others … aren’t...
In this presentation, Koen will share his experiences with Product Teams at Riot Games and how those teams do or do not take security into consideration. Every product team is unique; but they all behave in similar security patterns, and care about security in predictable ways. Using metrics of our Bug Bounty program and security review process, we’ll dissect the impact that team culture and process have on the security posture of a product. The framework that we’ve created allows you to quickly see what makes a good team good, and how other teams can improve. Taking into account how agile organisations want to operate, we will look at some tools you can introduce into your product teams to help raise the security bar.

Speakers
Koen Hendrix
Development Manager - InfoSec, Riot Games
Koen has worked as a Development Manager at Riot Games for almost 5 years. During that time he has acted in that capacity with almost every security team at some point. Throughout his time at Riot, Koen has been closely involved with the Application Security team, and focused on integrating...


Thursday January 24, 2019 3:00pm - 3:50pm
Terrace Lounge

3:00pm

A​ Pragmatic Approach for Internal Security Partnerships
Why do we have such a hard time getting engineering teams to care about vulnerabilities? How is it that we are fixing lots of vulnerabilities, yet are still falling ever further behind on the actual risks? These questions both have the same answer, but getting to it requires empathy, trust, courage, and a giant step back from our day-to-day approach to security.

In this talk we will share our experiences about creating proactive partnerships with engineering and product teams. From the ways we have seen this fail to recent success stories, we will illustrate specific practices that help developers and security teams focus and align on a shared view of risk, rather than a laundry list of vulnerabilities: the leverage that comes from enabling rather than gating, automating for visibility and action to manage scale, threat modeling across organizations rather than individual applications, and the particulars of how we get big security features onto busy product teams' roadmaps.

Speakers
Scott Behrens
Senior Application Security Engineer, Netflix
Information security engineer with a focus on helping organizations enable their business's success. Extensive experience in application security, penetration testing, and security automation at scale. Researcher and publisher of multiple articles discussing social media, code obfuscation...
Esha Kanekar
Senior Technical Program Manager, Security, Netflix
Responsible for leading and delivering the full life cycle of projects, which includes conducting risk assessments, gap analysis based on security assessments and providing remediation road maps to organizations. Security professional with experience and background in manual penetration...


Thursday January 24, 2019 3:00pm - 3:50pm
Sand and Sea Room

3:00pm

Leveraging user engagement to improve account security
In this day and age, where companies disclose security breaches almost daily, protecting users' data can become a daunting task. Users tend to use the same credentials across different applications and platforms, so a third-party data breach can end up affecting some of your own users. In this session, we will explore the different techniques we use to make data from these breaches yet another tool in our account security toolset. As prevention is never 100%, we take a defense-in-depth approach when it comes to securing users' accounts.

We will go over:
(i) how we use this data to prevent users from using weak passwords
(ii) how we correlate this data with other signals to improve the efficiency and quality of our detection and protection rules
(iii) how we leverage user engagement, and upsell users to migrate to a better, more secure state

Speakers
Amine Kamel
Head of Security, Pinterest
Amine Kamel is a leading security technologist. As Head of Security at Pinterest, he is responsible for overseeing all security projects, strategy, and roadmap. He was instrumental in building Pinterest’s security engineering team and led major initiatives spread across different...


Thursday January 24, 2019 3:00pm - 3:50pm
Garden Terrace Room

3:50pm

Break and Vendor Expo
Thursday January 24, 2019 3:50pm - 4:20pm
Annenberg Community Beach House 415 Pacific Coast Hwy, Santa Monica, CA 90402, USA

4:20pm

How to Start a Cyber War: Lessons from Brussels-EU Cyber Warfare Exercises
Nation-state offensive digital attacks are on the rise, especially considering the news headlines. But what is cyber warfare, and what’s realistic? Come on a journey into a twisted but realistic game scenario with real-world implications. What decisions would you make considering the tools at your disposal? Embassy insider threats, leaked intel agency data and tools, hacking back the wrong system, all the way up to causing mass casualties on internet-connected mass transit. Who are your diplomatic “friends” and who can you trust? This presentation gives participants a (sanitised) peek behind the diplomatic curtain, revealing some of the challenges, decisions and tools at their disposal: what US allies are preparing for and what they expect, how your organisation can use similar techniques such as cooperating with peers against market-wide attacks and scrutinising data before attribution, and how computer emergency response teams can help. Studying the outcome, what can be done to improve the situation?

Speakers
Christina Kubecka
CEO, HypaSec
Chris Kubecka is a Security Researcher and CEO of HypaSec. Formerly, she set up several security groups for Saudi Aramco’s affiliates after the Shamoon 1 attacks, implementing and leading the Security Operations Centre, Network Operation Centre, Joint International Intelligence Group...


Thursday January 24, 2019 4:20pm - 5:10pm
Sand and Sea Room

4:20pm

Offensive Threat Models Against the Supply Chain
Threat models are often used by security champions to discover flaws in application environments. Many threat models are built through a defensive lens, foregoing realistic attack patterns that reflect adversarial goals and instead using a limited, non-mutable threat category.

This talk will focus on applying a more adversarial threat model to supply chain systems that are integrated into client environments. Supply chain software is highly attractive to cybercriminals because it is implicitly trusted by many of the vendor's respective client infrastructures. Threat actors in this area include nation states, competing corporations, and private hacker syndicates. Emulating realistic offensive attack patterns in threat models yields better results for defensive measures by providing attack patterns that are more realistic based upon criminal cyber trends.

Goals for this talk will be as follows:
- View a sample threat library for Supply Chain threat models
- Understand threat sources that substantiate these types of threat models
- Exemplify the threat model against real-world MNCs (one or two will be exemplified)
- Build a sample attack tree to blueprint exploit development and testing
- Understand how an operationalized attack tree yields granular countermeasure development and more specific risk reduction measures for the application
- See how such an exercise can bolster other activities in a security program (vendor risk management, legal/ procurement, etc.) in order to shore up supply chain risks associated with a given threat model.

Speakers
Tony UcedaVelez
CEO, VerSprite


Thursday January 24, 2019 4:20pm - 5:10pm
Terrace Lounge

4:20pm

Browser fingerprints for a more secure web
Browser fingerprints can be used to invade users' privacy by tracking them across websites. But they can also be used to protect users against account takeovers. At Salesforce, we have successfully deployed browser fingerprints to detect session roaming. We have built a machine learning model to detect anomalies in changes to the browser and device configuration. This model has successfully detected actual session takeovers. This talk will explain how browser fingerprints can be used, how to collect data in the background and how to model unusual changes.

Speakers
Julien Sobrier
Lead Security Product Owner, Salesforce
Julien Sobrier has spent 10+ years in the security industry, as a Security Researcher at Netscreen/Juniper and Zscaler, then Product Manager at Zscaler and now Product Security Owner at Salesforce. He is co-author of Power Security Tools (O'Reilly) and has released many browser security...
Ping Yan
Research Scientist, Salesforce
Ping spent a decade innovating ways of making sense of data in various domains, from consumer behavior modeling to algorithmic security threat detection. Her work has been published as journal articles, monographs and books. Ping has a Ph.D. in Management Information Systems from the...


Thursday January 24, 2019 4:20pm - 5:10pm
Club Room

4:20pm

The Call is Coming From Inside the House: Lessons in Securing Internal Apps
Locking down internal apps presents unique and frustrating challenges for appsec teams. Your organization may have dozens if not hundreds of sensitive internal tools, dashboards, control panels, etc., running on heterogeneous technical stacks with varying levels of code quality, technical debt, external dependencies, and maintenance commitments. How do you tackle this problem scalably with limited resources?

Come hear a dramatic and humorous tale of internal appsec and the technical and management lessons we learned along the way. Even if your focus is on securing external apps, this talk will be relevant for you. You’ll hear about what worked well for us and what didn’t, including:
- Finding a useful mental model to organize your roadmap
- Starting with the basics: authn/z, TLS, etc.
- Rolling out Content Security Policy
- Using SameSite cookies as a powerful entry point regulation mechanism
- Leveraging WAFs for useful detection and response
- Using internal apps as a training ground for new security engineers

Speakers
Hongyi Hu
Security Engineer, Dropbox
Hongyi Hu is a security engineer at Dropbox, where he leads the Application Security team and frequently advises the Product and Privacy Counsel teams. He is passionate about solving problems where technology, people, and public policy intersect. Previously, he was a member of the...


Thursday January 24, 2019 4:20pm - 5:10pm
Garden Terrace Room

5:20pm

Closing Keynote
Speakers
Bryan Payne
Director of Engineering, Product & Application Security, Netflix
I am currently leading the Product & Application Security organization at Netflix. We are paving the road for security best practices in large-scale cloud applications. We help keep Netflix secure by creating and running critical security services, consulting on security design, and...


Thursday January 24, 2019 5:20pm - 6:10pm
Sand and Sea Room

6:10pm

Closing remarks
Thursday January 24, 2019 6:10pm - 6:20pm
Sand and Sea Room

6:20pm

Opening Reception
A great outdoor Opening Reception will commence on January 24th on the beautiful decks of the historic Annenberg pool area next to the Vendor Expo, as conference goers network, drink, and eat as they listen to the waves and make new friends under the stars.

Thursday January 24, 2019 6:20pm - 9:00pm
Pool
 
Friday, January 25
 

7:30am

Registration, Breakfast, and Vendor Expo
Friday January 25, 2019 7:30am - 8:30am
Annenberg Community Beach House 415 Pacific Coast Hwy, Santa Monica, CA 90402, USA

8:30am

Welcome Address
Speakers
Richard Greenberg
Global Board of Directors-Elect, OWASP
Richard Greenberg, CISSP, Chair of AppSec California, is the President of both the OWASP and ISSA Los Angeles Chapters and is the Information Security Officer for the Los Angeles County Department of Public Health. He brings over 25 years of management experience and has been a strategic...


Friday January 25, 2019 8:30am - 8:35am
Sand and Sea Room

8:35am

Diamond Sponsor Greetings
Friday January 25, 2019 8:35am - 8:40am
Sand and Sea Room

8:40am

Opening Keynote
Speakers
Fredrick “Flee” Lee
Head Of Information Security, Square
Fredrick “Flee” Lee is the head of information security at Square. Fredrick has a history of solving security problems for a range of organizations all the way from large enterprises (Bank of America) to small startups (Twilio) and building and leading global security teams...


Friday January 25, 2019 8:40am - 9:30am
Sand and Sea Room

9:40am

Lightning Talk: Endpoint Finder - A static analysis tool to find web endpoints
JavaScript files contain an increasing amount of information about server endpoints. Existing tools use regex search patterns to extract this information statically. This kind of approach has several limitations. With static code analysis, we can get more accurate results with fewer false positives. This talk will cover how to use static code analysis to achieve this goal.

Endpoint Finder is a tool that extracts endpoint URLs from JavaScript files. It also provides information about the method and the parameters of each endpoint. The tool is available as a plugin for Burp and ZAP.

Speakers
Olivier Arteau
Security Advisor, Desjardins
Olivier Arteau is a security advisor at the financial cooperative Desjardins. He was a web developer during his early days and later transitioned into the security field. He has an undergraduate degree from Ecole de Technologie Superieure, a Canadian university. In the last few years...


Friday January 25, 2019 9:40am - 10:00am
Terrace Lounge

9:40am

Lightning Talk: Node.js and NPM ecosystem: what are the security stakes?
NPM and the Node.js ecosystem have vastly changed the way modern software is built. Today, everyone uses these tools. The real question is: "how is security handled in that ecosystem?"

Vladimir is one of the key individuals in this ecosystem and will detail the security initiatives and processes of the Node.js project. He will also go through recent security reports of Node.js and the ecosystem (including ESLint) to present what measures have been taken in reaction to them.

Speakers
Vladimir de Turckheim
Software Engineer, Sqreen
Vladimir works as a software engineer at Sqreen where he builds a tool to secure web applications. He used to be a professional security auditor and a web developer in agencies. He is one of the most active members of the Node.js Security Working Group where he handles the security...


Friday January 25, 2019 9:40am - 10:00am
Club Room

9:40am

Slack App Security: Securing your Workspaces from a Bot Uprising
Slack’s developer platform has some powerful functionality that allows you to customize your org’s workflow. But with great power comes great responsibility. While Slack has a robust security posture, do you suffer from insomnia pondering the security aspects of third-party apps? Are coworkers pleading with you to install Slack apps with scopes that frighten you? Join Kelly and Nikki as we walk through the history of the Slack app directory, the unique security problems surrounding it, and what Slack’s doing to make it easier for you and all our users to sleep at night.

Speakers
Kelly Ann
Security Engineer, Slack
Kelly Ann is a security engineer on the Product Security team at Slack, where she works on security assessments of Slack features, as well as educational materials for security best practices for developers. Before joining Slack, Kelly was a penetration tester at NCC Group, and she...
Nikki Brandt
Senior Security Engineer, Slack
Nikki Brandt is a Senior Security Engineer on the Product Security team at Slack, where she currently leads the SDL process, and performs internal security assessments of the platform. Before joining Slack, Nikki was a senior security consultant at Matasano, and a security engineer...


Friday January 25, 2019 9:40am - 10:00am
Sand and Sea Room

9:40am

Lightning Talk: Usable Security Tooling - Creating Accessible Security Testing with ZAP
Introducing security testing tools into a QA or developer workflow can be difficult when the tools aren't easy or intuitive to use. Even for security professionals, the friction of cumbersome security tooling can prevent them from getting the most from a tool or being effective with their time.

This talk focuses on a new development for the OWASP ZAP project, the Heads Up Display, and how it can enable developers and security professionals alike to get the most out of the attack proxy. By coupling ZAP more closely to the browser and presenting a new UI, we can enable new ways to interact with and extend ZAP that will make it more intuitive to use. The talk will cover the motivation behind the project, the browser technologies that power it, and how you can start using it.

Speakers
David Scrobonia
Security Engineer, Segment
David Scrobonia is a part of the AppSec team at Segment working to secure modern web apps and AWS infrastructure. He has contributed to the OWASP AppSensor project and has more recently been contributing to the OWASP ZAP project as a member of the ZAP Core Team.


Friday January 25, 2019 9:40am - 10:05am
Garden Terrace Room

10:00am

CTF / Challenge Room
Friday January 25, 2019 10:00am - 4:10pm
Marion Davies Guest House

10:10am

Break and Vendor Expo
Friday January 25, 2019 10:10am - 10:45am
Annenberg Community Beach House 415 Pacific Coast Hwy, Santa Monica, CA 90402, USA

10:45am

BoMs Away - Why Everyone Should Have a BoM
The benefits of using third-party and open source components are often negated by the inherent risks that come with them. Systematically reducing risk while allowing the benefits to prevail can be challenging. Organizations often rely on methods of identification that provide instant gratification, but fall short on delivering a simple, coherent strategy for long-term risk identification and remediation. This session will cover current best practices, explore how they will evolve over time, and provide concrete examples attendees can put into practice with minimal effort. Demonstrations will cover the creation of software bill-of-material (S-BoM) documents from a polyglot build environment, using OWASP Dependency-Track to automatically identify outdated and vulnerable components, and how organizations can automate their response to specific types of security events. Advanced topics of discussion will include current and emerging standards as well as government initiatives that may shape the view of the status quo.

Speakers
Steve Springett
Senior Security Architect, ServiceNow
Steve educates teams on the strategy and specifics of developing secure software. He practices security at every stage of the development lifecycle by leading sessions on threat modeling, secure architecture and design, static/dynamic/component analysis, offensive research, and defensive...


Friday January 25, 2019 10:45am - 11:35am
Terrace Lounge

10:45am

It depends....
From the time we choose to rise each morning, to the time we finally rest our heads, almost every decision made in our daily lives depends on something. When we understand these dependencies, we are better equipped to control our responses. Managing vulnerability response is no different. In fact, the quality of a response correlates closely to the degree to which dependencies are known and understood. This is especially clear when managing the response for third-party components. As developers incorporate more and more open source and commercial third-party components into their products, the complexity of these dependencies continues to increase, threatening the ability of a PSIRT to provide quality vulnerability response. A framework for managing dependencies (and their dependencies!) is critical to enabling developers to understand the downstream impact of decisions (made upstream) on a PSIRT. A framework opens the door for PSIRTs to shape the decisions that are made around third-party components much earlier in the product lifecycle. By driving a dialogue through dedicated PSIRT controls upstream, we lay the foundation for a PSIRT response that truly shifts from reactive to proactive. In this talk, come and learn about the framework that Dell EMC has used with good success!

Speakers

Kristen Pascale

Principal, Technical Program Manager, Dell EMC
Kristen Pascale has worked as part of the Dell Product Security Incident Response Team (Dell PSIRT) for over 6 and a half years. While Kristen’s time at Dell EMC has been primarily focused on handling and responding to vulnerabilities in third party software, she has also been involved...

Tania Ward

Consultant Program Manager, Dell
Tania Ward has worked as a program manager within the Dell Product Security Incident Response Team for just under 6 years. In that time, she revamped the vulnerability response program, instituted company-wide KPIs and participated in a number of FIRST initiatives. Tania is from Northern...


Friday January 25, 2019 10:45am - 11:35am
Garden Terrace Room

10:45am

The Art of Vulnerability Management
“I am just going to ignore these tickets until they go away”
“These security tickets are ruining my product roadmap”
“This is the most obscure corner case of security, this can never happen in real life”
“Yes, I’ll fix this in……...2022”

We have all heard these things from engineering teams when it comes to vulnerability management (or mismanagement). And on the other hand, the security teams continually feel that engineers don’t listen to them or don’t care about security.

How do we get away from this adversarial relationship and collaborate on vulnerabilities to make real progress?
How do we drive a sense of urgency and ownership of security so it becomes everyone’s responsibility?
How do we bring a great customer experience to everyone involved in the vulnerability management process?

This talk is our story of how we transformed our vulnerability management process from a nuisance or an invisible process to a collaborative process that drives accountability and transparency.

To shift the mindset of how vulnerability management was perceived, we sought to engage with the people who interact with the program the most. In the initial investigation we conducted interviews with Security Champions, Engineering Teams, Release Management, Engineering Leadership, Security Engineers and Compliance. It was important to understand our users’ perspective so that we could change the conversation around vulnerability management towards a more decentralized model. From the moment a vulnerability is opened (whether from an automated tool or a human), there are a lot of decisions to be made. In this talk, we will discuss the parameters we put in place to set up every hand-off in a bug’s life. Whether it’s using CVSS v3 scoring to help prioritize vulns, recommending due dates, allowing engineers to scope the work and propose a due date, or how tickets are even acknowledged, you will learn the best practices that we have found successful in building out a strong, yet ever maturing, vulnerability management program. Furthermore, we will share screenshots and demo the life of a vulnerability managed in our Jira Kanban boards from both the security team’s and engineering team’s perspective, which support a self-service model. When you decentralize and empower engineers to make decisions in the workflow, you have enabled them to take ownership of security.

With decision-making authority also comes accountability. This is one area that we were really passionate about, to ensure there is accountability for decisions made and visibility across the management chain. We defined key metrics that leadership cares about and that are also important to the success of the security strategy. While the metrics showed long term trends, we figured out effective ways of tactically managing escalations and driving ownership through real time dashboards. In the talk, we will share the specific metrics and charts that we reported on and also the various forums (meetings) that we set up with stakeholders up and down the hierarchy, which helped us drive day to day execution on vulnerability remediation.

To summarize, in this talk we will discuss the pain points that most organizations face in getting traction on vulnerability remediation, how we decided to tackle the challenge, the solution we built and how we drove accountability to improve metrics. We will talk about the key decisions we made that the audience can relate to and use to improve their own vulnerability management program. Finally, we will show templates of our Jira boards, metrics and charts that helped in measuring the success of the program.

Speakers

Alexandra Nassar

Senior Technical Program Manager, Medallia
Alexandra works at Medallia, a customer experience management software company, as a Sr. Technical Program Manager supporting the security organization. She started her career as a project coordinator in the Dietary Supplement industry and made a big jump to software development...

Harshil Parikh

Director of Security, Medallia
Harshil Parikh leads the security team at Medallia, Inc. He is currently helping democratize security within Medallia for functions like Secure Product Development Lifecycle, DevSecOps, Monitoring & IR.


Friday January 25, 2019 10:45am - 11:35am
Sand and Sea Room

10:45am

Cyber Insurance: A Primer for Infosec
The market for cyber insurance is expected to reach $14 Billion by 2022. Many companies, large and small, have purchased insurance or are in the process of evaluating it. Technical information security professionals are being asked to participate in this process with little to no background information on how the commercial insurance industry works, what these policies cover, and more specifically how the cyber insurance market works. Many insurance carriers are entering the marketplace, but what are they really covering? How do they underwrite this risk, and are they pricing this risk correctly? What datasets are they using, and how could they better understand, price and write this risk? This talk will explore the commercial insurance industry as a whole and review specific cyber insurance policies, their coverages, policy limits and exclusions.

Speakers

Nicole Becher

Director of Information Security & Risk Management, S&P Global Platts
Nicole Becher is currently the Director of Information Security & Risk Management at S&P Global Platts. She has been in the cybersecurity space for over ten years working mostly in offensive security capacities. She has led penetration testing and red teams, forensics and incident...


Friday January 25, 2019 10:45am - 11:35am
Club Room

11:45am

An Attacker's View of Serverless and GraphQL Apps
Serverless Technology (Functions as a Service) is fast becoming the next "big thing" in the world of distributed applications. Organizations are investing a great deal of resources in this technology as a force-multiplier, cost-saver and ops-simplification cure-all. Especially with widespread support from cloud vendors, this technology is only going to become more influential. However, like everything else, Serverless apps are subject to a wide variety of attack possibilities, ranging from attacks against access control tech like Function Event Injection and JWTs, to NoSQL Injection, to exploits against the apps themselves (deserialization, etc.) escalating privileges to other cloud components.

On the other hand, GraphQL (API Query Language) is the natural companion to serverless apps, where traditional REST APIs are replaced with GraphQL to provide greater flexibility, greater query parameterization and speed. GraphQL is slowly reducing the need to develop REST APIs at all. Combined with Serverless tech and Reactive Front-end frameworks, GraphQL is very powerful for distributed apps. However, GraphQL can be abused with a variety of attacks including, but not limited to, Injection Attacks, Nested Resource Exhaustion attacks and Authorization Flaws, among others.

This talk presents a red-team perspective of the various ways in which testers can discover and exploit serverless and/or GraphQL driven applications to compromise sensitive information, and gain a deeper foothold into database services, IAM services and other cloud components. The talk will include demos of practical attacks and attack possibilities against Serverless and GraphQL applications.

Speakers

Abhay Bhargav

CTO, we45
Abhay Bhargav is the Founder of we45, a focused Application Security Company. Abhay is a builder and breaker of applications. He is the Chief Architect of “Orchestron”, a leading Application Vulnerability Correlation and Orchestration Framework. He has created some pioneering works...


Friday January 25, 2019 11:45am - 12:35pm
Garden Terrace Room

11:45am

Game On! Adding Privacy to Threat Modeling
The Elevation of Privilege card game was designed for threat modeling based on STRIDE threats, and has since become a widely-deployed tool for security and development teams. One of its many feats is to bridge the knowledge gap between development and security when analyzing a software system, allowing for a structured conversation with intensive knowledge sharing. This is achieved by leveraging elements of game design, allowing for reciprocity and better engagement. These feats make it an ideal candidate to help with other closely related areas where developers need to cooperate with departments like compliance, legal, or privacy. Looking specifically at privacy, due to its obvious relevance recently, this presentation will show an extension of the Elevation of Privilege card game that LogMeIn has adopted to meet its privacy by design requirements. It will show the research that helped define the cards of the suit and give a quick overview of the individual cards. By the end of the talk, practitioners will have a new toolset to include in their security and privacy processes. Furthermore, interested listeners will hear methods for designing extensions to already available games, allowing them to incorporate topics they feel are necessary for their work practices into fun exercises.

Speakers

Mark Vinkovits

Manager, AppSec, LogMeIn
Mark studied computer science and information security and did his PhD on usable and secure computing. He has worked as a software, security, and privacy engineer over the past decade, his current position being Mgr. of AppSec at LogMeIn. Since his research in user centered computing, he...


Friday January 25, 2019 11:45am - 12:35pm
Sand and Sea Room

11:45am

Preventing Mobile App and API Abuse
Think a good user authentication solution is enough protection? Think again. Follow the ShipFast courier service’s evolving mobile app and API security approach as it beats back malicious ShipRaider.

As ShipFast launches its mobile app with hidden API keys and OAuth2 user authorization, we'll start discussing the existing security threats and how to counter them. Along the way, TLS, certificate pinning, HMAC call signing, app hardening, white box crypto, app attestation and more will strengthen ShipFast's security posture, but ShipRaider will be working hard trying man in the middle attacks, app decompilation and debugging, exploit frameworks, and other reverse engineering techniques to keep exploiting ShipFast's API. This fast-paced overview of mobile attacks and counter-measures demonstrates the defense in-depth techniques required to protect both your mobile apps and your API backends.

You'll walk away with access to fully worked open source examples and some additional homework assignments if you want to go deeper.

Speakers

Skip Hovsmith

Principal Engineer, CriticalBlue
Skip Hovsmith is a Principal Engineer and VP Americas for CriticalBlue, working on securing API usage between mobile apps and backend services. Previously, Skip consulted with CriticalBlue customers on accelerating mobile and embedded software running on multicore and custom coprocessor...


Friday January 25, 2019 11:45am - 12:35pm
Club Room

11:45am

Securing Third Party Applications at Scale
Third party applications can pose a significant risk to a company. You are forced to trust the maintainer with sensitive data and access to internal networks. As a company scales, managing security across a fleet of third party applications becomes difficult. Salesforce has reviewed over 4000 applications in the process of securing all apps listed on our AppExchange. Participants will learn the best practices around tooling, processes, and manual reviews that work at Salesforce. These practices have prevented thousands of vulnerabilities from reaching victims, and are flexible enough to mature as the threat landscape changes (goodbye TLS 1.0, hello credential stuffing). Through a combination of automation, manual review, and well defined processes, you can drive down risk for your company.

Speakers

Ryan Flood

Manager, ProdSec, Salesforce
Ryan Flood is a manager of product security at Salesforce and oversees the AppExchange security review process. Using the lessons he learned as a security reviewer within the AppExchange security process, he has made security education a top priority. Through his talks at Salesforce...

Prashanth Kannan

Product Security Engineer, Salesforce
Prashanth Kannan is currently a Product Security Engineer at Salesforce. He is currently security engineer for Health Cloud and Financial Services Cloud, and does AppExchange security reviews. Prior to this, he did his masters at Johns Hopkins University and worked as a developer in M...


Friday January 25, 2019 11:45am - 12:35pm
Terrace Lounge

12:35pm

Lunch and Vendor Expo
Friday January 25, 2019 12:35pm - 2:00pm
Annenberg Community Beach House 415 Pacific Coast Hwy, Santa Monica, CA 90402, USA

2:00pm

Authorization in the Micro Services world with Kubernetes, ISTIO and Open Policy Agent
Micro Services enable developers to break down a monolithic application into smaller, more manageable services. This is accelerated by Cloud Native platforms such as Kubernetes and ISTIO. However, the challenge of enforcing finer grained authorization at the API level has become even more complicated. Earlier, the API Gateway used to be a monolithic gateway that could enforce authorization policy. Now that services are being built on different platforms and deployed at a faster pace, the single monolithic gateway approach is not scalable without architectural changes. Open Policy Agent is one option that provides the programmatic flexibility to enforce authorization at the endpoint or at the data level while still maintaining interoperability using OAuth.

In this talk we will explore how Open Policy Agent can be used to enforce fine grained authorization programmatically and be integrated with ISTIO. We will also examine how Kubernetes as a platform has made it possible to enforce programmatic finer grained authorization that is external to the Kubernetes infrastructure. Attendees will walk away with an understanding of the challenges of enforcing authorization in the Micro Services world and how OPA can help achieve fine grained authorization for your Micro Services in the Kubernetes/ISTIO world. Attendees will also learn how to use OPA to enforce authorization policies for the Kubernetes API.

Speakers

Sitaraman Lakshminarayanan

Senior Security Architect, Pure Storage
Sitaraman Lakshminarayanan is a Sr Security Architect at Pure Storage focused on Cloud and Platform Security and Operations. He has over 20 years of experience in building security within applications and platforms. He is the author of Web Services Security using Oracle Web Services...


Friday January 25, 2019 2:00pm - 2:50pm
Club Room

2:00pm

Lessons Learned from the DevSecOps Trenches (Panel)
The adoption of agile development practices and DevOps has enabled companies to iterate more quickly, allowing them to be more responsive to customer needs and deliver features in a fraction of the time. While this rapid release cycle has a number of benefits for the engineering team, it can tax already time- and person-limited security teams, who are usually outnumbered by engineers 100:1 or more.

To keep up with growing engineering teams and the rapid pace of development, security teams have begun investing heavily in tools, processes, and policies that more efficiently and effectively amplify their efforts.

Join us for a candid panel discussion of how several companies have worked to scale their AppSec program, including senior security team members from Dropbox, Netflix, Datadog, DocuSign, and Signal Sciences.

We’ll discuss a number of relevant topics, including:
* What are some initial, high ROI minimal security engineering efforts that are valuable to pursue first?
* Which security tools, processes, or libraries have been the biggest wins at your company?
* What are three things you’d do in any organization you join?
* What are three spectacular failures you’ve had?

Attendees will leave with specific, practical and actionable lessons they can apply immediately to their organizations. We’ll leave extra time for questions at the end to ensure we answer the audience’s most pressing needs.

Moderators

Clint Gibler

Senior Security Consultant, NCC Group
Dr. Clint Gibler is a senior security consultant and research director at NCC Group, a global information assurance specialist providing organizations with security consulting services. By day, he performs penetration tests of web applications, mobile apps, and networks for companies...

Speakers

Devdatta Akhawee

Director of Security Engineering, Dropbox
Devdatta heads the Product Safety Organization at Dropbox. Before that, he received a PhD in Computer Science from UC Berkeley. His graduate research focused on browser and web application security, during which time he also collaborated with the Firefox and Chrome teams. He is a...

Scott Behrens

Senior Application Security Engineer, Netflix
Information security engineer with a focus on helping organizations enable their business's success. Extensive experience in application security, penetration testing, and security automation at scale. Researcher and publisher of multiple articles discussing social media, code obfuscation...

Doug DePerry

Director, Product Security, Datadog
Doug DePerry is the Director of Product Security for Datadog. Prior to his current position, Doug led the bug bounty program at Yahoo. Much of his 10+ years of experience in the security industry is on the offensive side, as a security researcher and consultant at Leaf SR and iSec...

Divya Dwarakanath

Security Engineering Manager, Snap
Divya leads the Application Security team at Snap, focusing on developing frameworks and tools to prevent vulnerabilities, assessing the security of products and educating developers. Prior to Snap, Divya has worked as a security consultant and software engineer.

John Heasman

Deputy CISO, DocuSign
John Heasman is the Deputy CISO at DocuSign, focused on proactive approaches to securing software. Prior to DocuSign, he spent 10 years working as a consultant for the NCC Group. John has released numerous security advisories in widely used software and has presented original research...


Friday January 25, 2019 2:00pm - 2:50pm
Sand and Sea Room

2:00pm

Detecting Credential Compromise in AWS
Credential compromise in the cloud is not a threat that only one company faces; rather, it is a widespread concern as more and more companies operate in the cloud. Credential compromise can lead to many different outcomes depending on the motive of the attacker who compromised the credentials. In some past cases it has led to erroneous AWS service usage for bitcoin mining or other non-destructive yet costly abuse, and in others it has led to companies shutting down due to the loss of data and infrastructure.

This presentation describes an approach for detection of compromised credentials in AWS without needing to know all IPs in your infrastructure beforehand.

Speakers

Will Bengtson

Senior Security Engineer, Netflix
Will Bengtson is a senior security engineer at Netflix focused on security operations and tooling. Prior to Netflix, Bengtson led security at a healthcare data analytics startup, consulted across various industries in the private sector, and spent many years in the Department of Defense...


Friday January 25, 2019 2:00pm - 2:50pm
Garden Terrace Room

2:00pm

On the Frontlines: Securing a Major Cryptocurrency Exchange
The high transaction speed, lack of traceability, and multi-national nature of cryptocurrencies make them prime targets for small-time thieves and well-financed attackers alike. As such, cryptocurrency exchanges continually face a barrage of website/API attacks, sophisticated takeover attacks of their customers' accounts, malicious code embedded in 3rd-party software components, and security attacks on the underlying cryptocurrencies. This presentation discusses these attacks and the novel defenses that exchanges are implementing.

Speakers

Neil Smithline

Security Architect, Circle
Neil has been focused on application security for the past 20 years, working at numerous companies including BEA Systems/Weblogic and Autodesk. He currently is the security architect for Poloniex/Circle, a major cryptocurrency exchange. Neil is co-leader of the OWASP Top-10.


Friday January 25, 2019 2:00pm - 2:50pm
Terrace Lounge

3:00pm

Closing Keynote
Speakers

Jim Manico

Founder and Lead Trainer, Manicode Security
Jim Manico is the founder of Manicode Security, where he trains software developers on secure coding and security engineering. He is also a founding investor/advisor for Signal Sciences and BitDiscovery. Jim is also a frequent speaker on secure software practices, is a member of the...


Friday January 25, 2019 3:00pm - 3:50pm
Sand and Sea Room

3:50pm

Raffle Drawings
Friday January 25, 2019 3:50pm - 4:30pm
Sand and Sea Room