Monday, January 26
 

8:30am

Training: Enterprise Incident Response


Incident Response is a multidisciplinary approach to understanding the methodologies, techniques, and tools for both offensive and defensive security. This course introduces a tactical approach to instrumenting, alerting, and responding for enterprises. Using a combination of new tools and uncommon techniques, students will learn how to defend a network against today’s evolving threats. Real world attacks concentrate heavily on a number of methodologies, including: compromising systems without depending upon standard exploits, Personal Security Product (PSP) evasion, unique stealth approaches, persistence mechanisms, and varying degrees of collection strategies. Attendees will learn how real attackers use these strategies and how to detect, alert, respond, and defend against these techniques.

Students will learn:

  1. How to manipulate enterprise tools and infrastructures in unusual ways for better security
  2. Build and employ custom logging tools for detecting lateral movement, persistence mechanisms, data targeting, and exfiltration
  3. How to provide actionable data to help decision makers
  4. Properly defend against and respond to incidents on a network
  5. Offensive mindset for defensive purposes

The following items are the topic areas that will be covered in the class:

  1. Real offensive mindsets, not penetration testing mindsets, for enterprise response
  2. Proper response mechanisms and communication
  3. Host and network indicator extraction for enterprise results
  4. Quickly gather and identify data for incident use
  5. Host logging and auditing
  6. Leveraging active directory
  7. PCAP and network intelligence extraction
  8. Advanced host and file triage capabilities
  9. Host command and process monitoring across a host

Students will get the chance to work with real “APT” tools and see the unique differences between how they are used in real attacks vs the penetration testing tools used today. These differences will help students learn how to truly detect real adversaries. The labs will be interwoven into the lecture so that students will receive a significant amount of time exercising these new skills as they learn. By the end of the class students will have spent 50% of the time in a lab environment. A significant portion of the class will be dedicated to building new tools, on the fly, to solve the challenges posed by a difficult adversary. Questions can be sent to training@attackresearch.com.


Speakers

Russ Gideon

Director of Malware Research, Attack Research
Russ Gideon has many years of experience in information security, having fulfilled diverse roles from being a core component of an Incident Response operation to managing an effective Red Team. Russ excels at malware reverse engineering, which enables him to deeply understand how the attackers do what they do, as well as at high end Red Teaming where he has to penetrate sophisticated and well protected high value systems. Russ currently serves as...


Monday January 26, 2015 8:30am - 5:00pm
Annenberg Community Beach House: Track 2 415 Pacific Coast Hwy, Santa Monica, CA 90402

8:30am

Training: Iron-Clad Development : Building Secure Applications



The major cause of application insecurity is insecure software development practices. This highly intensive and interactive course provides essential application security training for web application, webservice and mobile software developers and architects.

This class is a combination of lecture, security testing demonstration and code review. Students will learn the most common threats against applications and how to defend against them in a variety of programming frameworks.

The following topics, and more, will be covered.

  1. HTTP Basics
  2. SQL and other Injection
  3. Authentication
  4. XSS Defense
  5. Content Spoofing
  6. HTML Hacking
  7. Access Control
  8. Cross Site Request Forgery
  9. Clickjacking
  10. Applied Crypto Basics
  11. Mobile Security
  12. SDLC Architecture
  13. App Layer Intrusion Detection
  14. Webservice Security
  15. HTML5 Security Considerations
  16. Multi-form Workflow Security Considerations

This course is built for the software developer, but any application security professional wishing to learn more about secure coding techniques will benefit.


Speakers

Jim Manico

Troll, The Internet
Jim Manico is an author and educator of developer security awareness trainings and has a 17 year history building software as a developer and architect. He is a frequent speaker on secure software practices and is a member of the JavaOne rockstar speaker community. Jim is also a Global Board Member for the OWASP foundation where he helps drive the strategic vision for the organization. He manages and participates in several OWASP projects...


Monday January 26, 2015 8:30am - 5:00pm
Annenberg Community Beach House: Track 1 415 Pacific Coast Hwy, Santa Monica, CA 90402

8:30am

Training: Risk Centric Threat Modeling & Metrics in the SDL

This training will walk through the 7 stages of the Process for Attack Simulation and Threat Analysis (PASTA), a risk centric approach to threat modeling that can be paralleled to SDL activities for developers, architects, system engineers, and (of course) security professionals. Students will begin by learning about threat modeling fundamentals that are agnostic to any methodology. Activities such as application deconstruction, data flow diagramming, enumeration exercises, use/ abuse case mapping will all be exemplified in the training. The key benefit will be in applying a risk centric approach to threat modeling via the PASTA approach which looks to identify the most likely attack vectors based upon harvesting threat intelligence sources and evaluating other factors such as deployments models, inherent industry threat agents/ motives, and overall application architecture. An outline of the training to be provided is included below:

I. Threat Modeling Intro & Primer
  A. Objectives & Approaches
  B. Threat Modeling Taxonomy & Syntax
  C. Tools & Techniques
  D. PASTA Methodology Overview
II. P1 – Define Business Objectives of Application Threat Model (Goal: Define Impact)
  A. Enumerate business objectives serving as application drivers
  B. Identify application data types (privacy implications)
  C. Identify regulatory impact/ landscape for application environment
  D. Identify SLAs associated with product app
III. P2. Define Technology Scope (Component Enum)
  A. Enum Application Frameworks leveraged by Framework
  B. Enum platform components (system OS, etc.)
  C. Enum actors running component processes
  D. Enum network services supporting various layers of application architecture
  E. Enum third party product (COTS) supporting application solution
  F. Enum data components across application layers
  G. Enum existing countermeasures (processes, technological controls, etc.)
IV. P3 – Application Decomposition (Call Tracing – Understanding calls amongst app components)
  A. Identify Use Cases using Components
  B. Map Call Flows amongst App Components
  C. Identify Trust Boundaries in the Application
  D. Perform CRUD exercises on back data storage sources (DBs, disk, client data storage)
  E. System level permissioning review
  F. Open and Integrated Auth Model Considerations
  G. Cloud API considerations
V. P4 – Threat Analysis
  A. Harvesting relevant threat intel sources (external sources)
  B. Harvesting threat data (internal sources)
  C. Probabilistic threat analysis
  D. Deployment models and architectural review of apps
  E. Identifying Threat Agents and Motives for targeted app
VI. P5 – Vuln Analysis
  A. Leveraging vulnerability assessments
  B. Using a strong Weakness/ Vulnerability Library (CVE/ CWE)
  C. Identifying & Correlating flaws in application model
  D. Identifying & Correlating system/ DB/ framework related vulnerabilities
VII. P6 – Attack Modeling
  A. Leveraging a valid attack library (CAPEC)
  B. Understanding Kill Chains and Attack Trees
  C. Assigning probabilities to attack branches (probabilistic analysis of attacks)
  D. Exploit DB & Common Attack Patterns
VIII. P7 – Residual Risk Analysis & Countermeasure Development
  A. Inherent countermeasures
  B. Inherent countermeasure effectiveness
  C. Residual Risk Analysis
  D. Impact Analysis from Threats
  E. Prioritizing Countermeasures
IX. Threat Modeling Vignettes
  A. Threat Modeling Exercises in groups
X. Maturity Modeling & SDLC Integration
  A. OpenSAMM Use
  B. SDLC Metrics
  C. RACI for PASTA


Speakers

Tony UV

With nearly 20 years of IT/ IS experience across three different continents, Tony has accumulated both hands on operational and management experience at a global level. Founder of VerSprite – a risk focused security consulting firm in Atlanta – Tony works with the global Fortune 500 organizations that are seeking something beyond compliance driven approaches to security challenges. Tony is an author of the only risk centric threat modeling...


Monday January 26, 2015 8:30am - 5:00pm
Annenberg Guest House

8:30am

Training: Safely Riding the Rails


This course focuses on building secure Ruby on Rails applications. In addition to covering existing vulnerabilities within the OWASP Project built by the instructor dubbed “Railsgoat”, there will be comprehensive discussion on the implementation of Rails specific defense mechanisms. Students will learn attack techniques, all of which are specific to the Rails framework. The OWASP Top 10 Risks and Controls will be covered at great length as well.

After an overview of the fundamentals of Ruby on Rails, students will be immersed in modifying and improving the security flaws within the Railsgoat application. In addition to Rails-specific manifestations of the OWASP Top 10 vulnerabilities, students will learn about advanced topics such as remote code execution and metaprogramming vulnerabilities.

At the end of this course, attendees should understand how to review and protect their Rails applications, implement proactive defensive measures, and perform penetration testing geared towards Ruby on Rails applications.

High-level Course Outline:

- Secure use of cryptographic libraries
- Authentication system
• Password complexity
• Time-based attacks
• Enumeration
• Lockout
• Insecure forgot password functions
- Authorization
• Insecure direct object reference
• Impersonation functionality
• Role Based Access Controls
- Metaprogramming Issues
• Common flaws
• Secure usage of metaprogramming methods
- SQL Injection
• Scoping
• String interpolation or concatenation
• Insecure use of unsafe methods such as pluck
- Insecure usage of validation functions
- Insecure application configuration(s)
- Cross-Site Scripting (XSS)
• Types of XSS
• XSS Context - JS, HTML, JSON, CSS
• Vulnerable templating language methods
• Demonstrate impact
• CSP + Secure Header RubyGem
- Session management issues
• Client-side cookies
• Improper destruction
• Session Fixation
- Remote Code Execution flaws
• Serialization libraries
- Misconfiguration in application settings
- Denial of Service
- Sensitive Data Exposure
• Model attribute exposure
• Application log handling
- Defensive Measures
• Guard
• Brakeman
• Bundler-Audit
• Security-based Unit-Tests

 


Speakers

Ken Johnson

Ken Johnson is the CTO of nVisium. Ken co-authored the Railsgoat project, is the creator of SecCasts, and is responsible for product development @nVisium. Ken has spent an enormous amount of time reviewing Ruby on Rails applications, developing them, securing them, and performing training centered around Rails security.


Monday January 26, 2015 8:30am - 5:00pm
Annenberg Community Beach House: Track 3 415 Pacific Coast Hwy, Santa Monica, CA 90402

8:30am

Training: OWASP Top 10 – Exploitation and Effective Safeguards
David Caissy


Most web application developers have heard about SQL Injection and Cross-Site Scripting, but few know which safeguards are really effective against expert hackers. Exploitation techniques have greatly evolved in the last few years and programmers need to keep their guard up. They are in the tough position of securing systems against experienced hackers. What help do they have?

The OWASP Top 10 web application vulnerabilities list has done a great job promoting awareness on the subject. Along with many cheat sheets, they provide valuable tools and techniques to web developers. But such a great source of information could be overwhelming for the programmer who wants to learn about security. This course aims at providing all web developers deep hands-on knowledge on the subject.

To achieve this goal, participants will first learn the technical details about each OWASP Top 10 vulnerability. Then the instructor will give demos on how attacks are performed against these vulnerabilities. After that, participants will use virtual machines and follow step by step procedures to launch attacks against a vulnerable web site. This step is key in understanding how exploitation works so they can later implement effective safeguards in their systems. Our experience is that participants who have had hands-on experience at exploiting vulnerabilities will always remember how to prevent them.

At the end of the course, participants will have learned:
• What are the OWASP Top 10 vulnerabilities
• How hackers exploit them
• Which safeguards are effective… and which ones are not!

The course will cover the following topics:

  1. SSL Certificates
  2. Effective Password Management
  3. Secure Application Architecture
  4. Injection Attacks
  5. Command Injection
  6. File Injection
  7. SQL Injection
  8. Cross-Site Scripting (XSS)
  9. Cross-Site Request Forgery (CSRF)
  10. Broken Authentication and Session Management
  11. Insecure Direct Object References
  12. Security Misconfiguration
  13. Sensitive Data Exposure
  14. Missing Function Level Access Control
  15. Using Known Vulnerable Components
  16. Unvalidated Redirects and Forwards
  17. Securing Web Services (REST and SOAP)
  18. Secure Coding Best Practices
  19. List of Effective Safeguards

Hands-on Exercises:

  1. Session Initialization and Client-Side Validation
    1. Part 1: Web Proxy and Session Initialization
    2. Part 2: Client-Side Validation
  2. Online Password Guessing Attack
  3. Account Harvesting
  4. Using a Web Application Vulnerability Scanner
  5. Optional Exercises:
    1. Sniffing Encrypted Traffic
    2. Command Injection
    3. Create SSL certificates
Prerequisites

This course is designed to help intermediate to expert web developers and security professionals understand how to secure web applications. Candidates are expected to have basic knowledge of HTML, XML and SQL, but no experience in security is required prior to taking this course. However, security professionals who want to learn more about web security will benefit from this class.

Requirements

Participants are asked to bring a laptop (Windows, Mac or Linux) with at least 3 GB of RAM, 20 GB of free disk space, a DVD reader and either VMware Player (free), VMware Workstation, VMware Fusion or Oracle VirtualBox pre-installed. They must also have an administrator/root account on their laptop. At the beginning of the course, participants will receive a DVD containing two pre-configured virtual machines.


Speakers

David Caissy

David Caissy, OSCP, GWAPT, GPEN, GSEC, CISSP, CEH has 15 years of experience as a security consultant and a web application architect. He has performed security audits, vulnerability assessments, web application penetration tests and has designed several secure systems. He has worked for banks, the Department of National Defense, various government agencies and private companies. He has been teaching information security in colleges and in many...


Monday January 26, 2015 8:30am - 5:30pm
Annenberg Community Beach House: Track 1 415 Pacific Coast Hwy, Santa Monica, CA 90402

8:30am

Training: Cryptography For The Modern Developer

Year after year, cryptography is incorporated into more and more systems. Whether it be encrypting data in transit with off-the-shelf protocols, or implementing custom encryption mechanisms for data at rest, software developers are increasingly expected to leverage cryptography to meet security demands.

However, few developers have the experience or training to implement cryptography safely. The significant learning curve associated with using any cryptographic primitive properly, combined with the error-prone APIs that most development environments expose to developers, has led to countless flaws in modern applications.

This course is designed to provide attendees with the core concepts required to make informed decisions about what cryptographic primitives and APIs are safest to use in practice. Attendees will further learn that with a proper implementation, cryptography can make their development tasks easier, in addition to being more secure.

No significant background in cryptography is required to take this one-day course. However, attendees are expected to have a software development background. Lab sessions will include short exercises which ask students to write simple programs in their chosen language to solve various challenges. The content will include approximately 50% lecture and 50% labs or other exercises to reinforce the concepts presented.

Expected Outline:

0. Intro

1. Cryptography Primer/Refresher
– Symmetric Encryption
– Pseudorandom Number Generators
– Hashing and Integrity Protection
– Asymmetric Encryption
– How Crypto Makes Life Easier

1L. Crypto Basics Quiz & VM Setup

2. Overview of Modern Attacks and Common Mistakes
– PRNG issues, APIs
– Integrity Problems
– Padding Oracle Attacks
– Modern Password Cracking

2L. Exercise: Fix their Code

3. Key Exchange and PKIs
– Man-in-the-middle attacks
– PKI approaches
– Problems with PKIs
– Certificate Pinning

3L. Certificate Validation Testing

4. Practical Concerns
– Recent SSL/TLS bugs
– Standard API Overviews: Java, .NET, OpenSSL
– Better APIs: NaCl, KeyCzar
– Ciphertext Fuzzing Techniques ?

4L. Exercise: Implement a Safe Token


Speakers

Timothy D. Morgan

Blindspot Security LLC
Tim has been taking deep technical dives in security for over a decade. In that time, he has been credited with the discovery and responsible disclosure of numerous security vulnerabilities in a variety of software products, including: IBM Tivoli Access Manager, Sun Java Runtime Environment, Google Chrome Web Browser, OpenOffice, Oracle WebLogic Application Server, and IBM Websphere Commerce. His current research interests include applied...


Monday January 26, 2015 8:30am - 6:00pm
Annenberg Guest House

6:00pm

Bug Bash

This event requires separate registration: https://pages.bugcrowd.com/Appsec-California-Bug-Bash.html

Bugcrowd is proud to host the AppSec Cali Bug Bash - a bug bounty hackathon where cash bounties will be awarded to those who discover vulnerabilities in companies such as Heroku, Indeed, Blackphone, and more who utilize Bugcrowd's Crowdcontrol platform.

We'll be rewarding the best bug with a Parrot 2.0 AR Drone 2.0: Power Edition, so make sure to bring your laptop for some hacking! Note: You must be physically present at the event for a chance to win the drone.

You'll learn the steps researchers go through to find vulnerabilities by acting as one, and how Bugcrowd's Crowdcontrol simplifies the validation process for security teams. 


Monday January 26, 2015 6:00pm - 9:00pm
Annenberg Community Beach House: Track 1 415 Pacific Coast Hwy, Santa Monica, CA 90402

8:00pm

BJJ Smackdown

Forget the golf course – security folks do Brazilian jiu-jitsu!

For whatever reason, there is a high proportion of infosec folks who train BJJ. The BJJ Smackdown is a chance for us to do what we love best – training jiu-jitsu – with our friends and peers in the industry when we get together at infosec and appsec security conferences like RSA and Blackhat. For the first time OWASP AppSec California will offer its own Smackdown.

The event will take place at the academy of Shawn Williams, a 3rd degree black belt under the one and only Renzo Gracie. If you watch any IBJJF broadcasts, you’ll recognize Shawn as he’s one of the commentators! Shawn’s academy is holding open mat that evening and it’s close (~25 minutes) by Los Angeles standards.

If you’d like more information, please reach out to Caleb


Speakers

Caleb Queern

Chief Scientist, Cyveillance
Caleb Queern is the Chief Scientist at Cyveillance, and the creator of securityheaders.com.



Monday January 26, 2015 8:00pm - 9:30pm
5 Star Martial Arts 4201 Wilshire Boulevard #105, Los Angeles, CA
 
Tuesday, January 27
 

9:00am

Welcome Address
Speakers

Yev Avidon

Vice President, 2016 Board of Directors, ISSA-LA Chapter
Yev Avidon is the Security Summit 2016 Co-Chair and Vice President for ISSA-LA Chapter. He is an information privacy, security and compliance professional. Yev started his career as an IT auditor working at major players in Finance and Healthcare industries. Pursuing his career further, Yev moved to information security and risk management working for a large media and telecommunication companies. Throughout his career, Yev has been involved with...


Neil Matatall

Security Engineer, GitHub
Neil Matatall is a security engineer at GitHub based in Irvine, CA that focuses on the GitHub Enterprise product. Neil has bounced back and forth between development and security roles and tries to remember both roots when talking about technology. Neil is a co-organizer for the AppSec California conference and a board member of the Orange County chapter of OWASP. Previous employers include...


Tuesday January 27, 2015 9:00am - 9:30am
Annenberg Community Beach House: Track 1 415 Pacific Coast Hwy, Santa Monica, CA 90402

9:00am

Challenge Room

This event will consist of a variety of challenges and will test a variety of skills. Some subjects might include, but are not limited to:

  • Physical Security
  • Web application security
  • Reversing
  • Forensics

This is an open event where people can enter at any time throughout the main event.


Tuesday January 27, 2015 9:00am - 5:00pm
Annenberg Guest House

9:30am

Opening Keynote
Speakers

Alex Stamos

Vice President of Information Security, Yahoo
Alex Stamos is Yahoo’s Vice President of Information Security and Chief Information Security Officer. Alex leads all aspects of information security at Yahoo, including the team of Yahoo “Paranoids”, charged with making Yahoo’s products as secure as possible. This is a broad role which includes implementing top-to-bottom security for products and systems but also to lead the company and the industry in not just how...


Tuesday January 27, 2015 9:30am - 10:30am
Annenberg Community Beach House: Track 1 415 Pacific Coast Hwy, Santa Monica, CA 90402

10:30am

Morning Coffee & Snack Break
Tuesday January 27, 2015 10:30am - 11:00am
Annenberg Community Beach House: Common Area 415 Pacific Coast Hwy, Santa Monica, CA 90402

11:00am

.NET Reversing and Exploitation for Cool Kids
Java isn't the only managed language with bugs. This talk will cover the current state of .NET reverse engineering and exploitation, including practical examples of both application-level and framework vulnerabilities. We'll cover the various strengths and weaknesses of .NET security features, including bypassing strong-name signing including the GAC. Finally, I will provide a short demo on how to modify the behavior of the .NET framework through DLL byte patching.

Speakers

Kelly Lum

Security Engineer, Tumblr
Kelly Lum is a Security Engineer at Tumblr. She has worked in Information Security since 2003 in various capacities at start-ups, government organizations, and financial companies. She regularly speaks on reverse engineering at conferences such as BlackHat, SummerCon, and Countermeasure. Kelly is also an adjunct professor of Application Security at NYU.


Tuesday January 27, 2015 11:00am - 12:00pm
Annenberg Community Beach House: Track 1 415 Pacific Coast Hwy, Santa Monica, CA 90402

11:00am

Devil in the Haystack
Application security lies at the core of Salesforce.com's products, and the reason is obvious. However much one has strengthened perimeter defenses, a defense-in-depth strategy that lies right in the app is much needed.

This talk focuses on the application of statistics and machine learning techniques on in-app events to detect and eventually prevent attacks and abuses on Salesforce platform.

The OWASP group laid out a framework for intrusion detection and response in applications: AppSensor. Our work is distinct from the AppSensor project in that the data-driven statistical approaches are built with online learning methodologies and adaptive behavior modeling techniques; it thus requires as little configuration and supervision as possible. Unsupervised learning and bootstrapping are established techniques within machine learning. This research dramatically differs from previous detection techniques for two reasons: 1) The in-app detection inspects transactions in the context of the application’s semantics, interaction and enhanced information about its users, whereas an IDS or IPS usually operates on the perimeter at the firewall or at the network gateway and has little to no knowledge of the behavior within an application. 2) Our methods are adaptive to behavior changes, while the previous techniques largely rely on signature-based misuse detection with rather stale configurations that are thus susceptible to a higher rate of false positives. One example of adaptive behavior-based detection is detecting a fraudulent user who is stepping through a multi-step business process in an anomalous order. The determination of the anomaly is based firstly on regular behavior learned over time, and secondly is automatically adjusted by evidence of changes in a user's role or business process. Other examples include alerting on abnormal timing or volume of certain in-app activities, or on geolocation abnormalities of a user's access points within a single session.

In this talk, we will also share our experience with the big data technologies around the Apache Hadoop ecosystem, in particular Apache Spark, as the major enabling technologies for in-depth app platform threat detection.

Speakers

Ping Yan

Research Scientist, Salesforce.com
Ping spent nearly a decade conducting academic and applied data analytics research, innovating machine learning models in various domains, from consumer behavior modeling to algorithmic security threat detection. Her works were published as journal articles, monographs and books. Ping has her PhD degree in Management Information System from University of Arizona with a focus on machine learning, consumer analytics and healthcare...


Tuesday January 27, 2015 11:00am - 12:00pm
Annenberg Community Beach House: Track 2 415 Pacific Coast Hwy, Santa Monica, CA 90402

11:00am

Fixing XSS with Content Security Policy
Cross-site scripting (XSS) has been dominating OWASP Top 10 for many years. Although input validation and output encoding are good traditional defenses against XSS, it is often difficult to ensure that they are used in all required places in large applications. Content Security Policy (CSP) is a promising new HTML5 feature that can help prevent traditional and DOM-based XSS on your website. If you keep dynamic data and static code separate, you can have conforming browsers enforce your CSP to ensure that the data never gets interpreted as code. The intricacies of the technology are in how CSP policies are combined and what limitations they place on web development.
The first version of CSP, which is supported by most modern browsers, requires complete separation of JavaScript (static code) from HTML (which contains dynamic data). This is not feasible for large existing web applications as it can require completely rewriting the user interface. CSP 1.1 introduces new keywords that can be used to apply policies to existing code bases without requiring a re-write from scratch. The talk will help the audience understand:
• What the differences between CSP 1.0 and CSP 1.1 are, and what these mean for web application developers
• How CSP protects web applications from cross-site scripting
• Whether input validation and output encoding are still necessary if CSP is used properly
• What the browser support for this technology looks like
• How you can get started with using CSP on your website

Speakers

Ksenia Dmitrieva

Security Consultant, Cigital
Ksenia Dmitrieva is a Senior Security Consultant at Cigital with over six years of experience developing and securing web applications. Ksenia holds a M.S. in Computer Science from George Washington University. As a Senior Consultant, she performs penetration testing and code review focusing on web applications, web services, new web technologies and frameworks for clients in financial services, entertainment, telecommunications, and enterprise...


Tuesday January 27, 2015 11:00am - 12:00pm
Annenberg Community Beach House: Track 3 415 Pacific Coast Hwy, Santa Monica, CA 90402

11:00am

Medical Device Security: An Infectious Disease
Medical devices touch almost every one of us, whether through personal experience or that of a close friend or family member. They save countless lives and ensure a better quality of life for many. Although medical devices are key to quality care and undergo rigorous testing, many are not sufficiently tested for adversarial resiliency. Some question whether our dependence on these life-saving medical devices has grown more quickly than our ability to secure them. There is no question that medical devices save countless lives, but is insecure design or deployment of these devices putting patients at risk? Join us for an in-depth presentation on a three year research project that shows numerous medical devices and healthcare organizations are vulnerable to direct attack vectors that can impact patient safety and human life.

Speakers

Scott Erven

Associate Director, Protiviti
Scott Erven is a healthcare security visionary with more than 15 years’ experience in information technology and security. He is currently an Associate Director with Protiviti, where he focuses on medical device and healthcare security. His research on medical device security has been featured in Wired and numerous media outlets worldwide. Mr. Erven has presented his research and expertise in the field internationally. He has been...


Tuesday January 27, 2015 11:00am - 12:00pm
Annenberg Community Beach House: Track 4 415 Pacific Coast Hwy, Santa Monica, CA 90402

12:00pm

Hacking Management: Why Stop at Domain Admin?
Why won't your company's management just "do the right thing" with security? How can you get necessary changes made when the answer always seems to be "no"? In this turbo talk, learn quick tips and tricks for hacking organizational decision making structures, using empathy to communicate more effectively, and improving tactical execution of your change plan.

Speakers

Adam Brand

Adam Brand is a habitual Changer of Things. As an Associate Director with Protiviti's Information Security and Privacy practice, he helps organizations improve their information security programs, find existing attackers within their networks ("hunting"), and respond to security incidents (particularly with malware reverse-engineering). Adam has spoken at a number of information security conferences, including various BSides, Toorcon, LASCON...


Tuesday January 27, 2015 12:00pm - 12:30pm
Annenberg Community Beach House: Track 4 415 Pacific Coast Hwy, Santa Monica, CA 90402

12:00pm

Malicious MDM: Fun with iOS MobileConfigs
MDM can be a great way to put security controls on smartphones, but what happens when an attacker brings your device into their MDM domain? From smartphone manufacturers to cell phone service providers, everyone seems to be developing a solution for managing smartphones. We will be covering the basics of how MDM works and how you can abuse the Apple MDM service to gain control over iOS devices. This attack demo will show how malicious MDM configurations are deployed and how company phones can be abused to gain access to a company's internal domain. Additionally, we will be covering the steps you should take to protect your business from malicious MDM profiles.

Speakers

Karl Fosaaen

NetSPI, Security Consultant
Karl is a senior security consultant at NetSPI. This role has allowed Karl to work in a variety of industries, including financial services, health care, and hardware manufacturing. Karl specializes in network and web application penetration testing. In his spare time, Karl likes to volunteer at THOTCON and DEF CON. Karl can be found on Twitter at @kfosaaen

Tuesday January 27, 2015 12:00pm - 12:30pm
Annenberg Community Beach House: Track 1, 415 Pacific Coast Hwy, Santa Monica, CA 90402

12:00pm

No Better ROI: HTTP Headers for Security
Eli Goldratt asks us to always keep in mind, "What's the Goal?" If our goal is to help the business succeed, how can we make the biggest impact using web application security with the least effort? This turbo talk will reveal extra powerful, very low cost, and extremely underutilized HTTP headers to help the business win.

Speakers

Caleb Queern

Chief Scientist, Cyveillance
Caleb Queern is the Chief Scientist at Cyveillance, and the creator of securityheaders.com.

Tuesday January 27, 2015 12:00pm - 12:30pm
Annenberg Community Beach House: Track 3, 415 Pacific Coast Hwy, Santa Monica, CA 90402

12:00pm

The Emperor's New Password Manager: Security Analysis of Web-based Password Managers
Joint work with Zhiwei Li, Warren He, Dawn Song

We conduct a security analysis of five popular web-based password managers. Unlike "local" password managers, web-based password managers run in the browser. We identify four key security concerns for web-based password managers and, for each, identify representative vulnerabilities through our case studies. Our attacks are severe: in four out of the five password managers we studied, an attacker can learn a user's credentials for arbitrary websites. We find vulnerabilities in diverse features like one-time passwords, bookmarklets, and shared passwords. The root causes of the vulnerabilities are also diverse, ranging from logic and authorization mistakes to misunderstandings about the web security model, in addition to typical vulnerabilities like CSRF and XSS. Our study suggests that it remains a challenge for password managers to be secure. To guide future development, we provide guidance for password manager developers. Given the diversity of vulnerabilities we identified, we advocate a defense-in-depth approach to ensure the security of password managers.

Speakers

Devdatta Akhawe

Security Engineer, Dropbox
Dev is a security engineer at Dropbox. Previously, he was a grad student at UC Berkeley interested in web application security. His research focuses on web application security, browser security, and other related topics. He is also an editor of the Sub Resource Integrity spec and is always happy to talk about CSP.

Tuesday January 27, 2015 12:00pm - 12:30pm
Annenberg Community Beach House: Track 2, 415 Pacific Coast Hwy, Santa Monica, CA 90402

12:30pm

Lunch
Tuesday January 27, 2015 12:30pm - 1:45pm
Annenberg Community Beach House: Common Area, 415 Pacific Coast Hwy, Santa Monica, CA 90402

1:45pm

Levelling up an application security program
In this talk, David will relay lessons learned from his first year working in the application security program at Riot Games.

David will explain how he assessed the level of the program when he joined, and what gaps he identified. He will give an overview of how Riot approaches application security in a fast paced, agile environment. This will include how Riot implements controls which do not negatively impact product development or player experience. David will explain how Riot provides secure coding guidance to software engineers, works with QA, and maintains an application security community of practice.

There are many options when it comes to understanding and improving an application security program. This talk will address Riot's efforts in this regard.

Speakers

David Rook

Security Engineer, Riot Games
David Rook is a Security Engineer focusing on Application Security at Riot Games in Dublin. He has held various application security roles in the financial services industry since 2006 before moving into the computer games industry in early 2014. He has been a contributor to several OWASP projects including the code review guide and the Cryptographic Storage Cheat Sheet. He has presented at leading information security conferences including DEF...

Tuesday January 27, 2015 1:45pm - 2:45pm
Annenberg Community Beach House: Track 2, 415 Pacific Coast Hwy, Santa Monica, CA 90402

1:45pm

Modern Malvertising and Malware web-based exploit campaigns
The purpose of this presentation will be to introduce the audience to new techniques attackers are using to target users of web applications for exploitation.

The first part of this presentation will be an introduction to the modern malware landscape, with a breakdown of the top 5 types of malware being actively used in campaigns to target end users of web applications. Of interest, though perhaps unsurprising: the top three are not what we traditionally think of as "malware" in the sense of exploitative code or remote backdoors, but are aimed at direct monetization of the user.

The second part of this presentation will be a technical walkthrough of a real-world modern malvertising & malware campaign, breaking down each step of the attack and each distribution & obfuscation layer. This walkthrough will be the bulk of the presentation (30 minutes), leaving time for Q & A at the end.

Time permitting, we may provide more examples of modern campaigns/malware.

Speakers

Arian Evans

RiskIQ
Arian Evans is a recognized expert in information and application security, software development, systems architecture and financial services. He previously ran operations and product strategy for WhiteHat Security and built the company’s world-renowned Threat | Research Center. In addition to managing the global application security practice for consulting firm FishNet Security, Arian has worked on global...

James Pleger

James has been working in the security space for over 10 years, working in a wide range of environments ranging from small hosting providers to Fortune 100's. James is currently the Director of Research at RiskIQ, focusing research efforts in Malvertising and Mobile as well as creating solutions to categorize, correlate and locate badness on the web.

Tuesday January 27, 2015 1:45pm - 2:45pm
Annenberg Community Beach House: Track 4, 415 Pacific Coast Hwy, Santa Monica, CA 90402

1:45pm

OWASP Top Ten Proactive Controls
The major cause of web insecurity is poor development practices. We cannot “firewall” or “patch” our way to secure websites. Programmers need to learn to build websites differently. No company or industry is immune.

The OWASP Top Ten Proactive Controls Project is a Top-Ten-like document that focuses directly on informing developers of necessary secure coding techniques. This talk describes the bare minimum required of a development team if they wish to have even a small chance of producing secure software.

Validation
- Whitelist validation (struggles with internationalization)
- URL validation (as part of redirect features)
- HTML validation (as part of untrusted content from features like TinyMCE)

Authentication
- Password storage, HMACs for scale
- Multi-factor AuthN implementation details
- OAuth
- Forgot-password workflow

Access Control
- Limits of access control
- Permission-based access control

Encoding
- Output encoding for XSS
- Query parameterization
- Other encodings for LDAP, XML construction and OS command injection resistance

Data Protection
- Secure number generation
- Certificate pinning
- Proper use of AES (CBC/IV management)

Secure Requirements
- Core requirements for any project (technical)
- Business logic requirements (project specific)

Secure Architecture and Design
- When to use request, session or database for data flow

Speakers

Jim Manico

Troll, The Internet
Jim Manico is an author and educator of developer security awareness trainings and has a 17 year history building software as a developer and architect. He is a frequent speaker on secure software practices and is a member of the JavaOne rockstar speaker community. Jim is also a Global Board Member for the OWASP foundation where he helps drive the strategic vision for the organization. He manages and participates in several OWASP projects...

Tuesday January 27, 2015 1:45pm - 2:45pm
Annenberg Community Beach House: Track 3, 415 Pacific Coast Hwy, Santa Monica, CA 90402

1:45pm

Unicodes Gone Wild
Despite solving an important problem for the international community, for many years Unicode has been the bane of developers. Improper handling of Unicode characters has led to numerous injection and filter bypass attacks, as well as buffer management problems. This talk will discuss the oddities of proper Unicode handling, as well as revealing some common problems with handling Unicode in various operating systems, applications, and frameworks.

Speakers

Christien Rioux

Christien Rioux, co-founder and chief scientist of Veracode, is responsible for the technical vision and design of Veracode’s advanced security technology. Working with the engineering team, his primary role is the design of new algorithms and security analysis techniques.

Before founding Veracode, Mr. Rioux founded @stake, a security consultancy, as well as L0pht Heavy Industries, a renowned security think tank. Mr. Rioux was a...

Tuesday January 27, 2015 1:45pm - 2:45pm
Annenberg Community Beach House: Track 1, 415 Pacific Coast Hwy, Santa Monica, CA 90402

2:45pm

API = Authentication's Poorly Implemented
Who doesn't love a robust, easy-to-use, well-documented API? The ability to plug right into an application, a service, an infrastructure, especially in a secure way, is a marvelous feeling. But, what about those mild (and not so mild) oversights? Implementation flaws? Security bugs? Legacy APIs being "integrated" with new, flashy RESTful APIs?

In this talk, we'll highlight some real-world examples of web-related API security problems, notably surrounding authentication and authorization issues in targets ranging from a big online payment shop to an embedded device's backend infrastructure (and a slew of things in between).

Speakers

Zach Lanier

Security Researcher, Accuvant Labs
Zach Lanier is a Senior Research Scientist with Accuvant Labs, specializing in various bits of network, mobile, and application security. Prior to joining Accuvant, Zach most recently served as a Senior Security Researcher with Duo Security. He has spoken at a variety of security conferences, such as Black Hat, CanSecWest, INFILTRATE, ShmooCon, and SecTor, and is a co-author of the "Android Hackers' Handbook" (Wiley, April 2014).

Tuesday January 27, 2015 2:45pm - 3:45pm
Annenberg Community Beach House: Track 1, 415 Pacific Coast Hwy, Santa Monica, CA 90402

2:45pm

Security Issues with Node.js
Speakers

Ilja van Sprundel

Director of Penetration Testing, IOActive
Ilja van Sprundel is experienced in exploit development and network and application testing. As IOActive’s Director of Penetration Testing he performs primarily gray-box penetration testing engagements on mobile (specializing in iOS) and runtime (specializing in Windows kernel) applications that require customized fuzzing and source code review, identifying system vulnerabilities and designing custom security solutions for clients in...

Tuesday January 27, 2015 2:45pm - 3:45pm
Annenberg Community Beach House: Track 2, 415 Pacific Coast Hwy, Santa Monica, CA 90402

2:45pm

Threat Modeling for the Gaming Industry
Modern games are complex pieces of software, running on multiple platforms across many different genres, and with a variety of player goals dependent on the game. Despite the complexity of modern games, many common security issues exist that we can identify and expand upon during the planning, development, and testing phases of the development process. Threat modeling is a security activity that maps threats and their respective attack vectors, assets, and controls to a system to help identify vulnerabilities and assist with secure system design.

If you’re working with games then this talk will help you understand how issues around client-side logic, proprietary network protocols, user account management, and playing on an untrusted platform can impact the overall security and the user’s experience. By addressing security issues during the design and development stages and then reinforcing them during testing, we can move the industry towards creating a more secure gaming experience.

Speakers

Robert Wood

Robert Wood is a Technical Manager and the Red Team Practice Director at Cigital, with over 5 years of experience in a variety of roles including application security consultant, network penetration tester, red teamer, and digital forensics analyst. Robert has worked with organizations across a variety of verticals including gaming and entertainment, financial services, healthcare, ISVs, military, and defense. Specific to the gaming industry...

Tuesday January 27, 2015 2:45pm - 3:45pm
Annenberg Community Beach House: Track 4, 415 Pacific Coast Hwy, Santa Monica, CA 90402

2:45pm

Wi-Fi Hacking for Web Pentesters
There is an ever-increasing trend of Internet Service Providers of all sizes providing open wireless hotspots nationwide, many of which are bridged off of existing customers' personal access points, while others are made available through restaurants, hotels, and other businesses. Many of these guest networks have recently spurred discussion within the security community over the insecurity of open access points in general and the ethics of their deployment methods. The talk will cover the many gaping insecurities of wireless hotspots and dive into how these can be leveraged to attack clients, gain free Internet access, hijack accounts, steal sensitive information, and more. This will progress into how web penetration testers can leverage their existing skill sets to design, build, and deploy malicious targeted access points. All of the attacks that will be demonstrated live during the talk can be deployed on various platforms, making it easy for the audience to reproduce regardless of the hardware available.

Speakers

Greg Foss

Senior Security Research Engineer, LogRhythm
Greg Foss is a Senior Security Research Engineer with the LogRhythm Labs Threat Intelligence Team, where he focuses on developing defensive strategies, tools and methodologies to counteract advanced attack scenarios. He has over 7 years of experience in the Information Security industry with an extensive background in Security Operations, focusing on Penetration Testing and Web Application Security. Greg holds multiple industry certifications...

Tuesday January 27, 2015 2:45pm - 3:45pm
Annenberg Community Beach House: Track 3, 415 Pacific Coast Hwy, Santa Monica, CA 90402

3:45pm

Afternoon Coffee & Snack Break
Tuesday January 27, 2015 3:45pm - 4:15pm
Annenberg Community Beach House: Common Area, 415 Pacific Coast Hwy, Santa Monica, CA 90402

4:15pm

Anatomy of memory scraping, credit card stealing POS malware
Credit card payment processing and point-of-sale (POS) systems are like a black box for most people without knowledge of their internal workings. But recent data breaches of thousands of credit cards have shown that determined attackers have not only mastered ways to steal magnetic stripe cards, but have also targeted EMV chip cards.

The session will start by explaining the architecture of different types of POS systems along with their components, operation and integration. This includes the magnetic stripe track data format, the technology behind credit card readers, and point-of-sale hardware and software. A common element in POS attacks is the credit card swipe. Swiping refers to the process of reading unencrypted credit card data from the magnetic stripe of the card by a card reader and the communication between the reader and the POS terminal. I will explain various malware attack techniques used for exploitation and exfiltration of credit card data. This will include RAM scraping, process hooking and injection, keyboard hooks, command and control techniques, as well as the Luhn algorithm. A live demo of a PoC RAM scraping malware and its internal working will be shown along with an explanation of key concepts. A live demo of a working POS system compromise based on malware that I created for research purposes will be shown. This will be followed by Q&A, which will conclude the session.

Speakers

Amol Sarwate

Head of worldwide security engineering team responsible for vulnerability and compliance research, Qualys
Amol heads Qualys' worldwide security engineering team responsible for vulnerability and compliance research. His team tracks emerging threats and develops software which identifies new vulnerabilities and insecure posture for Qualys’ VM, PC, PCI and QBC services.

Amol is a veteran of the security industry and has devoted his career to protecting, securing and educating the community from security threats. Amol has presented his...

Tuesday January 27, 2015 4:15pm - 5:15pm
Annenberg Community Beach House: Track 2, 415 Pacific Coast Hwy, Santa Monica, CA 90402

4:15pm

DevOps for the Discouraged
You got DevOpsed! Your sysadmin team got renamed as the DevOps team. Developers got prod access. Code deploys to prod happen multiple times a day now. In the eyes of the business, things are great. Yet, the security team continues to be left out and really nothing seems to be better. In fact it feels worse.

Time to learn how to hack some devops for great good.

This talk will equip you with advice and tools to join in on the devops. You will also leave with a sample continuous delivery pipeline that is armed and dangerous and ready to identify security issues in a typical web application stack.

We'll use a range of open source technology including OWASP ZAP, gauntlt, brakeman, nmap, sqlmap, arachni and more.

Speakers

James Wickett

Signal Sciences
James is a leader in the DevOps and InfoSec communities; most of his research and work is at the intersection of these two communities. He is a supporter of the Rugged Software movement and he coined the term Rugged DevOps. Seeing the gap in software testing, James founded an open source project, Gauntlt, to serve as a Rugged Testing Framework. He is the author of the Hands-on Gauntlt book.

He got his start in technology when he founded a...

Tuesday January 27, 2015 4:15pm - 5:15pm
Annenberg Community Beach House: Track 1, 415 Pacific Coast Hwy, Santa Monica, CA 90402

4:15pm

Making SSL Warnings Work
HTTPS is an important tool for protecting the privacy of online communication. However, SSL warnings are a weak point in this system. Often, the browser can't tell whether a certificate validation error is indicative of an attack or a simple server misconfiguration. The user is asked to decide what to do, even though s/he probably isn't equipped to make that decision. My team is trying to make SSL warnings more effective (and helpful) in Chrome. In this talk, I'll describe how we're trying to automatically identify and resolve common sources of false positive warnings. I'll also discuss how we redesigned SSL warnings to be more understandable by end users.

Speakers

Adrienne Porter Felt

Security and Privacy Researcher, Google
Adrienne Porter Felt is a software engineer on the Google Chrome security team. Her mission is to make it easy to stay safe on the web. Adrienne leads Chrome’s usable security efforts, including: making security warnings understandable, improving warning accuracy, and encouraging developers to use HTTPS correctly. Previously, she was a research scientist on Google’s security research team.

Tuesday January 27, 2015 4:15pm - 5:15pm
Annenberg Community Beach House: Track 3, 415 Pacific Coast Hwy, Santa Monica, CA 90402

4:15pm

When Geo Goes Wrong: a Case Study
Mobile apps are truly ubiquitous and enhance our lives in countless ways. However, many either leak or insecurely handle geolocation data, affording an attacker the ability to locate or track users. Here, we present an intriguing case study of a widespread social dating app that was vulnerable to a surprising number of OWASP mobile risks. Weak server side controls? Check! Insufficient Transport Layer Protection? Check! Unintended data leakage? Check! ...and on and on.

Our case study will present research performed on Grindr (a common social dating app), and illustrate a myriad of geolocation bugs that placed its users in harm's way (see: ‘Grindr vulnerability places men in harm's way’ http://goo.gl/dg4cs6). First, due to the lack of SSL pinning, we present a MitM attack that reveals the user’s exact location. Following this, we demonstrate a far simpler and more generic attack. This attack combined several bugs, including the fact that the app reported (to anybody) the precise relative distance of all ‘near-by’ users. With these distances and the ability to spoof one’s location and perform unlimited requests, trilateration could precisely locate and track users world-wide. Unfortunately, (though we responsibly reported the bugs) patches only appeared after it was reported that the Egyptian government was tracking and arresting Grindr users.

Besides illustrating location-specific bugs and providing real-world examples, the talk will provide suggestions and best practices to ensure applications are developed in a manner that does not put users at risk. Such suggestions include precision limiting of geolocation data, rate limiting APIs (in order to make large-scale data harvesting difficult), and limiting the speed and magnitude of user location changes (to prevent harvesting of distances from arbitrary points). For companies or anybody developing location-aware apps, these suggestions will be directly applicable.

Speakers

Colby Moore

Colby Moore is a Security Research Engineer at Synack where he works mainly on special projects. His most recent focus has been on Internet of Things security, mobile device software vulnerabilities, and automation. More specifically, research surrounding location based privacy vulnerabilities and the reverse engineering of home automation devices.

A Mechanical Engineer by trade, he prefers to focus on the realm where physical world and...

Tuesday January 27, 2015 4:15pm - 5:15pm
Annenberg Community Beach House: Track 4, 415 Pacific Coast Hwy, Santa Monica, CA 90402

5:15pm

10 Deadly Sins of SQL Server Configuration
Databases are the backbone of the applications that run our world and store our personal data. Microsoft’s SQL Server is one of the primary database platforms used in enterprise environments today. This talk will cover 10 common weak SQL Server configurations and the practical attacks that help hackers gain unauthorized access to data, applications, and systems. This will include a few demonstrations of the techniques that are used during real-world attacks and penetration tests. This should be interesting to developers, new database admins, and aspiring penetration testers looking to gain a better understanding of the risks associated with weak SQL Server configurations.

Speakers

Scott Sutherland

Principal Security Consultant, NetSPI
Scott Sutherland is a principal security consultant responsible for the development and execution of penetration test services at NetSPI. His role includes researching and developing tools, techniques, and methodologies used during network and application penetration tests. As an active participant in the information security community Scott performs security research in his free time and contributes technical security blog posts...

Tuesday January 27, 2015 5:15pm - 6:15pm
Annenberg Community Beach House: Track 3, 415 Pacific Coast Hwy, Santa Monica, CA 90402

5:15pm

Evolution Of Penetration Testing
Penetration testing came about because of real world attacks. The industry quickly realized that we need to behave like the attackers to learn how to defend against them, and thus the penetration testing industry was born. Back then if an exploit was found it was released in raw format, possibly/probably perfected by others, and released. Our methodologies and detections for defense against these attacks were derived from this type of approach. This approach became very paint-by-numbers! The initial onset of penetration testing was derived from real world attacks, and we evolved the penetration testing concept but then stopped a few years ago. We quit mimicking real attackers. Why did we do this? It isn’t because as an industry we didn’t want to continue to advance it, but because it became too difficult. Why so difficult? Because the times have changed, and people don’t just give out things like they used to (attackers especially). True attackers find a vulnerability/exploit and they treat it as very special: they understand it, they research all aspects of it, and then they weaponize it. This approach takes time and money. When money got involved the penetration testing industry went in a different direction than real world attacks. Yes, our tools replicate “bad” things on networks, but they don’t replicate everything.

We will cover the not so common tactics, techniques, and procedures (TTP) scenarios from real world attacks and show the differences between true attackers and current penetration testers. This talk will focus on the binary and forensic aspects of these scenarios to show the significant differences between true attacks and penetration tests.

Speakers

Stephan Chenette

CEO and Founder, AttackIQ, Inc.
Stephan Chenette is the Founder and CTO of AttackIQ, Inc., where he and his team work on adversarial modeling and automated security control validation. Previous to AttackIQ, Stephan held positions as Director of Research for IOActive, Manager of Labs for Websense, and Security Engineer at both SAIC and eEye Digital Security.

Russ Gideon

Director of Malware Research, Attack Research
Russ Gideon has many years of experience in information security, having fulfilled diverse roles from being a core component of an Incident Response operation to managing an effective Red Team. Russ excels at malware reverse engineering, which enables him to deeply understand how the attackers do what they do, as well as at high end Red Teaming where he has to penetrate sophisticated and well protected high value systems. Russ currently serves as...

Tuesday January 27, 2015 5:15pm - 6:15pm
Annenberg Community Beach House: Track 1, 415 Pacific Coast Hwy, Santa Monica, CA 90402

5:15pm

The Savage Curtain : Mobile SSL Failures
Organizations are all so anxious to reach their "mobile moment", but are failing miserably at securing their mobile application traffic, in a variety of ways. We will review some of the common pitfalls with mobile application transport layer encryption, how to test for vulnerabilities, and a fool-proof method for preventing your organization from falling victim to these all too common errors. We will also be presenting a novel SSL/TLS attack, which could be used for a semi-permanent, nearly undetectable MitM attack.

Speakers

Tushar Dalvi

Senior Information Security Engineer, LinkedIn
Loves breaking web applications and ceramic bowls. Tushar Dalvi is a security enthusiast, and currently works as a Senior Information Security Engineer at LinkedIn. He specializes in the area of application security, with a strong focus on vulnerability research and assessment of mobile applications. Previously, Tushar has worked as a security consultant at Foundstone Professional Services (McAfee) and as a Senior developer at ACI Worldwide.

Tony Trummer

LinkedIn
Tony has been working in the IT industry for nearly 20 years and has been focused on application security for the last 5 years. He is currently an in-house penetration tester for LinkedIn, running point on their mobile security initiatives. When he's not hacking, he enjoys thinking about astrophysics, playing devil's advocate and has been known to dust his skateboard off from time-to-time.

Tuesday January 27, 2015 5:15pm - 6:15pm
Annenberg Community Beach House: Track 4, 415 Pacific Coast Hwy, Santa Monica, CA 90402

5:15pm

We All Know What You Did Last Summer: Privacy and the Internet of Things
The devices we carry and systems we interact with on a daily basis generate a lot of information about us. This data includes financial and medical information, location data, personal connections, images and other data. Although you may think this information is private and secure, the data is often accessible to advertisers, hackers and others with malicious intent. One small piece of data is all it takes to unlock a wealth of information about you. Security researcher Ken Westin will illustrate this point by showing tools and techniques he has used in actual cases to track and convict criminals, and then how those same tools can be used by criminals to track you. He will also show how personal data compromised in data breaches is sold and used against us, as well as the role businesses can play in mitigating these risks to their customers.

Speakers

Ken Westin

Tripwire
Ken is a security researcher with 14 years experience building and breaking things through the use/misuse of technology. His technology exploits and endeavors have been featured in Forbes, Good Morning America, Dateline, New York Times, The Economist and has won awards from MIT, CTIA, Oregon Technology Awards, SXSW, Entrepreneur and named in Portland Business Journal’s 2013 “40 Under 40″. He has worked with law enforcement and...

Tuesday January 27, 2015 5:15pm - 6:15pm
Annenberg Community Beach House: Track 2, 415 Pacific Coast Hwy, Santa Monica, CA 90402

6:15pm

Fix The Damned Software.
We've learned much about application security during its lifetime. We've honed assessment techniques and improved vulnerability discovery tools. This mastery hasn’t resulted in secure software; it’s piled up bugs. The recent push to place better testing tools in the hands of developers will do little more.

It’s time we fix the damned software. It’s time we build security in. It’s time to design securely.

Using experience and BSIMM survey data we look at what this challenge means and how we can meet it today, with today’s dev frameworks and tools, dev cultures, and security memes.

Speakers
avatar for John Steven

John Steven

CTO, Cigital Technology
John’s expertise runs the gamut of software security from threat modeling and architectural risk analysis, through static analysis (with an emphasis on automation), to security testing. As a software developer he’s led design and development of security services and business-critical production applications for large organizations in a range of verticals. As a consultant, John has provided strategic...


Tuesday January 27, 2015 6:15pm - 7:15pm
Annenberg Community Beach House: Track 1 415 Pacific Coast Hwy, Santa Monica, CA 90402

7:30pm

Reception
Tuesday January 27, 2015 7:30pm - 10:00pm
Annenberg Guest House
 
Wednesday, January 28
 

9:00am

Challenge Room

This event will consist of a variety of challenges and will test a variety of skills. Some subjects might include, but are not limited to:

  • Physical Security
  • Web application security
  • Reversing
  • Forensics

This is an open event where people can enter at any time throughout the main event.


Wednesday January 28, 2015 9:00am - 5:00pm
Annenberg Guest House

9:20am

Opening Remarks
Speakers

Neil Matatall

Security Engineer, GitHub
Neil Matatall is a security engineer at GitHub based in Irvine, CA, who focuses on the GitHub Enterprise product. Neil has bounced back and forth between development and security roles and tries to remember both roots when talking about technology. Neil is a co-organizer for the AppSec California conference and a board member of the Orange County chapter of OWASP. Previous employers include...


Wednesday January 28, 2015 9:20am - 9:30am
Annenberg Community Beach House: Track 1 415 Pacific Coast Hwy, Santa Monica, CA 90402

9:30am

Keynote
Speakers

Katie Moussouris

Chief Policy Officer, HackerOne
Katie Moussouris is the Chief Policy Officer of HackerOne, where she oversees the company’s philosophy and approach to vulnerability coordination and disclosure, advises customers and researchers, and works toward the public good to legitimize and promote security research to help make the Internet safer for everyone. Katie Moussouris’ Microsoft work encompasses industry-leading initiatives such as Microsoft’s bounty programs...


Wednesday January 28, 2015 9:30am - 10:30am
Annenberg Community Beach House: Track 1 415 Pacific Coast Hwy, Santa Monica, CA 90402

10:30am

Caspr and Friends (Content-Security-Policy Reporting and Aggregation)
Caspr, a free and open source tool for collecting, aggregating and analyzing Content-Security-Policy (CSP) violation reports, was released near the end of summer. This talk will cover the background of CSP and violation reports, give an overview of Caspr and how it can be used, and then talk about some of the other tools surrounding CSP violation reports. The tools include Enforcer, a Chrome extension for forcing CSP on websites, and csp-tools, a suite of tools for managing CSP reports from the command line.

CSP is a relatively new HTTP header for eliminating potential XSS vulnerabilities from websites. CSP is a whitelist that specifies where assets are allowed to be loaded from and executed. This includes scripts that come from the same website. If the website tries to load or execute an asset that isn't on the whitelist (an asset being JavaScript, CSS, WebSockets, images, etc.), the asset will be blocked.

A report-uri can be specified so that when a CSP violation occurs, a report will be sent out describing the violation. These reports can be extremely important in gauging the effectiveness and coverage of your policy.

As of the summer (2014), there weren't any popular tools for gathering these reports, or doing analysis and policy generation. And thus Caspr was born.

Caspr handles the collection, aggregation, and analysis of these reports. It runs on Heroku, so it's as simple as a button click to have your own instance of Caspr up and running.

A few tools have been released for dealing with CSP violation reports. This talk will also give a brief intro to those tools.
- Enforcer: Chrome Extension for forcing a policy on a website
- csp-tools: A suite of tools for testing/setting up/analyzing reports from command line
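Caspr's own code is not reproduced on this page. As an added illustration of what a report-uri collector actually has to do, the following Python (written for this page; it is not Caspr, csp-tools or any speaker's code) shows a policy carrying report-uri and a small aggregator that parses the JSON violation reports browsers POST back, reduces each blocked URI to its origin and counts violations per directive. The policy, hostnames and report bodies are all constructed for the example. Because the report endpoint is reachable by anyone on the Internet, the parser treats every report as untrusted input: it bounds the body size and type-checks the fields before using them.

```python
import json
from collections import Counter
from urllib.parse import urlsplit

# Policy for a hypothetical site: same-origin by default, scripts also from
# one CDN, violation reports POSTed to /csp-report. Constructed for the example.
POLICY = ("default-src 'self'; script-src 'self' https://cdn.example.com; "
          "img-src 'self' data:; report-uri /csp-report")

# Anyone can POST to the report endpoint, so reports are untrusted input.
MAX_REPORT_BYTES = 4096


def parse_report(raw):
    """Parse one report-uri POST body (JSON with a top-level "csp-report" object).
    Returns (directive, blocked_origin), or None if the body is malformed."""
    if len(raw) > MAX_REPORT_BYTES:
        return None
    try:
        body = json.loads(raw)
    except ValueError:
        return None
    report = body.get("csp-report") if isinstance(body, dict) else None
    if not isinstance(report, dict):
        return None
    # CSP 1.0 reports carry only "violated-directive" (name plus source list);
    # later levels add "effective-directive" holding just the directive name.
    directive = report.get("effective-directive") or report.get("violated-directive")
    blocked = report.get("blocked-uri", "")
    if not isinstance(directive, str) or not directive.strip() or not isinstance(blocked, str):
        return None
    directive = directive.split()[0]
    # Collapse the blocked URI to its origin so one noisy host becomes one row;
    # keywords and empty values (inline/eval blocks) are kept as they arrive.
    parts = urlsplit(blocked)
    if parts.scheme and parts.netloc:
        origin = f"{parts.scheme}://{parts.netloc}"
    else:
        origin = blocked or "(empty)"
    return directive, origin


def aggregate(raw_reports):
    """Count (directive, origin) pairs over a batch of raw report bodies.
    Returns (Counter, number of reports dropped as malformed)."""
    counts = Counter()
    dropped = 0
    for raw in raw_reports:
        parsed = parse_report(raw)
        if parsed is None:
            dropped += 1
        else:
            counts[parsed] += 1
    return counts, dropped


def _report(fields):
    # Builds one constructed sample report body in the browser's JSON shape.
    base = {"document-uri": "https://shop.example.com/cart", "original-policy": POLICY}
    base.update(fields)
    return json.dumps({"csp-report": base})


# Constructed sample batch (not real browser output).
SAMPLE_REPORTS = [
    _report({"violated-directive": "script-src 'self' https://cdn.example.com",
             "effective-directive": "script-src",
             "blocked-uri": "https://evil.example.net/x.js"}),
    _report({"violated-directive": "script-src 'self' https://cdn.example.com",
             "effective-directive": "script-src",
             "blocked-uri": "https://evil.example.net/y.js?v=2"}),
    _report({"violated-directive": "img-src 'self' data:",
             "effective-directive": "img-src",
             "blocked-uri": "http://tracker.example.org/p.gif"}),
    # CSP 1.0-style report: no effective-directive, inline script blocked
    _report({"violated-directive": "script-src 'self' https://cdn.example.com",
             "blocked-uri": ""}),
    "not json at all",
    json.dumps({"csp-report": "bogus"}),
]

if __name__ == "__main__":
    counts, dropped = aggregate(SAMPLE_REPORTS)
    for (directive, origin), n in counts.most_common():
        print(f"{n:4d}  {directive:<12} {origin}")
    print(f"dropped {dropped} malformed report(s)")
```

Two rows in that output are the ones worth acting on: a third-party host showing up under script-src is either a missing CDN entry or an injection, and the "(empty)" script-src row is inline script that the policy is (correctly) refusing. Report volume is also attacker-controlled, so a real collector rate-limits per source address before it ever stores anything.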

Speakers

Stuart Larsen

Student, Michigan Tech University
Stuart Larsen is currently a student at Michigan Technological University pursuing a degree in Electrical Engineering. He's been programming for about 10 years on things from quantum emulators, to cat fact spamming websites, to open source security tools. Previously he worked at the Solar and Heliospheric Research doing data and algorithmic analysis, at Air Force Research Labs doing research on highly assured systems, at Fog Creek Software doing...


Wednesday January 28, 2015 10:30am - 11:30am
Annenberg Community Beach House: Track 3 415 Pacific Coast Hwy, Santa Monica, CA 90402

10:30am

Chrome Health and the Art of Software Security

Chrome is a browser built for the modern web and driven by three guiding principles: speed, simplicity, and security. This talk will focus on Chrome’s approach to the latter while highlighting parallels between software security and medicine. I’ll review Chrome's vitals and architecture, some of our healthy engineering habits, facets of our immune response, genetic susceptibility to insecurity (and how we manage risk), and more. You'll leave with a better understanding of Chrome and probably a few bits of trivia about human health.


Speakers

Parisa Tabriz

Security Princess, Google
Parisa Tabriz is Google's "Security Princess" - that's her real job title! She has worked on information security at Google for more than 8 years, starting as a "hired hacker" software engineer for Google's security team. As an engineer, she found and closed security holes in Google's web applications, and taught other engineers how to do the same. Today, Parisa manages Google's Chrome security engineering team, whose goal is to make Chrome the...


Wednesday January 28, 2015 10:30am - 11:30am
Annenberg Community Beach House: Track 1 415 Pacific Coast Hwy, Santa Monica, CA 90402

10:30am

Legacy Java Vulnerabilities – Ignore at Your Own Risk
Java is one of the longest standing and most widely deployed enterprise programming languages in the world. It is also frequently attacked due to its numerous and well documented security vulnerabilities, many of which have very high CVSS (Common Vulnerability Scoring System) scores.

This problem is amplified by the fact that countless data center applications are still running on older, legacy versions of the platform. Although the original promise of Java was application portability, in reality most core enterprise applications were written for execution on a specific version of Java, and that’s where they’ve stayed.

This session will discuss the two primary reasons that legacy Java security risks persist, namely the cost of mitigation and operational impacts. The obvious way to deal with legacy Java issues is to update the Java runtime. But this process is costly since it requires extensive application modifications, testing and re-qualification. Meanwhile, the risk of downtime is an even bigger problem. No matter how much testing is done, it’s impossible to guarantee that changes to the application will not break it.

Using several documented Java server vulnerabilities, the speaker will explain and evaluate the merits of the current approaches to addressing them, including network based tools, code analysis and run-time application self-protection. Attendees will gain a deeper understanding of legacy Java security risks, the alternatives available to address them and how to choose the right approach for their particular application environment. 

Speakers

Jonathan Gohstand

Security Strategist, Waratek
Jonathan Gohstand is the security strategist for Waratek. A 20-year veteran of the IT industry, he was previously with PacketMotion, driving the creation of the User Activity Management category, until the company’s acquisition by VMware. He has worked in Cisco Systems’ Security Technology Group, where he was responsible for IOS-based security. Mr. Gohstand has held international positions with Chevron Oil and FORE Systems, in...


Wednesday January 28, 2015 10:30am - 11:30am
Annenberg Community Beach House: Track 2 415 Pacific Coast Hwy, Santa Monica, CA 90402

10:30am

Marshalling Pickles: How Deserializing Objects Will Ruin Your Day
Object serialization technologies allow programs to easily convert in-memory objects to and from various binary and textual data formats for storage or transfer – but with great power comes great responsibility, because deserializing objects from untrusted data can ruin your day. We will look at historical and modern vulnerabilities across different languages and serialization technologies, including Python, Ruby, and Java, and show how to exploit these issues to achieve code execution. We will also cover some strategies to protect applications from these types of attacks.
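As an added example (written for this page, not the speakers' material), here is the Python shape of the problem the abstract describes: a pickle stream whose contents make `pickle.loads` call a function the attacker chose, next to a deny-by-default `Unpickler` that refuses to resolve that global and so never runs it. `attacker_callback` stands in for the `os.system` or `subprocess` call a real payload would name, so the example is harmless to run; the allowlist in `SAFE_BUILTINS` is an assumption for the example, not a recommendation for any particular application.

```python
import builtins
import io
import pickle

# Side-effect log standing in for os.system: records what got executed purely
# as a consequence of unpickling. Constructed for the example.
EXECUTED = []


def attacker_callback(arg):
    EXECUTED.append(arg)
    return arg


class Payload:
    """Object whose serialized form tells the unpickler to call a function of
    the attacker's choosing. The class itself need not exist on the victim;
    the stream names attacker_callback by module and qualified name."""

    def __reduce__(self):
        # pickle stores (callable, args); pickle.loads runs callable(*args).
        return (attacker_callback, ("pwned",))


def build_malicious_pickle():
    """What an attacker would send to an endpoint that unpickles its input."""
    return pickle.dumps(Payload())


def benign_pickle():
    """Ordinary data: only containers and scalars, no global lookups needed."""
    return pickle.dumps({"user": "alice", "roles": ["reader"]})


def vulnerable_loads(data):
    # The classic mistake: unpickling bytes received from an untrusted peer.
    return pickle.loads(data)


# Globals the restricted unpickler may resolve. dict/list/tuple/str/int and
# friends are built with dedicated opcodes and need no lookup, so plain data
# round-trips with an allowlist this small. Deny-by-default is the point.
SAFE_BUILTINS = {"range", "complex", "set", "frozenset", "slice"}


class RestrictedUnpickler(pickle.Unpickler):
    def find_class(self, module, name):
        # Every GLOBAL/STACK_GLOBAL opcode lands here before anything is called.
        if module == "builtins" and name in SAFE_BUILTINS:
            return getattr(builtins, name)
        raise pickle.UnpicklingError(f"global '{module}.{name}' is forbidden")


def restricted_loads(data):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def is_rejected(data):
    """True if the restricted unpickler refuses `data` (and therefore ran nothing)."""
    try:
        restricted_loads(data)
    except pickle.UnpicklingError:
        return True
    return False


if __name__ == "__main__":
    evil = build_malicious_pickle()
    print("restricted loader rejected payload:", is_rejected(evil), "executed:", EXECUTED)
    vulnerable_loads(evil)
    print("plain pickle.loads executed:", EXECUTED)
```

The `find_class` hook is the only place a Python unpickler resolves names, which is why the allowlist works; it does not, however, make pickle a format for untrusted input. The durable fix is the one the abstract points at: use a data-only format (JSON, protocol buffers) across trust boundaries and reserve native object serialization for data you produced yourself and can authenticate.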

Speakers

Chris Frohoff

Cyber Security Engineer, Qualcomm
Chris Frohoff is a Cyber Security Engineer at Qualcomm with a focus on Application Security; he performs Application Security Assessments and Penetration Tests, and sometimes dabbles in Incident Response, Reverse Engineering, and general research mischief. In a former life, Chris developed enterprise web applications and services at Sony Network Entertainment and UC San Diego. His primary areas of geekdom include programming languages...

Gabriel Lawrence

Application Security Team Lead, Qualcomm
Gabriel Lawrence leads the Application Security team at Qualcomm, doing Application Security Assessments, Penetration Tests, Incident Response, Reverse Engineering, and anything else that comes his way. He's developed enterprise applications, founded three startups, and run Information Security for UC San Diego.


Wednesday January 28, 2015 10:30am - 11:30am
Annenberg Community Beach House: Track 4 415 Pacific Coast Hwy, Santa Monica, CA 90402

11:30am

Hackazon - Stop hacking like it’s 1999
Applications have changed, but your test apps haven’t!
It’s about time for a test app that’s a little more current than circa 2002. Enter Hackazon.

Hackazon is a modern vulnerable web application. It looks like an online storefront with a modern AJAX interface, strict workflows and RESTful APIs used by a companion mobile app. And it’s here to replace the old Web 1.0 test apps (WebGoat, DVWA, Hackme Bank and Hackme Casino) that no longer mirror the applications we see in the wild. Will your application security scanner successfully test this site? Doubt it! Even manual pen testers will have their hands full testing their skills against it.

There are vulnerabilities scattered throughout Hackazon, and each vulnerable area is configurable so that users can change the vulnerability landscape to prevent “known vuln testing” or any other form of cheating. Finding all the vulnerabilities in Hackazon will require proper handling of not only classic web security, but also the RESTful interface formats that power AJAX functionality and mobile clients (JSON, XML, GWT, and AMF). It will also require tedious testing of the strict workflows common in today’s business applications.

Hackazon is an open source application that will ultimately be contributed to OWASP to be included with the other vulnerable test applications.

Join Dan for this talk where he will demonstrate Hackazon and the techniques required to find the vulnerabilities in the different interfaces and formats.

Speakers

Dan Kuykendall

co-CEO and CTO, NT OBJECTives
Dan has been with NTO for more than 10 years and is responsible for the strategic direction and development of products and services. He also works closely with technology partners to make sure our integrations are both deep and valuable. As a result of Dan’s dedication to security, technology innovation and software development, NTO application security scanning software is often recognized as the most...


Wednesday January 28, 2015 11:30am - 12:30pm
Annenberg Community Beach House: Track 3 415 Pacific Coast Hwy, Santa Monica, CA 90402

11:30am

Proactively defending your business against security protocol attacks and implementation flaws
HTTPS/SSL/TLS has been under fire for years. BEAST, CRIME, problems with the weakness of the CA system, problems with various versions of the protocol - and more - have left HTTPS less than satisfactory, at best, as a transport security protocol. Some of the most popular algorithms used to secure communications are getting close to their end of life. Proper protection of information in the upcoming years will require adoption of new technology and standards.

Recent enhancements in browsers have made encryption in transit over the web viable for the first time in history, and it’s imperative that everyone understand them. This presentation will start by reviewing some of the most recent cases related to security protocol flaws and weaknesses of cryptographic standards that should be proactively phased out. This pragmatic presentation will then discuss possible mitigations and their limitations, along with valuable implementation advice.

Speakers

Cassio Goldschmidt

NCR
Cassio Goldschmidt is a globally recognized information security leader with a strong background in both product and program-level security. Outside work, Cassio is known for his contributions to the Open Web Application Security Project (OWASP), the Software Assurance Forum for Excellence in Code (SAFECode), the Common Weakness Enumeration (CWE)/SysAdmin, Audit, Network, Security (SANS) Top 25 Most Dangerous Software Errors, along with contributing to...

Jim Manico

Troll, The Internet
Jim Manico is an author and educator of developer security awareness trainings and has a 17-year history building software as a developer and architect. He is a frequent speaker on secure software practices and is a member of the JavaOne rockstar speaker community. Jim is also a Global Board Member for the OWASP foundation where he helps drive the strategic vision for the organization. He manages and participates in several OWASP projects...


Wednesday January 28, 2015 11:30am - 12:30pm
Annenberg Community Beach House: Track 1 415 Pacific Coast Hwy, Santa Monica, CA 90402

11:30am

Uncovering OWASP’s Mobile Risks in iOS Apps
Mobile apps are ever more ubiquitous, but their widespread adoption comes at a cost. Seemingly every week, a new vulnerability is discovered that jeopardizes the security and privacy of mobile users. Examples include the popular dating app Tinder (leaked the exact location of its users), the photo messaging app SnapChat (exposed connections between phone numbers and users’ accounts) and CitiMobile (stored sensitive account information without encryption). These vulnerabilities (and many more) were not found by the developers of the applications, but rather by reverse-engineers who took it upon themselves to dissect said applications. 

Unfortunately, at least for iOS applications, reverse-engineering is still viewed by many as somewhat of a black art. This is due to a myriad of reasons; iOS apps are encrypted, written in a difficult-to-reverse-engineer language (Objective-C), and run on a mostly closed-sourced proprietary OS.  

This talk will detail the process of reverse-engineering iOS apps in order to perform security audits and identify common mobile-specific vulnerabilities (e.g. OWASP Mobile Risks). Specifically, the talk will describe how to extract an application’s unencrypted binary code, analyze the ARM disassembly, and identify vulnerabilities that commonly affect iOS apps. Real-life cases from iOS applications in the App Store will be presented to provide a more 'hands-on' feel to the reversing procedure and to show some actual security vulnerabilities.

Speakers

Patrick Wardle

Synack
Patrick Wardle is the Director of Research at Synack, where he leads cyber R&D efforts. Currently, his focus is on automated vulnerability discovery and the emerging threats of malware on OS X and mobile devices. Patrick previously worked at NASA, the NSA, and Vulnerability Research Labs (VRL). While working at the NSA as a global network exploitation and vulnerability analyst, Patrick received several classified patents and helped lead...


Wednesday January 28, 2015 11:30am - 12:30pm
Annenberg Community Beach House: Track 4 415 Pacific Coast Hwy, Santa Monica, CA 90402

11:30am

Why Your AppSec Experts Are Killing You
Software development has been transformed by practices like Continuous Integration and Continuous Delivery, while application security has remained trapped in expert-based waterfall mode. In this talk, Jeff will show you how you can evolve into a “Continuous Application Security” organization that generates assurance automatically across an entire application security portfolio. Jeff will show you how to bootstrap the “sensor-model-dashboard” feedback loop that makes real time, continuous application security possible.

He will demonstrate the approach with a new *free* tool called Contrast for Eclipse that brings the power of instrumentation-based application security testing directly into the popular IDE. Check out “Application Security at DevOps Speed and Portfolio Scale” for some background.

Speakers

Jeff Williams

CTO, Contrast Security
CTO of Contrast Security. Continuous Application Security. OWASP. DevOps


Wednesday January 28, 2015 11:30am - 12:30pm
Annenberg Community Beach House: Track 2 415 Pacific Coast Hwy, Santa Monica, CA 90402

12:30pm

Lunch
Wednesday January 28, 2015 12:30pm - 1:45pm
Annenberg Community Beach House: Common Area 415 Pacific Coast Hwy, Santa Monica, CA 90402

2:00pm

Building a Modern Security Engineering Organization
Continuous deployment and the DevOps philosophy have forever changed the ways in which businesses operate. This talk will discuss how security adapts effectively to these changes, specifically covering:

- Practical advice for building and scaling modern AppSec and NetSec programs
- Lessons learned for organizations seeking to launch a bug bounty program
- How to run realistic attack simulations and learn the signals of compromise in your environment 

Speakers

Zane Lackey

Zane Lackey is the Founder/CSO at Signal Sciences and serves on the Advisory Boards of the Internet Bug Bounty Program and the US State Department-backed Open Technology Fund. Prior to Signal Sciences, Zane was the Director of Security Engineering at Etsy and a Senior Security Consultant at iSEC Partners.


Wednesday January 28, 2015 2:00pm - 3:00pm
Annenberg Community Beach House: Track 4 415 Pacific Coast Hwy, Santa Monica, CA 90402

2:00pm

How Building a Better Hacker Accidentally Built a Better Defender
In the world of cybersecurity, there are two very important players. There are the builders. The folks who spend their time developing, writing source code for and launching products. And there are the breakers. The folks who spend their time testing for, identifying and fixing vulnerabilities in said code.

For the builder, development deadlines are constantly evolving and security measures tend to be seen as a hindrance, often slowing down the development process. And developers, by nature of their job descriptions, are responsible for contributing to products which make money. Without developers, there are no products, and thus no revenue stream.

For the breaker/fixer, the challenge lies in making the builders take their concerns seriously. From the security team’s perspective, security efforts help minimize risk. Without security measures, there are increased chances of security flaws and breaches.

Where the problem lies is in the inability for the builders to not only speak the language of the breakers, but also to accurately understand their motivations; thereby creating a chasm in the way security is managed and executed.

But the real developer problem is that builders don’t believe in “The Bogeyman.” And the real security problem is that the breakers/fixers don’t have the time or resources to spend convincing developers that “The Bogeyman” is real. The Bogeyman, in this case, represents the very real possibility that your company will be hacked. After all, the most security aware a company will ever be is immediately after a breach.

In this presentation, Bugcrowd’s co-founder and CEO, Casey Ellis, will deep-dive into the hacker mentality, and how acknowledging the existence of The Bogeyman gets developers and security folks one step closer to implementing an effective security program. He’ll also discuss several security measures, outside the traditional penetration testing model, that can aid developers and security teams in leveling the playing field against potential threats.

The Bogeyman is real. But through acknowledgement, understanding and proactivity, you can be the hero in this cybersecurity story, not the victim. 

Speakers

Casey Ellis

Founder / CEO, Bugcrowd
Casey Ellis is the CEO and co-founder of Bugcrowd, the innovator in crowdsourced security testing for the enterprise. He has been in the information security industry for 14 years, working with clients from the very small to the very large, and has presented at Derbycon, Converge, SOURCE Conference, and the AISA National Summit. Before relocating from Sydney, Australia to San Francisco with Bugcrowd, he founded White Label Security, a...


Wednesday January 28, 2015 2:00pm - 3:00pm
Annenberg Community Beach House: Track 3 415 Pacific Coast Hwy, Santa Monica, CA 90402

2:00pm

IoT: Taking PKI Where No PKI Has Gone Before
Traditional PKI focuses on binding a public key to the keyholder’s identity, which is implicitly assumed to be a well-defined, relatively static thing (such as individual’s full name or email address, or the hostname of a public webserver). However, in the envisioned smart grid, for example, the relevant properties of the keyholder are not just the device’s identity (i.e. this is a meter made by ACME or this is a refrigerator made by GE) but its context: This is a refrigerator in the apartment rented by Alice, who buys power from X.

This context information will not necessarily be known until device installation and also may change dynamically. What if Alice sells her fridge on Craigslist or sublets her apartment to Bob? What if repair personnel replace Alice’s meter? This information may also not be particularly simple. What if Alice’s landlord owns many apartment buildings, and changes power vendors to get a better rate?

If our cryptographic infrastructure is going to enable relying parties to make the right judgments about IoT devices (such as the example provided using Smart Grid), this additional contextual information needs to be available. We can try to modify a traditional identity-based PKI to attest to these more dynamic kinds of identities, and we can also try to adapt the largely experimental world of attribute certificates to supplement the identity certificates in the smart-grid PKI. Either of these approaches will break new ground.

Alternatively, we can leave the identity PKI in place and use some other method of maintaining and distributing this additional data; which would require supplementing our scalable PKI with a non-scalable database.

In any of these approaches, we also need to think about who is authorized to make these dynamic updates, or who is authoritative for making these types of attestations. Who witnesses that Alice has sold her refrigerator? Thinking about this organizational structure for IoT devices also complicates the revocation problem. If we can’t quite figure out who speaks for where a device currently lives, how will we figure out who is authorized to say it has been compromised?

In this presentation, all of these issues and more will be explored and actionable guidelines will be proposed to build a secure and scalable system of IDs and attributes for the complex networked world that awaits us all.

Speakers

Scott Rea

Sr PKI Architect, DigiCert
Scott Rea is the Sr. PKI Architect at DigiCert. He and his team provide policy and technology subject matter expertise during the design and architecture of emerging PKI systems and work with DigiCert executive management in strategic planning and forecasting. Rea is an innovative thought leader and sought-after public speaker who participates in, and influences the development of, emerging PKI policies, practices, and applications. Rea...


Wednesday January 28, 2015 2:00pm - 3:00pm
Annenberg Community Beach House: Track 2 415 Pacific Coast Hwy, Santa Monica, CA 90402

2:00pm

Misconceptions in the Cloud
This presentation will discuss common misconceptions and issues that affect companies moving to the cloud. These aren’t the large, obvious issues when moving to the cloud such as, “Do you have a plan for secure, centralized, scalable logging?” Instead, these are more subtle, smaller issues that can affect whether you are conceptualizing your problem statements correctly. As seasoned security professionals, our pre-cloud experiences lead to certain implicit assumptions that do not always hold true when working with cloud-based teams. This talk will highlight a few of those assumptions and their risks.

Speakers

Peleus Uhley

Platform Security Strategist, Adobe
Peleus Uhley is the Lead Security Strategist within Adobe’s Secure Software Engineering Team (ASSET). His primary focus is advancing Adobe’s Secure Product Lifecycle (SPLC) and assisting with incident response within Adobe platform technologies, including Flash Player and Adobe’s Creative Cloud platform. Prior to joining Adobe, Peleus started in the security industry as a developer for Anonymizer, Inc., and went on to be a...


Wednesday January 28, 2015 2:00pm - 3:00pm
Annenberg Community Beach House: Track 1 415 Pacific Coast Hwy, Santa Monica, CA 90402

3:00pm

DevOps, CI, APIs, Oh My!: Security Gone Agile
As the world of system and application deployment continues to change, the sysadmin and security communities are having to change with it. With agile development and continuous deployment, the pace of change in IT has only increased. Add DevOps and cloud, and the traditional sysadmin and security processes just don’t work anymore. How can you rapidly deliver servers and applications while making sure they are built reliably and securely? When you are deploying multiple times a day, there is no time to fit in your traditional week-long security assessment.

A new concept of Test Driven Security, which is loosely based on the tenets of Test Driven Development, is beginning to emerge in the application security community. This talk will cover how Matt is currently putting these practices in place at Rackspace and how you can architect your security work to be agile enough to keep up with the pace of change today. The talk will cover agile methods for securing infrastructure, apps & APIs and source code. Even if you are not there today, you will be soon enough. It's time to embrace the change and say "Challenge Accepted".

Speakers

Matt Tesauro

Pearson
Matt has been involved in information technology and application development for more than 10 years. He is currently working at Pearson and previously worked at Rackspace in the Cloud product’s application security team. Prior to joining Rackspace, Matt spent time as an application security consultant and spent several years as the “appsec guy” at a government agency. Matt's focus has been in application security including...


Wednesday January 28, 2015 3:00pm - 4:00pm
Annenberg Community Beach House: Track 4 415 Pacific Coast Hwy, Santa Monica, CA 90402

3:00pm

Scaling Security in Agile Scrum
Agile Scrum is here to stay, and security teams are finding themselves under-resourced and unprepared for the pace of modern software development. “Best-practices” models for Agile security make too many simplifying assumptions about how software is built. These models impose impractical requirements without providing the necessary support or expertise.

In the real world, development teams know that software development often includes multiple Scrum teams working on various components of a larger project that will eventually be integrated. They also recognize that only the most well-funded and resourced enterprises and ISVs have the bandwidth to execute on the idealized Agile SDL. Smaller organizations, or development teams without vast resources are forced to adapt and make tradeoffs that often include sacrificing security.

In this session, I’ll discuss how our company has incorporated security into our own Agile development lifecycle for a product that involves about ten Scrum teams working in concert to ship monthly releases. I’ll explain how we’ve optimized the way our security research team interacts with our engineering teams and accommodates their processes. I’ll also share some of the lessons we’ve learned along the way, including things that haven’t worked as well as we thought. I’ll also describe how we’re organically “growing” more security experts within the organization. Security practitioners will be able to leverage our experiences to work more effectively with their own Agile Scrum teams. 

Speakers

Chris Eng

Vice President of Research, Veracode
Chris Eng has over 15 years of application security experience. As vice president of research at Veracode, he leads the team responsible for integrating security expertise into Veracode’s technology. Throughout his career, he has led projects breaking, building and defending web applications and commercial software for some of the world’s largest companies. Chris is a frequent speaker at premier industry conferences, such as...


Wednesday January 28, 2015 3:00pm - 4:00pm
Annenberg Community Beach House: Track 1 415 Pacific Coast Hwy, Santa Monica, CA 90402

3:00pm

Securing Software's Future: Why API Design Matters
Writing secure software is far cheaper for society as a whole than fixing vulnerable software after it is released. Teaching developers how to write secure software can be very effective in the short term, but over time security knowledge becomes less relevant, some security-conscious developers move into management, and additional uninitiated developers join the work force each year. While secure software development training will always play a role in helping secure application development, are there ways we can prevent even the least security-savvy developers from regularly shooting themselves (and their customers) in the foot? Yes. By providing development environments and APIs that subtly guide developers down a secure implementation path, we can prevent whole classes of vulnerabilities with very little effort. This talk will discuss the properties that tend to exist in safe development environments and will propose some guiding principles that API designers should consider.

Speakers

Timothy D. Morgan

Blindspot Security LLC
Tim has been taking deep technical dives in security for over a decade. In that time, he has been credited with the discovery and responsible disclosure of numerous security vulnerabilities in a variety of software products, including: IBM Tivoli Access Manager, Sun Java Runtime Environment, Google Chrome Web Browser, OpenOffice, Oracle WebLogic Application Server, and IBM Websphere Commerce. His current research interests include applied...


Wednesday January 28, 2015 3:00pm - 4:00pm
Annenberg Community Beach House: Track 3 415 Pacific Coast Hwy, Santa Monica, CA 90402

3:00pm

SQLViking: Pillaging your Data
On every network there is a set of highly desired assets which every pentester strives to compromise. One of those assets is the databases which house sensitive information. The default settings of most databases are to communicate over unencrypted channels. Because of this, why bother attempting to compromise the database server itself when all the information you could ever want is already flying over the wire? SQLViking is a tool which takes advantage of this in two ways. The first piece, dubbed 'scout,' passively sits on a network segment logging any SQL queries it sees and the corresponding result set. The active piece, called 'pillage,' leverages TCP injection for executing arbitrary SQL queries without credentials. SQLViking is available as a standalone Python tool and can be easily loaded onto a small device with a LAN tap, such as a Raspberry Pi, for physical pentests. The tool is still very much in the beta testing stages and only supports the MySQL and SQL Server (Tabular Data Stream) network protocols at this time. We're also investigating ways to increase the likelihood of a successful TCP injection attack on very busy networks.

Speakers

Jonn Callahan

CGI Federal
Jonn Callahan has spent the last two years rooting out web application flaws both at the source code level and dynamically. When not actively researching whatever topic has piqued his interest, he's losing money on the cryptocoin market and getting beat up by his two dogs.

Ken Toler

Senior Application Security Consultant, nVisium
Ken Toler is a Senior Application Security Consultant at nVisium specializing in web application penetration testing and static analysis in Ruby, Java, and .NET. He also comes with a network security background and has worked closely with growing startups in the DC area.


Wednesday January 28, 2015 3:00pm - 4:00pm
Annenberg Community Beach House: Track 2 415 Pacific Coast Hwy, Santa Monica, CA 90402

4:00pm

Why Do We Suck at Infosec?
I'll begin the talk by contrasting the different kinds of attacks and targets, from typical enterprise to nation/state-level attackers and targets. Next, I'll discuss how difficulty in measuring the security of products leads to the current state of software security woes. Then I'll address how the information security industry has largely failed by permitting zero-day sales and stunt hacking and selling ineffective boxed solutions. Finally, I'll end by showing where I think we need to go and how we'll get there (and show how we're already on our way).

Speakers

Charlie Miller

Security Engineer, Twitter
Charlie Miller is a security engineer at Twitter. Back when he still had time to research, he was the first with a public remote exploit for both the iPhone and the G1 Android phone. He is a four-time winner of the CanSecWest Pwn2Own competition. He has authored three information security books and holds a PhD from the University of Notre Dame. He has hacked browsers, phones, cars, and batteries. Charlie spends his free time trying to get back...


Wednesday January 28, 2015 4:00pm - 5:00pm
Annenberg Community Beach House: Track 1 415 Pacific Coast Hwy, Santa Monica, CA 90402

5:00pm

Closing Comments (with prizes!)
Wednesday January 28, 2015 5:00pm - 5:30pm
Annenberg Community Beach House: Track 1 415 Pacific Coast Hwy, Santa Monica, CA 90402