
Monday, January 23


Registration and Breakfast
Monday January 23, 2017 8:00am - 9:00am
Annenberg Community Beach House 415 Pacific Coast Hwy, Santa Monica, CA 90402


OWASP Top 10 - Exploitation and Effective Safeguards


AppSec California 2017

Monday, January 23rd, 2017 Presented by David Caissy, Albero Solutions Inc.

About the course

The OWASP Top 10 web application vulnerabilities list has done a great job of promoting awareness among developers. Together with the many OWASP cheat sheets, it provides valuable tools and techniques to web developers. But such a large body of information can be overwhelming for a programmer who wants to learn about security. This course aims to give all web developers deep, hands-on knowledge of the subject.

To achieve this goal, participants will first learn the technical details about each OWASP Top 10 vulnerability. Then the instructor will give demos on how attacks are performed against each of them. After that, participants will use virtual machines and follow step by step procedures to launch attacks against a vulnerable web site. This step is key in understanding how exploitation works so they can later implement effective safeguards in their systems. Our experience is that participants who have had hands-on experience at exploiting vulnerabilities will always remember how to prevent them.

The course will cover the following topics:

1. OWASP Top 10 web application vulnerabilities:

A1 - Injection Attacks

  •  Command Injection
  •  SQL Injection


A2 - Broken Authentication and Session Management

A3 - Cross-Site Scripting (XSS)

A4 - Insecure Direct Object References

A5 - Security Misconfiguration

A6 - Sensitive Data Exposure

A7 - Missing Function Level Access Control

A8 - Cross-Site Request Forgery (CSRF)

A9 - Using Known Vulnerable Components

A10 - Unvalidated Redirects and Forwards

2. Proper Password Management

3. Secure Coding Best Practices

4. Effective Safeguards

Hands-on Exercises

1. Session Initialization and Client-Side Validation

 Part 1: Web Proxy and Session Initialization

 Part 2: Client-Side Validation

2. Online Password Guessing Attack

3. Account Harvesting

4. Sniffing Encrypted Traffic

5. Launching Command Injection Attacks

6. Using a Web Application Vulnerability Scanner

7. Optional Exercise: Create SSL certificates


Demos from the instructor

1. SQL Injection Attack

2. Cross-Site Scripting Attack

3. Insecure Direct Object References

4. Sensitive Data Exposure

5. Cross-Site Request Forgery

Who should take this course?

This course is designed to help intermediate to expert web developers and security professionals understand how to secure web applications. Candidates are expected to have basic knowledge of web technologies, but no prior security experience is required. Security professionals who want to learn more about web security will also benefit from this class.


Participants are asked to bring a laptop (Windows, Mac or Linux) with at least 4 GB of RAM, 20 GB of free disk space and either VMware Workstation Player (free), VMware Workstation, VMware Fusion or Oracle VirtualBox (free) pre-installed. They must also have an administrator/root account on their laptop. At the beginning of the class, participants will receive a USB thumb drive containing a pre-configured virtual machine for the hands-on exercises.

About the trainer

David Caissy, M. Sc., OSCP, GWAPT, GPEN, GSEC, CISSP, CEH is a web application penetration tester with in-depth developer and IT Security background spanning over 16 years. He has extensive experience in conducting vulnerability assessments and penetration tests as well as providing training globally, amongst numerous other teaching engagements. He has worked for a central bank, the Department of National Defense of Canada, various government agencies and private companies. David has been teaching web application security in colleges, conferences and for many government agencies over the last 15 years.


David Caissy

Penetration Tester, Bank of Canada
David Caissy is a web application penetration tester with in-depth developer and IT Security background spanning over 17 years. He has extensive experience in conducting vulnerability assessments and penetration tests as well as providing training globally, amongst numerous other...

Monday January 23, 2017 9:00am - 5:00pm
Terrace Lounge


Real World Red Team Attacks

The days of exploiting MS08-067, encoding with Shikata Ga Nai, and blindly scanning are gone. Both Blackhat hackers and pentesters alike have shifted to using more advanced techniques to bypass AV, implement a smaller footprint to evade SIEM detection, and continually stay persistent to devastate enterprise networks. If you are looking to take your craft to the next level, this is the primer course for you.

Written and taught by the author of “The Hacker Playbook” series, Peter Kim will take you through an immensely hands-on experience to replicate real world attacks without even running a single vulnerability scanner. In this hands-on experience, you will take on the role of a malicious Blackhat attacker and infiltrate your way into a corporate network. The onsite lab will emulate a real network using only modern operating systems.

Peter Kim

CEO, Secure Planet
Peter Kim has been in the information security industry for the last 12 years and has been running red teams/penetration testing for the past 8 years. He has worked for multiple utility companies, Fortune 1000 entertainment companies, government agencies, and financial organizations. He...

Monday January 23, 2017 9:00am - 5:00pm
Club Room


Secure Coding Bootcamp for the Web

The major cause of web insecurity is the lack of secure software development practices. This one-day bootcamp will help developers and other software professionals build and maintain secure applications. This class contains a combination of lecture, security testing demonstration and code review.

The following modules will be included in this class.

– HTTP Basics (1 hr)

In this module we will cover the various security implications of using the HTTP protocol for web and web service development. Topics such as the proper use of HTTP verbs and HTTP security response headers will be covered. We will also use an intercepting proxy tool to demonstrate how attackers modify request data to harm your applications. This module will also introduce several methods needed to properly transmit sensitive data over HTTPS.

– SQL and other Injection (0.5 hrs)

Injection is an application weakness that will allow attackers to execute harmful SQL, Operating System, LDAP and other commands against your application. This is one of the most dangerous vulnerabilities possible. This module will review several forms of injection with live demonstrations. We will discuss the limits of input validation, and focus on more robust defenses such as query parameterization and encoding.

– Authentication (2.5 hrs)

Authentication is the “front gate” of any application and is used to establish the identity of your users. This module will discuss the security mechanisms found within a secure authentication layer of a web application. We will review a series of historical authentication threats. We will also discuss a variety of authentication design patterns necessary to build a low-risk, high-security web application. Session management threats and best practices will also be covered. This module will also include code review labs.

– OAuth Security (2 hrs)

OAuth is a delegation framework that appears on the radar of security professionals and developers more and more every day. OAuth intersects with authentication and access control, yet you would not likely use OAuth in and of itself for authentication, session management or access control in your applications. Even more confusing, OAuth is not a standard, and various service providers will likely have different implementations. Let’s say it again: OAuth is not a standard; it’s a framework for delegation. So this leaves us with questions! What really is delegation? Where does OAuth fit in? How can I use OAuth in a secure fashion? These questions and more will be answered in this module.

– Access Control (1 hr)

Access Control is a necessary security control at almost every layer within a web application. This module will discuss several of the key access control anti-patterns commonly found during website security audits. These access control anti-patterns include hard-coded security policies, lack of horizontal access control, and “fail open” access control mechanisms. In reviewing these and other access control problems, we will discuss and design a positive access control mechanism that is data contextual, activity based, configurable, flexible and deny-by-default, along with the other positive design attributes that make up a robust web-based access-control mechanism.

– AngularJS Security (1 hr)

AngularJS is one of the most popular and exciting JavaScript UI frameworks in use today. This module will discuss what AngularJS is, how it is built and the various security controls contained within it, including Strict Contextual Escaping, HTML Sanitization, Content Security Policy integration, the double-submit cookie defense and JSON hijacking protection.

Jim Manico

Founder, Manicode Security
Jim Manico is the founder of Manicode Security where he trains software developers on secure coding and security engineering. He is also an investor/advisor for KSOC, Nucleus Security, Signal Sciences, Secure Circle and BitDiscovery. Jim is a frequent speaker on secure software practices...

Monday January 23, 2017 9:00am - 5:00pm
Garden Terrace Room


The Best TLS Training in the World

Spend a full day to understand both the theory and practice of SSL/TLS.

Designed by the author of the much acclaimed Bulletproof SSL and TLS, this practical course will teach you how to deploy secure servers and encrypted web applications during a day packed with theory and practical work. We’ll focus on what you need in your daily work to deliver best security, availability and performance. And you will learn how to get an A+ on SSL Labs!

Why This Course is for You
  • Understand threats and attacks against encryption
  • Identify real risks that apply to your systems
  • Deploy servers with strong private keys and valid certificates
  • Deploy TLS configurations with strong encryption and forward secrecy
  • Understand higher-level attacks against web applications
  • Use the latest defence technologies, such as HSTS, CSP, and HPKP

Course Outline
  1. Introduction
    1. The need for network encryption
    2. Understanding encrypted communication
    3. The role of public key infrastructure (PKI)
    4. SSL/TLS and Internet PKI threat model
  2. Keys and certificates
    1. RSA and ECDSA: selecting key algorithm and size
    2. Certificate hostnames and lifetime
    3. Practical work:
      1. Private key generation
      2. Certificate Signing Request (CSR) generation
      3. Self-signed certificates
      4. Obtaining valid certificates from Let’s Encrypt
    4. Sidebar: Revocation
  3. Protocols and cipher suites
    1. Protocol security
    2. Key exchange strength
    3. Forward security
    4. Cipher suite configuration
    5. Practical work:
      1. Secure web server configuration
      2. Server testing using SSL Labs
    6. Sidebar: Server Name Indication (SNI)
    7. Sidebar: Performance considerations
  4. HTTPS topics
    1. Man in the middle attacks
    2. Mixed content
    3. Cookie security
    4. CRIME: Information leakage via compression
    5. HTTP Strict Transport Security
    6. Content Security Policy
    7. HTTP Public Key Pinning
    8. Practical work:
      1. Deploying HSTS for robust encryption
      2. Deploying CSP to deal with mixed content
  5. Putting it all together: Getting A+ in SSL Labs

We will also provide you with many additional exercises that you can work on in your own time. You'll be able to ask us for help via email. And if you're already familiar with the basics, we'll challenge you with some of the advanced exercises on the day.

Scott Helme

Security Researcher, Feisty Duck
Scott Helme is a security researcher, consultant and international speaker. He can often be found talking about web security and performance online and helping organisations better deploy both. Founder of report-uri.io, a free CSP report collection service, and securityheaders...

Monday January 23, 2017 9:00am - 5:00pm
Marion Davies Guest House


Riot Games Security Meetup
Monday January 23, 2017 6:30pm - 9:00pm
Riot Games 12333 W Olympic Blvd, Los Angeles, CA 90064

Tuesday, January 24



Welcome Address
Edward Bonver

Technical Director, Software Security Group, Symantec
OWASP LA chapter board member
OWASP AppSecCali organizer
@edward_bonver
https://www.linkedin.com/in/bonver
Edward Bonver is a technical director and software security architect on the Software Security Group under the Office of the CTO at Symantec Corporation. He is responsible for ensuring...
Richard Greenberg

AppSec Cali Co-Chair, OWASP
Richard is and has been the Co-Chair of every AppSec California. He serves on the OWASP Global Board of Directors, and is president of the OWASP Los Angeles Chapter. Richard brings over 25 years of management experience and has been a strategic and thought leader in IT and Information...

Tuesday January 24, 2017 9:00am - 9:15am
Sand and Sea Room


Diamond Sponsor Greeting

Tuesday January 24, 2017 9:15am - 9:20am
Sand and Sea Room


Oscar Whiskey Alpha September Papa
Organizations are reporting that they have more technical staff on hand than ever before. Interoperability of technologies is working seamlessly, and world governments and critical infrastructures are better than ever before. This talk will remove the sugar-coated and politically correct answers and provide straight talk, ideas and answers to the community about the road ahead. Bring your OWASP rockets and let's do this!

Tom Brennan

Founder, Security Architect, ProactiveRISK
Tom Brennan is a mage at Proactive Risk with two decades of hands on the keyboard building, breaking and defending data for clients worldwide. He is an alumnus of McAfee, Intel Security, SafeCode, Trustwave, WhiteHat, ADP, Datek Online and the United States Marines. As a volunteer...

Tuesday January 24, 2017 9:20am - 9:40am
Sand and Sea Room


Opening Keynote: Scaling a Software Security Initiative: Lessons from the BSIMM

This talk highlights important lessons in scaling the software security touchpoints described in the book Software Security and making them work efficiently and effectively in a global software security initiative. The talk will focus on the top three touchpoints, discussing tools, technology, people and processes for each:

  • Code review with a static analysis tool. What is better, a centralized factory model or tools on all developers’ desktops? How do you set things up to fix what you find? How do you avoid rejection of a complex toolset that requires real expertise to use? What about frameworks that are in common use but stymie current commercial tools? Are false positives a real issue?
  • Architectural risk analysis. How do you even begin to scale something requiring so much expertise and experience to the enterprise? What kinds of knowledge make this process more efficient? How do you gather intelligence about threats? What are the top ten security design flaws?
  • Penetration testing. What role should pen testing play in a software security initiative? Is it best to develop capability in house or hire outside experts? What kinds of access to design documents and source code should pen testers get? Does pen testing scale? How often should an application be tested?

These questions and others will be addressed head on using examples from the 95+ BSIMM firms and many years of real-world experience. (Firms in the BSIMM include Adobe, Aetna, ANDA, Autodesk, Axway, Bank of America, Betfair, BMO Financial Group, Black Knight Financial Services, Box, Canadian Imperial Bank of Commerce, Capital One, Cisco, Citigroup, Citizen’s Bank, Comerica Bank, Cryptography Research, Depository Trust & Clearing Corporation, Elavon, Ellucian, EMC, Epsilon, Experian, F-Secure, Fannie Mae, Fidelity, Freddie Mac, General Electric, Highmark Health Solutions, Horizon Healthcare Services, Inc., HP Fortify, HSBC, Independent Health, iPipeline, JPMorgan Chase & Co., Lenovo, LGE, LinkedIn, Marks and Spencer, McKesson, Morningstar, Navient, NetApp, NetSuite, Neustar, Nokia, NVIDIA, NXP Semiconductors N.V., Principal Financial Group, Qualcomm, Royal Bank of Canada, Siemens, Sony Mobile, Splunk, Symantec, Target, The Advisory Board, The Home Depot, The Vanguard Group, Trainline, U.S. Bank, Visa, Wells Fargo, and Zephyr Health.)

Gary McGraw, Ph.D.

Vice President Security Technology, Synopsys
@cigitalgem
Gary McGraw is the Vice President Security Technology of Synopsys (SNPS), a Silicon Valley company headquartered in Mountain View, CA. He is a globally recognized authority on software security and the author of eight best-selling books on this topic. His titles include...

Tuesday January 24, 2017 9:40am - 10:30am
Sand and Sea Room


Break and Vendor Expo
Tuesday January 24, 2017 10:30am - 11:00am
Annenberg Community Beach House 415 Pacific Coast Hwy, Santa Monica, CA 90402


CTF / Challenge Room

We are absolutely thrilled to announce that OWASP San Diego will be hosting an amazing AppSec California CTF hacking competition this January 26th-27th for the third year in a row!

Here are the all important details:

Date: January 23rd-25th, 2016
Time: 9AM – 5PM PST (runs until 4PM PST on the second day)
Location: Event House (Hacking Village) (Must be there in-person)
Players: 100 Players Maximum
Registration: Register on-site
Required: Bring your laptop (and an Ethernet/USB adapter if you do not have an Ethernet port on your laptop).
Optional Equipment: Bring lock picks (as there will likely be physical security challenges)
Cost: Free!
Prizes: Yes! =]

No pre-registration necessary! Sign up on-site, get plugged in, and get started. Contest begins on January 24th at 10:00 in the Hacking Village and will run through the end of the day January 25th at 4pm. Winners will be announced and prizes given out at the closing ceremonies.

Contest Rules:
Don’t be a jerk.

No host discovery is required. Everyone scanning a network just makes it break. Scanning a single host as part of a challenge is fine.

Targets are clearly marked, only attack those. No attacking the switches, networks, etc.

No DoS attacks, get the flags.

No physical attacks – cables, switches, hardware services are right out. Don’t break them.

Don’t delete or change the flags.

VMs will be reverted somewhat regularly.

Don’t mess with Splunk and logging, we are just health checking.

Don’t delete our root key from the box or we’ll have to revert it. Don’t do this as a DoS attack on the other participants.

If we ask, you need to show us what/how you did something.

We aren’t lawyers, you probably aren’t a lawyer. Don’t look for loopholes, and don’t get in the way of other people having fun.

Random Thoughts:
If this is your first CTF ever, you will be able to find things if you try, if it is not, we have challenges for you also.

Objectives and flags are fairly clearly marked.

NO STEGO! We hate stego. The tools never work and it’s a pain, so we didn’t do that. Images that have flags are clearly marked and are images for the lulz.

No host discovery is required, but scanning a host may be useful.

Challenges are standalone, but some easier ones may give ideas for harder ones.

We are logging lots of things, if you aren’t happy with that, don’t play.

Tuesday January 24, 2017 10:30am - 5:30pm
Club Room


The Physical Web, interact with anything
Introduction to the Physical Web and how it works hard to protect users' privacy. I'll also discuss the trade-offs of using HTTPS, as well as new directions (and the security implications) around Wi-Fi Direct, mDNS, and 'fatBeacons' (BLE beacons that contain the web page).

Scott Jenson

Product Strategy, Google
Scott Jenson has been doing user interface design and strategic planning for over 25 years. He worked at Apple on System 7, Newton, and the Apple Human Interface guidelines. He was the director of Symbian’s DesignLab, VP of product design for Cognita, a manager of mobile UX for...

Tuesday January 24, 2017 11:00am - 11:50am
Garden Terrace Room


Threat Modeling for Mobile
How do you know how to build your application securely, or what to look for when you’re performing a security assessment of an application? One critical part of figuring this out is the application’s threat model. For many years, development teams and security teams have been dealing primarily with web applications that generally have a common threat model. We have gotten so used to this threat model that we often don’t even think about it.

As we are increasingly dealing with mobile applications, we need to rethink this approach. The mobile ecosystem is complex and there is no one threat model that applies to all mobile applications. Based on over twelve years of experience working in the mobile ecosystem (starting before smartphones were a thing) and testing thousands of mobile applications, we have developed a variety of threat models for different types of mobile applications as well as mobile operating systems.

With mobile applications, we’re no longer running inside a mature client application (the browser) that provides many security features to us, like secure communication and the same-origin policy, that cannot be overridden by web applications. This has interesting security implications. There are many more security issues that we need to be aware of when developing and testing mobile applications. Without understanding the security issues in different types of mobile applications, we are inevitably going to produce vulnerable applications and even waste money on unnecessary controls. This talk will demystify the mobile ecosystem and will outline how to develop threat models for your mobile applications. It will dig into technical details such as how security features in Android and iOS, as well as in cross-platform development frameworks like Apache Cordova, are implemented, and how that impacts mobile applications.

Amit Sethi

Senior Principal Consultant, Cigital
Amit Sethi is a Senior Principal Consultant and the Director of the Mobile Practice and the Advanced Penetration Testing Practice at Cigital. He has over 12 years of experience in the security industry as well as a Masters degree in Cryptography. He has extensive experience performing...

Tuesday January 24, 2017 11:00am - 11:50am
Marion Davies Guest House


SPArring with the Security of Single Page Applications
When SPArring with the security of a Single Page Application (SPA) you need to be like a Mixed Martial Artist (MMA) fighter who understands several specialties to be successful.

In MMA, a fighter needs to be skilled in several martial arts styles, such as boxing, kickboxing, Muay Thai for the stand up portion of the fight. Then, he needs to know wrestling or judo to take the fight to the ground, and once he’s on the ground, he needs to know Jujitsu and Sambo to submit his opponent.

When doing battle with a SPA, a pen-tester must become an MMA hacker: a Mixed Multilayer Application Hacker. As an MMA Hacker, you need to understand the multitude of complex application layers that are only getting more complex and interconnected by the day.

This discussion will include MMA Hacker training on the following application layers:
• Interface layer: Become familiar with SPA frameworks (AngularJS, ReactJS). These SPA frameworks fundamentally change the browser communication that security experts have long understood.
• Backend layer: Dig into different REST APIs and learn how they are used and where to find the weaknesses.
• Network layer: Learn more about WebSockets and how they fundamentally change TCP/HTTP as you have always known it to be.
• Interconnectivity layer: Get to know how SPAs are often interconnected with third-party APIs or presentation elements, and how this can create security issues that are inherited from trusting the third party.
• Tools: Understand what tools are available to help you address these challenges, and the potential gaps that exist in the tools we all depend on.

Join this talk to start your MMA Hacker training today!

Dan Kuykendall

Senior Director, Application Security Products , Rapid7
Dan Kuykendall is the Senior Director of Application Security Products at Rapid7 where he directs the strategic vision, research and product development for the company’s application security solutions. In addition to keeping up with the latest attack patterns, Dan remains focused...

Tuesday January 24, 2017 11:00am - 11:50am
Sand and Sea Room


Adding PowerShell to your Arsenal with PS>Attack
PowerShell is an incredibly powerful language with a lot of support from the offensive community, but it’s tough to know how to get started. PS>Attack aims to fix that. In this talk we’ll go over how you can use PS>Attack on your engagements to attack Windows environments and how the skills you learn while using it can be applied to any PowerShell console you encounter.

Jared Haight

Security Engineer, Gotham Digital Science
Jared Haight is a Security Engineer with Gotham Digital Science in Charlotte, NC. Before making the transition to Information Security he was a Systems Administrator for a decade where he spent most of his time writing scripts to automate everything he did so he could spend more time...

Tuesday January 24, 2017 11:00am - 11:50am
Terrace Lounge


Protecting container applications with file system whitelisting
Container technologies like Docker are gaining mainstream interest from development organizations. Unlike virtual machines, containers running on the same host share the underlying OS kernel and filesystem. In this talk we describe an approach to harden and isolate containerized applications via file system monitoring. We show that it is possible to automatically build a whitelist of the file system resources available to a container based on static analysis of the container's contents and configuration. In addition, containers can be monitored at runtime for storage writes of known exploits. We demonstrate how a mix of static and runtime file system monitoring proves to be an unintrusive and effective layer of security and isolation for containerized Cloud Native applications.

Chenxi Wang, Ph.D.

General Partner, Rain Capital
Dr. Chenxi Wang is Managing General Partner at Rain Capital. Chenxi built an illustrious career at Forrester Research, Intel Security, and CipherCloud. At Forrester, Chenxi covered mobile, cloud, and enterprise security, and wrote many hard-hitting research papers. At Intel Security...

Tuesday January 24, 2017 12:00pm - 12:50pm
Garden Terrace Room


Twubhubbook: like an appsec program, but for startups
It’s 2025. Many of the problems in appsec in <%= current_year %> have mitigations, maybe even solutions. The value of an appsec program is widely accepted as a requirement for any successful company. Yet XSS and other common vulnerabilities are still occupying the time of many engineering teams. Twubhubbook has the benefit of being a new startup: it's mostly a blank slate situation. This is the story of how Twubhubbook rolled out their program without skipping a beat or breaking the bank. The purpose of this imaginary story is to provide practical advice that you can take to a current or future startup (sorry enterprise people) based on the successes and failures of today's startups. 

Brent Johnson

Application Security Contractor, GitHub
Brent is working as an Application Security contractor for GitHub as he finishes a B.S. in Computer Science with a minor in Applied Computer Security from the University of Southern California. His primary focus is on application security and he has a strong interest in ways to automate...
Neil Matatall

Product Security Engineer, GitHub
Neil is a product security engineer at GitHub. He has mostly worked on web application security and is frequently involved in AppSec communities. Previously, Neil has been an engineer at Twitter, a W3C-webappsec group member, an OWASP Chapter leader, and has organized multiple conferences...

Tuesday January 24, 2017 12:00pm - 12:50pm
Marion Davies Guest House


Serverless is teh Hawtness for Defenders and DevOps
Serverless is a design pattern gaining a lot of traction in DevOps shops. The serverless pattern allows scale without managing the servers or processes running the application. This is done across the continuum of cloud, from storage as a service to database as a service, but the center of serverless is Functions as a Service (FaaS). FaaS offerings on the market include AWS Lambda, Azure Functions, and Google Cloud Functions. Processes now run for milliseconds before being destroyed, and are instantiated again for subsequent requests.

Security changes under serverless and our traditional modes of firewalling and hardening all the things just won’t cut it. Practices like vulnerability discovery, code scanning and intrusion detection change in a serverless architecture. Other changes for serverless include how applications are built and deployed to how teams are structured.

This session will focus on practical security approaches and the four key areas of serverless security: software supply chain, delivery pipeline, data flow and attack detection. Even if you don’t have any experience with serverless, don’t worry, in this session we will start with the basics. You will learn what serverless is (it’s still being defined) and practical patterns for serverless adoption.  

James Wickett

Head of Research, Signal Sciences
James is a leader in the DevOps and InfoSec communities; most of his research and work is at the intersection of these two communities. He is a supporter of the Rugged Software movement and he coined the term Rugged DevOps. Seeing the gap in software testing, James founded an open...

Tuesday January 24, 2017 12:00pm - 12:50pm
Sand and Sea Room


Crowdsourced Security: The Good, The Bad, and The Ugly
Cost, quality, and coverage. These are the three major factors that security professionals must consider when designing a strategy for testing their web applications. There is a major talent shortage in the United States, and tools will only get you so far. How can security professionals leverage the power of the crowd to get fresh, incentivized eyes on their latest and greatest web apps, mobile apps, and APIs? Public and private bug bounties, crowdsourced penetration testing… what are the advantages and risks to engaging in this brave new world of “hire the hacker”? Join Caroline Wong, VP of Security Strategy at Cobalt.io for a frank discussion of the good, bad, and the ugly when it comes to crowdsourcing your web application security.

Caroline Wong

VP Security Strategy, Cobalt
Caroline Wong is the VP of Security Strategy at Cobalt. Cobalt delivers crowdsourced pen tests and private bug bounties to modern organizations. Caroline's close and practical information security knowledge stems from broad experience as a Cigital consultant, a Symantec product manager...

Tuesday January 24, 2017 12:00pm - 12:50pm
Terrace Lounge


Lunch and Vendor Expo
Tuesday January 24, 2017 12:50pm - 2:30pm
Annenberg Community Beach House 415 Pacific Coast Hwy, Santa Monica, CA 90402


Monitoring Application Attack Surface to Integrate Security into DevOps Pipelines
A web application's attack surface is the combination of URLs it will respond to as well as the inputs to those URLs that can change the behavior of the application. Understanding an application's attack surface is critical to being able to provide sufficient security test coverage, and by watching an application's attack surface change over time security and development teams can help target and optimize testing activities. This presentation looks at methods of calculating web application attack surface and tracking the evolution of attack surface over time. In addition, it looks at metrics and thresholds that can be used to craft policies for integrating different testing activities into Continuous Integration / Continuous Delivery (CI/CD) pipelines for teams integrating security into their DevOps practices.

Dan Cornell

Chief Technology Officer and a Principal, Denim Group, Ltd.
A globally recognized application security expert, Dan Cornell holds over 15 years of experience architecting, developing and securing web-based software systems. As the Chief Technology Officer and a Principal at Denim Group, Ltd., he leads the technology team to help Fortune 500...

Tuesday January 24, 2017 2:30pm - 3:20pm
Garden Terrace Room


Uninvited Guests on the World's Wild Web: Understanding Malicious Web Bots with OWASP Handbook
Day in and day out, web applications are subject to unwanted automated usage. These events often relate to misuse of inherently valid functionality, rather than the attempted exploitation of unmitigated vulnerabilities. Examples of these events include click fraud, comment spamming, content scraping, password cracking, and many more. 

Without a common language and terminology between architects and developers, business owners and engineers, builders and defenders, and security vendors and buyers, misunderstandings do happen, and they can be costly. The OWASP project on Automated Threats to Web Applications has produced an ontology providing a common language to facilitate clear communication and help tackle the issues. The project identifies symptoms of these issues and discusses countermeasures against them. 

One product of the project is the OWASP Automated Threat Handbook, which has recently been updated. As with all OWASP materials, the book is free to download and use. This talk will help you navigate the swampland of malicious web automation using the handbook as guide, along with examples from the real world. It will also offer advice, and discussion, on countermeasure techniques usable by builders and defenders alike of web applications. 

This OWASP project is intended to be an information hub for web application owners, builders and defenders, providing practical resources to help them protect their web properties against unwanted automated processes. The project seeks input from the industry -- and the audience -- to continuously improve its impact on real-world unwanted web automation problems. 

Tin Zaw

Director, Security Solutions, Verizon
The author resides in sunny southern California, where he seeks a Zen state of mind amid the chaotic mix of technology, society and cyber threats. Wanting to make the world safer online, he gave up his beloved programming job to focus on cyber security. He is a former president of...

Tuesday January 24, 2017 2:30pm - 3:20pm
Marion Davies Guest House


Dissecting Browser Privacy
It's no secret that users are being tracked across the web via cookies, supercookies, and an ever-growing list of browser fingerprinting methods. This talk will go over common privacy attack vectors in the browser and discuss ways to prevent tracking without breaking websites.

Yan

Security Engineer, Brave
Yan is a Sr. Security Engineer at Brave Software working on most things browser-related. She is also a Technology Fellow at EFF, was formerly a member of the W3C Technical Architecture Group, and has worked on Let's Encrypt, SecureDrop, HTTPS Everywhere, Tor Browser, Privacy Badger...

Tuesday January 24, 2017 2:30pm - 3:20pm
Sand and Sea Room


InfoSec at Peak Prevention
We're all familiar with Peak Oil--a concept that says there's a limit to how much oil we can produce, after which point production must decline and new energy sources must be found.

This talk explores the concept of Peak Prevention. This is the idea that there is only so much prevention that can be applied when defending systems from attack, after which point other methods of risk reduction must be employed.

We'll explore the question of how close we are to Peak Prevention currently, and what other approaches to risk reduction may be available to us.

Daniel Miessler

Director of Advisory Services, IOActive
Security tester and consultant with 17 years of experience. Currently works for IOActive as the head of its Advisory Services group. Also runs the OWASP IoT Security Project. http://danielmiessler.com/about/

Tuesday January 24, 2017 2:30pm - 3:20pm
Terrace Lounge


#securityselfie (size up your appsec program with new metrics)
Hacking around to find cool bugs is one thing; securing a codebase is another. How do you measure the overall effectiveness of your application security work? Focus inward to take a security snapshot using data that you may not realize you already have.

This talk proposes several approaches for generating metrics that measure and improve your appsec work, from monitoring bug-bounty operational health to incentivizing long-term secure framework bets. Come hear how data is applied to secure the systems and code that power Facebook, WhatsApp, Instagram, and Oculus. There will be science. There will be code. You will learn new ways to use concrete numbers to assess the beautiful craft that is security engineering.

Jim O'Leary

Security Engineering Manager, Facebook
Jim O'Leary (@jimio) works on Facebook's product-security team; he delights in short biographies.

Tuesday January 24, 2017 3:30pm - 4:20pm
Garden Terrace Room


A Hybrid Approach for Web App Penetration Testing
According to the Symantec Internet Security Threat Report 2016, 78% of scanned websites have vulnerabilities, of which one in seven is deemed critical. After years of working as web app penetration testers across both the private and public sector, it quickly became apparent to us that relying exclusively on automated scanning tools was not sufficient. In order to accurately demonstrate what an adversary would be capable of, we needed to develop a new way of assessing web applications, which combines automated tools and, more importantly, manual testing.

In the Cyber Security world, one may be inclined to believe that automated scanners are superior at vulnerability discovery; however, humans are actually much better at accurately identifying vulnerabilities. It has been our observation that nearly half of the vulnerabilities identified in our security assessments were not detected by vulnerability scanners, but rather identified through manual testing. As many organizations rely heavily on vulnerability scanners to discover vulnerabilities, it’s important to not gain a false sense of security based on scanner results alone as scanners often overlook logical errors.

This presentation will capture a new methodology that aims at taking a hybrid approach to web app penetration testing by integrating both automated and manual testing together. We will cover the use of interception proxies for manual testing as well as IDS/IPS evasion techniques. Lastly, we will close the talk with a live demo which demonstrates the necessity for a hybrid approach to web app penetration testing.

David Caissy

Penetration Tester, Bank of Canada
David Caissy is a web application penetration tester with in-depth developer and IT Security background spanning over 17 years. He has extensive experience in conducting vulnerability assessments and penetration tests as well as providing training globally, amongst numerous other...

Tuesday January 24, 2017 3:30pm - 4:20pm
Marion Davies Guest House


The Road to Free Certificates is Paved with Good Intentions
Let's Encrypt has been a success for the open source community and for privacy in today's world. Running a certificate authority has a variety of challenges, and maintaining an infrastructure with a goal of openness and security has required dedication and flexibility from a small team to turn techniques that "work in theory" into ones that "work in practice." Now past its one year anniversary as a free, automated, and open certificate authority, this talk will cover Let's Encrypt's approach to mitigating security threats, including physical separation of duties, network partitioning, and change control procedures.

Jillian Karner

Log Whisperer, Let's Encrypt/Internet Security Research Group
Jillian has worked at black screens with white typewriter text for start-ups in the security field since her early college years. Now graduated from Arizona State University, she is currently working with Let's Encrypt.

Tuesday January 24, 2017 3:30pm - 4:20pm
Sand and Sea Room


Java LangSec: New Security Controls in Java 8 and 9
Secure software requires making a wide variety of security controls available to the developer. These controls range from automatic defenses to APIs that developers simply need to use, to controls that require extensive configuration and understanding to be used effectively. This session reviews several new security controls available in the Java 8 and 9 platforms. It also covers other important Java security work, such as how the server JRE decreases the attack surface by not including applet code—since 2013! The presentation will help raise awareness of the many defenses present and available in the Java ecosystem, something every Java developer and AppSec professional can benefit from.

Jim Manico

Founder, Manicode Security
Jim Manico is the founder of Manicode Security where he trains software developers on secure coding and security engineering. He is also an investor/advisor for KSOC, Nucleus Security, Signal Sciences, Secure Circle and BitDiscovery. Jim is a frequent speaker on secure software practices...

Tuesday January 24, 2017 3:30pm - 4:20pm
Terrace Lounge


Break and Vendor Expo
Tuesday January 24, 2017 4:20pm - 4:50pm
Annenberg Community Beach House 415 Pacific Coast Hwy, Santa Monica, CA 90402


Essential TLS Hardening for Better Web Security
Given the ubiquitous nature of the web, security professionals must do everything they can to hasten the switchover to a TLS-everywhere world. Thankfully, what was previously an expensive and tedious task has become much easier and economical due to automated TLS certificate provisioning. Once certificates are in place, there are a multitude of configuration hardening measures available, each of which perform an important role in providing strong web security.

Attendees of this hands-on talk will walk away with an in-depth understanding of the following topics, along with how they can be put to practical use.

Automated TLS certificate provisioning

* Let’s Encrypt pros and cons
* authenticator comparison: web root, DNS-01, standalone web server
* automatic TLS certificate renewal via Certbot and cron
* overview of third-party provisioning tools

TLS-related configuration

* trade-off between better security and backwards-compatibility with older browsers
* protocol and cipher selection based on above trade-offs
* recommended configuration profiles, along with feeds for automated comparison/notification

Content Security Policy (CSP)

* threat model: cross-site scripting and other code injection attacks
* can have sharp edges, but a useful defensive measure
* tools for drafting, validating, and reporting on content security policies

Public Key Pinning (HPKP)

* threat model: compromised or rogue certificate authorities
* potentially hazardous and should be handled with care

Certificate Transparency (CT)

* threat model: helps detect faked/forged certificates
* Chromium will require certificate transparency in October 2017
* Certbot to include Signed Certificate Timestamps (SCTs) in the near future

Other topics that will be covered include:

* forward secrecy
* strict transport security (HSTS)
* OCSP stapling
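The list above names the headers that carry most of the post-certificate hardening (HSTS, CSP, HPKP) and warns that two of them have sharp edges. The following is an added example, not material from the talk: a small auditor that takes a response's headers and reports the mistakes those warnings are about. The thresholds are assumptions chosen to match the cautions: HSTS at one year with includeSubDomains (what the preload list requires), no `'unsafe-inline'` or `'unsafe-eval'` in script-src unless a nonce or hash is present (CSP Level 2 browsers then ignore `'unsafe-inline'`), and HPKP flagged when it lacks the backup pin RFC 7469 requires or carries a max-age long enough to turn a mistake into a lock-out. The two header sets are constructed.

```python
"""Audit HTTPS-hardening headers (HSTS, CSP, HPKP) from a response.

Added example, not the speaker's material. Thresholds are assumptions
(see HSTS_MIN_MAX_AGE and HPKP_MAX_SAFE_AGE); header sets are constructed.
"""
import re

HSTS_MIN_MAX_AGE = 31536000      # one year: the hstspreload.org minimum
HPKP_MAX_SAFE_AGE = 60 * 86400   # assumption: longer than this, a bad pin is an outage


def header(headers, name):
    """Case-insensitive header lookup; None when absent."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def parse_directives(value):
    """'max-age=300; includeSubDomains' -> {'max-age': '300', 'includesubdomains': None}"""
    out = {}
    for part in value.split(';'):
        part = part.strip()
        if part:
            name, sep, val = part.partition('=')
            out[name.strip().lower()] = val.strip().strip('"') if sep else None
    return out


def audit_hsts(value):
    if value is None:
        return ['HSTS: header missing, so every first visit can be downgraded']
    directives = parse_directives(value)
    findings = []
    max_age = int(directives.get('max-age') or 0)
    if max_age < HSTS_MIN_MAX_AGE:
        findings.append(f'HSTS: max-age={max_age} is below {HSTS_MIN_MAX_AGE} (one year)')
    if 'includesubdomains' not in directives:
        findings.append('HSTS: includeSubDomains missing; an insecure subdomain can still '
                        'set or read cookies scoped to the parent domain')
    return findings


def parse_csp(value):
    """'default-src 'self'; script-src 'self' 'nonce-x'' -> {directive: [sources]}"""
    policy = {}
    for part in value.split(';'):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def audit_csp(value):
    if value is None:
        return ['CSP: header missing']
    policy = parse_csp(value)
    findings = []
    if 'default-src' not in policy:
        findings.append('CSP: no default-src fallback, so unlisted fetch types are unrestricted')
    script_src = policy.get('script-src', policy.get('default-src', []))
    # CSP Level 2 browsers ignore 'unsafe-inline' once a nonce or hash is present.
    nonce_or_hash = any(s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in script_src)
    if "'unsafe-inline'" in script_src and not nonce_or_hash:
        findings.append("CSP: script-src allows 'unsafe-inline', which defeats the XSS protection")
    if "'unsafe-eval'" in script_src:
        findings.append("CSP: script-src allows 'unsafe-eval'")
    return findings


def audit_hpkp(value):
    if value is None:
        return []   # not pinning is a legitimate choice; pinning wrongly is the hazard
    pins = re.findall(r'pin-sha256="([^"]+)"', value)
    directives = parse_directives(value)
    findings = []
    if len(pins) < 2:
        findings.append('HPKP: fewer than two pins; RFC 7469 requires a backup pin '
                        'and browsers ignore the header without one')
    max_age = int(directives.get('max-age') or 0)
    if max_age > HPKP_MAX_SAFE_AGE:
        findings.append(f'HPKP: max-age={max_age}; a pinning mistake locks visitors out for that long')
    return findings


def audit(headers):
    """All findings for one response's headers; an empty list means nothing flagged."""
    return (audit_hsts(header(headers, 'Strict-Transport-Security'))
            + audit_csp(header(headers, 'Content-Security-Policy'))
            + audit_hpkp(header(headers, 'Public-Key-Pins')))


# Constructed header sets: a weak configuration and a hardened one.
WEAK_HEADERS = {
    'Strict-Transport-Security': 'max-age=300',
    'Content-Security-Policy': "script-src 'self' 'unsafe-inline' 'unsafe-eval'",
    'Public-Key-Pins': 'pin-sha256="base64+primary+key+hash="; max-age=31536000',
}
HARDENED_HEADERS = {
    'Strict-Transport-Security': 'max-age=31536000; includeSubDomains; preload',
    'Content-Security-Policy': "default-src 'self'; script-src 'self' 'nonce-r4nd0mN0nc3'; object-src 'none'",
}

if __name__ == '__main__':
    for finding in audit(WEAK_HEADERS):
        print(finding)
```

The weak set produces seven findings; the hardened set produces none, and it sends no HPKP header at all, which is the safer default the talk's "handle with care" note points to. To audit a live site, feed `audit()` the header dict from any HTTP client's response object.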

Justin Mayer

Founder, Monitorial.com
Justin Mayer is the founder of Monitorial.com, a solution for identifying and addressing potential security vulnerabilities. A serial entrepreneur who has designed and built a variety of mobile/web applications, Justin is also an active open-source contributor and has presented talks...

Tuesday January 24, 2017 4:50pm - 5:40pm
Garden Terrace Room


Panel: Women in Security
Girls Who Code. Lean In. Grace Hopper. Women in Cybersecurity. Brain Babe. With so many targeted initiatives to increase the number of women in cybersecurity careers, what is really happening on the ground with girls and women entering and staying in the field of cybersecurity? Can we hope to get the balance of women/men to 50/50, or is this goal missing the point? Who is getting this right, and how are they doing it? What efforts can each of us make to influence girls and women in our communities and organizations?

Marian Merritt

Lead for Industry Engagement, NICE/NIST
Marian Merritt is the Lead for Industry Engagement for the National Initiative for Cybersecurity Education (NICE) at the National Institute of Standards and Technology (NIST). Marian has over 18 years of experience working in the cybersecurity industry. She previously was with Symantec...

Deidre Diamond

CEO, Cyber Security Network
Talent and Technology Veteran, Deidre Diamond, Founder and CEO of CyberSN, created the largest cybersecurity talent acquisition service and technology firm in the U.S. Deidre's vision is to remove the pain from job searching and matching for cybersecurity professionals. This vision...
Kelly FitzGerald

Senior Principal Information Security Analyst, Veritas Technologies LLC.
Kelly FitzGerald is a Senior Principal Information Security Analyst managing both the Customer and Supplier Trust Offices at Veritas Technologies LLC. Prior to her work at Veritas, Kelly worked at Symantec and has held positions in the Product Security, Consumer and Enterprise organizations...
Julie Medero

Assistant Professor of Computer Science, Harvey Mudd College
Julie Medero, PhD, researches natural language processing, machine learning and educational applications of language technology. Her research integrates ideas from computer science, linguistics, and electrical engineering to develop new applications of natural language processing...
Chenxi Wang, Ph.D.

General Partner, Rain Capital
Dr. Chenxi Wang is Managing General Partner at Rain Capital. Chenxi built an illustrious career at Forrester Research, Intel Security, and CipherCloud. At Forrester, Chenxi covered mobile, cloud, and enterprise security, and wrote many hard hitting research papers. At Intel Security...

Tuesday January 24, 2017 4:50pm - 5:40pm
Sand and Sea Room


Make me a sandwich: Automating a custom SecDevOps pipeline
The Continuous Integration and Extreme Programming models, coupled with A/B testing, make it nearly impossible for security teams to keep up with the pace of development and to test all the possible software configurations exposed to the public.

Many organizations turn to automation for help, but fail to fully integrate it into all phases of their Software Development Lifecycle. Most inordinately rely on dynamic analysis tools, which lack the ability to provide thorough code coverage and run at the end of the development process, increasing the cost of finding and remediating vulnerabilities.

While security teams are aware of the benefits of automation, many lack exposure to the tools used in the development and build processes. Additionally, many security teams face budgetary constraints that prevent access to expensive commercial suites designed to find vulnerabilities in software, find those commercial tools lacking, or simply cannot find tools that support the development languages or frameworks in use in their organizations.

This talk will cover how and where to integrate automation into common Version Control and Build Server software, such as Git, GitHub and Jenkins, allowing for testing throughout the SDLC and greater code coverage.

In this talk, attendees will also learn how to create custom static code analysis tools to find new vulnerabilities and prevent recurrences of known vulnerabilities. This will include how to create parsers, lexers, define grammars and walk parse trees.
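The last paragraph is about writing your own static analysis: getting a parse tree and walking it for the patterns that keep recurring in your codebase. The block below is an added example of that, not the speakers' tooling. Rather than hand-writing a lexer and grammar, it reuses Python's own `ast` module for the parse and walks the tree with a `NodeVisitor` that encodes three rules drawn from common findings: commands built at runtime and run with `shell=True` (or through `os.system`), `eval`/`exec` on runtime data, and `yaml.load` without a `Loader`. The sample source it scans is constructed; the rule set and the messages are the example's own.

```python
"""A small custom static-analysis check built on Python's own parser.

Added example (not the speakers' tooling). Reuses the `ast` module for the
parse tree and walks it with a NodeVisitor looking for call patterns that
keep producing real bugs. The sample source at the bottom is constructed.
"""
import ast

SUBPROCESS_CALLS = {'subprocess.run', 'subprocess.Popen', 'subprocess.call',
                    'subprocess.check_call', 'subprocess.check_output'}


def callee_name(node):
    """Dotted name of what a Call invokes: Name -> 'eval', Attribute chain -> 'os.system'."""
    parts = []
    current = node.func
    while isinstance(current, ast.Attribute):
        parts.append(current.attr)
        current = current.value
    if isinstance(current, ast.Name):
        parts.append(current.id)
        return '.'.join(reversed(parts))
    return None   # called expression is not a plain dotted name (e.g. a call result)


def keyword(node, name):
    return next((kw.value for kw in node.keywords if kw.arg == name), None)


def is_true_literal(node):
    return isinstance(node, ast.Constant) and node.value is True


class DangerousCallVisitor(ast.NodeVisitor):
    def __init__(self):
        self.findings = []

    def report(self, node, message):
        self.findings.append((node.lineno, message))

    def visit_Call(self, node):
        name = callee_name(node)
        if name in ('eval', 'exec'):
            self.report(node, f'{name}() executes whatever string it is given')
        elif name == 'os.system':
            self.report(node, 'os.system() goes through a shell; use subprocess with an argument list')
        elif name in SUBPROCESS_CALLS and is_true_literal(keyword(node, 'shell')):
            # A literal command string with shell=True is sloppy but not injectable;
            # anything built at runtime (concatenation, f-string, variable) is.
            if node.args and not isinstance(node.args[0], ast.Constant):
                self.report(node, 'shell=True with a non-literal command: command injection '
                                  'if any part is attacker-controlled')
        elif name == 'yaml.load' and len(node.args) < 2 and keyword(node, 'Loader') is None:
            self.report(node, 'yaml.load() without Loader can instantiate arbitrary objects; use yaml.safe_load()')
        self.generic_visit(node)   # keep walking: calls nest inside arguments


def scan(source, filename='<string>'):
    """Return sorted (line, message) findings for one Python source file."""
    visitor = DangerousCallVisitor()
    visitor.visit(ast.parse(source, filename))
    return sorted(visitor.findings)


# Constructed sample source with four findings (lines 4, 5, 10 and 12) and
# three safe calls that must not be flagged (lines 6, 7 and 11).
SAMPLE_SOURCE = '''\
import os, subprocess, yaml

def ping(host):
    os.system("ping -c1 " + host)
    subprocess.run("ping -c1 " + host, shell=True)
    subprocess.run(["ping", "-c1", host])
    subprocess.run("ls -l /tmp", shell=True)

def load(cfg, expr):
    data = yaml.load(cfg)
    safe = yaml.safe_load(cfg)
    return eval(expr, {}, data)
'''

if __name__ == '__main__':
    for line, message in scan(SAMPLE_SOURCE, 'sample.py'):
        print(f'sample.py:{line}: {message}')
```

Wired into a Git pre-receive hook or a Jenkins stage, `scan()` over each changed `.py` file gives the "prevent recurrences" check the abstract describes: when an incident teaches you a new anti-pattern, you add one `elif` branch and every future commit is checked for it. The same structure works for other languages by swapping in that language's parser (for instance a tree-sitter or ANTLR grammar) behind the same visitor.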

Patrick Albert

Director of Operations, Tinder
Military Veteran and Tech junkie with over a decade of experience in Technical Operations and Security. Long time supporter of the Infosec community, and Defcon Goon.
Tony Trummer

Director of Security Engineering, Tinder
Tony currently leads the Security team at Tinder in West Hollywood. As a penetration tester, Tony previously helped to start LinkedIn's AppSec program and later led their IR team. Tony has spoken at conferences around the world, including DefCon, BlackHat, AppSec Cali, AppSec USA...

Tuesday January 24, 2017 4:50pm - 5:40pm
Terrace Lounge


Wednesday, January 25



Opening Remarks
Richard Greenberg

AppSec Cali Co-Chair, OWASP
Richard is and has been the Co-Chair of every AppSec California. He serves on the OWASP Global Board of Directors, and is president of the OWASP Los Angeles Chapter. Richard brings over 25 years of management experience and has been a strategic and thought leader in IT and Information...

Wednesday January 25, 2017 9:00am - 9:10am
Sand and Sea Room


Diamond Sponsor Greeting

Wednesday January 25, 2017 9:05am - 9:10am
Sand and Sea Room


Keynote: Machine Learning — Cybersecurity Boon or Boondoggle
Machine Learning has seemingly become the latest shiny new object in cybersecurity. While machine learning holds great promise for improving our ability to detect and respond to threats, it is far from a panacea. This talk will provide a balanced view of the role that machine learning can play in cybersecurity, drawing upon a series of real life implementation and deployment experiences of machine learning techniques. Moreover, we will describe both best practices and pitfalls of applying machine learning in a cybersecurity context.  

Dr. Zulfikar Ramzan

Chief Technology Officer, RSA
Dr. Zulfikar Ramzan serves as the Chief Technology Officer of RSA. In this role, he is responsible for leading the development of the company's technology strategy and bringing to market the innovations that help protect RSA customers from the growing number of advanced threats...

Wednesday January 25, 2017 9:10am - 9:55am
Sand and Sea Room


Break and Vendor Expo
Wednesday January 25, 2017 10:00am - 10:30am
Annenberg Community Beach House 415 Pacific Coast Hwy, Santa Monica, CA 90402


CTF / Challenge Room
Wednesday January 25, 2017 10:00am - 5:10pm
Club Room


AppSec Pipelines and Event-based Security: Moving beyond a traditional security test.
Is software development outpacing your ability to secure your company's portfolio of apps? You don't have to buy into Agile, DevOps or CI/CD to realize the business wants to move faster. And it's not like you didn't already have more than enough to do. This talk will cover how to take the lessons learned from forward thinking software development and show you how they have been applied across several businesses. This isn't a theoretical talk. It covers the results of successfully applying these strategies to AppSec across multiple companies ranging from 4,000 to 40,000+ employees. Yes, real stats on improvements seen will be provided.

By changing focus from a point in time security testing and assessments to automation, continual health checks and event-based security, your AppSec program can start to keep pace with the increasing speed of delivery your business is trying to obtain. By embracing the same methodologies, you can turn Docker from a problem to how you horizontally scale your security work. Don't swim against the current of DevOps, Agile software development and Continuous Delivery. Instead use those movements to speed your AppSec program to new levels.

Matt Tesauro

Matt Tesauro is currently establishing a SDLC at a large healthcare software provider. Prior to his current role, he was a Senior AppSec Engineer building an AppSec Pipeline and continuous security program for Duo Security. Previously, he was a founder and CTO of 10Security, a Senior...

Wednesday January 25, 2017 10:30am - 11:20am
Garden Terrace Room


Serverless! The holy grail of security operations (?)
Let's face it, security operations is time consuming. More often than not a new paradigm surfaces that requires investing time addressing its risks, as Cloud and Containers did. The new paradigm that's coming is serverless, which brings some interesting features and limitations.

A paradigm where every request is served by ephemeral "servers", each running its own code, isolated from the others. This talk will address these questions:

What are the security benefits? Does traditional security apply to them? Who keeps them patched? Are they really ephemeral? What about compliance? Are current solutions mature enough? Do vulnerabilities like Dirty Cow affect them? Will DevOps/Architects receive it with open arms? How does developing and deploying work? Does it "fix" DevOps engineers accessing production?

You will see real examples and, in particular, which use cases are best for a first serverless implementation.

David Cuadrado

Tech Lead, Twilio
David is a tech lead at Twilio. He got hired as Authy's first engineer during YC in 2012 and joined Twilio after the Authy acquisition in 2015. While in college he started working as a developer for a company dedicated to graphic design and animation, coding primarily in C++. After...
Santiago Kantorowicz

Security Engineer, Twilio
Santiago started working as a pen tester 8 years ago; after finding customers making the same mistakes over and over again, he switched to defensive security 4 years later, leading AppSec efforts at South America's largest e-commerce. Now he is Authy's Security Officer, working on the Company's...

Wednesday January 25, 2017 10:30am - 11:20am
Marion Davies Guest House


AWS Survival Guide
An increasing number of organizations are using AWS or are migrating to AWS. Security teams with traditional datacenter security knowledge are trying to catch-up and grasp the new attack surface, security concerns, and develop defensive techniques. Developers are often given the power to deploy infrastructure in ways that were previously restricted without the traditional insight and controls security would normally implement. At the same time, AWS customers are being exploited in ways that are easily preventable but highly damaging to the customer's organization; this fact is well documented.

Fortunately, AWS does provide the technology to harden, monitor, and even recover should an incident occur. Unfortunately, these defensive practices are not widely discussed or well-known amongst both security professionals as well as developers.

In this talk, we discuss harnessing existing AWS functionality to strengthen your organization's AWS infrastructure against practical attacks. Ken will show you what attackers are looking for, how they are finding you, and how to secure your environment. Additionally, attendees will be given code that assists those using AWS in better understanding how their environment's IAM policies are configured and automate tasks like S3 bucket policy review, volume encryption statuses, and security group configurations.

Finally, this talk will delve deep into practical alerting/monitoring and demonstrate implementing notifications that are descriptive and pinpoint active attacks.

AWS Technologies discussed:

- Config
- CloudWatch
- CloudTrail
- Security features of other services
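The abstract promises code that reviews S3 bucket policies, volume encryption status and security group configuration. The block below is an added example in that spirit, not the code handed out in the talk. It works on the plain dict shapes the AWS APIs return, so it runs here against constructed data; on a real account you would feed it `json.loads(s3.get_bucket_policy(Bucket=name)['Policy'])`, `ec2.describe_security_groups()['SecurityGroups']` and `ec2.describe_volumes()['Volumes']` from boto3. Its three checks are the ones that account for most of the "easily preventable" incidents the abstract alludes to: a bucket policy that grants `Principal "*"` with no `Condition`, an ingress rule open to `0.0.0.0/0` or `::/0` (graded high when it covers SSH/RDP or all ports), and EBS volumes created without encryption.

```python
"""Offline review of S3 bucket policies, security-group ingress and EBS encryption.

Added example, not the code from the talk. Operates on the dict shapes the
AWS APIs return; the inputs at the bottom are constructed.
"""
import json

ADMIN_PORTS = {22, 3389}            # SSH and RDP: world-open here is the classic finding
WORLD = {'0.0.0.0/0', '::/0'}


def as_list(value):
    return value if isinstance(value, list) else [value]


def is_public_principal(principal):
    """True for Principal "*" or {"AWS": "*"}, the forms that mean 'anyone'."""
    if principal == '*':
        return True
    return isinstance(principal, dict) and '*' in as_list(principal.get('AWS', []))


def public_statements(policy):
    """Allow statements open to anyone and not narrowed by a Condition."""
    found = []
    for statement in as_list(policy.get('Statement', [])):
        if statement.get('Effect') != 'Allow':
            continue
        if not is_public_principal(statement.get('Principal')):
            continue
        if statement.get('Condition'):
            continue   # e.g. restricted to a VPC endpoint; review by hand rather than flag
        found.append((statement.get('Sid'), as_list(statement.get('Action', []))))
    return found


def world_open_ingress(group):
    """(severity, description) for each ingress rule reachable from the whole Internet."""
    findings = []
    for perm in group.get('IpPermissions', []):
        ranges = [r.get('CidrIp') for r in perm.get('IpRanges', [])]
        ranges += [r.get('CidrIpv6') for r in perm.get('Ipv6Ranges', [])]
        if not WORLD.intersection(ranges):
            continue
        proto = perm.get('IpProtocol')
        if proto == '-1':
            findings.append(('high', f"{group['GroupId']}: all protocols and ports open to the world"))
            continue
        low, high = perm.get('FromPort'), perm.get('ToPort')
        exposed_admin = [p for p in ADMIN_PORTS if low <= p <= high]
        severity = 'high' if exposed_admin else 'info'
        findings.append((severity, f"{group['GroupId']}: {proto} {low}-{high} open to the world"))
    return findings


def unencrypted_volumes(volumes):
    return [v['VolumeId'] for v in volumes if not v.get('Encrypted')]


# Constructed inputs shaped like the API responses.
BUCKET_POLICY = json.loads('''{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "VpceOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": ["s3:GetObject", "s3:ListBucket"], "Resource": "arn:aws:s3:::example-bucket/*",
     "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}},
    {"Sid": "Deploy", "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:role/deploy"},
     "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-bucket/*"}
  ]}''')
SECURITY_GROUP = {'GroupId': 'sg-0abc1234', 'IpPermissions': [
    {'IpProtocol': 'tcp', 'FromPort': 22, 'ToPort': 22, 'IpRanges': [{'CidrIp': '0.0.0.0/0'}]},
    {'IpProtocol': 'tcp', 'FromPort': 443, 'ToPort': 443, 'IpRanges': [{'CidrIp': '0.0.0.0/0'}]},
    {'IpProtocol': 'tcp', 'FromPort': 5432, 'ToPort': 5432, 'IpRanges': [{'CidrIp': '10.0.0.0/8'}]},
    {'IpProtocol': '-1', 'IpRanges': [], 'Ipv6Ranges': [{'CidrIpv6': '::/0'}]},
]}
VOLUMES = [{'VolumeId': 'vol-0aaa', 'Encrypted': True}, {'VolumeId': 'vol-0bbb', 'Encrypted': False}]

if __name__ == '__main__':
    print('public bucket statements:', public_statements(BUCKET_POLICY))
    for severity, text in world_open_ingress(SECURITY_GROUP):
        print(severity.upper(), text)
    print('unencrypted volumes:', unencrypted_volumes(VOLUMES))
```

On the constructed inputs only `PublicRead` is flagged (the `VpceOnly` statement is skipped because its `Condition` narrows it, which is exactly the kind of statement a reviewer should read rather than auto-fail), the 22/tcp and all-protocol IPv6 rules come back as high, and `vol-0bbb` is the one unencrypted volume. AWS Config rules such as `s3-bucket-public-read-prohibited`, `restricted-ssh` and `encrypted-volumes` cover the same ground continuously; a script like this is for the one-off sweep and for environments where Config is not yet enabled.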

Ken Johnson

CTO, nVisium
Ken Johnson, CTO of nVisium, has been hacking web applications professionally for 8 years. Ken is both a breaker and builder and currently leads the nVisium product team. Previously, Ken has spoken at DerbyCon, AppSec USA, RSA, AppSec DC, AppSec California, DevOpsDays DC, LASCON...

Wednesday January 25, 2017 10:30am - 11:20am
Sand and Sea Room


DASTProxy: Don’t let your automated security testing program stall on crawl. Instead focus on business context.
Many automated security programs look at crawling through a website before testing as a measure to build security automation. However, such an approach has limited success when you are dealing with huge applications that have numerous teams working on modular components or subsections. At eBay, it was instantly clear that such an approach was doomed to fail. Instead the Secure Development Life Cycle Team leveraged the knowledge and business context that our product development teams had built into functional testing, to enhance our dynamic security testing automation. This let us further our goal to make security a responsibility of every product development team at eBay. This talk is about our journey and the open sourced automation framework (https://github.com/eBay/DASTProxy) that we built to make our dreams and goals a reality.

Srinivasa Rao Chirathanagandla

Senior Software Engineer, eBay
Srinivasa Rao is an Information Security Engineer in AppSec at eBay, responsible for developing applications and tools for Secure Product Life Cycle (SPLC) and SecDevOps. He is a full-stack developer who enjoys coding using java, grails/groovy, angularJS and interacting with relational...
Kiran Sharadkumar Shirali

Senior Security Engineer, Red Team, eBay
Kiran Shirali is a Senior Security Engineer in eBay's Red Team. During the day, he is scouring eBay's networks and applications for flaws that could let hackers get access to critical assets. He is also involved in various other initiatives that help on the defensive side of...

Wednesday January 25, 2017 10:30am - 11:20am
Terrace Lounge


On Strategic Defense
There is no such thing as perfect security, but most of the attacks in the news were not that difficult and would have been prevented with practical security fundamentals. Yet we continue to see all of these large companies failing at the fundamentals of defense. Why?

In this presentation I will discuss the importance of developing robust ingress and egress filtering to mitigate the threat of sophisticated malware. I will discuss the steps you need to take to defend against the majority of the known attacks. The concepts of how to segment and isolate an architecture will be covered, as well as endpoint protections you can deploy to make your network a harder target.

Kevin Cardwell

President, CESI
Kevin Cardwell served as the leader of a 5 person DoD Red Team that achieved a 100% success rate at compromising systems and networks for six straight years. He has conducted over 500 security assessments across the globe. His expertise is in finding weaknesses and determining ways...

Wednesday January 25, 2017 11:30am - 12:20pm
Garden Terrace Room


Scaling Security Testing at the Speed of DevOps
Recent software development trends, namely DevOps, Continuous Integration, Continuous Delivery, and Continuous Deployment, have empowered developers and drastically reduced the DevTest window forcing teams to adopt highly automated test infrastructures.  While the adoption of these trends and automated test frameworks have improved feature delivery and time to market, they have complicated security assessment, producing substantial gaps between the current release and the last security audited code.  Consumers are now being forced to adopt new code releases daily or hourly without substantive security review, especially in the Software as a Service (SaaS) sector.  As engineering teams rapidly embrace these development methodologies, the community must evolve security testing strategies so as to enhance the security posture of products, services, and solutions.

This evolution must address three primary problems elucidated by the aforementioned development trends:

1. Testability: Security requirements should be testable and verifiable.
2. Scalability: Security requirements should be capable of being automated in a best-effort fashion so as to scale effectively.
3. Accessibility: Security tools and results should be easily digestible by software engineers and testers, and new security tools should be accessible to all development and test engineers.

Therefore, we have developed and are preparing to open source a new distributed security testing framework called Norad which facilitates security assessment at scale.  This framework automates multiple open-source and vendor security tools and aggregates their results for review.  It also provides an SDK which promotes the development of community developed security test content. This talk will explain Norad's design philosophy, architecture, and demonstrate its usage.

Roger Seagle

Principal Engineer, Cisco
Roger Seagle Jr. is a Principal Engineer in the STO TIP team at Cisco. Previously, he worked in Cisco's Advanced Security Initiatives Group (ASIG) where he assessed the security posture of Cisco products and advised product teams on patching and mitigating vulnerabilities. Roger regularly...

Wednesday January 25, 2017 11:30am - 12:20pm
Marion Davies Guest House


Want to be secure? Eliminate passwords. If you don't have a password, it can't be stolen!
User IDs and passwords not only allow us to authenticate our accounts and online payments but also allow access to hackers and criminal elements. 76% of data breaches are from stolen login information. By eliminating passwords and using instant, automatic 2-Factor authentication, we can stop fraudulent activities and payments.

A pie in the sky idea? Not really. See how the latest technologies make it possible.

Jack Bicer

CEO, Sekur Me
Jack Bicer is the founder and CEO of SEKUR.me, a mobile security and payments company, that eliminates passwords securely. His two previous inventions "Uninstall" and "Automatic Software Updates", run on every computer and every smartphone today. A 35 year software industry...

Wednesday January 25, 2017 11:30am - 12:20pm
Sand and Sea Room


HSTS, TLS, HPKP, CSP: putting them all together to move to HTTPS
Moving a large website with many user customizations to HTTPS is not as easy as it sounds. Migrating to a secure HTTPS platform is even harder. Browser vendors have added many HTTP headers to make HTTPS websites safer to use: HSTS, HPKP (Public Key Pinning), CSP (Content Security Policy), etc. In this talk, I will share my experience at Zscaler and Salesforce in moving large and complex websites to HTTPS. I will explain how these headers need to be thoroughly thought out, from the TLS versions and ciphers to support to which certificate to pin. The talk will show how to plan the migration to HTTPS, how to leverage CSP to measure the impact of the update before it happens, and how HSTS, HPKP and CSP can work together to ensure a safer experience for the users.
Participants will learn a methodology to move a complex website to HTTPS, including the role of the different HTTP headers in the planning and execution phases.
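
One concrete way to "leverage CSP to measure the impact of the update before it happens" is to ship a report-only policy that requires every sub-resource to be HTTPS and then aggregate the violation reports browsers post back. The script below is an added example written for this page, not code from the talk or from Zscaler or Salesforce; the header, the /csp-report path and the sample report bodies are all constructed for the demo, and the policy shown is an assumed approach rather than the speakers' own.

```python
"""Aggregate Content-Security-Policy violation reports to find the resources
that would break (or be blocked as mixed content) once a site moves to HTTPS.
Added example with constructed data; not code from the talk."""
import json
from collections import Counter
from urllib.parse import urlsplit

# Report-only policy served during the planning phase (assumed approach): nothing
# is blocked, but every non-HTTPS sub-resource produces a report to /csp-report.
REPORT_ONLY_HEADER = (
    "Content-Security-Policy-Report-Only: "
    "default-src https: 'unsafe-inline' 'unsafe-eval'; report-uri /csp-report"
)

# Constructed report bodies in the shape browsers POST to report-uri.  The
# fourth is a CSP level 1 style report without effective-directive; the last
# is junk that a collector endpoint must tolerate.
SAMPLE_REPORTS = [
    '{"csp-report": {"document-uri": "https://www.example.com/", '
    '"effective-directive": "img-src", "violated-directive": "img-src", '
    '"blocked-uri": "http://cdn.example.net/logo.png"}}',
    '{"csp-report": {"document-uri": "https://www.example.com/about", '
    '"effective-directive": "img-src", "violated-directive": "img-src", '
    '"blocked-uri": "http://cdn.example.net/banner.png"}}',
    '{"csp-report": {"document-uri": "https://www.example.com/", '
    '"effective-directive": "script-src", "violated-directive": "script-src", '
    '"blocked-uri": "http://cdn.example.net/app.js"}}',
    '{"csp-report": {"document-uri": "https://www.example.com/login", '
    '"violated-directive": "script-src https:", "blocked-uri": "inline"}}',
    '{"csp-report": {"document-uri": "https://www.example.com/", '
    '"effective-directive": "img-src", "violated-directive": "img-src", '
    '"blocked-uri": "http://tracker.example.org/pixel.gif"}}',
    'this is not json',
]


def parse_report(body: str) -> dict:
    """Return the inner csp-report object, or {} for anything malformed."""
    try:
        data = json.loads(body)
    except ValueError:
        return {}
    inner = data.get("csp-report") if isinstance(data, dict) else None
    return inner if isinstance(inner, dict) else {}


def blocked_origin(report: dict):
    """scheme://host of the blocked resource, or None when blocked-uri is not a
    URL (browsers send bare tokens such as 'inline', 'eval' or 'data')."""
    parts = urlsplit(report.get("blocked-uri", ""))
    if parts.scheme in ("http", "https") and parts.hostname:
        return f"{parts.scheme}://{parts.hostname}"
    return None


def summarize(bodies) -> Counter:
    """Count violations per (directive, origin).  Non-URL blocked-uris are
    bucketed under their literal token so inline/eval noise stays visible."""
    counts = Counter()
    for body in bodies:
        report = parse_report(body)
        if not report:
            continue
        # CSP level 1 reports only carry violated-directive, which includes the
        # directive's value ("script-src https:"); keep the name only.
        directive = (report.get("effective-directive")
                     or report.get("violated-directive") or "?").split()[0]
        origin = blocked_origin(report) or report.get("blocked-uri", "?")
        counts[(directive, origin)] += 1
    return counts


def plaintext_origins(bodies) -> list:
    """Origins still fetched over http: these become mixed content (blocked or
    warned on by browsers) the moment the page itself is served over HTTPS."""
    return sorted({origin for (_, origin) in summarize(bodies)
                   if origin.startswith("http://")})


if __name__ == "__main__":
    for (directive, origin), n in summarize(SAMPLE_REPORTS).most_common():
        print(f"{n:4d}  {directive:12s} {origin}")
    print("fix before migrating:", plaintext_origins(SAMPLE_REPORTS))
```

The collector behind /csp-report receives POSTs from arbitrary clients, so it has to rate-limit and treat every blocked-uri as an untrusted string. Once the plaintext list is empty for a representative traffic window, the same policy can be switched from report-only to enforcing, and HSTS (with a short max-age at first) only after that.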

Sun Hwan Kim

Senior Member of Technical Staff, Development, Salesforce
Received a Bachelor of Science in Computer Science from Carnegie Mellon University in 2013. Previously interned at Neowiz internet and Ahnlab in South Korea. Now working as a software engineer in the Product Defense Team at Salesforce, mainly focusing on building security framework for...
Julien Sobrier

Lead Security Product Owner, Salesforce
Julien Sobrier has spent 10+ years in the security industry, as a Security Researcher at Netscreen/Juniper and Zscaler, then Product Manager at Zscaler and now Product Security Owner at Salesforce. He co-authored Security Power Tools (O'Reilly) and released many browser security...

Wednesday January 25, 2017 11:30am - 12:20pm
Terrace Lounge


Lunch and Vendor Expo
Wednesday January 25, 2017 12:20pm - 2:00pm
Annenberg Community Beach House 415 Pacific Coast Hwy, Santa Monica, CA 90402


A Case for Integrity: JavaScript Apps Should Have it Too
JavaScript Web Applications are being used by virtually all tech companies in the world today, from startups to Fortune 500 organizations. Increasing amounts of logic are being shipped to the browser because of this. There is a need to interact with critical data such as user credentials, personally identifiable information, credit card numbers, etc. - in other words, very sensitive information. Because JavaScript is highly dynamic, it's very easy to interfere with the app's behavior and its execution environment, thus there are risks that need to be addressed. In this talk we will discuss what is the current state of the art regarding the integrity of Web Applications on the client-side, show some attack scenarios, and how to avoid them.

Pedro Fortuna

CTO and Co-Founder, Jscrambler
Pedro is the CTO and co-founder of Jscrambler where he co-leads business development. Holds a degree in Computing Engineering and a MSc in Computer Networks and Services. Has extensive knowledge and professional experience in R&D projects, cybersecurity and software development, both...

Wednesday January 25, 2017 2:00pm - 2:50pm
Garden Terrace Room


When Bandit(s) Strike - Defend your Python Code
Bandit is an open-source tool designed to discover common security flaws in Python code. Although Bandit was originally developed to find issues in OpenStack (a large open-source cloud platform) it has since been adopted by many Python developers outside of OpenStack. It has found dozens of critical security issues including: command injection, SQLi, insecure temporary file usage, and usage of insecure libraries.

Join Travis McPeak, one of the core developers on the Bandit project to find out: how Bandit works, how to customize it for different workflows, how to create a Security CI pipeline with Bandit, and even how to extend it.
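
To make the classes of finding in the abstract concrete, here are three patterns Bandit reports (subprocess with shell=True, eval on input, tempfile.mktemp), each beside the form that passes. This is an added example written for this page, not the Bandit project's own code or test content; the test IDs in the comments are the ones Bandit assigns to these checks, the function names and inputs are mine.

```python
"""Three findings Bandit raises in Python code, each beside a fixed version.
Added example (not from the Bandit project); only the standard library is used."""
import ast
import os
import subprocess
import tempfile


# --- B602: subprocess call with shell=True and untrusted input -----------------
def greet_vulnerable(name: str) -> str:
    # The shell parses the concatenated string, so ';', '$(...)' or '|' inside
    # name become commands.  Bandit: B602 subprocess_popen_with_shell_equals_true.
    return subprocess.run("echo Hello " + name, shell=True,
                          capture_output=True, text=True).stdout


def greet_safe(name: str) -> str:
    # Argument vector and no shell: name reaches echo as one literal argv entry.
    return subprocess.run(["echo", "Hello", name],
                          capture_output=True, text=True).stdout


# --- B307: eval() on data you do not control ----------------------------------
def parse_literal_vulnerable(text: str):
    # eval executes any expression, e.g. "__import__('os').system('id')".
    return eval(text)  # Bandit: B307 blacklist eval


def parse_literal_safe(text: str):
    # literal_eval builds Python literals only (numbers, strings, lists, dicts,
    # ...) and raises ValueError for calls, attribute access or names.
    return ast.literal_eval(text)


# --- B306: tempfile.mktemp() race ---------------------------------------------
def scratch_vulnerable(data: bytes) -> str:
    # mktemp() returns a name that is free *now*; an attacker who creates or
    # symlinks that name between this call and open() chooses where data lands.
    path = tempfile.mktemp()  # Bandit: B306 mktemp_q
    with open(path, "wb") as fh:
        fh.write(data)
    return path


def scratch_safe(data: bytes) -> str:
    # mkstemp() creates the file itself (O_CREAT|O_EXCL, mode 0600) and hands
    # back an open descriptor, so there is no window to race.
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return path


def scratch_roundtrip(data: bytes) -> bytes:
    """Write with scratch_safe, read back, clean up; shows the safe path works."""
    path = scratch_safe(data)
    try:
        with open(path, "rb") as fh:
            return fh.read()
    finally:
        os.remove(path)


if __name__ == "__main__":
    payload = "Bob; echo pwned"
    print("vulnerable:", repr(greet_vulnerable(payload)))  # second command ran
    print("safe:      ", repr(greet_safe(payload)))        # one literal argument
    print(parse_literal_safe("[1, 2, 3]"))
```

Running `bandit -r src/` in a CI job fails the build (non-zero exit) as soon as any of the "vulnerable" functions above is present; the "safe" forms produce no finding.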

Travis McPeak

Sr. Security Engineer, Netflix
Travis McPeak is a Sr. Security Engineer at Netflix. He is a core developer of the Bandit, Repokid, and Aardvark projects. In his spare time he loves travel, snowboarding, and quality food/beer.
William Bengtson

Leader, Netflix
William Bengtson is an information security professional with years of experience in a variety of roles including red teaming, network security, architecture risk analysis lead, software security, exploit development, security architect lead, application developer and certification...

Wednesday January 25, 2017 2:00pm - 2:50pm
Marion Davies Guest House


An SDLC for the DevSecOps Era
The standard approaches for web application security over the last decade and beyond have focused heavily on slow gatekeeping controls like static analysis and dynamic scanning. However, these controls were originally designed in a world of Waterfall development, and their heavyweight nature often causes more problems than it solves in today's world of agile, DevOps, and CI/CD.

This talk will share practical lessons learned on the most effective application security techniques in today's increasingly rapid world of application creation and delivery. Specifically, it will cover how to:

1) Adapt traditionally heavyweight controls like static analysis and dynamic scanning to lightweight efforts that work in modern development and deployment practices

2) Obtain visibility to enable, rather than hinder, development and DevOps teams' ability to iterate quickly

3) Measure maturity of your organization's security efforts in a non-theoretical way

Zane Lackey

Chief Security Officer, Signal Sciences
Zane Lackey is the Founder/Chief Security Officer at Signal Sciences and serves on multiple Advisory Boards including the National Technology Security Coalition, the Internet Bug Bounty Program, and the US State Department-backed Open Technology Fund. Prior to Signal Sciences, Zane...

Wednesday January 25, 2017 2:00pm - 2:50pm
Sand and Sea Room


CSP: The Good, the Bad and the Ugly
The W3C Web Application Security working group has worked really hard to establish new standards to improve the security of web applications: CORS, SRI, HSTS and HPKP are just a few of them. The most complicated in that family is Content Security Policy (CSP), which has become so complex that web application developers and DevOps teams can easily get lost on where to start and what to do when they need to integrate CSP.

In this presentation I'll help you figure out where to start, what to do and which issues you might face if you want to add CSP to your web application.

Attendees will learn about key differences between CSP level 1, 2 and 3, what is secure CSP and how to build one. We’ll also talk about creating production ready, backward compatible policy.

I’ll also present how Alexa top million websites adopt CSP and show interesting patterns I discovered among their policies, typical mistakes and strategies to fix them.

At the final part I’ll talk about tools and frameworks we have and also about tools and frameworks we need to build to efficiently deploy CSP.
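
The abstract does not say which policy mistakes it covers. As an added example (my illustration, not the speaker's material or Shape Security code), here is a small linter for the patterns that most often undermine a policy, run over a weak policy and over a backward-compatible hardened one of the kind the abstract mentions. The policy strings and the nonce value are constructed.

```python
"""Lint a Content-Security-Policy value for common weaknesses.  Added example
with constructed policies; not code from the talk or from Shape Security."""
import re

# A nonce or hash source in script-src makes CSP2+ browsers ignore
# 'unsafe-inline', which is what lets a policy stay backward compatible.
NONCE_OR_HASH = re.compile(r"^'(nonce-|sha(256|384|512)-)", re.IGNORECASE)

WEAK_POLICY = ("default-src 'self'; "
               "script-src 'self' 'unsafe-inline' 'unsafe-eval' https:; "
               "style-src 'self' 'unsafe-inline'")

# CSP3 browsers honour the nonce and 'strict-dynamic' and ignore https: and
# 'unsafe-inline'; CSP1/2 browsers ignore what they do not know and fall back
# to the scheme/host list.  One header serves both (constructed nonce).
HARDENED_POLICY = ("default-src 'none'; "
                   "script-src 'nonce-d9xJ7f1Q' 'strict-dynamic' 'unsafe-inline' https:; "
                   "style-src 'self'; img-src 'self' https:; connect-src 'self'; "
                   "object-src 'none'; base-uri 'none'")


def parse_csp(policy: str) -> dict:
    """{directive: [sources]}; like browsers, keep the first occurrence of a
    directive and ignore later duplicates."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives


def effective_sources(directives: dict, name: str):
    """Fetch directives such as script-src and object-src fall back to
    default-src when absent; base-uri has no fallback at all."""
    if name in directives:
        return directives[name]
    return None if name == "base-uri" else directives.get("default-src")


def audit_csp(policy: str) -> list:
    """Return human-readable findings; an empty list means nothing flagged."""
    d = parse_csp(policy)
    findings = []

    script = effective_sources(d, "script-src")
    if script is None:
        findings.append("no script-src and no default-src: scripts may load from anywhere")
    else:
        low = [s.lower() for s in script]
        if "'unsafe-inline'" in low and not any(NONCE_OR_HASH.match(s) for s in script):
            findings.append("script-src 'unsafe-inline' without a nonce or hash: injected inline scripts run")
        if "'unsafe-eval'" in low:
            findings.append("script-src 'unsafe-eval': eval/Function/setTimeout(string) allowed")
        # With 'strict-dynamic' the scheme/host list is ignored by CSP3
        # browsers, so broad entries there are only compatibility fallback.
        if "'strict-dynamic'" not in low:
            for src in low:
                if src in ("*", "http:", "https:", "data:") or src.startswith("http://"):
                    findings.append(f"script-src {src} is broad enough to host an attacker's script")

    obj = effective_sources(d, "object-src")
    if obj is None or [s.lower() for s in obj] != ["'none'"]:
        findings.append("object-src is not 'none': plugin content (<object>/<embed>) can execute script")

    if "base-uri" not in d:
        findings.append("base-uri missing: an injected <base> tag can redirect relative script URLs")
    return findings


if __name__ == "__main__":
    for label, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(f"{label}: {audit_csp(policy) or ['no findings']}")
```

The checks deliberately stop at what can be decided from the header alone; whether a given host in the allowlist serves a JSONP endpoint or an old AngularJS build (the usual way a "clean" allowlist is bypassed) needs knowledge of those hosts, which is the argument for the nonce plus 'strict-dynamic' form.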

Ilya Nesterov

Engineering Manager, Shape Security
Ilya Nesterov is currently an engineering manager at Shape Security, where he is responsible for product quality. Prior to Shape, Ilya led QA teams at F5 and earned his master’s degree from Tomsk Polytechnic University. His area of interest is web application security, in particular...

Wednesday January 25, 2017 2:00pm - 2:50pm
Terrace Lounge


Life of a Password
Imagine an attacker who can update records on your website’s user password database. Is it possible for the attacker to get into a user’s account without cracking the user’s password? As a security professional at a large internet company with multi-tiered architecture, do you worry about the possibility of passwords being improperly handled by one or more systems before they are stored securely? Attend THIS talk if you want to learn more about attacks on password and password history tables and techniques to mitigate password handling risk. You will leave with recipes for handling and storing passwords that are different from techniques used to resist password cracking.
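
The scenario in the first two sentences (an attacker who can write to the password table but cannot crack anything) has a short demonstration: a salted, stretched hash resists cracking but not replacement. The following is an added example written for this page, not the speaker's recipe or LinkedIn code; the server-side key is a constructed constant standing in for a secret held outside the database (KMS, HSM or application-tier config), and the iteration count is kept low for the demo.

```python
"""Why a DB-write attacker beats a salted hash, and a keyed verifier they
cannot forge.  Added example with constructed values; not LinkedIn's design."""
import hashlib
import hmac
import secrets

ITERATIONS = 50_000           # low for the demo; tune to your latency budget
# Secret that lives with the application tier, never in the database
# (constructed value standing in for a KMS/HSM-held key).
SERVER_KEY = bytes.fromhex(
    "9f3b5c7a1d2e4f60718293a4b5c6d7e8f9a0b1c2d3e4f50617283940a1b2c3d4")


def stretch(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


# --- scheme A: salted PBKDF2, the usual anti-cracking recipe -------------------
def salted_record(password: str) -> dict:
    salt = secrets.token_bytes(16)
    return {"salt": salt, "hash": stretch(password, salt)}


def salted_verify(record: dict, password: str) -> bool:
    return hmac.compare_digest(record["hash"], stretch(password, record["salt"]))


# --- scheme B: same stretching, then an HMAC under a key the DB never sees ------
def keyed_record(password: str, key: bytes = SERVER_KEY) -> dict:
    salt = secrets.token_bytes(16)
    tag = hmac.new(key, salt + stretch(password, salt), hashlib.sha256).digest()
    return {"salt": salt, "tag": tag, "kid": 1}   # kid: which server key (rotation)


def keyed_verify(record: dict, password: str, key: bytes = SERVER_KEY) -> bool:
    expected = hmac.new(key, record["salt"] + stretch(password, record["salt"]),
                        hashlib.sha256).digest()
    return hmac.compare_digest(record["tag"], expected)


def attacker_takeover(forge, verify) -> bool:
    """Attacker with UPDATE on the user table (but no SERVER_KEY) writes a record
    for a password they know, then tries to log in with it."""
    row = forge("attacker-chosen")         # the value they write into the row
    return verify(row, "attacker-chosen")  # True means the takeover worked


if __name__ == "__main__":
    print("salted hash, row overwritten:", attacker_takeover(salted_record, salted_verify))
    # The attacker knows the schema and the algorithm but has to guess the key.
    forge_without_key = lambda pw: keyed_record(pw, key=b"best guess")
    print("keyed verifier, row overwritten:", attacker_takeover(forge_without_key, keyed_verify))
```

The keyed tag does nothing extra for a stolen copy of the table (cracking resistance still comes from the stretching), and an attacker who also compromises the application tier gets the key; the point is that a write primitive against the database alone no longer equals account access. The same argument applies to password history rows, which are verified with the same routine.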

Arvind Mani

Engineering Director, Security, Anti-Abuse & Privacy, LinkedIn
Arvind is the head of Trust Engineering at LinkedIn where he leads a team of 60+ engineers who solve security, privacy, and anti-abuse problems. He has over 16 years of experience in security and has spent the past decade securing several Alexa Top 50 websites. He graduated from the...

Wednesday January 25, 2017 3:00pm - 3:50pm
Garden Terrace Room


Continuous security: Bringing agility to the secure development lifecycle
The fact that software development is moving towards agile methodologies and DevOps is a given, the question is: How do you transform processes and tools to get the biggest advantage? Using application security testing as an example, this talk cuts through all the news, research, and standards to define a holistic process for integrating Agile testing and feedback into development teams. The talk describes specific processes, automation techniques, and the smart selection of tools to help organizations produce more secure, OWASP-compliant code and free up development time to focus on features.

Through a combination of workflows and real code examples, you'll learn about:
- Building a comprehensive compliance plan
- Integrating security testing into the SDLC
- Remediating real-world code vulnerabilities

Rod Cope

CTO, Rogue Wave Software
Rod Cope is the CTO of Rogue Wave Software, which he joined through the acquisition of OpenLogic. He was the CTO and Founder of OpenLogic where he helped enterprises adopt and manage open source software. Previously in his 25+ year software career, he worked at IBM, IBM Global Services...

Wednesday January 25, 2017 3:00pm - 3:50pm
Marion Davies Guest House


OCSP Stapling in the Wild
Certificate revocation is a messy problem; certificate revocation lists and mid-handshake OCSP checks have proven unworkable in practice. The dream of TLS certificate revocation is Must-Staple: an extension in a certificate indicating that it can only be used alongside a stapled OCSP (Online Certificate Status Protocol) response indicating that the certificate hasn’t been revoked. If a Must-Staple certificate is compromised, the attacker can only use it for the short time window until the current OCSP response expires. But is the world ready for Must-Staple yet? Unreliable OCSP servers, buggy stapling implementations, and client and network misconfigurations (from mismatched clocks to MITM proxies) all present challenges. This talk examines the state of the world of OCSP stapling and describes Dropbox’s implementation of OCSP Stapling. To gather real data on the feasibility of deploying OCSP stapling, we will discuss the data we gathered from a Chrome feature called Expect-Staple, which is a report-only version of OCSP Must-Staple that lets us evaluate how well OCSP Must-Staple might work in the real world.

Devdatta Akhawe

Engineering Manager, Dropbox
Devdatta leads the Product Security team at Dropbox. Before that, he received a PhD in Computer Science from UC Berkeley. His graduate research focused on browser and web application security, during which time he also collaborated with the Firefox and Chrome teams. He is a co-author...
Emily Stark

Software Engineer, Google Inc.
Emily Stark leads the Google Chrome usable security team, which is responsible for helping users and developers make safe decisions on the web. Her work includes promoting HTTPS adoption, making HTTPS more usable and secure, and improving many of Chrome's user-facing security and...

Wednesday January 25, 2017 3:00pm - 3:50pm
Sand and Sea Room


"Stealth" Authentication - how to not leak information to hackers in web application authentication
Web application authentication systems often unnecessarily leak valuable information to hackers and thus enable user enumeration, denial of service and attacks on authentication factors.

The talk shows where information is leaked and how this can be prevented. Further, a simple and effective way of preventing denial of service attacks based on account locking is shown.

Giving real-world examples, the term "side-channel-safe" second factor is introduced and it is shown how this property influences the security of the overall authentication scheme.

The talk closes with usability considerations and what features a well designed "stealth authentication system" should provide.
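
As an added example (my illustration; the talk's own method and Airlock's implementation are not shown here), here is the kind of leak the first paragraph describes beside a login routine that gives the same answer and does the same amount of work whether or not the account exists, and that counts failures against the requesting source instead of locking the target account. The user store, password, iteration count and source identifiers are constructed.

```python
"""A login that leaks account existence and lets anyone lock anyone, beside one
that does not.  Added example with constructed users; not Airlock's code."""
import hashlib
import hmac
import secrets
from collections import defaultdict

ITERATIONS = 50_000                      # low for the demo
GENERIC_FAILURE = "Invalid username or password"


def stretch(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def make_user(password: str) -> tuple:
    salt = secrets.token_bytes(16)
    return salt, stretch(password, salt)


USERS = {"alice": make_user("correct horse battery staple")}   # constructed store
# A dummy record so that an unknown username costs exactly one stretch() too.
DUMMY = make_user(secrets.token_hex(16))


def leaky_login(username: str, password: str, failures: dict) -> tuple:
    """The common shape: three distinguishable answers and a hard account lock."""
    if username not in USERS:
        # Enumeration twice over: a distinct message, and no hashing at all, so
        # unknown names also answer measurably faster.
        return False, "No such user"
    if failures.get(username, 0) >= 5:
        # Denial of service: five bad guesses from anyone lock the victim out.
        return False, "Account locked"
    salt, expected = USERS[username]
    if hmac.compare_digest(stretch(password, salt), expected):
        failures[username] = 0
        return True, "OK"
    failures[username] = failures.get(username, 0) + 1
    return False, "Wrong password"


class StealthAuth:
    """Same message and same work whether or not the account exists; failure
    counting is keyed on the requesting source, not on the target account."""

    def __init__(self, users: dict, max_failures_per_source: int = 10):
        self.users = users
        self.limit = max_failures_per_source
        self.failures = defaultdict(int)      # key: client IP, device id, ...

    def login(self, username: str, password: str, source: str) -> tuple:
        if self.failures[source] >= self.limit:
            # A throttled source gets the same answer as a wrong password; in
            # production this would be a sliding window with growing delay.
            return False, GENERIC_FAILURE
        salt, expected = self.users.get(username, DUMMY)
        # Always stretch, then decide; the membership check keeps a lucky match
        # against the dummy record from ever logging anyone in.
        match = hmac.compare_digest(stretch(password, salt), expected)
        if not (match and username in self.users):
            self.failures[source] += 1
            return False, GENERIC_FAILURE
        return True, "OK"


if __name__ == "__main__":
    f = {}
    print(leaky_login("bob", "x", f), leaky_login("alice", "x", f))   # two different answers
    auth = StealthAuth(USERS)
    print(auth.login("bob", "x", "10.0.0.9"), auth.login("alice", "x", "10.0.0.9"))
```

Real throttling keys on more than a client IP (NAT, proxies, mobile carriers) and uses a time window with increasing delay rather than a hard count; what matters for the talk's point is that the victim's account state is not something an attacker gets to flip. The generic message also has to hold on the registration and password-reset forms, or the enumeration simply moves there.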

Marc Bütikofer

Director Innovation, Ergon Informatik AG
Marc Buetikofer serves as Director Innovation and CTO for Airlock, a leading Swiss web application security suite provided by the company Ergon Informatik AG in Zurich. After joining Ergon Informatik in 2000 he provided numerous security engineering projects with his expertise before...

Wednesday January 25, 2017 3:00pm - 3:50pm
Terrace Lounge


Break and Vendor Expo
Wednesday January 25, 2017 3:50pm - 4:20pm
Annenberg Community Beach House 415 Pacific Coast Hwy, Santa Monica, CA 90402


Closing Keynote: Hide and Seek just got harder, the anatomy of modern deceptive technologies
The new world is fluid: it’s not static honeypots that are easily identified, it’s not virtual systems that are ignored; the defenders have taken a leaf out of Mother Nature’s book and put an ever-changing deceptive environment in front of us. We have to somehow navigate through it without falling into the dynamic traps that learn from their surroundings and morph based on our behavior.

Chris Roberts

Chief Security Architect, Acalvio Technologies
Roberts is considered one of the world’s foremost experts on counter threat intelligence within the Information security industry. At Acalvio, Roberts helps drive Technology Innovation and Product Leadership. In addition, Roberts directs a portfolio of services within Acalvio designed...

Wednesday January 25, 2017 4:20pm - 5:10pm
Sand and Sea Room