
Monday, January 23


Registration and Breakfast
Monday January 23, 2017 8:00am - 9:00am
Annenberg Community Beach House, 415 Pacific Coast Hwy, Santa Monica, CA 90402


OWASP Top 10 - Exploitation and Effective Safeguards


AppSec California 2017

Monday, January 23rd, 2017. Presented by David Caissy, Albero Solutions Inc.

About the course

The OWASP Top 10 list of web application vulnerabilities has done a great job of promoting awareness among developers. Along with the many OWASP cheat sheets, it provides valuable tools and techniques to web developers. But such a rich source of information can be overwhelming for a programmer who wants to learn about security. This course aims to give all web developers deep, hands-on knowledge of the subject.

To achieve this goal, participants will first learn the technical details of each OWASP Top 10 vulnerability. Then the instructor will demonstrate how attacks are performed against each of them. After that, participants will use virtual machines and follow step-by-step procedures to launch attacks against a vulnerable web site. This step is key to understanding how exploitation works, so that they can later implement effective safeguards in their own systems. Our experience is that participants who have had hands-on experience exploiting vulnerabilities will always remember how to prevent them.

The course will cover the following topics:

1. OWASP Top 10 web application vulnerabilities:

A1 - Injection Attacks

  •  Command Injection
  •  SQL Injection


A2 - Broken Authentication and Session Management

A3 - Cross-Site Scripting (XSS)

A4 - Insecure Direct Object References

A5 - Security Misconfiguration

A6 - Sensitive Data Exposure

A7 - Missing Function Level Access Control

A8 - Cross-Site Request Forgery (CSRF)

A9 - Using Known Vulnerable Components

A10 - Unvalidated Redirects and Forwards

2. Proper Password Management

3. Secure Coding Best Practices

4. Effective Safeguards

Hands-on Exercises

1. Session Initialization and Client-Side Validation

Part 1: Web Proxy and Session Initialization

Part 2: Client-Side Validation

2. Online Password Guessing Attack

3. Account Harvesting

4. Sniffing Encrypted Traffic

5. Launching Command Injection Attacks

6. Using a Web Application Vulnerability Scanner

7. Optional Exercise: Create SSL certificates


Demos from the instructor

1. SQL Injection Attack

2. Cross-Site Scripting Attack

3. Insecure Direct Object References

4. Sensitive Data Exposure

5. Cross-Site Request Forgery

Who should take this course?

This course is designed to help intermediate to expert web developers and security professionals understand how to secure web applications. Candidates are expected to have basic knowledge of web technologies, but no prior experience in security is required. Security professionals who want to learn more about web security will also benefit from this class.


Participants are asked to bring a laptop (Windows, Mac or Linux) with at least 4 GB of RAM, 20 GB of free disk space and either VMware Workstation Player (free), VMware Workstation, VMware Fusion or Oracle VirtualBox (free) pre-installed. They must also have an administrator/root account on their laptop. At the beginning of the class, participants will receive a USB thumb drive containing a pre-configured virtual machine for the hands-on exercises.

About the trainer

David Caissy, M. Sc., OSCP, GWAPT, GPEN, GSEC, CISSP, CEH is a web application penetration tester with in-depth developer and IT Security background spanning over 16 years. He has extensive experience in conducting vulnerability assessments and penetration tests as well as providing training globally, amongst numerous other teaching engagements. He has worked for a central bank, the Department of National Defense of Canada, various government agencies and private companies. David has been teaching web application security in colleges, conferences and for many government agencies over the last 15 years.


David Caissy

Penetration Tester, TRM Technologies Inc.
David Caissy is a web application penetration tester with in-depth developer and IT Security background spanning over 16 years. He has extensive experience in conducting vulnerability assessments and penetration tests as well as providing training globally, amongst numerous other teaching engagements. He has worked for a central bank, the Department of National Defense, various government agencies and private companies. David has been teaching...

Monday January 23, 2017 9:00am - 5:00pm
Terrace Lounge


Real World Red Team Attacks

The days of exploiting MS08-067, encoding with Shikata Ga Nai, and blindly scanning are gone. Blackhat hackers and pentesters alike have shifted to more advanced techniques: bypassing AV, keeping a smaller footprint to evade SIEM detection, and maintaining persistence to devastate enterprise networks. If you are looking to take your craft to the next level, this is the primer course for you.

Written and taught by the author of “The Hacker Playbook” series, Peter Kim will take you through an immensely hands-on experience to replicate real world attacks without even running a single vulnerability scanner. In this hands-on experience, you will take on the role of a malicious Blackhat attacker and infiltrate your way into a corporate network. The onsite lab will emulate a real network using only modern operating systems.

Peter Kim

Director of Vulnerability Research, Blizzard Entertainment
Peter Kim has been in the information security industry for the last 12 years and has been running red teams/penetration testing for the past 8 years. He has worked for multiple utility companies, Fortune 1000 entertainment companies, government agencies, and financial organizations. He is the author of the best-selling computer hacking book, ‘The Hacker Playbook: Practical Guide to Penetration Testing Series.’ Peter...

Monday January 23, 2017 9:00am - 5:00pm
Club Room


Secure Coding Bootcamp for the Web

The major cause of web insecurity is the lack of secure software development practices. This one-day bootcamp will help developers and other software professionals build and maintain secure applications. This class contains a combination of lecture, security testing demonstration and code review.

The following modules will be included in this class.

– HTTP Basics (1 hr)

In this module we will cover the security implications of using the HTTP protocol for web and web service development. Topics such as the proper use of HTTP verbs and HTTP security response headers will be covered. We will also use an intercepting proxy tool to show how attackers modify request data to harm your applications. This module will also introduce several methods needed to properly transmit sensitive data over HTTPS.

– SQL and other Injection (0.5 hrs)

Injection is an application weakness that allows attackers to execute harmful SQL, operating system, LDAP and other commands against your application. It is one of the most dangerous vulnerability classes. This module will review several forms of injection with live demonstrations. We will discuss the limits of input validation and focus on more robust defenses such as query parameterization and encoding.

– Authentication (2.5 hrs)

Authentication is the “front gate” of any application and is used to establish the identity of your users. This module will discuss the security mechanisms found within a secure authentication layer of a web application. We will review a series of historical authentication threats. We will also discuss a variety of authentication design patterns necessary to build a low-risk, high-security web application. Session management threats and best practices will also be covered. This module will also include code review labs.

– OAuth Security (2 hrs)

OAuth is a delegation framework that appears on the radar of security professionals and developers more and more every day. OAuth intersects with authentication and access control, yet you would not likely use OAuth by itself for authentication, session management or access control in your applications. Even more confusing, OAuth is not a standard, and various service providers will likely have different implementations. Let’s say it again: OAuth is not a standard, it's a framework for delegation. So this leaves us with questions! What really is delegation? Where does OAuth fit in? How can I use OAuth in a secure fashion? These questions and more will be answered in this module.

– Access Control (1 hr)

Access control is a necessary security control at almost every layer of a web application. This module will discuss several of the key access control anti-patterns commonly found during website security audits, including hard-coded security policies, lack of horizontal access control, and “fail open” access control mechanisms. In reviewing these and other access control problems, we will discuss and design a positive access control mechanism that is data-contextual, activity-based, configurable, flexible and deny-by-default, along with the other positive design attributes that make up a robust web-based access control mechanism.

– AngularJS Security (1 hr)

AngularJS is one of the most popular and exciting JavaScript UI frameworks in use today. This module will discuss what AngularJS is, how it is built and the various security controls contained within it, including Strict Contextual Escaping, HTML sanitization, Content Security Policy integration, the double-submit cookie defense and JSON hijacking protection.

Jim Manico

Founder, Secure Coding Instructor, Manicode Security
Jim is the founder of Manicode Security, where he trains software developers on secure coding and security engineering. Jim is a frequent speaker on secure software practices and is a member of the JavaOne Rock Star speaker community. Jim is a Global Board Member for the OWASP Foundation, where he helps drive the strategic vision for the organization, and is the author of "Iron-Clad Java: Building Secure Web Applications" from...

Monday January 23, 2017 9:00am - 5:00pm
Garden Terrace Room


The Best TLS Training in the World

Spend a full day to understand both the theory and practice of SSL/TLS.

Designed by the author of the much-acclaimed Bulletproof SSL and TLS, this practical course will teach you how to deploy secure servers and encrypted web applications during a day packed with theory and practical work. We’ll focus on what you need in your daily work to deliver the best security, availability and performance. And you will learn how to get an A+ on SSL Labs!

Why This Course is for You
  • Understand threats and attacks against encryption
  • Identify real risks that apply to your systems
  • Deploy servers with strong private keys and valid certificates
  • Deploy TLS configurations with strong encryption and forward secrecy
  • Understand higher-level attacks against web applications
  • Use the latest defence technologies, such as HSTS, CSP, and HPKP

Course Outline
  1. Introduction
    1. The need for network encryption
    2. Understanding encrypted communication
    3. The role of public key infrastructure (PKI)
    4. SSL/TLS and Internet PKI threat model
  2. Keys and certificates
    1. RSA and ECDSA: selecting key algorithm and size
    2. Certificate hostnames and lifetime
    3. Practical work:
      1. Private key generation
      2. Certificate Signing Request (CSR) generation
      3. Self-signed certificates
      4. Obtaining valid certificates from Let’s Encrypt
    4. Sidebar: Revocation
  3. Protocols and cipher suites
    1. Protocol security
    2. Key exchange strength
    3. Forward security
    4. Cipher suite configuration
    5. Practical work:
      1. Secure web server configuration
      2. Server testing using SSL Labs
    6. Sidebar: Server Name Indication (SNI)
    7. Sidebar: Performance considerations
  4. HTTPS topics
    1. Man in the middle attacks
    2. Mixed content
    3. Cookie security
    4. CRIME: Information leakage via compression
    5. HTTP Strict Transport Security
    6. Content Security Policy
    7. HTTP Public Key Pinning
    8. Practical work:
      1. Deploying HSTS to enforce robust encryption
      2. Deploying CSP to deal with mixed content
  5. Putting it all together: Getting A+ in SSL Labs

We will also provide you with many additional exercises that you can work on in your own time. You'll be able to ask us for help via email. And if you're already familiar with the basics, we'll challenge you with some of the advanced exercises on the day.

Scott Helme

Security Researcher, Feisty Duck
Scott Helme is a security researcher, consultant and international speaker. He can often be found talking about web security and performance online and helping organisations better deploy both. Founder of report-uri.io, a free CSP report collection service, and securityheaders.io, a free security analyser, Scott has a tendency to always be involved in building something new and exciting. As a result, he is currently working with Ivan...

Monday January 23, 2017 9:00am - 5:00pm
Marion Davies Guest House


Riot Games Security Meetup
Monday January 23, 2017 6:30pm - 9:00pm
Riot Games, 12333 W Olympic Blvd, Los Angeles, CA 90064

Tuesday, January 24



Welcome Address
Edward Bonver

Technical Director, Software Security Group, Symantec
OWASP LA chapter board member, OWASP AppSecCali organizer, @edward_bonver, https://www.linkedin.com/in/bonver. Edward Bonver is a technical director and software security architect in the Software Security Group under the Office of the CTO at Symantec Corporation. He is responsible for ensuring that software developers and quality assurance (QA) professionals across Symantec continuously enhance the company’s software security...
richard.greenberg

Chapter Leader, OWASP Los Angeles
Hi everyone! I am the Chair for AppSec California, the Chapter Leader for OWASP Los Angeles, on the ISSA Int'l Honor Roll, am an ISSA Fellow, and the President of ISSA Los Angeles. I love our community.

Tuesday January 24, 2017 9:00am - 9:15am
Sand and Sea Room


Diamond Sponsor Greeting

Tuesday January 24, 2017 9:15am - 9:20am
Sand and Sea Room


Oscar Whiskey Alpha September Papa
Organizations are reporting that they have more technical staff on hand than ever before. Interoperability between technologies is working seamlessly, and world governments and critical infrastructures are better than ever before. This talk will remove the sugar-coated and politically correct answers and provide straight talk, ideas and answers to the community about the road ahead. Bring your OWASP rockets and let's do this!

Tom Brennan

Global Board of Directors, OWASP Foundation
Tom is an elected member of the Global Board of Directors of the OWASP Foundation. He has served the OWASP community since 2004, starting as a project leader and chapter leader. He also contributes as an advisory member to the New Jersey Institute of Technology, County College of Morris and other organizations, including the International Legal and Technology Association (ILTA) and the Center for Internet Security (CIS). Tom is just as comfortable ripping...

Tuesday January 24, 2017 9:20am - 9:40am
Sand and Sea Room


Opening Keynote: Scaling a Software Security Initiative: Lessons from the BSIMM

This talk highlights important lessons in scaling the software security touchpoints described in the book Software Security and making them work efficiently and effectively in a global software security initiative.  The talk will focus on the top three touchpoints, discussing tools, technology, people and processes for each:

  • Code review with a static analysis tool. What is better, a centralized factory model or tools on all developers’ desktops? How do you set things up to fix what you find? How do you avoid rejection of a complex toolset that requires real expertise to use? What about frameworks that are in common use but stymie current commercial tools? Are false positives a real issue?
  • Architectural risk analysis. How do you even begin to scale something requiring so much expertise and experience to the enterprise? What kinds of knowledge make this process more efficient? How do you gather intelligence about threats? What are the top ten security design flaws?
  • Penetration testing. What role should pen testing play in a software security initiative? Is it best to develop capability in house or hire outside experts? What kinds of access to design documents and source code should pen testers get? Does pen testing scale? How often should an application be tested?

These questions and others will be addressed head-on using examples from the 95+ BSIMM firms and many years of real-world experience. (Firms in the BSIMM include Adobe, Aetna, ANDA, Autodesk, Axway, Bank of America, Betfair, BMO Financial Group, Black Knight Financial Services, Box, Canadian Imperial Bank of Commerce, Capital One, Cisco, Citigroup, Citizen’s Bank, Comerica Bank, Cryptography Research, Depository Trust & Clearing Corporation, Elavon, Ellucian, EMC, Epsilon, Experian, F-Secure, Fannie Mae, Fidelity, Freddie Mac, General Electric, Highmark Health Solutions, Horizon Healthcare Services, Inc., HP Fortify, HSBC, Independent Health, iPipeline, JPMorgan Chase & Co., Lenovo, LGE, LinkedIn, Marks and Spencer, McKesson, Morningstar, Navient, NetApp, NetSuite, Neustar, Nokia, NVIDIA, NXP Semiconductors N.V., Principal Financial Group, Qualcomm, Royal Bank of Canada, Siemens, Sony Mobile, Splunk, Symantec, Target, The Advisory Board, The Home Depot, The Vanguard Group, Trainline, U.S. Bank, Visa, Wells Fargo, and Zephyr Health.)

Gary McGraw, Ph.D.

Vice President Security Technology, Synopsys
@cigitalgem. Gary McGraw is the Vice President of Security Technology at Synopsys (SNPS), a Silicon Valley company headquartered in Mountain View, CA. He is a globally recognized authority on software security and the author of eight best-selling books on this topic. His titles include Software Security, Exploiting Software, Building Secure Software, Java Security, Exploiting Online Games, and 6 other books; and he is editor of the...

Tuesday January 24, 2017 9:40am - 10:30am
Sand and Sea Room


Break and Vendor Expo
Tuesday January 24, 2017 10:30am - 11:00am
Annenberg Community Beach House, 415 Pacific Coast Hwy, Santa Monica, CA 90402


CTF / Challenge Room

We are absolutely thrilled to announce that OWASP San Diego will be hosting an amazing AppSec California CTF hacking competition this January 26th-27th for the third year in a row!

Here are the all important details:

Date: January 23rd-25th, 2016
Time: 9AM – 5PM PST (runs until 4pm PST on the second day)
Location: Event House (Hacking Village) (must be there in person)
Players: 100 players maximum
Registration: Register on-site
Required: Bring your laptop (and an Ethernet/USB adapter if you do not have an Ethernet port on your laptop).
Optional Equipment: Bring lock picks (as there will likely be physical security challenges)
Cost: Free!
Prizes: Yes! =]

No pre-registration necessary! Sign up on-site, get plugged in, and get started. Contest begins on January 24th at 10:00 in the Hacking Village and will run through the end of the day January 25th at 4pm. Winners will be announced and prizes given out at the closing ceremonies.

Contest Rules:
Don’t be a jerk.

No host discovery is required. Everyone scanning the network just breaks it. Scanning a single host as part of a challenge is fine.

Targets are clearly marked, only attack those. No attacking the switches, networks, etc.

No DoS attacks; get the flags.

No physical attacks: cables, switches and hardware services are right out. Don’t break them.

Don’t delete or change the flags.

VMs will be reverted somewhat regularly.

Don’t mess with Splunk and logging; we are just health checking.

Don’t delete our root key from the box or we’ll have to revert it. Don’t do this as a DoS attack on the other participants.

If we ask, you need to show us what/how you did something.

We aren’t lawyers, you probably aren’t a lawyer. Don’t look for loopholes, and don’t get in the way of other people having fun.

Random Thoughts:
If this is your first CTF ever, you will be able to find things if you try; if it is not, we have challenges for you too.

Objectives and flags are fairly clearly marked.

NO STEGO! We hate stego. The tools never work and it’s a pain, so we didn’t do that. Images that have flags are clearly marked and are images for the lulz.

No host discovery is required, but scanning a host may be useful.

Challenges are standalone, but some easier ones may give ideas for harder ones.

We are logging lots of things; if you aren’t happy with that, don’t play.

Tuesday January 24, 2017 10:30am - 5:30pm
Club Room


The Physical Web, interact with anything
An introduction to the Physical Web and how it works hard to protect users' privacy. I'll also discuss the trade-offs of using HTTPS, as well as new directions (and the security implications) around Wi-Fi Direct, mDNS, and 'fatBeacons' (BLE beacons that contain the web page).

Scott Jenson

Product Strategy, Google
Scott Jenson has been doing user interface design and strategic planning for over 25 years. He worked at Apple on System 7, Newton, and the Apple Human Interface guidelines. He was the director of Symbian’s DesignLab, VP of product design for Cognita, a manager of mobile UX for Google for 5 years, and a creative director at frog design in San Francisco. Scott returned to Google working on the Chrome team in 2013 to work on the Physical...

Tuesday January 24, 2017 11:00am - 11:50am
Garden Terrace Room


Threat Modeling for Mobile
How do you know how to build your application securely, or what to look for when you’re performing a security assessment of an application? One critical part of figuring this out is the application’s threat model. For many years, development teams and security teams have been dealing primarily with web applications that generally have a common threat model. We have gotten so used to this threat model that we often don’t even think about it.

As we are increasingly dealing with mobile applications, we need to rethink this approach. The mobile ecosystem is complex and there is no one threat model that applies to all mobile applications. Based on over twelve years of experience working in the mobile ecosystem (starting before smartphones were a thing) and testing thousands of mobile applications, we have developed a variety of threat models for different types of mobile applications as well as mobile operating systems.

With mobile applications, we’re no longer running inside a mature client application (the browser) that provides many security features, such as secure communication and the same-origin policy, that cannot be overridden by web applications. This has interesting security implications. There are many more security issues that we need to be aware of when developing and testing mobile applications. Without understanding the security issues in different types of mobile applications, we are inevitably going to produce vulnerable applications and even waste money on unnecessary controls. This talk will demystify the mobile ecosystem and will outline how to develop threat models for your mobile applications. It will dig into technical details such as how security features in Android and iOS, as well as in cross-platform development frameworks like Apache Cordova, are implemented, and how that impacts mobile applications.

Amit Sethi

Senior Principal Consultant, Cigital
Amit Sethi is a Senior Principal Consultant and the Director of the Mobile Practice and the Advanced Penetration Testing Practice at Cigital. He has over 12 years of experience in the security industry as well as a Masters degree in Cryptography. He has extensive experience performing penetration testing, source code reviews and architectural risk analysis of a wide variety of systems as well as helping organizations solve complex security...

Tuesday January 24, 2017 11:00am - 11:50am
Marion Davies Guest House


SPArring with the Security of Single Page Applications
When SPArring with the security of a Single Page Application (SPA) you need to be like a Mixed Martial Artist (MMA) fighter who understands several specialties to be successful.

In MMA, a fighter needs to be skilled in several martial arts styles, such as boxing, kickboxing and Muay Thai for the stand-up portion of the fight. Then he needs to know wrestling or judo to take the fight to the ground, and once he’s on the ground, he needs to know Jujitsu and Sambo to submit his opponent.

When doing battle with a SPA, a pen-tester must become an MMA hacker: a Mixed Multilayer Application Hacker. As an MMA Hacker, you need to understand the multitude of complex application layers that are only getting more complex and interconnected by the day.

This discussion will include MMA Hacker training on the following application layers:
• Interface layer: Become familiar with SPA frameworks (AngularJS, ReactJS). These SPA frameworks fundamentally change the browser communication that security experts have long understood.
• Backend layer: Dig into different REST APIs and learn how they are used and where to find the weaknesses.
• Network layer: Learn more about WebSockets and how they fundamentally change TCP/HTTP as you have always known it.
• Interconnectivity layer: Get to know how SPAs are often interconnected with third-party APIs or presentation elements and how this can create security issues that are inherited from trusting the third party.
• Tools: Understand what tools are available to help you address these challenges, and the potential gaps that exist in the tools we all depend on.

Join this talk to start your MMA Hacker training today!

Dan Kuykendall

Senior Director, Application Security Products , Rapid7
Dan Kuykendall is the Senior Director of Application Security Products at Rapid7 where he directs the strategic vision, research and product development for the company’s application security solutions. In addition to keeping up with the latest attack patterns, Dan remains focused on one of the toughest aspects of application security - the rapidly evolving web and mobile application development trends. He does this with the philosophy that...

Tuesday January 24, 2017 11:00am - 11:50am
Sand and Sea Room


Adding PowerShell to your Arsenal with PS>Attack
PowerShell is an incredibly powerful language with a lot of support from the offensive community, but it’s tough to know how to get started. PS>Attack aims to fix that. In this talk we’ll go over how you can use PS>Attack on your engagements to attack Windows environments and how the skills you learn while using it can be applied to any PowerShell console you encounter.

Jared Haight

Security Engineer, Gotham Digital Science
Jared Haight is a Security Engineer with Gotham Digital Science in Charlotte, NC. Before making the transition to Information Security he was a Systems Administrator for a decade where he spent most of his time writing scripts to automate everything he did so he could spend more time looking at pictures of corgis on the Internet.

Tuesday January 24, 2017 11:00am - 11:50am
Terrace Lounge


Protecting container applications with file system whitelisting
Container technologies like Docker are gaining mainstream interest from development organizations. Unlike virtual machines, containers running on the same host share the underlying OS kernel and filesystem. In this talk we describe an approach to harden and isolate containerized applications via file system monitoring. We show that it is possible to automatically build a whitelist of the file system resources available to containers based on static analysis of the container contents and configuration. In addition, containers can be monitored at runtime for storage writes of known exploits. We demonstrate how a mix of static and runtime file system monitoring proves to be an unintrusive and effective layer of security and isolation for containerized Cloud Native applications.

Chenxi Wang

Chief Strategy Officer, Twistlock
Dr. Chenxi Wang is Chief Strategy Officer of Twistlock. She is responsible for corporate strategy and thought leadership. Chenxi built an illustrious career at Forrester Research, Intel Security, and CipherCloud. At Forrester, Chenxi covered mobile, cloud, and enterprise security, and wrote many hard-hitting research papers. At Intel Security, she led the ubiquity strategy that spans both hardware and software platforms. Chenxi is the founder...

Tuesday January 24, 2017 12:00pm - 12:50pm
Garden Terrace Room


Twubhubbook: like an appsec program, but for startups
It’s 2025. Many of the problems in appsec in <%= current_year %> have mitigations, maybe even solutions. The value of an appsec program is widely accepted as a requirement for any successful company. Yet XSS and other common vulnerabilities are still occupying the time of many engineering teams. Twubhubbook has the benefit of being a new startup: it's mostly a blank slate situation. This is the story of how Twubhubbook rolled out their program without skipping a beat or breaking the bank. The purpose of this imaginary story is to provide practical advice that you can take to a current or future startup (sorry enterprise people) based on the successes and failures of today's startups. 

Brent Johnson

Application Security Contractor, GitHub
Brent is working as an Application Security contractor for GitHub as he finishes a B.S. in Computer Science with a minor in Applied Computer Security from the University of Southern California. His primary focus is on application security and he has a strong interest in ways to automate finding vulnerable code during software development. His interest in security was sparked growing up after discovering memory scanners/debuggers and the ways...
Neil Matatall

Software Developer, GitHub
Neil is a product security engineer at GitHub and a co-founder of Brakeman Pro. He has spent the last 12 years doing mostly AppSec work and is heavily involved in AppSec communities. Previously, Neil has been an engineer at Twitter, a W3C-webappsec group member, an OWASP Chapter leader, and has organized multiple conferences. If you've come across his name before, it's probably been in a content security policy or security automation context.

Tuesday January 24, 2017 12:00pm - 12:50pm
Marion Davies Guest House


Serverless is teh Hawtness for Defenders and DevOps
Serverless is a design pattern gaining a lot of traction in DevOps shops. The serverless pattern allows scale without managing the servers or processes running the application. This applies across the continuum of cloud services, from storage as a service to database as a service, but the center of serverless is Functions as a Service (FaaS). FaaS offerings on the market include AWS Lambda, Azure Functions, and Google Cloud Functions. Now processes run for milliseconds before being destroyed and are then instantiated again for subsequent requests.

Security changes under serverless and our traditional modes of firewalling and hardening all the things just won’t cut it. Practices like vulnerability discovery, code scanning and intrusion detection change in a serverless architecture. Other changes for serverless include how applications are built and deployed to how teams are structured.

This session will focus on practical security approaches and the four key areas of serverless security: software supply chain, delivery pipeline, data flow and attack detection. Even if you don’t have any experience with serverless, don’t worry, in this session we will start with the basics. You will learn what serverless is (it’s still being defined) and practical patterns for serverless adoption.  

James Wickett

Head of Research, Signal Sciences
James does research at the intersection of DevOps and Security. He is a core developer of Gauntlt (a security and devops friendly testing framework). Currently he is spending way too much time on serverless and microservices. He works as Head of Research at Signal Sciences, blogs at theagileadmin.com and has run DevOps Days Austin for the last 5 years. He is the lynda.com author of the DevOps Fundamentals course. In his spare time he...

Tuesday January 24, 2017 12:00pm - 12:50pm
Sand and Sea Room


Crowdsourced Security: The Good, The Bad, and The Ugly
Cost, quality, and coverage. These are the three major factors that security professionals must consider when designing a strategy for testing their web applications. There is a major talent shortage in the United States, and tools will only get you so far. How can security professionals leverage the power of the crowd to get fresh, incentivized eyes on their latest and greatest web apps, mobile apps, and APIs? Public and private bug bounties, crowdsourced penetration testing… what are the advantages and risks to engaging in this brave new world of “hire the hacker”? Join Caroline Wong, VP of Security Strategy at Cobalt.io for a frank discussion of the good, bad, and the ugly when it comes to crowdsourcing your web application security.

Caroline Wong

VP Security Strategy, Cobalt
Caroline Wong is the VP of Security Strategy at Cobalt. Cobalt delivers crowdsourced pen tests and private bug bounties to modern organizations. Caroline’s close and practical information security knowledge stems from broad experience as a Cigital consultant, a Symantec product manager, and day-to-day leadership roles at eBay and Zynga. She is a well-known thought leader on the topic of security metrics and diversity in tech...

Tuesday January 24, 2017 12:00pm - 12:50pm
Terrace Lounge


Lunch and Vendor Expo
Tuesday January 24, 2017 12:50pm - 2:30pm
Annenberg Community Beach House 415 Pacific Coast Hwy, Santa Monica, CA 90402


Monitoring Application Attack Surface to Integrate Security into DevOps Pipelines
A web application’s attack surface is the combination of URLs it will respond to as well as the
inputs to those URLs that can change the behavior of the application. Understanding an
application’s attack surface is critical to being able to provide sufficient security test coverage,
and by watching an application’s attack surface change over time security and development
teams can help target and optimize testing activities. This presentation looks at methods of
calculating web application attack surface and tracking the evolution of attack surface over
time. In addition, it looks at metrics and thresholds that can be used to craft policies for
integrating different testing activities into Continuous Integration / Continuous Delivery (CI/CD)
pipelines for teams integrating security into their DevOps practices.

Dan Cornell

Chief Technology Officer and a Principal, Denim Group, Ltd.
A globally recognized application security expert, Dan Cornell holds over 15 years of experience architecting, developing and securing web-based software systems. As the Chief Technology Officer and a Principal at Denim Group, Ltd., he leads the technology team to help Fortune 500 companies and government organizations integrate security throughout the development process. He is also the original creator of ThreadFix, Denim Group's industry...

Tuesday January 24, 2017 2:30pm - 3:20pm
Garden Terrace Room


Uninvited Guests on the World's Wild Web: Understanding Malicious Web Bots with OWASP Handbook
Day in and day out, web applications are subject to unwanted automated usage. These events often relate to misuse of inherent valid functionality, rather than the attempted exploitation of unmitigated vulnerabilities. Examples of these events include click fraud, comment spamming, content scraping, password cracking, and many more.

Without common language and terminology between architects and developers, business owners and engineers, builders and defenders, and security vendors and buyers, misunderstandings do happen, and they can be costly. The OWASP project on Automated Threats to Web Applications has produced an ontology providing a common language to facilitate clear communication and help tackle the issues. The project identifies symptoms of these issues and discusses countermeasures against them.

One product of the project is the OWASP Automated Threat Handbook, which has recently been updated. As with all OWASP materials, the book is free to download and use. This talk will help you navigate the swampland of malicious web automation using the handbook as a guide, along with examples from the real world. It will also offer advice, and discussion, on countermeasure techniques usable by builders and defenders of web applications alike.

This OWASP project is intended to be an information hub for web application owners, builders and defenders, providing practical resources to help them protect their web properties against unwanted automated processes. The project seeks input from the industry -- and the audience -- to continuously improve its impact on real-world unwanted web automation problems. 

Tin Zaw

Volunteer, OWASP
Tin Zaw currently co-leads the OWASP project on Automated Threats to Web Applications, along with Colin Watson. At his day job, he leads a global practice to help Verizon customers secure web properties at Verizon Digital Media. He started his career programming network protocols at QUALCOMM, participated in the early days of the web infrastructure at Inktomi, made security products for 100+ million users at Symantec, and led web and...

Tuesday January 24, 2017 2:30pm - 3:20pm
Marion Davies Guest House


Dissecting Browser Privacy
It's no secret that users are being tracked across the web via cookies, supercookies, and an ever-growing list of browser fingerprinting methods. This talk will go over common privacy attack vectors in the browser and discuss ways to prevent tracking without breaking websites.

Yan

Security Engineer, Brave
Yan is a Sr. Security Engineer at Brave Software working on most things browser-related. She is also a Technology Fellow at EFF, was formerly a member of the W3C Technical Architecture Group, and has worked on Let's Encrypt, SecureDrop, HTTPS Everywhere, Tor Browser, Privacy Badger, and Yahoo Mail's End-to-End encryption project. She has a B.S. from MIT and dropped out of the PhD program at Stanford.

Tuesday January 24, 2017 2:30pm - 3:20pm
Sand and Sea Room


InfoSec at Peak Prevention
We're all familiar with Peak Oil--a concept that says there's a limit to how much oil we can produce, after which point production must decline and new energy sources must be found.

This talk explores the concept of Peak Prevention. This is the idea that there is only so much prevention that can be applied when defending systems from attack, after which point other methods of risk reduction must be employed.

We'll explore the question of how close we are to Peak Prevention currently, and what other approaches to risk reduction may be available to us.

Daniel Miessler

Director of Advisory Services, IOActive
Security tester and consultant with 17 years of experience. Currently work for IOActive as the head of its Advisory Services group. Also run the OWASP IoT Security Project. http://danielmiessler.com/about/

Tuesday January 24, 2017 2:30pm - 3:20pm
Terrace Lounge


#securityselfie (size up your appsec program with new metrics)
Hacking around to find cool bugs is one thing; securing a codebase is another. How do you measure the overall effectiveness of your application security work? Focus inward to take a security snapshot using data that you may not realize you already have.

This talk proposes several approaches for generating metrics that measure and improve your appsec work, from monitoring bug-bounty operational health to incentivizing long-term secure framework bets. Come hear how data is applied to secure the systems and code that power Facebook, WhatsApp, Instagram, and Oculus. There will be science. There will be code. You will learn new ways to use concrete numbers to assess the beautiful craft that is security engineering.

Jim O'Leary

Security Engineering Manager, Facebook
Jim O'Leary (@jimio) works on Facebook's product-security team; he delights in short biographies.

Tuesday January 24, 2017 3:30pm - 4:20pm
Garden Terrace Room


A Hybrid Approach for Web App Penetration Testing
According to Symantec Internet Security Threat Report 2016, 78% of scanned websites have vulnerabilities, of which one in seven is deemed critical. After spending years working as a web app penetration tester across both the private and public sector, it quickly became apparent that relying exclusively on automated scanning tools was not sufficient. In order to accurately demonstrate what an adversary would be capable of, we needed to develop a new way of assessing web applications, which combines both automated tools and more importantly, manual testing.

In the Cyber Security world, one may be inclined to believe that automated scanners are superior at vulnerability discovery; however, humans are actually much better at accurately identifying vulnerabilities. It has been our observation that nearly half of the vulnerabilities identified in our security assessments were not detected by vulnerability scanners, but rather identified through manual testing. As many organizations rely heavily on vulnerability scanners to discover vulnerabilities, it’s important to not gain a false sense of security based on scanner results alone as scanners often overlook logical errors.

This presentation will capture a new methodology that aims at taking a hybrid approach to web app penetration testing by integrating both automated and manual testing together. We will cover the use of interception proxies for manual testing as well as IDS/IPS evasion techniques. Lastly, we will close the talk with a live demo which demonstrates the necessity for a hybrid approach to web app penetration testing.

David Caissy

Penetration Tester, TRM Technologies Inc.
David Caissy is a web application penetration tester with in-depth developer and IT Security background spanning over 16 years. He has extensive experience in conducting vulnerability assessments and penetration tests as well as providing training globally, amongst numerous other teaching engagements. He has worked for a central bank, the Department of National Defense, various government agencies and private companies. David has been teaching...

Tuesday January 24, 2017 3:30pm - 4:20pm
Marion Davies Guest House


The Road to Free Certificates is Paved with Good Intentions
Let's Encrypt has been a success for the open source community and for privacy in today's world. Running a certificate authority has a variety of challenges, and maintaining an infrastructure with a goal of openness and security has required dedication and flexibility of a small team to turn techniques that "work in theory" into ones that "work in practice." Now past its one-year anniversary as a free, automated, and open certificate authority, this talk will cover Let's Encrypt's approach to mitigating security threats, including physical separation of duties, network partitioning, and change control procedures.

Jillian Karner

Log Whisperer, Let's Encrypt/Internet Security Research Group
Jillian has worked at black screens with white typewriter text for start-ups in the security field since her early college years. Now graduated from Arizona State University, she is currently working with Let's Encrypt.

Tuesday January 24, 2017 3:30pm - 4:20pm
Sand and Sea Room


Java LangSec: New Security Controls in Java 8 and 9
Secure software requires making a wide variety of security controls available to the developer. These controls range from automatic defenses to APIs that developers simply need to use, to controls that require extensive configuration and understanding to be used effectively. This session reviews several new security controls available in the Java 8 and 9 platforms. It also covers other important Java security work, such as how the server JRE decreases the attack surface by not including applet code—since 2013! The presentation will help raise awareness of the many defenses present and available in the Java ecosystem, something every Java developer and AppSec professional can benefit from.

Jim Manico

Founder, Secure Coding Instructor, Manicode Security
Jim is the founder of Manicode Security where he trains software developers on secure coding and security engineering. Jim is a frequent speaker on secure software practices and is a member of the Java-One Rock Star speaker community. Jim is a Global Board Member for the OWASP foundation where he helps drive the strategic vision for the organization and is the author of "Iron-Clad Java: Building Secure Web Applications" from...

Tuesday January 24, 2017 3:30pm - 4:20pm
Terrace Lounge


Break and Vendor Expo
Tuesday January 24, 2017 4:20pm - 4:50pm
Annenberg Community Beach House 415 Pacific Coast Hwy, Santa Monica, CA 90402


Essential TLS Hardening for Better Web Security
Given the ubiquitous nature of the web, security professionals must do everything they can to hasten the switchover to a TLS-everywhere world. Thankfully, what was previously an expensive and tedious task has become much easier and economical due to automated TLS certificate provisioning. Once certificates are in place, there are a multitude of configuration hardening measures available, each of which perform an important role in providing strong web security.

Attendees of this hands-on talk will walk away with an in-depth understanding of the following topics, along with how they can be put to practical use.

Automated TLS certificate provisioning

* Let’s Encrypt pros and cons
* authenticator comparison: web root, DNS-01, standalone web server
* automatic TLS certificate renewal via Certbot and cron
* overview of third-party provisioning tools

TLS-related configuration

* trade-off between better security and backwards-compatibility with older browsers
* protocol and cipher selection based on above trade-offs
* recommended configuration profiles, along with feeds for automated comparison/notification

Content Security Policy (CSP)

* threat model: cross-site scripting and other code injection attacks
* can have sharp edges, but a useful defensive measure
* tools for drafting, validating, and reporting on content security policies

Public Key Pinning (HPKP)

* threat model: compromised or rogue certificate authorities
* potentially hazardous and should be handled with care

Certificate Transparency (CT)

* threat model: helps detect faked/forged certificates
* Chromium will require certificate transparency in October 2017
* Certbot to include “Signed Certificate Timestamps” (SCT) in near future

Other topics that will be covered include:

* forward secrecy
* strict transport security (HSTS)
* OCSP stapling

Justin Mayer

Founder, Monitorial.com
Justin Mayer is the founder of Monitorial.com, a solution for identifying and addressing potential security vulnerabilities. A serial entrepreneur who has designed and built a variety of mobile/web applications, Justin is also an active open-source contributor and has presented talks at PyCon, DjangoCon, and SCaLE. In his spare time, he is the primary maintainer of Pelican, a popular Python-based static site generator, as well as the author of...

Tuesday January 24, 2017 4:50pm - 5:40pm
Garden Terrace Room


Panel: Women in Security
Girls Who Code. Lean In. Grace Hopper. Women in Cybersecurity. Brain Babe. With so many targeted initiatives to increase the number of women in cybersecurity careers, what is really happening on the ground with girls and women entering and staying in the field of cybersecurity? Can we hope to get the balance of women/men to 50/50, or is this goal missing the point? Who is getting this right and how are they doing it? What efforts can each of us make to influence girls and women in our communities and organizations?

Marian Merritt

Lead for Industry Engagement, National Initiative for Cybersecurity Education (NICE), National Institute of Standards and Technology
Marian Merritt is the Lead for Industry Engagement for the National Initiative for Cybersecurity Education (NICE) at the National Institute of Standards and Technology (NIST). Marian has over 18 years of experience working in the cybersecurity industry. She previously was with Symantec Corporation as their Director of Cyber Education and Online Safety Programs. In that role, she created a cybersecurity career program for underserved young...

Deidre Diamond

Founder and CEO, CyberSN
Deidre Diamond is the Founder and CEO of the national cyber security staffing company CyberSN, the Founder of not-for-profit organization #brainbabe, and a Strategic Board Member of ICMCP. Prior to founding CyberSN.com and #brainbabe, she was the CEO of Percussion Software, the first VP of Sales at Rapid7 (NYSE:RPD) and the VP of Sales for the national technical staffing company Motion Recruitment. Because Diamond herself was hired as...

Kelly FitzGerald

Senior Principal Information Security Analyst, Veritas Technologies LLC.
Kelly FitzGerald is a Senior Principal Information Security Analyst managing both the Customer and Supplier Trust Offices at Veritas Technologies LLC.  Prior to her work at Veritas, Kelly worked at Symantec and has held positions in the Product Security, Consumer and Enterprise organizations. Kelly’s focus is examining and investigating information security risk and fraud.

Julie Medero

Assistant Professor of Computer Science, Harvey Mudd College
Julie Medero, PhD, researches natural language processing, machine learning and educational applications of language technology. Her research integrates ideas from computer science, linguistics, and electrical engineering to develop new applications of natural language processing to the area of literacy education. In particular, she is interested in how we can use signal processing and machine learning to understand which words and sentences...

Chenxi Wang

Chief Strategy Officer, Twistlock
Dr. Chenxi Wang is Chief Strategy Officer of Twistlock. She is responsible for corporate strategy and thought leadership. Chenxi built an illustrious career at Forrester Research, Intel Security, and CipherCloud. At Forrester, Chenxi covered mobile, cloud, and enterprise security, and wrote many hard hitting research papers. At Intel Security, she led the ubiquity strategy that spans both hardware and software platforms. Chenxi is the founder...

Tuesday January 24, 2017 4:50pm - 5:40pm
Sand and Sea Room


Make me a sandwich: Automating a custom SecDevOps pipeline
The Continuous Integration and Extreme Programming models, coupled with A/B testing make it nearly impossible for security teams to keep up with the pace of development and to test all the possible software configurations exposed to the public.

Many organizations turn to automation for help, but fail to fully integrate it into all phases of their Software Development Lifecycle. Most inordinately rely on dynamic analysis tools, which lack the ability to provide thorough code coverage and run at the end of the development process, increasing the cost of finding and remediating vulnerabilities.

While security teams are aware of the benefits of automation, many lack exposure to the tools used in the development and build processes. Additionally, many security teams face budgetary constraints which prevent access to expensive software suites designed to find vulnerabilities in software, find the commercial tools lacking, or simply are unable to find software which support the development languages or frameworks in use in their organizations.

This talk will cover how and where to integrate automation into common Version Control and Build Server software, such as Git, GitHub and Jenkins, allowing for testing throughout the SDLC and greater code coverage.

In this talk, attendees will also learn how to create custom static code analysis tools to find new vulnerabilities and prevent recurrences of known vulnerabilities. This will include how to create parsers, lexers, define grammars and walk parse trees.

Patrick Albert

Director of Operations, Tinder
Military Veteran and Tech junkie with over a decade of experience in Technical Operations and Security. Long time supporter of the Infosec community, and Defcon Goon.

Tony Trummer

Director of Security Engineering, Tinder
Tony currently leads the Security team at Tinder in West Hollywood. As a penetration tester, Tony previously helped to start LinkedIn's AppSec program and later led their IR team. Tony has spoken at conferences around the world, including DefCon, BlackHat, AppSec Cali, AppSec USA and Hack In the Box.

Tuesday January 24, 2017 4:50pm - 5:40pm
Terrace Lounge


Wednesday, January 25



Opening Remarks

Richard Greenberg

Chapter Leader, OWASP Los Angeles
Hi everyone! I am the Chair for AppSec California, the Chapter Leader for OWASP Los Angeles, on the ISSA Int'l Honor Roll, am an ISSA Fellow, and the President of ISSA Los Angeles. I love our community.

Wednesday January 25, 2017 9:00am - 9:10am
Sand and Sea Room


Diamond Sponsor Greeting

Wednesday January 25, 2017 9:05am - 9:10am
Sand and Sea Room


Keynote: Machine Learning — Cybersecurity Boon or Boondoggle
Machine Learning has seemingly become the latest shiny new object in cybersecurity. While machine learning holds great promise for improving our ability to detect and respond to threats, it is far from a panacea. This talk will provide a balanced view of the role that machine learning can play in cybersecurity, drawing upon a series of real life implementation and deployment experiences of machine learning techniques. Moreover, we will describe both best practices and pitfalls of applying machine learning in a cybersecurity context.  

Dr. Zulfikar Ramzan

Chief Technology Officer, RSA
Dr. Zulfikar Ramzan serves as the Chief Technology Officer of RSA. In this role, he is responsible for leading the development of the company's technology strategy and bringing to market the innovations that help protect RSA customers from the growing number of advanced threats. Prior to joining RSA, Dr. Ramzan served as Chief Technology Officer of Elastica and, preceding that, as Chief Scientist of Sourcefire (acquired by Cisco in...

Wednesday January 25, 2017 9:10am - 9:55am
Sand and Sea Room


Break and Vendor Expo
Wednesday January 25, 2017 10:00am - 10:30am
Annenberg Community Beach House 415 Pacific Coast Hwy, Santa Monica, CA 90402


CTF / Challenge Room
Wednesday January 25, 2017 10:00am - 5:10pm
Club Room


AppSec Pipelines and Event-based Security: Moving beyond a traditional security test.
Is software development outpacing your ability to secure your company’s portfolio of apps? You don’t have to buy into Agile, DevOps or CI/CD to realize the business wants to move faster. And it's not like you didn’t already have more than enough to do. This talk will cover how to take the lessons learned from forward-thinking software development and show you how they have been applied across several businesses. This isn’t a theoretical talk. It covers the results of successfully applying these strategies to AppSec across multiple companies ranging from 4,000 to 40,000+ employees. Yes, real stats on improvements seen will be provided.

By changing focus from point-in-time security testing and assessments to automation, continual health checks and event-based security, your AppSec program can start to keep pace with the increasing speed of delivery your business is trying to obtain. By embracing the same methodologies, you can turn Docker from a problem into the way you horizontally scale your security work. Don't swim against the current of DevOps, Agile software development and Continuous Delivery. Instead, use those movements to speed your AppSec program to new levels.

Matt Tesauro

Senior Technical Project Engineer, OWASP Foundation
Matt Tesauro is currently working full-time for the OWASP Foundation, adding automation and awesome to OWASP projects. Previously, he was a founder and CTO of Infinitiv, a Senior Software Security Engineer at Pearson and the Senior Product Security Engineer at Rackspace. He is also an Adjunct Professor for the University of Texas Computer Science department teaching the next generation of CS students about Application Security. Matt is...

Wednesday January 25, 2017 10:30am - 11:20am
Garden Terrace Room


Serverless! The holy grail of security operations (?)
Let's face it: security operations is time consuming. More often than not, new paradigms surface that require investing time in addressing their risks, like Cloud and Containers. The new paradigm that's coming is serverless, which brings some interesting features and limitations.

A paradigm where every request is served by ephemeral "servers", each running its own code, isolated from each other. This talk will address these questions:

What are the security benefits? Does traditional security apply to them? Who keeps them patched? Are they really ephemeral? What about compliance? Are current solutions mature enough? Do vulnerabilities like Dirty Cow affect them? Will DevOps/Architects receive it with open arms? How does developing and deploying work? Does it "fix" DevOps engineers accessing production?

You will get to see real examples and, especially, which use cases are best for implementing serverless first.

David Cuadrado

Tech Lead at Twilio, Twilio
David is a tech lead at Twilio. He got hired as Authy’s first engineer during YC in 2012 and joined Twilio after the Authy acquisition in 2015. While in college he started working as a developer for a company dedicated to graphic design and animation, coding primarily in C++. After graduating from college, thanks to several open source contributions he started his professional career by joining a startup from Boston as a software...

Santiago Kantorowicz

Security Engineer, Twilio
Santiago started working as a pen tester 8 years ago. After finding customers making the same mistakes over and over again, he switched to defensive security 4 years later, leading AppSec efforts at South America's largest e-commerce company. Now he is Authy's Security Officer, working on the company's security and helping design new product features.

Wednesday January 25, 2017 10:30am - 11:20am
Marion Davies Guest House


AWS Survival Guide
An increasing number of organizations are using AWS or are migrating to AWS. Security teams with traditional datacenter security knowledge are trying to catch up, grasp the new attack surface and security concerns, and develop defensive techniques. Developers are often given the power to deploy infrastructure in ways that were previously restricted, without the traditional insight and controls security would normally implement. At the same time, AWS customers are being exploited in ways that are easily preventable but highly damaging to the customer's organization; this fact is well documented.

Fortunately, AWS does provide the technology to harden, monitor, and even recover should an incident occur. Unfortunately, these defensive practices are not widely discussed or well-known amongst both security professionals as well as developers.

In this talk, we discuss harnessing existing AWS functionality to strengthen your organization's AWS infrastructure against practical attacks. Ken will show you what attackers are looking for, how they are finding you, and how to secure your environment. Additionally, attendees will be given code that assists those using AWS in better understanding how their environment's IAM policies are configured and automate tasks like S3 bucket policy review, volume encryption statuses, and security group configurations.

Finally, this talk will delve deep into practical alerting/monitoring and demonstrate implementing notifications that are descriptive and pinpoint active attacks.

AWS Technologies discussed:

- Config
- CloudWatch
- CloudTrail
- Security features of other services

Ken Johnson

CTO, nVisium
Ken Johnson has been hacking web applications professionally for 8 years. Ken is both a breaker and builder and currently leads the nVisium product team. Previously, Ken has spoken at AppSec DC, AppSec California, DevOpsDaysDC, LasCon, numerous Ruby and OWASP events, and AWS NYC. Ken is currently investing his time between OWASP’s Railsgoat, Elixir and Go, as well as all aspects of AWS offerings. Ken is also...

Wednesday January 25, 2017 10:30am - 11:20am
Sand and Sea Room


DASTProxy: Don’t let your automated security testing program stall on crawl. Instead focus on business context.
Many automated security programs look at crawling through a website before testing as a measure to build security automation. However, such an approach has limited success when you are dealing with huge applications that have numerous teams working on modular components or subsections. At eBay, it was instantly clear that such an approach was doomed to fail. Instead the Secure Development Life Cycle Team leveraged the knowledge and business context that our product development teams had built into functional testing, to enhance our dynamic security testing automation. This let us further our goal to make security a responsibility of every product development team at eBay. This talk is about our journey and the open sourced automation framework (https://github.com/eBay/DASTProxy) that we built to make our dreams and goals a reality.

Srinivasa Rao

Information Security Engineer, eBay
Srinivasa Rao is an Information Security Engineer in AppSec at eBay, responsible for developing applications and tools for Secure Product Life Cycle (SPLC) and SecDevOps. He is a full-stack developer who enjoys coding using java, grails/groovy, angularJS and interacting with relational databases. He is a Computer Science Engineer with experience in Finance, IT, SCM and Identity Management domains.

Kiran Shirali

Senior Security Engineer, Red Team, eBay
Kiran Shirali is a Senior Security Engineer in eBay’s Red Team. During the day, he is scouring eBay’s networks and applications for flaws that could let hackers get access to critical assets. He is also involved in various other initiatives that help on the defensive side of security and is a supporter of automation and baking security into all processes and development activities within eBay. When he is not at work he loves to spend...

Wednesday January 25, 2017 10:30am - 11:20am
Terrace Lounge


On Strategic Defense
There is no such thing as perfect security, but most of the attacks in the news were not that difficult and would have been prevented with practical security fundamentals. Yet we continue to see all of these large companies failing at the fundamentals of defense. Why?

In this presentation I will discuss the importance of developing robust ingress and egress filtering to mitigate the threat of sophisticated malware. I will discuss the steps you need to take to defend against the majority of the known attacks. The concepts of how to segment and isolate an architecture will be covered, as well as endpoint protections you can deploy to make your network a harder target.

Kevin Cardwell

Consultant, Cyber Security Internationa
Kevin has worked extensively with banks and financial institutions throughout the Middle East, Europe and the UK. He served as leader of a DoD Red Team with 100% success rate of compromise. Some of his recent consulting projects include the Muscat Securities Market (MSM), Petroleum Development Oman and the Central Bank of Oman. He designed and implemented the custom security baseline for the existing Oman Airport Management Company (OAMC...

Wednesday January 25, 2017 11:30am - 12:20pm
Garden Terrace Room


Scaling Security Testing at the Speed of DevOps
Recent software development trends, namely DevOps, Continuous Integration, Continuous Delivery, and Continuous Deployment, have empowered developers and drastically reduced the DevTest window, forcing teams to adopt highly automated test infrastructures. While the adoption of these trends and automated test frameworks has improved feature delivery and time to market, it has complicated security assessment, producing substantial gaps between the current release and the last security-audited code. Consumers are now being forced to adopt new code releases daily or hourly without substantive security review, especially in the Software as a Service (SaaS) sector. As engineering teams rapidly embrace these development methodologies, the community must evolve security testing strategies so as to enhance the security posture of products, services, and solutions.

This evolution must address three primary problems elucidated by the aforementioned development trends:

1. Testability: Security requirements should be testable and verifiable.
2. Scalability: Security requirements should be capable of being automated in a best-effort fashion so as to scale effectively.
3. Accessibility: Security tools and results should be easily digestible by software engineers and testers, and new security tools should be accessible to all development and test engineers.

Therefore, we have developed and are preparing to open source a new distributed security testing framework called Norad, which facilitates security assessment at scale. This framework automates multiple open-source and vendor security tools and aggregates their results for review. It also provides an SDK which promotes the development of community-developed security test content. This talk will explain Norad's design philosophy and architecture, and demonstrate its usage.

Roger Seagle

Principal Engineer, Cisco
Roger Seagle Jr. is a Principal Engineer in the STO TIP team at Cisco. Previously, he worked in Cisco's Advanced Security Initiatives Group (ASIG) where he assessed the security posture of Cisco products and advised product teams on patching and mitigating vulnerabilities. Roger regularly audits embedded systems and web applications, configures and monitors internal production servers, and serves as a technical advisor. Roger holds a PhD and MS...

Wednesday January 25, 2017 11:30am - 12:20pm
Marion Davies Guest House


Want to be secure? Eliminate passwords. If you don't have a password, it can't be stolen!
User IDs and passwords not only allow us to authenticate our accounts and online payments but also allow access to hackers and criminal elements. 76% of data breaches are from stolen login information. By eliminating passwords and using instant, automatic 2-Factor authentication, we can stop fraudulent activities and payments.

A pie in the sky idea? Not really. See how the latest technologies make it possible.

Jack Bicer

CEO, Sekur Me
Jack Bicer is the founder and CEO of SEKUR.me, a mobile security and payments company that eliminates passwords securely. His two previous inventions, “Uninstall” and “Automatic Software Updates”, run on every computer and every smartphone today.

A 35-year software industry veteran, Jack is an industry expert on mobile applications, authentication, SaaS and payment processing. He has been a speaker in various mobile...

Wednesday January 25, 2017 11:30am - 12:20pm
Sand and Sea Room


HSTS, TLS, HPKP, CSP: putting them all together to move to HTTPS
Moving a large website with many user customizations to HTTPS is not as easy as it sounds. Migrating to a secure HTTPS platform is even harder. Browser vendors have added many HTTP headers to make HTTPS websites safer to use: HSTS, HPKP (Public Key Pinning), CSP (Content Security Policy), etc. In this talk, I will share my experience at Zscaler and Salesforce in moving large and complex websites to HTTPS. I will explain how these headers need to be thoroughly thought out, from the TLS versions and ciphers to support to which certificate to pin. The talk will show how to plan the migration to HTTPS, how to leverage CSP to measure the impact of the update before it happens, and how HSTS, HPKP and CSP can work together to ensure a safer experience for the users.
Participants will learn a methodology to move a complex website to HTTPS, including the role of the different HTTP headers in the planning and execution phases.

Sun Hwan Kim

Senior Member of Technical Staff, Development, Salesforce
Received a Bachelor of Science in Computer Science from Carnegie Mellon University in 2013. Previously interned at Neowiz internet and Ahnlab in South Korea. Now working as a software engineer in the Product Defense Team at Salesforce, mainly focusing on building a security framework for the Salesforce application.
Julien Sobrier

Lead Security Product Owner, Salesforce
Julien Sobrier has spent 10+ years in the security industry, as a Security Researcher at Netscreen/Juniper and Zscaler, then Product Manager at Zscaler and now Product Security Owner at Salesforce. He is co-author of Power Security Tools (O'Reilly) and has released many browser security add-ons (BlackSheep, Zscaler Safe Shopping, Blackhat SEO prevention), including HTTPS Everywhere for Internet Explorer. Julien spoke at OWASP, SOURCE, Les Assises de la...

Wednesday January 25, 2017 11:30am - 12:20pm
Terrace Lounge


Lunch and Vendor Expo
Wednesday January 25, 2017 12:20pm - 2:00pm
Annenberg Community Beach House 415 Pacific Coast Hwy, Santa Monica, CA 90402


A Case for Integrity: JavaScript Apps Should Have it Too
JavaScript Web Applications are being used by virtually all tech companies in the world today, from startups to Fortune 500 organizations. Increasing amounts of logic are being shipped to the browser because of this. There is a need to interact with critical data such as user credentials, personally identifiable information, credit card numbers, etc., in other words, very sensitive information. Because JavaScript is highly dynamic, it's very easy to interfere with the app's behavior and its execution environment, thus there are risks that need to be addressed. In this talk we will discuss the current state of the art regarding the integrity of Web Applications on the client-side, show some attack scenarios, and how to avoid them.

Pedro Fortuna

CTO and Co-Founder, Jscrambler
Pedro is the CTO and co-founder of Jscrambler, where he co-leads business development. He holds a degree in Computing Engineering and an MSc in Computer Networks and Services. He has extensive knowledge and professional experience in R&D projects, cybersecurity and software development, both in academia and industry, and has been part of several R&D groups linked to the University of Porto and to the Polytechnic Institute of Porto. Formerly, he was an...

Wednesday January 25, 2017 2:00pm - 2:50pm
Garden Terrace Room


When Bandit(s) Strike - Defend your Python Code
Bandit is an open-source tool designed to discover common security flaws in Python code. Although Bandit was originally developed to find issues in OpenStack (a large open-source cloud platform) it has since been adopted by many Python developers outside of OpenStack. It has found dozens of critical security issues including: command injection, SQLi, insecure temporary file usage, and usage of insecure libraries.

Join Travis McPeak, one of the core developers on the Bandit project, to find out: how Bandit works, how to customize it for different workflows, how to create a Security CI pipeline with Bandit, and even how to extend it.

Will Bengtson

Senior Security Program Manager, Nuna, Inc
William Bengtson is an information security professional with years of experience in a variety of roles including red teaming, network security, architecture risk analysis lead, software security, exploit development, security architect lead, application developer and certification lead. Bengtson comes to Nuna as the Senior Security Program Manager from Lockheed Martin as a Core Cyber Security Lead, Cigital as a Senior Security Consultant, and...
Travis McPeak

Sr. Security Architect, IBM
Travis McPeak is a Sr. Security Architect for IBM Cloud. He is a core developer of the Bandit project and is actively involved with OpenStack and Cloud Foundry project security. In his spare time he loves travel, snowboarding, and quality food/beer.

Wednesday January 25, 2017 2:00pm - 2:50pm
Marion Davies Guest House


An SDLC for the DevSecOps Era
The standard approaches for web application security over the last decade and beyond have focused heavily on slow gatekeeping controls like static analysis and dynamic scanning. However, these controls were originally designed in a world of Waterfall development, and their heavyweight nature often causes more problems than it solves in today’s world of agile, DevOps, and CI/CD.

This talk will share practical lessons learned on the most effective application security techniques in today's increasingly rapid world of application creation and delivery. Specifically, it will cover how to:

1) Adapt traditionally heavyweight controls like static analysis and dynamic scanning to lightweight efforts that work in modern development and deployment practices

2) Obtain visibility to enable, rather than hinder, development and DevOps teams' ability to iterate quickly

3) Measure the maturity of your organization's security efforts in a non-theoretical way

Zane Lackey

Founder/Chief Security Officer, Signal Sciences
Zane Lackey is the Founder/Chief Security Officer at Signal Sciences and serves on the Advisory Boards of the Internet Bug Bounty Program and the US State Department-backed Open Technology Fund. Prior to Signal Sciences, Zane was the Director of Security Engineering at Etsy and a Senior Security Consultant at iSEC Partners. He has been featured in notable media outlets such as the BBC, Associated Press, Forbes, Wired, CNET, Network World, and SC...

Wednesday January 25, 2017 2:00pm - 2:50pm
Sand and Sea Room


CSP: The Good, the Bad and the Ugly
The W3C Web Application Security working group has worked really hard to establish new standards to improve the security of web applications: CORS, SRI, HSTS and HPKP are just a few of them. The most complicated in that family is Content Security Policy (CSP), which has become so complex that web application developers and DevOps teams can easily get lost on where to start and what to do if they need to integrate CSP.

In this presentation I’ll help you figure out where to start, what to do and which issues you might face if you want to add CSP to your web application.

Attendees will learn about the key differences between CSP level 1, 2 and 3, what a secure CSP is and how to build one. We’ll also talk about creating a production-ready, backward-compatible policy.

I’ll also present how the Alexa top million websites adopt CSP and show interesting patterns I discovered among their policies, typical mistakes and strategies to fix them.

In the final part I’ll talk about the tools and frameworks we have, and also about the tools and frameworks we need to build to efficiently deploy CSP.

Ilya Nesterov

Engineering Manager, Shape Security
Ilya Nesterov is currently an engineering manager at Shape Security, where he is responsible for product quality. Prior to Shape, Ilya led QA teams at F5 and earned his master’s degree from Tomsk Polytechnic University. His area of interest is web application security, in particular identifying vulnerabilities using automation techniques. Ilya also works as an independent security researcher and spoke at the AppSec USA 2016 conference.

Wednesday January 25, 2017 2:00pm - 2:50pm
Terrace Lounge


Life of a Password
Imagine an attacker who can update records in your website’s user password database. Is it possible for the attacker to get into a user’s account without cracking the user’s password? As a security professional at a large internet company with a multi-tiered architecture, do you worry about the possibility of passwords being improperly handled by one or more systems before they are stored securely? Attend THIS talk if you want to learn more about attacks on password and password history tables and techniques to mitigate password handling risk. You will leave with recipes for handling and storing passwords that are different from the techniques used to resist password cracking.

Arvind Mani

Engineering Director, Security, Anti-Abuse & Privacy, LinkedIn
Arvind is the head of Trust Engineering at LinkedIn, where he leads a team of 60+ engineers who solve security, privacy, and anti-abuse problems. He has over 16 years of experience in security and has spent the past decade securing several Alexa Top 50 websites. He graduated from the University of Maryland with a Master's thesis on authenticated key agreement in dynamic groups. On weekends Arvind enjoys coaching his son’s FIRST Lego League...

Wednesday January 25, 2017 3:00pm - 3:50pm
Garden Terrace Room


Continuous security: Bringing agility to the secure development lifecycle
The fact that software development is moving towards agile methodologies and DevOps is a given; the question is: how do you transform processes and tools to get the biggest advantage? Using application security testing as an example, this talk cuts through all the news, research, and standards to define a holistic process for integrating Agile testing and feedback into development teams. The talk describes specific processes, automation techniques, and the smart selection of tools to help organizations produce more secure, OWASP-compliant code and free up development time to focus on features.

Through a combination of workflows and real code examples, you'll learn about:
- Building a comprehensive compliance plan
- Integrating security testing into the SDLC
- Remediating real-world code vulnerabilities

Rod Cope

CTO, Rogue Wave Software
Rod Cope, CTO, drives the technology vision for Rogue Wave Software. Rod was the founder and CTO of OpenLogic, a profitable venture-backed company, and has over 20 years of experience in software development spanning telecommunications, aerospace, healthcare, and manufacturing. Working at IBM, IBM Global Services, General Electric, and for the CTO of Anthem, Rod has led key technical teams working on mission-critical applications including the...

Wednesday January 25, 2017 3:00pm - 3:50pm
Marion Davies Guest House


OCSP Stapling in the Wild
Certificate revocation is a messy problem; certificate revocation lists and mid-handshake OCSP checks have proven unworkable in practice. The dream of TLS certificate revocation is Must-Staple: an extension in a certificate indicating that it can only be used alongside a stapled OCSP (Online Certificate Status Protocol) response indicating that the certificate hasn’t been revoked. If a Must-Staple certificate is compromised, the attacker can only use it for the short time window until the current OCSP response expires. But is the world ready for Must-Staple yet? Unreliable OCSP servers, buggy stapling implementations, and client and network misconfigurations (from mismatched clocks to MITM proxies) all present challenges. This talk examines the state of the world of OCSP stapling and describes Dropbox’s implementation of OCSP Stapling. To gather real data on the feasibility of deploying OCSP stapling, we will discuss the data we gathered from a Chrome feature called Expect-Staple, which is a report-only version of OCSP Must-Staple that lets us evaluate how well OCSP Must-Staple might work in the real world.

Devdatta Akhawe

Engineering Manager, Dropbox
Devdatta leads the Product Security team at Dropbox. Before that, he received a PhD in Computer Science from UC Berkeley. His graduate research focused on browser and web application security, during which time he also collaborated with the Firefox and Chrome teams. He is a co-author of award-winning papers on security at top academic conferences and has also spoken at Blackhat, AppSec Cali, etc. He is also a co-editor on the...
Emily Stark

Software Engineer, Google
Emily Stark is a software engineer on the Google Chrome security team, where she focuses on making TLS more usable and secure. She spends lots of time analyzing field data about the HTTPS ecosystem and improving web platform features like Referrer Policy and Content Security Policy that help developers migrate their sites to HTTPS. She has also worked on the DevTools security panel and the browser plumbing that supports other security UI surfaces...

Wednesday January 25, 2017 3:00pm - 3:50pm
Sand and Sea Room


"Stealth" Authentication - how to not leak information to hackers in web application authentication
Web application authentication systems often unnecessarily leak valuable information to hackers and thus enable user enumeration, denial of service and attacks on authentication factors.

The talk shows where information is leaked and how this can be prevented. Further, a simple and effective way of preventing denial of service attacks based on account locking is shown.

Giving real-world examples, the term "side-channel-safe" second factor is introduced and it is shown how this property influences the security of the overall authentication scheme.

The talk closes with usability considerations and what features a well designed "stealth authentication system" should provide.

Marc Bütikofer

Director Innovation, Ergon Informatik AG
Marc Buetikofer serves as Director Innovation and CTO for Airlock, a leading Swiss web application security suite provided by the company Ergon Informatik AG in Zurich.

After joining Ergon Informatik in 2000 he provided numerous security engineering projects with his expertise before leading the development of Airlock IAM, one of the most used security solutions in Switzerland.

Marc holds an M.Sc. in Computer Science from ETH Zurich.

Wednesday January 25, 2017 3:00pm - 3:50pm
Terrace Lounge


Break and Vendor Expo
Wednesday January 25, 2017 3:50pm - 4:20pm
Annenberg Community Beach House 415 Pacific Coast Hwy, Santa Monica, CA 90402


Closing Keynote: Hide and Seek just got harder, the anatomy of modern deceptive technologies
The new world is fluid. It’s not static honeypots that are easily identified, it’s not virtual systems that are ignored; the defenders have taken a leaf out of Mother Nature’s book and put an ever-changing deceptive environment in front of us. We have to somehow navigate through it without falling into the dynamic traps that learn from their surroundings and morph based on our behavior.

Chris Roberts

Chief Security Architect, Acalvio Technologies
Roberts is considered one of the world’s foremost experts on counter threat intelligence within the information security industry. At Acalvio, Roberts helps drive technology innovation and product leadership. In addition, Roberts directs a portfolio of services within Acalvio designed to improve the physical and digital security posture of enterprise, industrial and government clients.

With increasingly sophisticated attack...

Wednesday January 25, 2017 4:20pm - 5:10pm
Sand and Sea Room