
Tuesday, October 20
 

9:00am

Creating and automating your own AppSec Pipeline (Day 1)
Any optimization outside the critical constraint is an illusion. In application security, the size of the security team is always the most scarce resource. The best way to optimize the security team is automation. This training will provide an overview of key application security automation principles and provide hands-on experience with creating an Application Security Pipeline augmented with automation. Over the course of two days, the students will cover the crucial aspects of where and when to add automation to their application security practices and gain experience with integrating APIs, automating security scanning, consolidating and de-duplicating security issues, automating submission of issues to defect trackers and generating reports/metrics in an automated fashion. Students should leave with a firm understanding of how to apply DevOps and Agile concepts to optimize their security programs.

The labs consist of a series of exercises which build upon each other to construct an AppSec Pipeline. After discussing each fundamental part of the pipeline, the student will be provided a lab to construct that portion of their own AppSec Pipeline. While these will be somewhat scripted labs, they will provide working examples of all the key concepts needed in adding automation to an AppSec program, allowing the student to have seen the concepts in action before returning to work and applying them to their particular situation.

Who Should Take This Course? AppSec professionals who are running an internal AppSec program. This course is designed to demonstrate both the principles in theory and practice around the creation of an AppSec Pipeline, the benefits it brings and how it can help you do more with less. Multiple open source software packages will be used to set up an example AppSec Pipeline in a series of hands-on labs. The concepts and techniques of this course can then be applied to their AppSec programs to build their own, custom AppSec Pipeline.

What Should Students Bring? A laptop capable of running a VM in either VirtualBox, VMware Player/Workstation/Fusion or Parallels. A custom VM will be provided to the students which contains all the necessary software for the labs.


Tuesday October 20, 2015 9:00am - 5:00pm
Under Armour Room Norris Conference Center, Austin

9:00am

Defensive Programming for JavaScript and HTML5 (Day 1)
Understand JavaScript and HTML5 Features to Secure Your Client-side Code

This full-day course helps web front-end developers understand the risks involved with manipulating JavaScript and HTML5 and apply defensive programming techniques in both languages.
Some of the topics covered include, but are not limited to, important security aspects of modern browser architecture (Document Object Model and Same Origin Policy), XSS, CSRF, DOM manipulation, Sandboxing iframes, Cross-origin Resource Sharing, Content Security Policy, Web Messaging, Web Storage, and JSON.

This course is structured into modules and includes exploitation and remediation exercises. The high-level topics for this course are:
• The HTML5 and JavaScript Risk Landscape
• Storage of Sensitive Data
• Secure Cross-domain Communications (CORS, web messaging)
• Protecting from Cross-site Scripting (CSP, JavaScript Execution Contexts, Output Encoding)
• Implementing Secure Dataflow
• Securing AJAX Requests and JSON Data

Objectives
After completing this course, students will be able to:
• Apply HTML5 Defensive Programming Techniques
• Apply JavaScript Defensive Programming Techniques
• Apply JSON Defensive Programming Techniques
There should be a maximum of 20 students.

Labs and Demonstrations
Students who bring their own laptops with internet connectivity will be able to access online Virtual Machines with labs. In lab sessions students will learn to fix issues related to localStorage, web messaging, the sandbox attribute for iframes, CORS, CSP, parsing JSON data, and DOM-based cross-site scripting. The course also includes several interactive demonstrations showing how to tamper with client-side data, evade client-side filters, and work with Firebug. The labs are not compulsory to get the full value of the course.

Note, the training has been recently updated with the latest information on CORS, CSP, and new lab exercises.

Speakers

Ksenia Dmitrieva

Associate Principal Consultant, Cigital
Ksenia Dmitrieva is an Associate Principal Consultant at Cigital with over six years of experience in securing web applications and five years of development experience. She performs penetration testing and code review for clients in financial services, entertainment, telecommunications, energy, and enterprise security industries. Her current concentration is on researching HTML5 technologies and new JavaScript frameworks, their security...


Tuesday October 20, 2015 9:00am - 5:00pm
Gemalto Room Norris Conference Center, Austin
 
Wednesday, October 21
 

9:00am

OWASP TOP 10: Intro to Application Security for Developers
In this training, application security experts Dan Cornell and Josh Sokol will walk developers through some of the most common application security risks that are encountered. You will learn how to detect and prevent common vulnerabilities such as Cross-Site Scripting (XSS), SQL Injection, and Cross-Site Request Forgery (CSRF). No prior experience is assumed and content will be generically applicable to most programming languages.

To attend this training, you must register here > http://lascon.org/free-owasp-training/ 

Speakers

Dan Cornell

CTO, Denim Group
A globally recognized application security expert, Dan Cornell holds over 15 years of experience architecting, developing and securing web-based software systems. As Chief Technology Officer and Principal at Denim Group, Ltd., he leads the technology team to help Fortune 500 companies and government organizations integrate security throughout the development process.

Josh Sokol

Information Security Program Owner, National Instruments
Josh Sokol, CISSP, graduated from the University of Texas at Austin with a BS in Computer Science in 2002. Since that time, he has worked for several large companies including AMD and BearingPoint, spent some time as a military contractor, and is currently employed as the Information Security Program Owner at National Instruments. In his current role, Josh manages all compliance, security architecture, risk management, and vulnerability...


Wednesday October 21, 2015 9:00am - 4:00pm
Contrast Security Ballroom Norris Conference Center, Austin

9:00am

Creating and automating your own AppSec Pipeline (Day 2)
Any optimization outside the critical constraint is an illusion. In application security, the size of the security team is always the most scarce resource. The best way to optimize the security team is automation. This training will provide an overview of key application security automation principles and provide hands-on experience with creating an Application Security Pipeline augmented with automation. Over the course of two days, the students will cover the crucial aspects of where and when to add automation to their application security practices and gain experience with integrating APIs, automating security scanning, consolidating and de-duplicating security issues, automating submission of issues to defect trackers and generating reports/metrics in an automated fashion. Students should leave with a firm understanding of how to apply DevOps and Agile concepts to optimize their security programs.

The labs consist of a series of exercises which build upon each other to construct an AppSec Pipeline. After discussing each fundamental part of the pipeline, the student will be provided a lab to construct that portion of their own AppSec Pipeline. While these will be somewhat scripted labs, they will provide working examples of all the key concepts needed in adding automation to an AppSec program, allowing the student to have seen the concepts in action before returning to work and applying them to their particular situation.

Who Should Take This Course? AppSec professionals who are running an internal AppSec program. This course is designed to demonstrate both the principles in theory and practice around the creation of an AppSec Pipeline, the benefits it brings and how it can help you do more with less. Multiple open source software packages will be used to set up an example AppSec Pipeline in a series of hands-on labs. The concepts and techniques of this course can then be applied to their AppSec programs to build their own, custom AppSec Pipeline.

What Should Students Bring? A laptop capable of running a VM in either VirtualBox, VMware Player/Workstation/Fusion or Parallels. A custom VM will be provided to the students which contains all the necessary software for the labs.


Wednesday October 21, 2015 9:00am - 5:00pm
Under Armour Room Norris Conference Center, Austin

9:00am

Defensive Programming for JavaScript and HTML5 (Day 2)
Understand JavaScript and HTML5 Features to Secure Your Client-side Code

This full-day course helps web front-end developers understand the risks involved with manipulating JavaScript and HTML5 and apply defensive programming techniques in both languages.
Some of the topics covered include, but are not limited to, important security aspects of modern browser architecture (Document Object Model and Same Origin Policy), XSS, CSRF, DOM manipulation, Sandboxing iframes, Cross-origin Resource Sharing, Content Security Policy, Web Messaging, Web Storage, and JSON.

This course is structured into modules and includes exploitation and remediation exercises. The high-level topics for this course are:
• The HTML5 and JavaScript Risk Landscape
• Storage of Sensitive Data
• Secure Cross-domain Communications (CORS, web messaging)
• Protecting from Cross-site Scripting (CSP, JavaScript Execution Contexts, Output Encoding)
• Implementing Secure Dataflow
• Securing AJAX Requests and JSON Data

Objectives
After completing this course, students will be able to:
• Apply HTML5 Defensive Programming Techniques
• Apply JavaScript Defensive Programming Techniques
• Apply JSON Defensive Programming Techniques
There should be a maximum of 20 students.

Labs and Demonstrations
Students who bring their own laptops with internet connectivity will be able to access online Virtual Machines with labs. In lab sessions students will learn to fix issues related to localStorage, web messaging, the sandbox attribute for iframes, CORS, CSP, parsing JSON data, and DOM-based cross-site scripting. The course also includes several interactive demonstrations showing how to tamper with client-side data, evade client-side filters, and work with Firebug. The labs are not compulsory to get the full value of the course.

Note, the training has been recently updated with the latest information on CORS, CSP, and new lab exercises.

Speakers

Ksenia Dmitrieva

Associate Principal Consultant, Cigital
Ksenia Dmitrieva is an Associate Principal Consultant at Cigital with over six years of experience in securing web applications and five years of development experience. She performs penetration testing and code review for clients in financial services, entertainment, telecommunications, energy, and enterprise security industries. Her current concentration is on researching HTML5 technologies and new JavaScript frameworks, their security...


Wednesday October 21, 2015 9:00am - 5:00pm
Gemalto Room Norris Conference Center, Austin
 
Thursday, October 22
 

7:30am

Registration Opens
Moderators

Philip Beyer

Senior Director, Information Security, The Advisory Board Company

Thursday October 22, 2015 7:30am - 9:00am
Contrast Security Ballroom Norris Conference Center, Austin

9:00am

Keynote: Pete Cheslock

Speakers

Pete Cheslock

Sr Director, Ops and Support, Threat Stack


Thursday October 22, 2015 9:00am - 10:00am
Contrast Security Ballroom Norris Conference Center, Austin

10:00am

Fast Adversaries - Fast Countermeasures
As our adversaries continue to gain speed and surpass the technologies that protect our assets, we must change our mindset to think like the bad guys.

In this talk, Robert Hansen and Matt Johansen will cover:
- Ways to counteract new rapid-paced hacking techniques
- How adversaries are gaining pace with new tools and tactics
- Why the old mantra of quarterly scanning to detect and patch will not work in the future

Link to the Video 

Speakers

Robert Hansen

Director of Product Management & Technical Evangelist, WhiteHat Security
Robert Hansen (CISSP) is the Director of Product Management at WhiteHat Security. He's the former Chief Executive of SecTheory and Falling Rock Networks which focused on building a hardened OS. Mr. Hansen began his career in banner click fraud detection at ValueClick. Mr. Hansen has worked for Cable & Wireless doing managed security services, and eBay as a Sr. Global Product Manager of Trust and Safety. Mr. Hansen contributes to and sits on the...

Matt Johansen

Director of Security, Honest Dollar
Matt Johansen is the Director of Security at Honest Dollar, an Austin financial tech startup, where he is charged with building an information security program from the ground up. Previously, he was the Director of Services and Research at WhiteHat Security, where he oversaw product development, and a Senior Manager for WhiteHat’s Threat Research Center, where he built and managed a team working to prevent website security attacks. In an...


Thursday October 22, 2015 10:00am - 11:00am
Under Armour Room Norris Conference Center, Austin

10:00am

Why Some Multi-Factor Authentication Technology is Irresponsible
Unlike most analyst or vendor-related reports, this is an independent, critical assessment of authentication technologies and methods.

This talk covers multi-factor authentication, and what to look for if you are planning a product refresh, or implementing a solution for the first time. Since there are over 200 authentication vendors, it is not easy to select the best solution for your needs. This talk will arm you with questions to ask, plus identify some suboptimal technologies to avoid. Your feedback to vendors will help them provide better, more secure products and services.

Just say, “No,” or request alternatives for the following suboptimal choices in some multi-factor authentication products:
• 2D fingerprints, other already-hacked or easily hacked biometrics
• Quick Response (QR) codes
• Short Message Service One-Time Password (SMS OTP)
• JavaScript requirements
• Weak account recovery methods
• Overreliance on GPS
• Lack of mobile device risk analysis
• Lack of checks for OWASP Mobile Top 10 Risks for mobile apps
• Encryption with backdoors, or mysterious constants or “magic numbers” of unknown provenance
• Elastic definition of multi-factor authentication: there is a growing chasm between NIST’s definition and newer definitions from some vendors.

Video to the talk 

Speakers

Clare Nelson

Founder, CEO, ClearMark Consulting
Carnivorous, competitive yogi. Passionate about multi-factor authentication, IoT, mobile security. Over 30 years in industry. Worked on encrypted TCP/IP variants for NSA. System administration was the best schooling ever, beside a degree in math. Have done product management, sales, and alliances (so I can help you avoid bad sales experiences; if a sales person is too pesky, just ask for the product's threat model). Was VP Business...


Thursday October 22, 2015 10:00am - 11:00am
Gemalto Room Norris Conference Center, Austin

10:00am

Rugged Software Engineering
As "software eats the world", being in software engineering has never been more exciting. The promise of software-as-manufacturing is here and its complex supply chains, virtual containers, and infrastructure-as-service have led to huge advances in delivery, capability and availability. However, it has also blurred the line of what a "developer" (and others) are responsible for. In addition, engineering organizations are faced with demands of "going faster" while at the same time improving quality and security. Rugged Software Engineering is the start of a dialog on resolving this conflict. Proposed are practical additions to ensure your software lifecycle is both rapid and rugged.

Video to the Talk 

Speakers

Nick Galbreath

Signal Sciences
Nick has scaled the engineering infrastructure and teams of over a half dozen startups and has published extensively on Development, Security and DevOps. He is currently the Founder and CTO of Signal Sciences in Los Angeles.


Thursday October 22, 2015 10:00am - 11:00am
Contrast Security Ballroom Norris Conference Center, Austin

10:00am

Doing AppSec at Scale: DevOps + Agile + CI/CD == AppSec Pipelines
How many applications are in your company’s portfolio? What’s the headcount for your AppSec team? Whatever your situation is, I am sure the numbers are not in your favor. It's not time to find a new career, it's time to up your game. This talk will cover how to take your small merry band of AppSec professionals and scale it up to a virtual army. By taking the best of DevOps, Agile and CI/CD, you can iteratively up your AppSec game over time and begin your ascent out of the security hole you are in.

The talk covers real-world experiences running AppSec groups at two different companies: Rackspace, with approximately 4,000+ employees, and Pearson, with 40,000+. Both have an international presence and far more apps and developers than AppSec staff. The talk covers the key principles to speed and scale up AppSec programs as well as practical examples of these practices put into use. Example results? How about under a minute to provision recurring static scanning of an application? How about 24/7 remediation advice available to any developer, even while you sleep? Report generation in minutes. Automation, Orchestration, ChatOps, it's all in our AppSec Pipeline. Start early and begin to buy down the technical security debt which feels inevitable using traditional AppSec program thinking.

Watch the talk here

Speakers

Matt Tesauro

OWASP Foundation
Matt Tesauro is currently working full-time for the OWASP Foundation, adding automation and awesome to OWASP projects. Previously, he was a founder and CTO of Infinitiv, a Senior Software Security Engineer at Pearson and the Senior Product Security Engineer at Rackspace. He is also an Adjunct Professor for the University of Texas Computer Science department teaching the next generation of CS students about Application Security. Matt is...


Thursday October 22, 2015 10:00am - 11:00am
Cypress Room Norris Conference Center, Austin

11:00am

PHP WAF: Intercept and Monitor Application Attacks
As security breaches increasingly move from operating system originated attacks to application-level attacks, a web application firewall (WAF) is becoming an increasingly indispensable tool in the arsenal of security-conscious website operators and hosts. Tools like ModSecurity provide knowledgeable website and network admins with useful WAF-like capabilities, but what if you are writing an application for large-scale deployment where the install environment is unknown? Integrating WAF-like capabilities directly into your PHP application can provide an additional layer of security that can be difficult for skilled admins to replicate using other methods. With a simple include and a few lines of code, your application can stop a variety of attacks before any potentially sensitive code is executed or a database connection is even made. This presentation will provide you with a skeleton security framework and introduce you to a way to give website owners insights into potential attacks as well as their authorized users' experience.

Watch the Talk Video here

Speakers

Matthew Hellinger

Co-Founder, Buzz Tools, LLC
PHP Application Security, E-commerce, Web Automation, Business Consulting


Thursday October 22, 2015 11:00am - 12:00pm
Under Armour Room Norris Conference Center, Austin

11:00am

Authz is the new Authn: Trust Elevation with UMA and OpenID Connect
Increased trust in an online identity = increased mitigation of the risk of fraud. As an enterprise interacts with a person via the Internet, it may be prudent, for certain transactions, to have more evidence of that person’s identity. Web Access Management systems include some proprietary features to force “stepped-up authentication.” But luckily, new OAuth2 profiles like UMA and OpenID Connect offer a standards-based approach to achieve inter-domain trust elevation. This session will include a high-level overview of the Enterprise UMA use case and some of the useful OpenID Connect features that can be leveraged to create centralized authentication policies.

Watch the Talk Video

Speakers

William Lowe

Director of Marketing & Business Development, Gluu, Inc.

Michael Schwartz

CEO, Gluu
Mike is the founder of Gluu, an access management software company serving companies, governments, and universities around the world. An advocate of FOSS (free open source), he has participated in the development of standards like the User Managed Access profile of OAuth2, and currently leads the Open Trust Taxonomy for OAuth2. He resides with his family (and his pigeons) in Austin TX.


Thursday October 22, 2015 11:00am - 12:00pm
Gemalto Room Norris Conference Center, Austin

11:00am

Docker Docker Docker Security Docker
What is Docker? Why is it such a big deal? How does it enable DevOps thinking and practice? What are some of the security concerns and solutions around this amazingly popular new form of system virtualization? The first third of the talk will describe Docker, the history of containers and the differences between containers and VMs (hint: VMs are much more secure). The second third will talk about the potential benefits of Docker in particular and why it is so popular. The emphasis will be on why security-minded folks might consider it time well spent for their company to see if Docker makes sense. The third part will highlight the notion of identity management as something completely missing from the Docker paradigm today and what is happening in Docker's larger ecosystem to address it. Additionally, it will demonstrate Docker's first nod toward security with Notary (https://github.com/docker/notary).

Watch the Talk Video

Speakers

Boyd Hemphill

Director of Infrastructure Services, Kasasa
Boyd Hemphill is a DevOps raconteur and thought leader in the silicon hills of Austin Texas. Boyd founded Austin DevOps when he learned the thing he was doing had a name. Boyd organized the first ever Container Days in Austin Texas. In his professional life, Boyd has been a developer (PL/SQL, PHP), DBA (Oracle and MySQL), and system administrator. Today he is the Director of Infrastructure Services at Kasasa LTD.


Thursday October 22, 2015 11:00am - 12:00pm
Cypress Room Norris Conference Center, Austin

11:30am

Lunch
Thursday October 22, 2015 11:30am - 1:30pm
Contrast Security Ballroom Norris Conference Center, Austin

12:00pm

Testing Modern Applications with Hackazon
In this session, we'll discuss how to test some of the latest application functions found in online store fronts, shopping carts, and logic-constrained workflows powered by AJAX and RESTful APIs. We'll use a new open source test application, Hackazon.
We'll be sure to fill your shopping cart full of information about testing modern applications and we'll go deep in the DOM to do it. While we're there, we'll be sure to exercise those pesky and oft-overlooked RESTful APIs where some of the sneakiest vulnerabilities (and bounties!) hide.
Join us to learn the following:
• Why are these modern application functions going untested?
• What vulnerabilities are hiding in those functions?
• How to begin systematically finding and validating those vulnerabilities

Watch the Talk Video

Speakers

Dan Kuykendall

Senior Director, Application Security Products, Rapid7
Dan Kuykendall is the Senior Director of Application Security Products at Rapid7 where he directs the strategic vision, research and product development for the company’s application security solutions. In addition to keeping up with the latest attack patterns, Dan remains focused on one of the toughest aspects of application security: the rapidly evolving web and mobile application development trends. He does this with the philosophy that...


Thursday October 22, 2015 12:00pm - 1:00pm
Under Armour Room Norris Conference Center, Austin

12:00pm

Managing Certificates and TLS Endpoints
TLS/SSL is ubiquitous nowadays and is widely used to protect traffic on the Internet. Although TLS/SSL originated to protect web sites, it is now also being used for email, web services and VPNs among others. Yet, despite its widespread adoption, it is still difficult to keep track of the constantly emerging vulnerabilities that affect it. If not monitored, certificates can expire and new attacks are discovered even for mainstream ciphers and hashing algorithms. Add to that accidental server misconfigurations, unpatched systems, and flawed implementations, and the task of keeping systems current can become daunting. To make matters worse, commonly-used server configurations can be deprecated in major browsers/clients, breaking backwards-compatibility, providing a worse user experience for some, and leaving product maintainers scrambling to update certificates and settings quickly. For all these reasons, systems need constant vigilance to keep them up to date. This session will examine some steps which can be taken to keep up with the constantly changing landscape and demonstrate a few tools which can help manage and automate necessary updates to TLS/SSL endpoints.

Watch the Talk Video


Thursday October 22, 2015 12:00pm - 1:00pm
Gemalto Room Norris Conference Center, Austin

12:00pm

Designing Flexibility in Software to Increase Security
Structural engineering analyzes various types of load stresses on materials as a means of improving building strength. One important requirement in the proper design of a structure is the flexibility of the applied material. Materials that are too rigid will likely crack over time due to stress which may compromise the integrity of the structure.

Proper software architecture also requires a certain amount of flexibility in order to maintain proper security during the software's lifecycle. Factors such as software errors, modified encryption algorithms, physical architectures, data requirements or even modified regulatory compliance requirements will likely require changes in the software. Like its physical counterparts, software that is initially designed as "inflexible" will be difficult to change which will increase the probability of introducing new vulnerabilities. Unfortunately, software is sometimes "quick and dirty" in the rush to production which poses serious risks to sensitive data. Higher level languages like Java are not immune to this issue.

A personal example in how "inflexible" software development added a considerable amount of problems that impacted the product's bottom line will be given and tips will be provided to help improve developers' skills in writing better code.

Watch the Talk Video

Speakers

Larry Moore

Larry Moore has over sixteen years of Information Security experience as part of his thirty-year IT career. Larry has worked on diverse areas of Information Security including architecture, secure software development, penetration testing, server administration, project management and executive management. Larry has served at the State of Texas in their critical infrastructure protection and in the technical and financial sector. Larry...



Thursday October 22, 2015 12:00pm - 1:00pm
Cypress Room Norris Conference Center, Austin

1:00pm

PHP Security Redefined
Let’s be honest, PHP has had a rocky history with security. Over the years the language has been highly criticized for its lack of a focus on security and secure development practices. In more recent years, however, a resurgence has happened in the language and community, bringing secure development back into focus. With PHP 7 on the horizon, the language is making even more strides to improve some of its wayward ways of the past and reinvent itself. I’ll share practical code examples, tools, libraries and best practices that are making it easier than ever to keep PHP applications safe.

Come along with me as I guide you through both the language improvements and community encouragement making PHP a more secure place.

Watch the Talk Video

Speakers

Chris Cornutt

Application Security Engineer, Pardot
For the last 10+ years, Chris has been involved in the PHP community in one way or another. These days he's the Senior Editor of PHPDeveloper.org, lead author for Websec.io, a site dedicated to teaching developers about security, and the Securing PHP ebook series. He's also written for several PHP publications and has spoken at conferences in both the U.S. and Europe on security-related topics. He's also an organizer of the DallasPHP User Group...


Thursday October 22, 2015 1:00pm - 2:00pm
Under Armour Room Norris Conference Center, Austin

1:00pm

Mobile Connect – A better and secure user experience for online authentication.
The pervasive use of mobile devices and their integral role in accessing online services has created new opportunities for online authentication. At the same time, this trend poses significant challenges to providing a secure and usable mechanism for protecting sensitive data. There are several existing authentication methods with varying degrees of security and ease of use. For example, on one end of the spectrum we have systems that rely exclusively on passwords. These systems are easy to use but very insecure. On the other end we can think of systems relying on traditional PKI-based hardware tokens. These are hard to set up, and often equally hard to use. Between these two extremes we have a range of solutions such as one-time-code (OTC), one-time-password (OTP), SMS text, and out-of-band (OOB) delivery of credentials. Each of these approaches has its own pros and cons in terms of user experience and security. In general, existing authentication solutions that are easy to use often lack in security, and solutions that are very secure are invariably not so easy to use.

There is a need to have a secure authentication method with good user experience that leverages the existing available standards and technologies which make it easy to deploy. Mobile Connect is designed to address this need. Mobile Connect relies on existing standards, including OpenID Connect, and ETSI Mobile Signature Service, and is backed by GSMA, an international alliance of more than 800 mobile network operators worldwide. It enables mobile authentication with different levels of assurance. The technology behind Mobile Connect makes it possible for seamless rollout with minimal effort from Service Providers. For end users, the solution works on most if not all mobile phones, regardless of whether these are smart phones or feature phones.

In this talk we will introduce Mobile Connect, talk about deployment architecture and discuss various application use cases that address the security and usability needs of a world that is becoming increasingly mobile. We will also discuss how Mobile Connect and FIDO can complement each other and deliver solutions that break the traditional silos of authentication methods. In particular, we will cover the following topics:
1. Online authentication background, existing solutions and their limitations.
2. Overview of Mobile Connect and the existing standards and technologies it relies on.
3. Example of how Mobile Connect can complement existing solutions.
4. End user experience with respect to the use of Mobile Connect.
5. Technical as well as business-related challenges that influence adoption of Mobile Connect.

Watch the Talk Video

Speakers
Asad Ali

Principal Engineer, Gemalto
Asad Ali is a member of the senior technical community at Gemalto and heads the Research & Innovation group based in Austin, TX. His research interests have included smart card operating systems, web application frameworks, network security protocols, embedded file systems, secure portable tokens, cloud data encryption, adaptive authentication, and user-centric design methodologies. He holds numerous patents in the field of digital security, and has...
Benoit Famechon

Program Manager & Architect, Gemalto
Benoit Famechon is a senior program manager and architect at the Identity and Security Labs of Gemalto (Austin). He is currently heading a team to develop Mobile Identity based products using the GSMA specification. He has worked in embedded development for Telecommunication smartcards, Strong Authentication Server validation and certification and more recently for Trusted Service Management server as program manager for major US customers...
Najam Siddiqui

Software Architect, Gemalto
Najam Siddiqui is a member of the technical community at Gemalto and works in Research & Innovation group based in Austin, TX. His research interests include evolving authentication solutions, web application firewalls (WAF), one time password (OTP), cloud technologies (IaaS and PaaS) and optimizing DevOps.


Thursday October 22, 2015 1:00pm - 2:00pm
Gemalto Room Norris Conference Center, Austin

1:00pm

The Illusion of Control: Secrets Within Your Software Supply Chain
Every software development organization on the planet relies on a software supply chain that is consuming a massive volume of open source and third-party components at extremely high velocity. To provide a much clearer perspective on this volume and velocity, we can see that a global population of more than 11 million developers consumed over 20 billion components in 2014.

Those leading AppSec and DevOps practices who have pursued improved visibility, supplier choices, and control mechanisms across their software supply chains have boosted developer productivity by 15% - 40%, crumbled mountains of security debt, and shifted millions of dollars from sustaining operations to accelerating innovation.

Yet the vast majority of organizations developing software are blind to their free-for-all consumption volume, patterns, and velocity. Their software supply chain practices are silently sabotaging efforts to accelerate development, improve efficiency and maintain the integrity of their applications.

In June, I authored the 2015 State of the Software Supply Chain Report. It is a quantitative analysis of more than 106,000 "manufacturers" (software development organizations) consuming billions of open source and third-party software components from over 100,000 “suppliers” (open source projects).

While the average large organization in the study consumed 240,000 open source and third party software components in 2014, the study revealed:

- An average of 15,337 (7.5%) components consumed included known security flaws, impacting the integrity of operations

- 75% of organizations lack policies that control the use of open source and third-party components that are making their way through their software supply chains and into production

- An average application has 24 known critical or severe open source security flaws, electively built in by the development team

But this discussion is not intended to simply shed light on bad practices, it is about learning. Attendees will gain new visibility as to what’s happening in their own software supply chains, how to avoid these elective risks, and how leading technology, banking, and government organizations are applying proven supply chain principles from other industries toward improving their AppSec and DevOps practices.

Watch the Talk Video

Speakers
Derek E. Weeks

VP and DevSecOps Advocate, Sonatype
After flying to 40 countries and racing through a half-Ironman competition, Derek woke up one morning on the top of Kilimanjaro and saw the world in a new light. Soon after, Derek became a huge advocate of applying proven supply chain management principles to DevOps practices to improve efficiencies and sustain long-lasting competitive advantages. He currently serves as vice president and DevOps advocate at Sonatype, creators of the Nexus...


Thursday October 22, 2015 1:00pm - 2:00pm
Cypress Room Norris Conference Center, Austin

2:00pm

Keynote: Jack Daniel

Speakers
Jack Daniel

Tenable Network Security
Jack likes long walks on the beach with craft cocktails and tiki drinks- while talking about vulnerability management, continuous monitoring, and community building.


Thursday October 22, 2015 2:00pm - 3:00pm
Contrast Security Ballroom Norris Conference Center, Austin

3:00pm

The 13 best golang security tips you'll evar hear!
Yesterday the developer community was all about Javascript and node, and today everyone's talking about "Go", and perhaps writing applications and services in your enterprise using Go. In this talk, I'll cover practical advice to build more secure applications written in Golang, and cover best practices that all developers should be adhering to when building go apps.

Unlike ALL the other talks, you don't have to wait till LASCON 2015 to listen to this talk. As a part of the abstract, the 1st tip is free!

Best Golang security tip evar #1: use crypto/rand to generate secure random numbers
Remember when all your developers kept using java.util.Random and didn't realize it wasn't a secure random number generator? Well, golang makes this mistake a lot harder to make. A quick Google search on "secure random number in golang" only gives you 1 result: use crypto/rand. The creators of Go realized that developers kept making this mistake, and added 1 solid way to generate random numbers. This lessened the need for other developers to create their own home-baked secure random number generators, and avoided vulnerabilities.
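Tip #1 in working Go, added here as an editorial example and not part of the talk: a crypto/rand-backed session token, a bounded integer without modulo bias, and a numeric one-time code, with a seeded math/rand token alongside to show the java.util.Random-style mistake the tip warns about. The function names and the token sizes are this example's own choices.

```go
package main

import (
	"crypto/rand"
	"encoding/base64"
	"encoding/hex"
	"fmt"
	"math/big"
	mrand "math/rand"
)

// SecureToken returns n bytes from crypto/rand as URL-safe base64.
// crypto/rand reads from the operating system's CSPRNG (getrandom(2) or
// /dev/urandom on Linux, the platform equivalent elsewhere); it never needs
// seeding and is the generator to use for session IDs, API keys, CSRF tokens
// and password-reset links.
func SecureToken(n int) (string, error) {
	if n <= 0 {
		return "", fmt.Errorf("token length must be positive, got %d", n)
	}
	b := make([]byte, n)
	// rand.Read is documented to return an error only if the OS entropy
	// source fails. Fail closed: never fall back to math/rand here.
	if _, err := rand.Read(b); err != nil {
		return "", fmt.Errorf("crypto/rand unavailable: %w", err)
	}
	return base64.RawURLEncoding.EncodeToString(b), nil
}

// SecureIntn returns a uniformly distributed integer in [0, limit).
// rand.Int does rejection sampling internally, which avoids the modulo
// bias of the tempting "rand.Read(b); int(b[0]) % limit" shortcut.
func SecureIntn(limit int64) (int64, error) {
	if limit <= 0 {
		return 0, fmt.Errorf("limit must be positive, got %d", limit)
	}
	v, err := rand.Int(rand.Reader, big.NewInt(limit))
	if err != nil {
		return 0, err
	}
	return v.Int64(), nil
}

// RandomCode returns a numeric one-time code of the given length, each
// digit drawn independently and uniformly from the CSPRNG.
func RandomCode(digits int) (string, error) {
	if digits <= 0 {
		return "", fmt.Errorf("digits must be positive, got %d", digits)
	}
	code := make([]byte, digits)
	for i := range code {
		d, err := SecureIntn(10)
		if err != nil {
			return "", err
		}
		code[i] = byte('0' + d)
	}
	return string(code), nil
}

// InsecureToken is the java.util.Random-style mistake, kept for contrast:
// math/rand is a deterministic PRNG, so anyone who learns or guesses the seed
// (commonly time.Now().UnixNano(), or the fixed default seed in Go < 1.20)
// can reproduce every "random" value it ever produced.
func InsecureToken(seed int64, n int) string {
	r := mrand.New(mrand.NewSource(seed))
	b := make([]byte, n)
	r.Read(b) // (*math/rand.Rand).Read never returns an error
	return hex.EncodeToString(b)
}

func main() {
	tok, err := SecureToken(32) // 256 bits of entropy, 43 base64 characters
	if err != nil {
		panic(err)
	}
	code, _ := RandomCode(6)
	fmt.Println("session token:", tok)
	fmt.Println("one-time code:", code)
	// Same seed, same "random" output: the property an attacker exploits.
	fmt.Println("math/rand seed 42:", InsecureToken(42, 8), InsecureToken(42, 8))
}
```

The only decision left to the caller is the size: 16 bytes is the usual floor for an unguessable identifier, 32 bytes is comfortable for anything that gates authentication.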

Hear the rest of the content at the conference!

Watch the Talk Video

Speakers
Karthik Gaekwad

Senior member of technical staff, Oracle
Karthik is a developer who lives in Austin and loves 3 things: BBQ, containers, and the Austin tech scene! While he's not working on the Container Cloud team at Oracle, he runs the local Devopsdays and Container Days conferences as well as the Docker meetup and CloudAustin. He's been in technology for over 10 years, building products at both large enterprises and startups.


Thursday October 22, 2015 3:00pm - 4:00pm
Under Armour Room Norris Conference Center, Austin

3:00pm

Security for Non-Unicorns
Security is becoming quite the thing nowadays; everyone wants to have one of them. The mantra that things should be built with security in mind and can't be plastered on later is a very important one if you're based in Silicon Valley and are about to write "teh new hotness", but what happens if your company is older than, say, 6 months? You already have some legacy systems and code. I'll be talking about how it's possible to unearth some of these things, what happens when you do uncover them, how to stop them happening, and coping strategies for dealing with them.

Watch the Talk Video

Speakers
Ben Hughes

Lead Security Guard, Etsy


Thursday October 22, 2015 3:00pm - 4:00pm
Contrast Security Ballroom Norris Conference Center, Austin

3:00pm

Getting Security up to Speed (with CI/CD)
Continuous Integration and Continuous Deployment (CI/CD) has become a must for many progressive organizations, and SAMI’s OpenCloud team is not an exception. While we are a part of a very big global company called Samsung, OpenCloud Dev and Security teams are rather small; the tasks and mission that we're trying to accomplish are anything but.

Come to our presentation to learn about our way of automating security, which we dubbed Threadfix-Centric Application Security Architecture. You will learn in this session:

1. Why and how the traditional approach to AppSec needs to be changed.
2. Why security testing is not the same as QA testing.
3. What requirements we considered when choosing tools and building security automation framework.
4. Why Threadfix is not just yet another security dashboard.
5. What is the making of security.

Finally, as a bonus we'll tell you how to use QA regression tests for even better coverage in AppSec testing.

Watch the Talk Video

Speakers
Oleg Gryb

Sr. Manager, Security Engineering, Samsung Strategy and Innovation Center
Oleg Gryb is Sr. Manager working in the application security domain at Samsung Strategy and Innovation Center. He was previously Security Architect at Intuit, where he created application and security architecture for financial and business applications processing highly sensitive data. Oleg participates actively in creating open source software in security, identity management and other domains. He has a lot of passion around embedding...
Sanjay Tambe

Security Architect, Samsung Strategy & Innovation Center
Sanjay Tambe is working as Security Architect at Samsung Strategy & Innovation Center. He is working on security of the cloud-based SAMI Internet of Things (IoT) platform. Previously he worked as Core Security Champion at Intuit, where he ensured security of applications such as Mint running in the AWS cloud. Prior to that he worked for Wells Fargo Bank as Security Specialist VP, where he ensured security of high volume customer facing web & mobile...


Thursday October 22, 2015 3:00pm - 4:00pm
Cypress Room Norris Conference Center, Austin

4:00pm

The Node.js Highway: Attacks Are At Full Throttle
Node.js is the drive-and-go language and its popularity is soaring. Five years after its debut, the language's framework boasts more than 2M downloads a month.

Before accelerating too quickly, it is important to understand the power – and corresponding mishaps – of this language.

In this talk, we demonstrate new attack techniques against applications built on top of the Node.js language.

Attacks include:

· Application-layer DDoS attacks. Bringing a server to its knees with just 4(!) requests.

· Password exposure attacks. Leveraging the “Forgot My Password” feature of applications in order to reveal the passwords of all the application’s users

· Business logic attacks. Running malicious code on all machines of users of the applications when exploiting a weak business feature

Watch the Talk Video

Speakers
Igor Matlin

Senior Solutions Architect, Checkmarx
Developer, traveler, mobile technology junkie...and over 20 years of technical experience in high-tech companies as a software engineer and technical lead. Prior to joining Checkmarx as a Senior Solutions Architect, I worked on mobile technologies at Myriad Group, a leading mobile software company, and mobile browser developer Novarra, acquired by Nokia in 2010.


Thursday October 22, 2015 4:00pm - 5:00pm
Under Armour Room Norris Conference Center, Austin

4:00pm

Speed Debates
The speed debates are back, this time with a Back to the Future theme.

Watch the Debates Video

Speakers
Matt Tesauro

OWASP Foundation
Matt Tesauro is currently working full-time for the OWASP Foundation, adding automation and awesome to OWASP projects. Previously, he was a founder and CTO of Infinitiv, a Senior Software Security Engineer at Pearson and the Senior Product Security Engineer at Rackspace. He is also an Adjunct Professor for the University of Texas Computer Science department, teaching the next generation of CS students about Application Security. Matt is...


Thursday October 22, 2015 4:00pm - 5:00pm
Contrast Security Ballroom Norris Conference Center, Austin

4:00pm

Agile Security: The fails that nobody told you about
Buzzwords about Agile are flying around at overwhelming speed; talks about Scrum, Kanban, XP and other methodologies and practices are thoroughly discussed, while security is still left as a 'high level' talk or sometimes as understanding how to adapt from traditional development methodologies. Some best practices will leave you scratching your head, unsure what the original intention was and without understanding how to implement security in Agile effectively. This lecture will bring all the undocumented failures during such a process, and the best ways of avoiding them prior to experiencing them.

Watch the Talk Video

Speakers
Daniel Liber

R&D Security Leader, CyberArk
Daniel Liber is the R&D security leader in CyberArk, a leader in securing enterprises against cyber attacks that take cover behind insider privileges and attack critical enterprise assets. Previously he worked as an application security consultant for Comsec Consulting, working with customers from industries such as banking, finance, telecom and governmental offices. Daniel also served as a principal security team leader at Bank Leumi...


Thursday October 22, 2015 4:00pm - 5:00pm
Cypress Room Norris Conference Center, Austin

5:00pm

Happy Hour!
Thursday October 22, 2015 5:00pm - 7:00pm
Contrast Security Ballroom Norris Conference Center, Austin

5:00pm

Ride the Bull!
Thursday October 22, 2015 5:00pm - 7:00pm
Gemalto Room Norris Conference Center, Austin
 
Friday, October 23
 

8:30am

Registration Opens
Moderators
Philip Beyer

Senior Director, Information Security, The Advisory Board Company

Friday October 23, 2015 8:30am - 9:00am
Contrast Security Ballroom Norris Conference Center, Austin

9:00am

Keynote: Kelly Lum

Speakers
Kelly Lum

Security Engineer, Tumblr


Friday October 23, 2015 9:00am - 10:00am
Contrast Security Ballroom Norris Conference Center, Austin

10:00am

What Do You Mean My Security Tools Don’t Work on APIs?!!
How do you verify and protect your APIs, REST and SOAP services, and custom interfaces? They’re everywhere in modern webapps, mobile, IoT, and more. And they're just as susceptible to injection, unauthorized access, account hijacking, and other attacks as traditional web applications. But traditional static (SAST) and dynamic (DAST) scanners simply don’t work on APIs. In this talk, Jeff will discuss techniques and challenges testing and protecting modern service-based web applications, like ones running Spring Security, Spring Boot, and Angular JS. Jeff will discuss the use of security instrumentation to identify vulnerabilities in APIs during development, and protecting those APIs in production. Instrumentation has revolutionized the field of performance management, which (like application security) used to be dominated by experts using expert tools to generate PDF reports. We'll explore how instrumentation can allow application security to work on APIs, work in conjunction with Waterfall/Agile/Devops, scale to entire application portfolios, and change the way we practice application security.

Watch the Talk Video

Speakers
Jeff Williams

CTO, Contrast Security
Jeff Williams is a co-founder and CTO of Contrast Security, the world's fastest and most accurate application security technology. Previously, Jeff was a founder and CEO of Aspect Security. He also served as Global Chairman of the OWASP Foundation, where he created many open-source standards, tools, libraries, and guidelines, including the OWASP Top Ten, WebGoat, ESAPI, XSS CheatSheet, ASVS and more. Jeff welcomes hearing from you and...


Friday October 23, 2015 10:00am - 11:00am
Cypress Room Norris Conference Center, Austin

10:00am

Bits & Bytes Meet Flesh & Blood: Rugged DevOps for IoT

Speakers
Joshua Corman

CTO, Sonatype; Founder, I am The Cavalry; Founder, Rugged
Joshua Corman is a Founder of I am The Cavalry (dot org) and Director of the Cyber Statecraft Initiative for the Atlantic Council. Corman previously served as CTO for Sonatype, Director of Security Intelligence for Akamai, and in senior research & strategy roles for The 451 Group and IBM Internet Security Systems. He co-founded @RuggedSoftware and @IamTheCavalry to encourage new security approaches in response to the world's increasing...


Friday October 23, 2015 10:00am - 11:00am
Contrast Security Ballroom Norris Conference Center, Austin

10:00am

Problems you'll face when building a software security program
I've been building software security programs for nearly a decade, and continue to observe the same challenges. Adding security into the dev process relies heavily on dev's own processes which can make implementing a software security program difficult. This talk will communicate common challenges when building a software security program, tips and tricks for addressing them, and expectations you'll need to improve the security of your company's software.

Watch the Talk Video

Speakers
Robert Auger

Manager - Application Security, Box Inc


Friday October 23, 2015 10:00am - 11:00am
Gemalto Room Norris Conference Center, Austin

10:00am

Mobile Landscape: The Security of Wearables
By 2019, there will be half a billion wearable devices in use every single day. These wearable devices track everything from your heart rate, number of steps taken, distance you have traveled, GPS locations, insulin levels, etc. Wearable security encompasses many facets of security, and includes the security of other devices and communication protocols. Device security, application security, and network security all play an important role in the overall security posture of said wearables. Part of being a security researcher is understanding how each of the security controls work, understanding potential threats to the wearables, and how the wearable devices interact with other connected devices. This talk will help listeners understand the threat landscape of wearable devices and what to think about when developing applications for wearables.

Watch the Talk Video

Speakers
David Lindner

Vice President of Solutions, nVisium
David Lindner is an experienced Application Security Professional with over 15 years of experience in the computer security industry. During this time, David has worked within multiple disciplines in the security field, from application development, network architecture design and support, IT security and consulting, to application security. David has specialized in all things related to mobile applications and securing them. David has supported...


Friday October 23, 2015 10:00am - 11:00am
Under Armour Room Norris Conference Center, Austin

11:00am

Automate Security Tests for APIs with Syntribos, an Open Source Security Scanner
RESTful APIs are an increasingly common attack vector for applications. Despite this ever-present threat, open source and commercial vendor support for automatic API security scanners remains limited. With the rate at which APIs are developed, enhanced and deployed, this lack of security test automation creates a gap that at its best limits adoption, and at its worst may leave an application open to attack. To fill the gap in security testing efficiency, members of the Rackspace Quality Engineering and Security Engineering teams worked together to create an Open Source, automated API security scanner.

Syntribos is a flexible, automated scanner that provides configurable test coverage for any RESTful API, and has significantly improved the security test workflow at Rackspace. In this talk, you'll understand the potential for Syntribos automation in your security program as we

• Discuss the design and architecture details
• Illustrate the simple configuration requirements
• Lay out the painless steps for adding new test types
• Describe the plugin support

Learn how Syntribos enables you to test RESTful APIs in an automated way, helping to detect and eliminate common security vulnerabilities such as SQL injection, command injection, denial of service attacks, and more.

Watch the Talk Video 

Speakers
Nathan Buckner

Software Developer in Test III, Rackspace
Nathan Buckner is currently a Senior Software Developer at Rackspace. He has had a passion for computers and technology since before he learned about them in the Army while serving as a Signal Support Systems Specialist. Following his Army career, he moved on to pursue his passion for Computer Science, enrolled in UTSA and earned a bachelor's in Computer Science with a concentration in Security. Upon completing this he worked as a software developer...
Matthew Valdes

Security Developer, Rackspace


Friday October 23, 2015 11:00am - 12:00pm
Cypress Room Norris Conference Center, Austin

11:00am

It Takes a Village: Effective Collaboration in Security
All security professionals commit preventable workplace mistakes: We trust our intuition when impaired by cognitive bias, and we interpret the words and actions of others incorrectly, leading to ineffective communication. These mistakes lead to poor, inconsistent relationships with everyone involved in the development lifecycle. We can address them by understanding the behavior of others and by learning to architect objective decisions.

Speakers
Philip Beyer

Senior Director, Information Security, The Advisory Board Company



Friday October 23, 2015 11:00am - 12:00pm
Gemalto Room Norris Conference Center, Austin

11:00am

MQTT and CoAP: A Story about IoT Protocol Security
As we started to connect more devices and use Machine-to-Machine (M2M) communications in the IoT world, protocols better suited than HTTP were needed to make it possible. These protocols were designed for constrained devices with less processing power, less power consumption, and frequent communications. Like many protocols that have come before them, there is always a little bit of security gray area and the potential to introduce interesting security flaws into concrete implementations. Implementing these protocols across many different programming languages, frameworks, and device platforms adds to the complexity of developing secure real-world systems.

In this presentation we will explore two of the most commonly used IoT protocols, MQTT and CoAP. We will explore how they work, protocols they’re designed to work with, and common architectures. Attacks against the protocols and specific implementations will be demonstrated that can be used to impersonate other devices, knock systems offline, and potentially execute remote code. We will demonstrate how to mitigate these issues within your own code as well as library and framework issues to watch out for.

Speakers
Jack Mannino

CEO, nVisium


Friday October 23, 2015 11:00am - 12:00pm
Under Armour Room Norris Conference Center, Austin

11:30am

Lunch
Friday October 23, 2015 11:30am - 1:30pm
Contrast Security Ballroom Norris Conference Center, Austin

12:00pm

Static Analysis Security Testing for Dummies… and You
Most enterprise application security teams have at least one Static Analysis Security Testing (SAST) tool in their tool-belt; but for many, the tool never leaves the belt. SAST tools have gotten a reputation for being slow, error-prone, and difficult to use; and out of the box, many of them are – but with a little more knowledge behind how these tools are designed, a SAST tool can be a valuable part of any security program.

In this talk, we'll help you understand the strengths and weaknesses of SAST tools by illustrating how they trace your code for vulnerabilities. You'll see out-of-the-box rules for commercial and open-source SAST tools, and learn how to write custom rules for the widely-used open source SAST tool, PMD. We'll explain the value of customizing tools for your organization, and you'll learn how to integrate SAST technologies into your existing build and deployment pipelines. Lastly, we'll describe many of the common challenges organizations face when deploying a new security tool to security or development teams, as well as some helpful hints to resolve these issues.

Speakers
Kevin Fealey

Principal Consultant, Aspect Security
Kevin Fealey is a Principal Consultant and lead of Aspect Security's Automation and Integration Services Division. He specializes in automating commercial, open source, and custom tools to provide faster security feedback to developers and real-time security dashboards to executives. Kevin strives to minimize disruptions to existing developer processes by integrating security transparently into the development process. Kevin has spoken about...


Friday October 23, 2015 12:00pm - 1:00pm
Cypress Room Norris Conference Center, Austin

12:00pm

Big Data, What's the Big Deal?
In the rush to reap the benefits from Big Data projects, organizations frequently forget the importance of securing and protecting their "Crown Jewels". From a security and privacy perspective, Big Data differs from traditional data and requires a different approach. At the same time, it shares many commonalities. Existing methodologies and preferred practices can easily be extended to support Big Data. This talk will describe how and why Big Data is different, the data security and privacy challenges, and a set of best practices and recommended technical controls that will help you to secure and protect your organization's Crown Jewels.

Friday October 23, 2015 12:00pm - 1:00pm
Gemalto Room Norris Conference Center, Austin

12:00pm

Connected Vehicle Security
Connected cars top the list on consumer Internet of Things (IoT) wish lists, and automakers are already delivering the first wave of products. As quickly as the automakers are adding features, security researchers are finding and exploiting flaws, largely for notoriety and attention from the press. But it won’t be long before cyber criminals find a financial motive for hacking vehicles, the surveillance value of installing malware is identified, and hacktivists realize the potential, as well.

We’ll look at some of the flaws already presenting themselves in connected vehicles, what automakers can do to get ahead of the threat before the threat actors cause damage, and how everyone can influence the safety and privacy of not just connected vehicles, but the Internet of Things.


Friday October 23, 2015 12:00pm - 1:00pm
Under Armour Room Norris Conference Center, Austin

1:00pm

The ThreadFix Ecosystem: Vendors, Volunteers, and Versions
ThreadFix is an open source application vulnerability management system that helps automate many common application security tasks and integrate security and development tools. This presentation looks at the components of the platform and how they work together to help developers and application security analysts build more secure software. In addition to being a platform, ThreadFix is also an ecosystem of users and volunteers and the presentation will look at several case studies of how these groups have worked together to extend and improve the ThreadFix platform.

Speakers
Dan Cornell

CTO, Denim Group
A globally recognized application security expert, Dan Cornell holds over 15 years of experience architecting, developing and securing web-based software systems. As Chief Technology Officer and Principal at Denim Group, Ltd., he leads the technology team to help Fortune 500 companies and government organizations integrate security throughout the development process.


Friday October 23, 2015 1:00pm - 2:00pm
Under Armour Room Norris Conference Center, Austin

1:00pm

Your Last Manual Assessment
This is not a talk about integrating ZAP with Jenkins ;). Security has fallen behind the automation used by the rest of the software industry, and I’ll show you how we can catch up. There are plenty of automated tools used in our profession. For mission critical applications, none of them provide the coverage we need to sleep easy. Manual testing can also be extremely time consuming. This talk will show you how to turn any manual assessment into an automated script. I’ll demonstrate how to solve the more difficult aspects of security automation like XSS validation by utilizing browser hooks. Finally, I’ll cover how to build robust automated security tests that are ready to be plugged into a continuous delivery system.

Speakers
Greg Anderson

Senior Security Engineer, Pearson
Greg Anderson is a security professional with diverse experience ranging from vulnerability assessments to intrusion detection and root cause analysis. Though he primarily focuses on cloud security, Greg's recent endeavors have been centered around incorporating vulnerability assessments into continuous delivery systems. Greg's previous work focused on unconventional attack vectors and how to maximize their impact while avoiding...


Friday October 23, 2015 1:00pm - 2:00pm
Cypress Room Norris Conference Center, Austin

1:00pm

The Culture of Security
Security is comprised of people, process and technology. As security professionals we are naturally drawn to the new shiny thing. Yet how important is the culture of security to the overall security posture of an organization? Is your industry a bigger target than others? Let's brainstorm together with a hot cup of java and share nuggets of security stories from our lives to see what works and what does not.

Speakers
Sammy Boss

Information Security, EA
Humbly considered a security thought leader across different industries like Entertainment, Finance, Healthcare and Insurance. Likes to look at security from the business perspective: how can we adapt ourselves to the culture of the company to make security more effective? Preaching to the disbelievers and not to the choir, to improve development and system administration practices. Loves working with people to resolve conflicting priorities and...


Friday October 23, 2015 1:00pm - 2:00pm
Gemalto Room Norris Conference Center, Austin

2:00pm

New Farming Methods for the Epistemological Wasteland of Application Security
Over the years, application security (appsec) has made progress, but it has also made some considerable missteps. Appsec focuses almost solely on developer awareness and secure development training as remediation. This isn't sustainable and arguably does little good. There is a better way, but we have to separate ourselves from the core assumptions we have made that got us here. Let's journey together to find old truths and better approaches.

We will explore ways to make a change for the better across all levels of the development lifecycle, but we will focus on security testing early on in the development process. From this session, you will learn pragmatic approaches and tooling that will affect your development processes and delivery pipelines. You will walk away with code examples and tools that you can put into practice right away for security and rugged testing.

Friday October 23, 2015 2:00pm - 3:00pm
Under Armour Room Norris Conference Center, Austin

2:00pm

Hack Wars - A New Hope
In this talk, you will join forces with Jedi RAPst4r (Reuben Paul), some cool pilots (parents & mentors), Wookiees (supporters), and possibly droids to show how the CyberUniverse can be saved from evil Dark inVaders (cyber criminals, cyberbullies ...). Come for a fun-filled, light-weight talk and learn about “what” and “who” is the … NEW HOPE and “why?”

Speakers
Reuben Paul

Reuben, who goes by the name RAPst4r, is a 9-year-old kid attending the Harmony School of Science in Austin, TX. He is an invited speaker, delivering awareness talks on the importance of teaching CyberSecurity to kids and parents. He has been featured at several industry-leading Information Security conferences, delivering talks and keynotes at RSA, DerbyCon, (ISC)2 Security Congress, Houston Security Conference, Ground Zero InfoSec...


Friday October 23, 2015 2:00pm - 3:00pm
Cypress Room Norris Conference Center, Austin

2:00pm

Technology, Privacy and the Law: New Challenges for Non-Profits
With a continued rise in the number of victims of violence in the United States, there has been a rise in organizations being formed to help the victims. According to a report published in January 2015, 20 people per minute fall victim to physical violence by an intimate partner. Today, victims of violence and the organizations chartered to help them face greater challenges with the emergence of powerful technologies and access to the Internet 24 hours a day. This talk will explore how crisis organizations now face greater risks in the digital domain, not just from attack but also in striking a clear and appropriate balance between information security, privacy and the law; a challenge that many non-profit organizations are facing.

Speakers
Kelley Misata

Executive Director, The Open Information Security Foundation
Kelley Misata, Ph.D. Candidate and Executive Director of the Open Information Security Foundation, combines her experience in business leadership with a passion for facilitating critical conversations around responsible digital citizenship, cyber security, and freedom of speech online. Her current work with The Open Information Security Foundation and recent work at The Tor Project spans fundraising, advocacy, policy discussions, marketing...


Friday October 23, 2015 2:00pm - 3:00pm
Contrast Security Ballroom Norris Conference Center, Austin

2:00pm

Hack the Cloud Hack the Company: the Cloud Impact on Enterprise Security
iSEC Partners routinely carry out Attacker Modeled Penetration Tests that use any and all means possible to gain entry to a company. The goal is to test organizations against the true-to-life attack and penetration activities that real attackers use in the breaches that make headline news (and the breaches that don't).
Organizations that use Cloud Services to provision an operating environment to support a product, or use Cloud Service Providers to outsource elements of traditional enterprise IT into the Cloud, can find those very aspects used against them in an attack. While the potential attack surface for a breach changes, in many ways the use of Cloud infrastructure can make it easier for an attacker to gain access to critical systems and data. In this session the speaker will describe methods of penetration used during recent tests, illustrating how Cloud Services are viable entry points that lead to significant compromises. The following areas will be discussed:
- Common mistakes in deploying Internet-facing Cloud infrastructure
- Replication and communication paths between Cloud and on-premises infrastructure
- Effective ways for attackers to gain access to the Cloud Service administration console
- How the use of Cloud Services is weakening enterprise IT security
- Methods for securing Cloud Services, closing vulnerabilities and protecting the company

Speakers
Kevin Dunn

Technical VP, NCC Group
Kevin Dunn is Technical Vice President for NCC Group in Austin, TX. Kevin has been a professional security consultant for over 14 years, working on diverse projects and challenging technologies for the world’s largest and most demanding companies. He has delivered technical training and spoken at security conferences all over the USA and Europe across the majority of his career. His current responsibilities include active delivery of security...


Friday October 23, 2015 2:00pm - 3:00pm
Gemalto Room Norris Conference Center, Austin

3:00pm

Httpillage: Calling all nodes
Limiting application security tests to a single attacking host has left the industry using phrases such as “an attacker could” or “an attacker may be able to” when referencing common attacks such as online attacks against user credentials, application-level denial of service and username enumeration. Attacks from a single host are not practical and do not model real-world threats. The aforementioned tasks would benefit greatly from the ability to distribute across different hosts to properly demonstrate impact.

Httpillage is a tool designed to distribute HTTP(S)-based attacks across multiple nodes, in a similar fashion to a traditional botnet C&C server. Common attacks such as online password brute-force, denial of service, and application enumeration are entirely possible to distribute, increasing speed and effectiveness.

This talk will demonstrate the use of httpillage to launch common attacks across multiple nodes, including the ability to brute-force time-based password reset tokens. We’ll walk through scenarios that demonstrate how to provide proper impact demonstration, launching attacks that would not be successful during a traditional pentest.

Friday October 23, 2015 3:00pm - 4:00pm
Cypress Room Norris Conference Center, Austin

3:00pm

How Google Turned Me Into My Mother: The Proxy Paradox In Security
Security has been trying to catch up with technology all this time, but the gap may well be increasing, particularly with the growth of consumer devices and the Internet of Things. The reason has to do with delegation and proxy activities online. Current IAM models are no match for the real world of legal, fiduciary and minor representation. In this session, we’ll talk about what needs to change so that both security and privacy are truly available to all members of society.

Friday October 23, 2015 3:00pm - 4:00pm
Contrast Security Ballroom Norris Conference Center, Austin

3:00pm

Security Automation in the Agile SDLC - Real World Cases
How can we really automate secure coding? Agile, DevOps, Continuous Integration, Orchestration, Static, Dynamic: there's an endless feed of buzzwords, but how can we turn this into a practice that really works? In this session we will review real-world examples of building a successful automation process for the delivery of secure software in fast-paced development environments.

Speakers

Director of Security Strategy, Synopsys


Friday October 23, 2015 3:00pm - 4:00pm
Gemalto Room Norris Conference Center, Austin

4:00pm

Closing Remarks, Contest Results
Friday October 23, 2015 4:00pm - 5:00pm
Contrast Security Ballroom Norris Conference Center, Austin