LASCON 2018 has ended


Tuesday, October 23
 

9:00am CDT

Two-Day Training: AppSec Automation: DevSecOps, Pipelines, APIs and Getting Things Done Faster w/Matt Tesauro (Day 1)

Note: This is a two day, hands-on course

Any optimization outside the critical constraint is an illusion. In application security, the size of the security team is always the scarcest resource, and the best way to get more out of it is automation. This training provides an overview of key application security automation principles and hands-on experience building an Application Security Pipeline augmented with automation. Over two days, students cover where and when to add automation to their application security practices and gain experience integrating APIs, setting up continuous testing, integrating ChatOps (Slack), automating security scanning with Docker, consolidating and de-duplicating security issues, automating submission of issues to defect trackers, and generating reports and metrics automatically. Students should leave with a firm understanding of how to apply DevOps and Agile concepts to optimize their security programs using local and cloud infrastructure.

The labs consist of a series of exercises that build on each other to construct an AppSec Pipeline geared towards continuous testing. After each fundamental part of the pipeline is discussed, students complete a lab constructing that portion of their own AppSec Pipeline. Although the labs are somewhat scripted, they provide working examples of every key concept needed to add automation to an AppSec program, so students see the concepts in action before returning to work and applying them to their own situation. The class uses OWASP’s AppSec Pipeline and Defect Dojo projects, so students can take the lessons and tools with them to solve security automation challenges.
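One of the pipeline steps named above is consolidating and de-duplicating findings that several scanners report against the same code. The script below is an added illustration of that step; it is not code from the course or from OWASP Defect Dojo. The scanner output, the field names (tool, file, line, cwe, severity) and the line-bucket size are assumptions for the demonstration, since real tools emit their own schemas that a pipeline would normalise first.

```python
"""Consolidate and de-duplicate findings from several scanners (added example)."""
import hashlib
from collections import defaultdict

SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed sample output from two hypothetical SAST tools: both report the
# same SQL injection (on slightly different lines), one reports it twice, and
# one reflected XSS is unique.
RAW_FINDINGS = [
    {"tool": "sast-a", "file": "app/db.py", "line": 41, "cwe": 89, "severity": "high",
     "title": "SQL injection via string concatenation"},
    {"tool": "sast-b", "file": "app/db.py", "line": 43, "cwe": 89, "severity": "medium",
     "title": "SQL Injection"},
    {"tool": "sast-a", "file": "app/db.py", "line": 41, "cwe": 89, "severity": "high",
     "title": "SQL injection via string concatenation"},
    {"tool": "sast-b", "file": "app/views.py", "line": 12, "cwe": 79, "severity": "medium",
     "title": "Reflected XSS"},
]


def dedup_key(finding, line_bucket=10):
    """Stable key: same CWE in the same file within a small line window.

    Tools disagree on the exact line (sink vs. source, off-by-one), so lines
    are bucketed; the bucket size is a tunable assumption of this example.
    """
    bucket = finding["line"] // line_bucket
    raw = f"{finding['file']}|{finding['cwe']}|{bucket}"
    return hashlib.sha256(raw.encode()).hexdigest()[:16]


def consolidate(findings):
    """Merge duplicates, keep the highest severity, record every reporting tool."""
    merged = {}
    for f in findings:
        key = dedup_key(f)
        if key not in merged:
            entry = {**f, "tools": {f["tool"]}, "duplicates": 0}
            entry.pop("tool")
            merged[key] = entry
            continue
        m = merged[key]
        m["tools"].add(f["tool"])
        m["duplicates"] += 1
        if SEVERITY_RANK[f["severity"]] > SEVERITY_RANK[m["severity"]]:
            m["severity"] = f["severity"]
            m["title"] = f["title"]
    # Highest severity first, so the defect tracker submission is prioritised.
    return sorted(merged.values(), key=lambda m: -SEVERITY_RANK[m["severity"]])


def summary(findings):
    """Counts by severity, the kind of number a metrics report wants."""
    counts = defaultdict(int)
    for f in findings:
        counts[f["severity"]] += 1
    return dict(counts)


if __name__ == "__main__":
    unique = consolidate(RAW_FINDINGS)
    for u in unique:
        print(u["severity"], u["file"], u["cwe"], sorted(u["tools"]), u["duplicates"])
    print(summary(unique))
```

Four raw findings collapse to two tickets, and the SQL injection carries both tools' names and a duplicate count, which is what lets a report say how often independent tools agree.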

Course Outline
Introduction 
* Application Security Programs
* AppSec – Current State of Affairs
* AppSec Pipelines – Why?
* Lab #1 – Getting to know the Lab Dockers
Docker Overview 
* Docker Fundamentals
* Dockerfiles, volumes, layers and more
* Being productive with Docker
DevOps and AppSec (Quick Overview) 
* The Three Ways of DevOps
* The First Way
* The Second Way
* The Third Way
Setting up your AppSec Pipelines 
* Intake
* Lab #2 - Defect Dojo’s take on Intake
* Orchestration
* Engagements
* Lab #3 - Defect Dojo’s take on Engagements
* Tools
* Data Management
* Lab #4 - Dojo to Manage Data
* Output of the AppSec Pipelines
* Lab #5 – Getting Results to Dev teams
Continuous Testing with OWASP AppSec Pipeline 
* AppSec Pipeline Overview
* Adding Security Tests to the AppSec Pipeline
* Optimizing tool profiles in the AppSec Pipeline
* Adding Infrastructure testing to the AppSec Pipeline
* Taking things full circle: Find, Report, Remediation and Re-Test
* Lab #6 – Demo/Lab of the AppSec Pipeline running security tests
Conclusion

Required Materials
What Should Students Bring? A 64-bit laptop capable of running Docker. Custom Docker images containing all the software needed for the labs will be provided.

Speakers

Matt Tesauro

Security Engineer, Citizen of the World
Matt Tesauro is currently rolling out AppSec automation at a major financial institution and is a founder of 10Security. Prior work included the Director of Community and Operations at the OWASP Foundation, Senior AppSec Engineer building an AppSec Pipeline and continuous security...


Tuesday October 23, 2018 9:00am - 5:00pm CDT
Magnolia A Room

9:00am CDT

Two-Day Training: Attacking Windows w/Powershell & Enterprise Active Directory Attack Playbook w/Aelon Porat (Day 1)

Attacking Windows Environments with Powershell: Intro

This condensed, hands-on workshop introduces students to PowerShell’s offensive and defensive capabilities, showing why it appeals to sysadmins, defenders and attackers alike. We’ll perform different attacks using popular frameworks as well as our own custom attack scripts. We’ll bypass antivirus and application whitelisting and connect to our proof-of-concept command-and-control servers as we remotely take over a computer: stealing documents, grabbing screen and email content, turning on the mic and webcam, controlling the mouse and keyboard, modifying settings, defeating two-factor authentication and executing programs at will, anything a real attacker might do. From the defender’s perspective, we’ll understand how such attacks work, review the artifacts they leave behind and examine some of the holes that allow them to take place. Time permitting, we’ll also write scripts that monitor and alert on some of the more common attacks.

Students are expected to understand Windows operations and network infrastructure, but no prior Powershell experience is required.

Students will need to bring their own computer, capable of simultaneously running at least two guest Windows 10 VMs.

Speakers

Aelon Porat

Aelon Porat is an information security manager at Cision and a content provider at vali.training. He has extensive experience attacking and defending corporate environments. Aelon likes to jump inside networks and out of planes, and in his spare time, he enjoys demoing, speaking...


Tuesday October 23, 2018 9:00am - 5:00pm CDT
Magnolia B Room

9:00am CDT

Two-Day Training: Container Security, Serverless and Orchestration Training w/Nithin R Jois (Day 1)

Containers have changed the way we do deployments. Organizations have openly embraced containerization to supplement traditional deployment paradigms such as virtual machines and hypervisors. Docker has emerged as the leading container technology, used by organizations large and small to package and deploy consistent-state applications with the help of container orchestrators such as Compose and Kubernetes.

Serverless, on the other hand, is being adopted at a rapid rate alongside the growing use of microservices, which give organizations the flexibility to run multiple tech stacks.

However, as always, security remains a challenge for containerized and serverless deployments. Containers are exposed to the threats that affect any application deployment, but they also face threats specific to the container daemon, the shared kernel and other shared resources such as the network and the filesystem. Serverless deployments face risks such as insecure deployment configurations, inadequate function monitoring and logging, broken authentication, function event-data injection and insecure storage of application secrets.

This training was created with the single objective of achieving optimal security for containerized and serverless deployments. It is a two-day program that details, through specific theory elements and extensive hands-on exercises, how containerized and serverless deployments can be made secure while remaining scalable, efficient and effective.

The training covers, but is not limited to, the following focus areas in container security and serverless deployment:
* Introduction to Containers and Containerized Deployments - Docker, Compose
* Introduction to Container Orchestration Technologies - Kubernetes
* Introduction to Docker Native Continuous Integration Services
* A View into DevSecOps and the Container Security Problem
* Container Security Threat Model:
- Container - Host Attacks
- Container - Container Attacks
- Container Sprawl
- Container Secrets Exposure
- Insecure Libraries and Applications in Containerized Deployments
- Container Daemon Threats
* Container Security Best Practices:
- Access Control Models for Containers
- Practical Secrets Management for Container Deployments
- Auditing, Logging and Monitoring for Containerized Deployments
- Container Vulnerability Management Best Practices
- Resource Management and Trust Allocation - Containerized Deployments
* Introduction to Serverless - AWS Lambda
* Deploying Application to AWS Lambda
* Testing a Serverless Application for Vulnerabilities.

The trainer brings extensive experience packaging and deploying services securely to production using containers and serverless. He has also developed integrations for containerized deployments orchestrated through the Docker API, worked on security automation and has considerable DevSecOps knowledge. He helped build 'Orchestron', a vulnerability management solution with scalable scanner integrations that leverage containers to the hilt.

# Day 1 

## Session 1 
Introduction to Containerized Deployments - Understanding and getting comfortable using Docker.
* An Introduction to Container Deployments
- LXC and Linux Containers
- Introducing Docker Images and Containers
- Docker Commands and Cheatsheet
- Hands-on: Docker commands, Dockerfile, Images, Compose
- Hands-on Lab: Playing with Docker Container Deployments: Deploying a containerized Web App

## Session 2 
Container Deployments - Threat Landscape - An introduction to the possible threats and attack surface when using Docker for deployments.
* Threat Model for Containerized Deployments
- Daemon-related Threats
- Network related Threats
- OS and Kernel Threats
- Threats with Application Libraries
- Threats from Containerized Applications
- Container Breakout: Docker Security Examples
- Hands-on Tour of some of the exploits and the potential damages they can cause.
* Secrets Management of Docker Env Variables and other secrets
* OS and Kernel Level Exploits:
- DirtyCow
- Shellshock
- CVE-2017-1000253
- Privileged User Flaws
* Application Library Flaws:
- Struts2 Web App Flaw - Library
- Python Docx 0.8.5 XXE Flaw with DoS - Billion Laughs Attack
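The last item above names two XML attacks that share one root cause: the parser honours entity declarations in untrusted input. The snippet below is an added example, not code from the course or from python-docx; it shows the guard that libraries such as defusedxml apply. Expat reports every entity declaration through a callback before any expansion happens, so raising from that callback aborts the parse before the exponential expansion (billion laughs) or the external fetch (XXE) is ever attempted. The three documents are constructed for the demonstration.

```python
"""Reject untrusted XML that declares entities, before any expansion (added example)."""
import xml.parsers.expat


class ForbiddenXML(ValueError):
    """Raised for DOCTYPE constructs that untrusted input should never carry."""


def parse_untrusted(data: bytes) -> dict:
    """Parse XML from an untrusted source and return element/character counts.

    Any entity declaration (internal or external) and any external entity
    reference is rejected; ordinary documents parse normally.
    """
    parser = xml.parsers.expat.ParserCreate()
    stats = {"elements": 0, "chars": 0}

    # Signature per the pyexpat docs: (entityName, is_parameter_entity, value,
    # base, systemId, publicId, notationName). Raising here stops the parser.
    def on_entity_decl(name, is_param, value, base, system_id, public_id, notation):
        raise ForbiddenXML(f"entity declaration {name!r} rejected")

    def on_external_ref(context, base, system_id, public_id):
        raise ForbiddenXML("external entity reference rejected")

    def on_start(name, attrs):
        stats["elements"] += 1

    def on_chars(text):
        stats["chars"] += len(text)

    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref
    parser.StartElementHandler = on_start
    parser.CharacterDataHandler = on_chars
    parser.Parse(data, True)
    return stats


def is_safe(data: bytes) -> bool:
    """True if the document parsed without hitting a forbidden construct."""
    try:
        parse_untrusted(data)
        return True
    except ForbiddenXML:
        return False


# Constructed samples for the demonstration (not documents from the course).
BENIGN = b"<doc><p>hello</p><p>world</p></doc>"

# Billion laughs: each level references the previous one ten times.
BILLION_LAUGHS = b"""<?xml version="1.0"?>
<!DOCTYPE lolz [
 <!ENTITY lol "lol">
 <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
 <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
]>
<lolz>&lol2;</lolz>"""

# XXE: an external entity pointing at a host file.
XXE = b"""<?xml version="1.0"?>
<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
<foo>&xxe;</foo>"""

if __name__ == "__main__":
    print(parse_untrusted(BENIGN))
    for sample in (BILLION_LAUGHS, XXE):
        print("rejected" if not is_safe(sample) else "accepted")
```

Rejecting at the declaration is what makes this cheap: the cost is paid before any expansion, so the short sample here and a forty-level version that would expand to terabytes are stopped by the same single callback.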


Required Materials

Laptop Requirements
  • Intel i3 and above preferred, 64bit Operating System (32 bit will NOT work), 8GB+ RAM preferred. Netbooks WON’T work
  • Minimum 80GB HDD space available
  • Working WiFi adapter with ability to connect to third party wireless networks
  • User must be able to use the USB port of the laptop to copy and install the Virtual Machine, which will be delivered in a USB Mass Storage Device (Flash Drive).
  • Soft copy of the Slides and the VMs will be given to participants on a USB Flash Drive that will be formatted with the NTFS format.
  • Please download and install the latest installation of Oracle VM VirtualBox
  • We have observed that Windows laptops often ship with virtualization disabled in the BIOS. In that case the virtual machine and the workshop exercises will not work, so please enable virtualization before the class.
  • You must be able to reach your BIOS menu. On many laptops it is opened by pressing F12 at boot, but some use a different key. If your BIOS menu is password-protected, make sure you know the password.
Additional Requirements 
An AWS account to deploy a Web-Application on AWS-Lambda will be necessary.

Speakers

Nithin Jois

Senior Security Solutions Engineer, we45
Nithin Jois dons two hats - Apart from being one of the lead trainers at AppSecEngineer, he is also a Senior Solutions Architect at We45 where he has helped build multiple solutions ranging from Vulnerability management to scalable scanner orchestrating systems that leveraged container...

Tilak Thimmappa

Senior Solution Engineer, we45
I work at an Application Security company (we45) and have a unique perspective of developing secure and deliberately insecure apps in Python and NodeJS. I have contributed to the development of several Web-Applications using Django, Django-Rest-Framework, NodeJs and more, that have...


Tuesday October 23, 2018 9:00am - 5:00pm CDT
Cypress Room
 
Wednesday, October 24
 

9:00am CDT

Two-Day Training: AppSec Automation: DevSecOps, Pipelines, APIs and Getting Things Done Faster w/Matt Tesauro (Day 2)

Note: This is a two day, hands-on course

See Day 1 for more details



Wednesday October 24, 2018 9:00am - 5:00pm CDT
Magnolia A Room

9:00am CDT

Two-Day Training: Attacking Windows w/Powershell & Enterprise Active Directory Attack Playbook w/Aelon Porat (Day 2)

Enterprise Active Directory Attack Playbook for Red and Blue Teams

Microsoft Active Directory is the world's most popular directory management suite. Its prevalence, scope and complex structure have also made it the prime target of many attacks. This training takes place inside a dedicated network simulating a production environment with a full Active Directory deployment. Students assume the roles of both adversary and defender, starting as a regular desktop user and gradually escalating privileges and moving laterally across the enterprise. We'll review reconnaissance techniques, discover blind spots, pivot and eventually compromise otherwise-segregated servers. Students will gain invaluable insight into how Active Directory attacks work, the artifacts they leave behind, and practical preventative and monitoring controls. To reduce the attack footprint and simulate a real adversary, the playbook is built exclusively on Windows scripts and tools; we will not use Metasploit, Cobalt Strike, etc.

Prerequisites: as an introductory class, no previous red- or blue-team experience is required. However, students are expected to be familiar with basic Windows and network infrastructure. Basic PowerShell and command-line experience is recommended.

Students will need to bring their own computer, capable of simultaneously running at least two guest Windows 10 VMs.



Wednesday October 24, 2018 9:00am - 5:00pm CDT
Magnolia B Room

9:00am CDT

Two-Day Training: Container Security, Serverless and Orchestration Training w/Nithin R Jois (Day 2)

See Day 1 for course description and required materials.

# Day 2 

## Session 1 
Continuation from Day 1
* Application Level Flaws:
- Server-Side JavaScript Injection
- Template Injection
- RCE + Breakout
* Network:
- Net Host Flaws - SSRF Flaws
- Port Binding Flaws
* Volume and Memory Flaws:
- Volume Expose Security issues: RWX
* Docker Security Assessment
- Docker Bench Security + Lynis
- Scanning Docker images with Clair.
- Securely pulling Docker images from a private repo.
- System Call Profiling
- Identifying system calls from an immutable Docker node
* Secure Examples:
- AppArmor
- Secrets Management
- SECCOMP Profiles
- Memory and HDD restrictions
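The assessment and hardening items above (Docker Bench, AppArmor, seccomp profiles, memory limits, writable volumes) all come down to settings that `docker inspect` exposes. The script below is an added example, not code from the course, Docker Bench or Lynis: it reads the JSON that `docker inspect <container>` prints and flags the settings that widen the blast radius of a container breakout. The two container records are constructed; a real run would feed the output of `docker inspect` into `audit_inspect_json()`.

```python
"""Audit `docker inspect` output for weak isolation settings (added example)."""
import json
from typing import Dict, List

# Host paths whose bind-mount hands the container the host (assumed list).
SENSITIVE_HOST_PATHS = ("/", "/etc", "/proc", "/sys", "/var/run/docker.sock")
# Capabilities that commonly enable escape or host tampering (assumed list).
DANGEROUS_CAPS = {"SYS_ADMIN", "SYS_PTRACE", "SYS_MODULE", "NET_ADMIN", "DAC_READ_SEARCH"}


def _is_sensitive(path: str) -> bool:
    if path == "/":
        return True
    return any(path == p or path.startswith(p + "/")
               for p in SENSITIVE_HOST_PATHS if p != "/")


def audit_container(record: Dict) -> List[str]:
    """Return finding strings for one inspect record; empty list means clean."""
    host = record.get("HostConfig") or {}
    cfg = record.get("Config") or {}
    findings = []

    if host.get("Privileged"):
        findings.append("privileged: all capabilities, no seccomp/AppArmor, raw device access")
    if host.get("NetworkMode") == "host":
        findings.append("host network namespace shared")
    if host.get("PidMode") == "host":
        findings.append("host PID namespace shared")

    # --security-opt values appear here; both '=' and legacy ':' forms exist.
    sec_opts = host.get("SecurityOpt") or []
    if any(o in ("seccomp=unconfined", "seccomp:unconfined") for o in sec_opts):
        findings.append("seccomp disabled: default syscall filter removed")
    if any(o in ("apparmor=unconfined", "apparmor:unconfined") for o in sec_opts):
        findings.append("AppArmor disabled")

    if not host.get("Memory"):  # 0 or missing means unlimited
        findings.append("no memory limit: container can exhaust host RAM")

    for cap in host.get("CapAdd") or []:
        name = cap[4:] if cap.startswith("CAP_") else cap
        if name in DANGEROUS_CAPS:
            findings.append(f"dangerous capability added: {name}")

    if not cfg.get("User"):
        findings.append("runs as root inside the container (no USER set)")

    for m in record.get("Mounts") or []:
        src = m.get("Source", "")
        if m.get("Type") == "bind" and _is_sensitive(src):
            mode = "read-write" if m.get("RW") else "read-only"
            note = " (daemon access is root on the host)" if src.endswith("docker.sock") else ""
            findings.append(f"sensitive host path bind-mounted {mode}: {src}{note}")
    return findings


def audit_inspect_json(text: str) -> Dict[str, List[str]]:
    """`docker inspect` prints a JSON array; map container name to findings."""
    return {rec.get("Name", "?").lstrip("/"): audit_container(rec)
            for rec in json.loads(text)}


# Constructed records: one container run the careless way, one hardened.
WEAK = {
    "Name": "/legacy-app",
    "Config": {"User": ""},
    "HostConfig": {"Privileged": False, "NetworkMode": "host", "PidMode": "",
                   "SecurityOpt": ["seccomp=unconfined"], "Memory": 0,
                   "CapAdd": ["SYS_ADMIN"]},
    "Mounts": [
        {"Type": "bind", "Source": "/var/run/docker.sock",
         "Destination": "/var/run/docker.sock", "RW": True},
        {"Type": "volume", "Source": "appdata", "Destination": "/data", "RW": True},
    ],
}
HARDENED = {
    "Name": "/hardened-app",
    "Config": {"User": "10001:10001"},
    "HostConfig": {"Privileged": False, "NetworkMode": "bridge", "PidMode": "",
                   "SecurityOpt": ["no-new-privileges", "seccomp=/etc/docker/app-seccomp.json"],
                   "Memory": 268435456, "CapAdd": None, "CapDrop": ["ALL"]},
    "Mounts": [{"Type": "bind", "Source": "/srv/app/config",
                "Destination": "/config", "RW": False}],
}
SAMPLE_INSPECT = json.dumps([WEAK, HARDENED])

if __name__ == "__main__":
    for name, findings in audit_inspect_json(SAMPLE_INSPECT).items():
        print(name, "->", findings or "no findings")
```

The hardened record shows the shape of the fix for each finding: a non-root `User`, the default bridge network, a custom seccomp profile kept rather than removed, `no-new-privileges`, a memory cap, all capabilities dropped, and only a non-sensitive path mounted read-only.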

## Session 2 
* Introduction to Serverless
* Advantages and Disadvantages of Serverless over Docker/Kubernetes deployments.
* Understanding Secure configurations when Deploying a serverless App on AWS lambda
* Hands-on Lab: Deploying a Vulnerable App to AWS Lambda.
* Testing Serverless deployment for Vulnerabilities and comparing Results with a similar docker/kubernetes Deployment.



Wednesday October 24, 2018 9:00am - 5:00pm CDT
Cypress Room
 
Thursday, October 25
 

7:30am CDT

Breakfast Tacos (Sponsored by AlienVault)
Thursday October 25, 2018 7:30am - 8:45am CDT
Expo Hall (Live Oak Room)

8:00am CDT

Expo Hall Opens
Thursday October 25, 2018 8:00am - 5:00pm CDT
Expo Hall (Live Oak Room)

9:00am CDT

Keynote: Jayson Street
Speakers

Jayson Street

Keynote Speaker
Jayson E. Street is an author of the "Dissecting the hack: Series". Also the DEF CON Groups Global Ambassador. Plus the VP of InfoSec for SphereNY. He has also spoken at DEF CON, DerbyCon, GRRCon and at several other 'CONs and colleges on a variety of Information Security subjects.


Thursday October 25, 2018 9:00am - 10:00am CDT
Duo Security Ballroom

10:00am CDT

Secure Configuration in the Cloud
Category: DevOps + Security

Abstract: While the pervasive use of PaaS for application deployment in the cloud has been a boon to businesses and developers, it has also introduced new challenges. Given the open, distributed and on-demand nature of DevOps, sensitive assets once well guarded behind a corporate firewall can now be scattered across the cloud. Examples include database credentials, external service credentials, API tokens, and private keys for SSH, TLS and VPN sessions. It is imperative to provide a secure and usable mechanism for protecting these assets at every stage of the deployment cycle. Insufficiently protected configuration secrets can enable pivoting and exfiltration of business-sensitive data, doing significant damage to a company's reputation as well as its bottom line. Unfortunately, the frequency of the data breaches we hear about shows that security principles are not always followed.
In line with security recommendations, organizations need a strategy for managing sensitive configuration data that simplifies the creation, renewal and expiration of secrets. Additional techniques include access control at every level (application, microservice, host), usage audits, monitoring for secrets that lack adequate protection, and secure backups. Various solutions on the market address different aspects of configuration data protection; it is important to understand which aspect each solution addresses and to know its strengths and weaknesses.
In this talk we will give an overview of the various types of configuration secrets and their lifecycles. We will also cover the available solutions and show how they protect these secrets. Along the way we will build a list of do’s and don’ts that can serve as recommendations for cloud DevOps.
A rough outline of the talk is as follows:
  1. Introduction to ephemeral application in the cloud
  2. Types of configuration data (passwords, keys, key stores, tokens – textual, file based)
  3. Configuration secret lifecycle
  4. What not to do (things to avoid)
  5. Solutions for protecting sensitive data (e.g. Kubernetes secrets, Keywhiz, Hashicorp Vault)
  6. Strength and weaknesses of each solution
  7. Misconfiguration pitfalls
  8. Conclusion and Recommendations


Speakers

Muein Muzamil

Senior Software Architect, Gemalto
Muein Muzamil is a member of the technical community at Gemalto and works as a senior software architect in the Enterprise and Cybersecurity group based in Austin, TX. His research interests include evolving authentication solutions, federated authentication, one-time password (OTP)...

Najam Siddiqui

Solution Architect, Software Security Architect, Gemalto
Najam Siddiqui is a member of the technical community at Gemalto and works in Enterprise and Cybersecurity group based in Austin, TX. His research interests include identity and access management solutions, web application firewalls (WAF), strong authentication solutions, Web application...


Thursday October 25, 2018 10:00am - 11:00am CDT
Presidio Room

10:00am CDT

Failing at Auth* by succeeding at Microservices
DevOps, microservices, auth: what could go wrong?

Microservices are awesome, and so are DevOps and OAuth. But adopting them isn’t enough if you haven’t worked through your security principles, including authorization and authentication.

We’ll discuss the challenges that arise when implementing authentication and authorization in complicated microservice architectures. We target commonly misinterpreted authorization frameworks, such as OAuth 2.0 being pressed into service for user authentication, and demo the ways an attacker can exploit these weaknesses.

There are good practices you can adopt to scale your authentication and authorization implementations and establish trust across microservice architectures, if you know about them, and knowing is half the battle. We will share our findings to help you fortify your services.
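The misinterpretation the abstract refers to is treating an OAuth 2.0 access token as proof of who the user is. The example below is added here and is not code from the speaker or from Under Armour. It models a service that logs users in by introspecting an access token (RFC 7662 response fields) and shows the token-substitution attack: the victim once authorised some third-party app, the attacker controls that app, and replays the victim's token at our login endpoint. The token store, client ids and fixed clock are constructed for the demonstration.

```python
"""An OAuth 2.0 access token is not proof of identity (added example)."""

OUR_CLIENT_ID = "shop-api"
TRUSTED_ISSUER = "https://idp.example"
NOW = 1_700_000_000  # fixed "current time" so the example is deterministic

# Constructed identity-provider state: tokens the IdP has issued, keyed by
# value. "fitness-widget" is a third-party app the victim once authorised; an
# attacker who controls it holds a perfectly valid token for the victim.
IDP_TOKENS = {
    "tok-victim-for-shop": {"active": True, "sub": "victim", "client_id": "shop-api",
                            "scope": "openid profile", "iss": TRUSTED_ISSUER,
                            "exp": NOW + 3600},
    "tok-victim-for-widget": {"active": True, "sub": "victim", "client_id": "fitness-widget",
                              "scope": "openid profile", "iss": TRUSTED_ISSUER,
                              "exp": NOW + 3600},
    "tok-expired": {"active": False, "sub": "victim", "client_id": "shop-api",
                    "scope": "openid profile", "iss": TRUSTED_ISSUER, "exp": NOW - 10},
}


def introspect(token):
    """Stand-in for POST /introspect at the IdP; unknown tokens are inactive."""
    return IDP_TOKENS.get(token, {"active": False})


def login_vulnerable(token):
    """Treats any active token naming a user as a login for that user.

    The IdP truthfully says the token is active and belongs to 'victim', but
    it never said the token was issued to *this* service.
    """
    info = introspect(token)
    if not info.get("active"):
        return None
    return info["sub"]


def login_hardened(token, now=NOW):
    """Accepts the token only if it was issued to this service by the trusted
    issuer, is unexpired, and carries the scope we require."""
    info = introspect(token)
    if not info.get("active"):
        return None
    if info.get("iss") != TRUSTED_ISSUER:
        return None
    if info.get("client_id") != OUR_CLIENT_ID:  # minted for another app: reject
        return None
    if info.get("exp", 0) <= now:
        return None
    if "openid" not in info.get("scope", "").split():
        return None
    return info["sub"]


def token_substitution_attack(login):
    """Attacker replays the victim's token for a different client at our login."""
    return login("tok-victim-for-widget")


if __name__ == "__main__":
    print("vulnerable login sees:", token_substitution_attack(login_vulnerable))
    print("hardened login sees:", token_substitution_attack(login_hardened))
```

The audience check is the minimum; the construct designed for this job is an OpenID Connect ID token, whose `aud` and `nonce` claims bind the assertion to the relying party and to the login attempt. Plain OAuth 2.0 access tokens stay what they are: authorization to call an API, not authentication of the caller.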


Speakers

Lashidhar Chennupati

Security Engineer, UA
Lashidhar Chennupati works as an Application Security Engineer at Under Armour and comes from Application Security consulting background. In his current role, Lashidhar helps teams to integrate security into Software Development. In the past he trained developers in Secure coding...


Thursday October 25, 2018 10:00am - 11:00am CDT
Under Armour Room

10:00am CDT

Rethinking Role-Based Security Education
How do we scale a deeper level of security awareness training without sacrificing efficacy? This talk will explore strategies and tactics for developing security education based on employees’ roles, access, and attack surface while designing not only for efficiency but also for effectiveness. By prioritizing the highest-risk teams, pooling teams to collaboratively threat-model, and contextualizing universal truths of security hygiene to those threat models, we can deliver training that leverages employees’ roles, fosters retention via active participation, and eases the burden on trainers within the security team. Attendees will walk away with a roadmap for building scalable, contextual, and collaborative role-based employee security education within their organizations.

Speakers

Kat Sweet

Kat Sweet works for Duo Security's security operations team as an information security analyst (and senior pun architect). A passionate security educator, she is heavily involved in building her team's employee security awareness and engagement program, and is frequently the first...


Thursday October 25, 2018 10:00am - 11:00am CDT
Duo Security Ballroom

10:00am CDT

Year[0]: AppSec at a Startup
Have you wanted to be on the application security team at a startup, but were worried about having an employer that can’t figure out how to monetize its user base, being compensated in potentially worthless stock options, or discovering your company’s business model is based on selling a $400 juicer and expensive juice packets that could actually be squeezed by hand? If so, then this talk is for you! From the safety of the audience you’ll hear about the first year of an appsec program at a tech startup. We’ll cover how to win over the hearts and minds of your developers, useful tooling/automation, and other topics to rapidly improve the security of a growing SaaS startup.

Speakers

Leif Dreizler

Senior Application Security Engineer, Segment
Leif works on the AppSec team at Segment, partnering with engineers to continuously improve their security story and protect customer data. Leif got his start in the security industry at Redspin doing security consulting work, and was later an early employee at Bugcrowd. He was a...



Thursday October 25, 2018 10:00am - 11:00am CDT
Qualys Room

11:00am CDT

Practical DevSecOps – the simple free pipeline anyone can create
DevSecOps is so much more than forcing developers to use legacy tools. In this talk, we will create a continuous, effective, and scalable DevSecOps pipeline using only *free* tools.  We'll use IAST (Interactive Application Security Testing) to accurately pinpoint vulnerabilities in real time without scanning. Then we'll set up RASP (Runtime Application Self-Protection) in production to gain visibility into application attacks and to prevent vulnerabilities from being exploited.  And we'll integrate all of this security vulnerability and attack telemetry into the tools your teams are already using.  

* We will enable developers with real-time security feedback right in their IDE
* We will also ensure that libraries and frameworks are analyzed continuously for vulnerabilities
* We'll integrate security into the CI/CD process so that we can easily fail a build
* We'll identify application layer attacks and create a whole new level of visibility for your SOC
* We'll even prevent exploitation of newly discovered vulnerabilities in open source libraries

After this talk, you'll be able to establish your own DevSecOps pipeline immediately. This reference implementation can be adapted easily to almost any tools and processes -- even legacy applications and waterfall style projects.

https://www.contrastsecurity.com/ce


Speakers

Jeff Williams

Cofounder and CTO, Contrast Security
Jeff brings more than 25 years of application security leadership experience as co-founder and Chief Technology Officer of Contrast Security. Previously, Jeff was co-founder and CEO of Aspect Security, a successful and innovative application security consulting company acquired by...



Thursday October 25, 2018 11:00am - 12:00pm CDT
Duo Security Ballroom

11:00am CDT

ML-Based Detection Engine for Device/Network Attacks on an IIoT Gateway
Mark will describe the security architecture of a typical IIoT gateway running embedded Linux on ARM, with a machine-learning-based detection engine embedded so that attacks arriving through the device (kernel/physical) and network (WiFi) vectors are detected immediately. Mark will give a live demonstration on a NanoPi/Raspberry Pi 3.


Speakers

Mark Szewczul

IOT security architect, Zimperium
Mark is an IoT Security Architect at Zimperium with over 20 years of experience from Semiconductor, Telecom/Datacom, and Computing sectors. He currently is Director of Marketing at the Dallas/Fort Worth Cisco Users Group, has led the IEEE-Electromagnetic Compatibility Society and...


Thursday October 25, 2018 11:00am - 12:00pm CDT
Under Armour Room

11:00am CDT

Vulnerability Management: You're doing it wrong
Threat and vulnerability management (TVM) is a core aspect of every information security program. Many organizations have some level of TVM in place, but frequently these tools are improperly deployed, missing critical automation processes, and are poorly aligned to business requirements. In this presentation, we identify critical aspects often overlooked at many points in the TVM lifecycle -- from architecture and deployment to daily tasks and automation.

If you are familiar with TVM tools and are involved in day to day operations, or if you are architecting and deploying a new installation, you’ll benefit from this talk.

You’ll leave with a better understanding of some best practices for architecting a deployment, building day to day operational tasks, aligning reporting with business processes, communicating vulnerabilities and risk to stakeholders, and adding automation to the TVM life cycle.


Speakers

Digitalgrease

Digitalgrease formerly yelled at people for making bad decisions with their cars, and now yells at people for making bad decisions with their keyboards.

Mauvehed

AHA!
Mauvehed is a Senior Internet Troll and part-time babysitter for Austin Hackers Anonymous. In his spare time he idles in IdleRPG channels on IRC and writes brainf*ck code.



Thursday October 25, 2018 11:00am - 12:00pm CDT
Qualys Room

11:30am CDT

Lunch - Day 1
Thursday October 25, 2018 11:30am - 12:30pm CDT
(take your lunch to the session you wish to attend)

12:00pm CDT

DevSecOps without DevOps is Just Security
The best DevSecOps practices are built alongside strong DevOps practices. However, DevSecOps processes and tooling are often decided within a security silo, rather than by a DevSecOps collective. Security ends up more integrated and efficient than in the past, but the approach is still “bolt-on” and not ultimately streamlined.
Collaboration between security and other DevOps groups around roadmaps and sharing of resources can lead to greater efficiency and innovation, while better supporting the value stream.
This talk will discuss foundational considerations when building a DevSecOps practice. You will learn the top prerequisites for a successful DevSecOps practice, most of which are provided by groups other than security, and we’ll discuss case studies from organizations that have embraced DevOps as a foundation for DevSecOps and from those that haven’t. Attendees will walk away with questions to ask their DevOps counterparts to gauge current DevOps maturity and to find where security can leverage existing and planned DevOps resources to enable effective DevSecOps.


Speakers

Kevin Fealey

Kevin Fealey is a Sr. Manager at EY, which recently acquired Aspect Security. Previously, Kevin was the Director of Aspect Security's DevSecOps and Automation & Integration Services Division. He specializes in building security into CI/CD pipelines by automating commercial, open source...


Thursday October 25, 2018 12:00pm - 1:00pm CDT
Presidio Room

12:00pm CDT

Building Products People Trust: Designing Privacy, Consent, & Security into Your Products
Building security software is hard. Making it easy to understand and designing it with trust and privacy in mind is even harder. By the end of this talk you'll have practical advice from Duo Security's Mobile Product Manager, Taylor McCaslin, on building trust and designing empathy into your security software. When security software is easy to use and to trust, it is more effective.

Speakers

Taylor McCaslin

Mobile Product Manager, Duo Security
Taylor McCaslin is a multi-disciplinary technologist and Product Manager living in Austin, Texas. He currently works as a Mobile Product Manager at Duo Security. Taylor is an advocate and defender of privacy, consent, and inclusion. Taylor graduated from The University of Texas at...


Thursday October 25, 2018 12:00pm - 1:00pm CDT
Under Armour Room

12:00pm CDT

Pentesting for Developers
While secure development practices are an important part of keeping your application and its data protected, you also have to prove your defenses are working.  Developers are used to things like unit testing and even functional testing but some feel out of their depth when it comes to security testing.  Effective security testing - or pentesting - is easier than you might think.

We'll cover several topics including:
  • some of the most common web application vulnerability types
  • how they can be prevented
  • examples of tools and techniques to test your own applications
By the end of the session you'll be familiar with some of the most common security issues facing your applications and have the knowledge you need to prevent them.

Speakers
avatar for Chris Cornutt

Chris Cornutt

Chris has worked in web development and security in a wide range of industries over his career including public utilities, customer management, API management and server hosting. He is currently an Application Security Engineer for Duo Security and an active member of the PHP community. He... Read More →


Thursday October 25, 2018 12:00pm - 1:00pm CDT
Qualys Room

1:00pm CDT

10 Reasons Your AppSec Testing Might Not Be Working
Is your application security solution working for you? A nightmare scenario for any security leader is getting management to opt-in on a promising AppSec testing solution, raising the funds, allocating the time and then… nothing. Your AppSec testing solution finds itself sitting on a shelf, untouched. If this sounds familiar, or if you really want to prevent this at all costs, please attend this session. We will walk you through the top ten reasons AppSec solutions may not be working as expected and provide the tools to prevent such situations from happening.
  • Learn the top reasons AppSec testing can fail 
  • Understand how to deal with common issues as well as to prevent future issues 
  • Receive best-practice advice on dealing with AppSec testing challenges

Speakers


Thursday October 25, 2018 1:00pm - 2:00pm CDT
Under Armour Room

1:00pm CDT

Be Prepared - Things you can do today for the breach you hope never comes
When a company goes through a data breach, it's like a major traffic accident where everyone on both sides of the highway slows down, rubbernecks, and breathes a sigh of relief, thankful that "it wasn't us". Yet by every measure, data breaches are a matter of when, not if, you'll experience one. The average data breach disclosure notification lag time is over 30 days.
For Under Armour’s MyFitnessPal, we disclosed 4 days after we became aware of the data breach. Our goal in this talk is to share some of the building blocks that made that rapid disclosure possible.


Speakers
BT

Bankim Tejani

Sr. Manager, Product Security, Under Armour
Bankim Tejani has conducted security research, assessments, training, and consulting for over 15 years. His recent focus is on helping product engineering teams integrate security into their software development life cycles (SDLC) in scalable, agile, DevOps centric ways. Bankim is... Read More →


Thursday October 25, 2018 1:00pm - 2:00pm CDT
Qualys Room

1:00pm CDT

Invited Speaker: Robert Hansen
TBA

Speakers

Thursday October 25, 2018 1:00pm - 2:00pm CDT
Duo Security Ballroom

1:00pm CDT

Running at Light Speed: Cloud Native Security Patterns
No matter how fast you ship software, a good design is critical to security. Cloud native systems are no exception. Containerized microservices running on distributed management and orchestration platforms, bring new challenges to address as well as classic software problems that we’ve been dealing with for years. Secure software design patterns can be used to model security controls at different trust boundaries within your architecture, providing security in a repeatable and consumable way. Using patterns such as the Service Mesh or Ambassador pattern lets us focus on proper security control placement and lifting security outside of the core services we’ve traditionally bolted security onto later.

The goal of this presentation is to arm software developers and security architects with reference architecture guidance that can be used in any cloud native environment. The topics we’ll cover include multi-tenancy considerations, authentication, authorization, encryption, and more. We will focus on newer cloud native architecture patterns as well as some classic software design patterns that are still applicable. At the end of this presentation, you’ll have a greater understanding of cloud native security design at an architectural level and you’ll be eager to begin white-boarding your ideas.


Speakers
avatar for Brian Glas

Brian Glas

Director of Strategic Services, nVisium
Brian Glas has worked in IT for over 17 years and information/application security for the last decade. He started as an enterprise Java developer, then transitioned to helping build an application security program as both tech lead and manager. He later played the role of enterprise... Read More →
JM

Jack Mannino

CEO, nVisium
Jack Mannino is the CEO of nVisium. Passionate about security and impossible to keep away from a keyboard, his expertise spans over 15 years of building, breaking, and securing software. Jack founded nVisium in 2009, and since then has helped the world's largest software teams enhance... Read More →


Thursday October 25, 2018 1:00pm - 2:00pm CDT
Presidio Room

2:00pm CDT

Orchestrating Security Tools with AWS Step Functions
Increasingly frequent deployments make it impossible for security teams to manually review all of the code before it is released.

We wrote a Terraform-deployed application to solve this problem by tightly integrating into the developer workflow. The plugin-based application has three core components, each represented by at least one Lambda function: a trigger, processing and analysis, and output. The plugins, such as static analysis, dependency checking, GitHub integrations, container security scanning, or secret leak detection, can be written in any language supported by AWS Lambda.

The underlying technology for this tool is a serverless system utilizing several AWS Services, such as API Gateways, Step Functions and Lambdas.

In this talk you'll not only learn about our tool and how to implement it in your CI/CD pipeline, but also how to easily deploy complex serverless systems and step functions for your own automated tooling.
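The trigger / analysis / output layout described above, as an added example written for this page (not the Datadog tool's code): a Step Functions state machine in Amazon States Language, expressed as a Python dict, whose Task states point at stand-in "Lambda" functions, plus a minimal local interpreter so the flow can be exercised offline. The interpreter models only Task, Parallel and Pass states (no Input/Result paths, retries or Catch); the plugin bodies, the placeholder ARNs, the advisory list and the webhook payload are all constructed for the example.

```python
import re

# --- Plugins; each stands in for one Lambda function. ----------------------
SECRET_RE = re.compile(r'(?i)(aws_secret_access_key|password)\s*=\s*["\'][^"\']{8,}["\']')
# Constructed advisory data for this example only, not real vulnerability records.
KNOWN_BAD = {("acme-utils", "0.0.1"), ("acme-yaml", "1.2.0")}

def trigger(event):
    """Normalise a push-webhook payload into the pipeline's working input."""
    return {"repo": event["repository"], "sha": event["after"], "files": event["files"]}

def secret_scan(ctx):
    findings = []
    for path, text in ctx["files"].items():
        for lineno, line in enumerate(text.splitlines(), 1):
            if SECRET_RE.search(line):
                findings.append({"plugin": "secrets", "file": path, "line": lineno,
                                 "severity": "high", "title": "hard-coded credential"})
    return findings

def dependency_check(ctx):
    findings = []
    for lineno, line in enumerate(ctx["files"].get("requirements.txt", "").splitlines(), 1):
        name, _, version = line.strip().partition("==")
        if (name, version) in KNOWN_BAD:
            findings.append({"plugin": "deps", "file": "requirements.txt", "line": lineno,
                             "severity": "medium", "title": f"vulnerable dependency {name}=={version}"})
    return findings

def output(branches):
    """Merge the Parallel branch results, drop duplicates on (file, line, title)
    and decide whether the change should be blocked."""
    seen, merged = set(), []
    for branch in branches:
        for f in branch:
            key = (f["file"], f["line"], f["title"])
            if key not in seen:
                seen.add(key)
                merged.append(f)
    return {"findings": merged, "block_merge": any(f["severity"] == "high" for f in merged)}

# Placeholder ARNs; a real deployment would take these from Terraform outputs.
ARN = "arn:aws:lambda:us-east-1:123456789012:function:"
LAMBDAS = {ARN + "trigger": trigger, ARN + "secret_scan": secret_scan,
           ARN + "dependency_check": dependency_check, ARN + "output": output}

def task(name, next_state=None):
    state = {"Type": "Task", "Resource": ARN + name}
    state.update({"Next": next_state} if next_state else {"End": True})
    return state

STATE_MACHINE = {  # Amazon States Language: trigger -> parallel analysis -> output
    "StartAt": "Trigger",
    "States": {
        "Trigger": task("trigger", "Analyze"),
        "Analyze": {"Type": "Parallel", "Next": "Output", "Branches": [
            {"StartAt": "Secrets", "States": {"Secrets": task("secret_scan")}},
            {"StartAt": "Deps", "States": {"Deps": task("dependency_check")}},
        ]},
        "Output": task("output"),
    },
}

def run_state_machine(machine, data):
    """Minimal local interpreter: Task, Parallel and Pass states only."""
    name = machine["StartAt"]
    while True:
        state = machine["States"][name]
        if state["Type"] == "Task":
            data = LAMBDAS[state["Resource"]](data)
        elif state["Type"] == "Parallel":   # every branch gets the same input; output is a list
            data = [run_state_machine(branch, data) for branch in state["Branches"]]
        elif state["Type"] != "Pass":
            raise NotImplementedError(state["Type"])
        if state.get("End"):
            return data
        name = state["Next"]

# Constructed webhook payload; inline file contents stand in for a checkout.
SAMPLE_EVENT = {"repository": "example/shop", "after": "abc123", "files": {
    "settings.py": 'DEBUG = False\nDB_PASSWORD = "hunter2hunter2"\n',
    "requirements.txt": "acme-http==3.1.0\nacme-utils==0.0.1\n",
}}

if __name__ == "__main__":
    print(run_state_machine(STATE_MACHINE, SAMPLE_EVENT))
```

Adding a scanner means adding one branch to the Parallel state and one entry in the resource map; the output step is where consolidation and de-duplication happen, so two plugins reporting the same line produce one finding.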

Speakers
avatar for Jules Denardou

Jules Denardou

Security Engineer, Datadog
Jules is a Security Engineer at Datadog. He did an MS degree in Computer Science at Ecole Centrale Paris in France, before joining the company in New York City. He especially focuses on making security integrate into developers' workflows rather than blocking them. Blue teaming during... Read More →
JM

Justin Massey

Security Engineer, Datadog



Thursday October 25, 2018 2:00pm - 3:00pm CDT
Presidio Room

2:00pm CDT

Bridging GDPR from your Application to your Cloud
When GDPR became law recently, it became the most wide-ranging and stringent data protection initiative in history. In preparation for this change and to ensure compliance, IBM, along with most organizations, updated its services and information security policies. However, applications themselves arguably pose the biggest risk of data breaches and non-compliance with GDPR.
In this session, we first review the main tenets of GDPR. We will then describe how GDPR affected IBM Cloud services, what changes and decisions had to be made, and how the DevOps and SRE processes were updated. Finally, we describe best practices for customer applications to build in data protection from the design stage and achieve GDPR compliance.


Speakers
avatar for Anton Aleksandrov

Anton Aleksandrov

Chief Architect, IBM Cloud Application Identity Service, IBM
Anton Aleksandrov is the Chief Architect for IBM Cloud Application Identity Service - a cloud service that lets developers to easily add authentication, authorization and user profile capabilities to apps and APIs running on cloud.  Having 15+ years of hands-on software architecture... Read More →


Thursday October 25, 2018 2:00pm - 3:00pm CDT
Under Armour Room

2:00pm CDT

The White Hat’s Advantage: Open-source OWASP tools to aid in penetration testing coverage
White hat penetration testers are generally at a disadvantage compared to the malicious attackers they help defend against. They have limited time and resources to secure the entire application, whereas attackers have unlimited time and may only need a single vulnerability. This session will discuss how web application penetration testers can improve the efficiency and comprehensiveness of their white box testing using two new open source OWASP tools. These tools leverage access to application source code and server bytecode to provide an advantage to the penetration tester working with the development team.
 
The first tool, OWASP Code Pulse, uses glass box testing techniques to instrument the web application server bytecode to provide real-time code coverage while testing the application. This allows the penetration tester to measure how much of the application’s server code their testing has touched, and visually displays gaps in their testing coverage. This real-time feedback helps testers tune their testing to maximize the amount of code covered, compare performance of different testing tools and activities, and communicate useful metrics of testing activity to others.
 
The second tool, Attack Surface Detector, performs static code analysis to first detect the web application's endpoints, parameters, and parameter data types. This information is then pulled into the Burp Suite and OWASP ZAP web application testing suites to allow for rapid dynamic testing of the discovered attack surface. The benefit of this approach over traditional spidering is that hidden endpoints are found without brute-force guessing, and optional parameters not visible in the client-side code are discovered. The Attack Surface Detector is continually updated; the most recently added functionality shows endpoint differences between application versions, so penetration testers can focus their testing on only the changes.
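The endpoint and parameter discovery and the version-to-version diff described above, as an added example written for this page (not the Attack Surface Detector's own code): a small extractor for Flask-style route decorators run over two constructed versions of a hypothetical application, followed by a diff of the discovered attack surface. The route syntax, file contents and parameter names are assumptions made for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample source for a hypothetical Flask application, version 1.
APP_V1 = '''
@app.route("/login", methods=["POST"])
def login():
    user = request.form["username"]
    pw = request.form["password"]

@app.route("/profile/<int:user_id>")
def profile(user_id):
    fmt = request.args.get("format", "json")
'''

# Version 2 adds an optional form field no client references and an
# undocumented admin endpoint that a spider would never find.
APP_V2 = '''
@app.route("/login", methods=["POST"])
def login():
    user = request.form["username"]
    pw = request.form["password"]
    remember = request.form.get("remember_me")

@app.route("/profile/<int:user_id>")
def profile(user_id):
    fmt = request.args.get("format", "json")

@app.route("/admin/export", methods=["GET", "POST"])
def export():
    table = request.args.get("table")
'''

ROUTE_RE = re.compile(r'@app\.route\(([^)]*)\)')            # the decorator's argument list
PATH_RE = re.compile(r'"([^"]+)"')                           # first quoted string = path
METHODS_RE = re.compile(r'methods=\[([^\]]*)\]')
PATH_PARAM_RE = re.compile(r'<(?:\w+:)?(\w+)>')              # <int:user_id> -> user_id
PARAM_RE = re.compile(r'request\.(?:form|args)(?:\.get)?\s*[\[(]\s*"([^"]+)"')

@dataclass(frozen=True)
class Endpoint:
    path: str
    methods: tuple   # sorted HTTP methods
    params: tuple    # sorted path, query and form parameter names

def extract_endpoints(source: str) -> dict:
    """Return {path: Endpoint} for every @app.route in the source text."""
    endpoints = {}
    routes = list(ROUTE_RE.finditer(source))
    for i, m in enumerate(routes):
        args = m.group(1)
        path = PATH_RE.search(args).group(1)
        mm = METHODS_RE.search(args)
        methods = tuple(sorted(re.findall(r'"(\w+)"', mm.group(1)))) if mm else ("GET",)
        # The handler body runs up to the next decorator (or end of file).
        end = routes[i + 1].start() if i + 1 < len(routes) else len(source)
        body = source[m.end():end]
        params = set(PATH_PARAM_RE.findall(path)) | set(PARAM_RE.findall(body))
        endpoints[path] = Endpoint(path, methods, tuple(sorted(params)))
    return endpoints

def diff_attack_surface(old: dict, new: dict) -> dict:
    """What a tester should look at first: new endpoints, and new methods or
    parameters on endpoints that already existed."""
    changed = {}
    for path in set(old) & set(new):
        new_params = sorted(set(new[path].params) - set(old[path].params))
        new_methods = sorted(set(new[path].methods) - set(old[path].methods))
        if new_params or new_methods:
            changed[path] = {"new_params": new_params, "new_methods": new_methods}
    return {"added": sorted(set(new) - set(old)),
            "removed": sorted(set(old) - set(new)),
            "changed": changed}

if __name__ == "__main__":
    v1, v2 = extract_endpoints(APP_V1), extract_endpoints(APP_V2)
    for endpoint in v2.values():
        print(endpoint)
    print(diff_attack_surface(v1, v2))
```

The real tool works on several frameworks and feeds the result into Burp or ZAP; the point here is that hidden endpoints and optional parameters are derived from the code rather than guessed, and that only the `added` and `changed` entries need attention on a re-test.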
 
Recent features and major releases will be discussed, a brief demonstration of the tools will be given, and a question and answer portion will complete the session. We are particularly interested in feedback from the audience on whether these tools help their specific needs and what future improvements would make them even better.

Speakers
avatar for Ken Prole

Ken Prole

CTO, CodeDx
Ken Prole is the CTO of Code Dx and Principal Investigator for Secure Decisions. He has a passion for helping organizations through the process of building secure applications. He has published several articles on cyber security in peer-reviewed journals and is active in the application... Read More →



Thursday October 25, 2018 2:00pm - 3:00pm CDT
Qualys Room

2:45pm CDT

Snack Break
Thursday October 25, 2018 2:45pm - 3:15pm CDT
Expo Hall (Live Oak Room)

3:00pm CDT

How to Assess the Maturity of your Security Program
We are continuously improving our security programs and controls – to protect against new threats, keep up with evolving compliance requirements, or to just get better at what we are doing. But how can we quantify the impact of these efforts on the overall maturity of our organization's security posture?
The ability to express maturity in a consistent fashion helps to communicate the value of our initiatives to executives and provide an objective way to visualize gaps and identify priorities on the path to a robust security program.
In this talk, we will discuss the challenges and importance of measuring the maturity of a security program, available solutions, and then dive into how our team combined NIST's Cybersecurity Framework with a defined way of expressing maturity to solve this problem.
Attendees will leave with ideas on how to assess and measure the maturity of a security program, using methods beyond check-the-box compliance frameworks.


Speakers
avatar for David Ochel

David Ochel

Director of Security and Compliance, AllClear ID
David Ochel (@lostgravity) is a security & privacy technologist with extensive experience in pragmatic information risk and compliance management. David serves as the Director of Security and Compliance at AllClear ID.



Thursday October 25, 2018 3:00pm - 4:00pm CDT
Under Armour Room

3:00pm CDT

Conducting Table Top Exercises to Get Your Team Battle Ready
For this session, we will be conducting a live Security Table Top Exercise (TTX).  We will talk about some free resources that you can use to make your own and give guidance on how they work and can be used for process improvements.

Cyber Incident Response Test

For those unfamiliar with the term, a Table Top Exercise is a small but inclusive exercise run as part of the security organization's effort to be better prepared for potential cyber-related incidents.
The TTX serves as a means to exercise preparedness, validate plans, test operational capabilities, maintain leadership effectiveness and examine the ways we work with the larger community outside of our company to prevent, protect from, respond to, recover from, and mitigate cyber related incidents. 
Larger Focus
Cyber incidents are no longer "just an IT problem." With more and more companies under attack by hacktivists, organized criminals and nation-state militaries, incidents routinely make front-page news and require many different organizations, both internal and external to the company, to respond. Much like you wouldn't ask the communications team to build out a defense-in-depth security program, the IT security organization shouldn't be interfacing directly with the media. Additionally, many branches of law enforcement have enhanced their capabilities to better assist organizations of all sizes in responding to incidents. By including them, and others, in the exercise and/or identifying areas where there may be touch-points, we can be better prepared to reach out and enlist their help in the event an incident occurs.
Cyber Incident Scenario
The scenario focuses on the company’s ability to coordinate and implement prevention, preparedness, response and recovery plans and capabilities pertaining to a significant cyber event or a series of events. In addition, the process examines response plans and procedures, including the Cyber Incident Response Plan, any response frameworks and more.

Speakers
avatar for Josh Sokol

Josh Sokol

Information Security Program Owner, National Instruments
Information Security has always been Josh's passion and in early 2010 National Instruments finally gave him the opportunity to become the Information Security Program Owner.  Today, he continues to run their security program handling everything from compliance to enterprise risk... Read More →



Thursday October 25, 2018 3:00pm - 4:00pm CDT
Duo Security Ballroom

3:00pm CDT

Don't @ Me - Hunting Twitter Bots at Scale
Automated Twitter accounts have been making headlines for their ability to spread spam and malware as well as significantly influence online discussion and sentiment. In this talk, we explore the economy around Twitter bots, as well as demonstrate how attendees can track down bots through a three-step methodology: building a dataset, identifying common attributes of bot accounts, and building a classifier to accurately identify bots at scale.

We first demonstrate how to amass a large dataset of public Twitter accounts using the Twitter API, gathering basic profile information as well as public activity from each account. We go on to gather and map the “social graph” of each account, such as who the account is following and, likewise, who is following the account.

After this dataset has been obtained, we explore how to identify bots within it. We show common techniques used by real-world bot operators to try and keep the bot “under the radar”, which can in many cases be used to help to fingerprint the bot. Finally, we demonstrate how we can tackle the bot problem at scale using data science to build a classifier that accurately identifies bots across our large global dataset.


Speakers
avatar for Olabode Anise

Olabode Anise

Olabode is a Data Scientist at Duo Security where he wrangles data, prototypes data-related features, and makes pretty graphs to support engineering, product management, and marketing efforts. Prior to Duo, Olabode studied usable security at the University of Florida. When he’s... Read More →



Thursday October 25, 2018 3:00pm - 4:00pm CDT
Qualys Room

4:00pm CDT

Keynote: Heather Hinton
Speakers
avatar for Heather Hinton

Heather Hinton

Keynote Speaker
Dr. Heather Hinton is an IBM Distinguished Engineer, an IBM Master Inventor and a member of the IBM Academy of Technology. She was recently awarded an IBM Corporate Patent Portfolio for her patent work in the area of single sign on and identity federation, an area she helped create... Read More →



Thursday October 25, 2018 4:00pm - 5:00pm CDT
Duo Security Ballroom

5:00pm CDT

Speed Debates
Thursday October 25, 2018 5:00pm - 6:00pm CDT
Duo Security Ballroom

5:00pm CDT

Happy Hour (Sponsored by Duo Security)
Thursday October 25, 2018 5:00pm - 7:00pm CDT
Lobby

5:00pm CDT

Ride the Bull!
Thursday October 25, 2018 5:00pm - 7:00pm CDT
Presidio Room
 
Friday, October 26
 

8:00am CDT

Expo Hall Opens
Friday October 26, 2018 8:00am - 3:00pm CDT
Expo Hall (Live Oak Room)

9:00am CDT

Keynote: Shannon Lietz
Speakers
avatar for Shannon Lietz

Shannon Lietz

Keynote Speaker



Friday October 26, 2018 9:00am - 10:00am CDT
Duo Security Ballroom

10:00am CDT

Invited Speaker - Wendy Nather
TBA

Speakers
avatar for Wendy Nather

Wendy Nather

Head of Advisory CISOs, Duo Security
Wendy Nather is Director of Advisory CISOs at Duo Security. She was previously the Research Director at the Retail ISAC, as well as Research Director of the Information Security Practice at independent analyst firm 451 Research. Wendy led IT security for the EMEA region of the investment... Read More →


Friday October 26, 2018 10:00am - 11:00am CDT
Duo Security Ballroom

10:00am CDT

Making Continuous Security a Reality with OWASP's AppSec Pipeline
You’ve probably heard many talks about DevSecOps and continuous security testing but how many provided the tools needed to actually start that testing? This talk does exactly that. It provides an overview of the open source AppSec Pipeline tool which has been used in real world companies to do real security work. Beyond a stand alone tool, the OWASP AppSec Pipeline provides numerous docker containers ready to automate, a specification to customize with the ability to create your own implementation and references to get you started.
The talk will also cover how to add an AppSec Pipeline to your team's arsenal and provide example templates of how best to run the automated tools provided. Finally, we'll briefly cover using OWASP Defect Dojo to store and curate the issues found by your AppSec Pipeline. The goal of this talk is to share the field-tested methods of two AppSec professionals with nearly 20 years of experience between them. If you want to start your DevSecOps journey by continuously testing rather than hearing about it, this talk is for you.


Speakers
avatar for Matt Tesauro

Matt Tesauro

Security Engineer, Citizen of the World
Matt Tesauro is currently rolling out AppSec automation at a major financial institution and is a founder of 10Security.  Prior work included the Director of Community and Operations at the OWASP Foundation, Senior AppSec Engineer building an AppSec Pipeline and continuous security... Read More →



Friday October 26, 2018 10:00am - 11:00am CDT
Presidio Room

10:00am CDT

The FaaS and the Curious
Function as a Service (FaaS) platforms facilitate application deployment and event-driven execution with minimal cloud infrastructure and operational overhead. Consequently, the FaaS market is forecasted to grow 33% with an estimated valuation of $7.75B USD by 2021. However, every benefit has a cost and FaaS is no exception. Despite Amazon’s diligent efforts to secure their Lambda FaaS platform, its intended ability to access a variety of resources and services can be abused for unintended results.
This presentation explores the attack surface of the AWS Lambda FaaS platform and how it can be surreptitiously used to circumvent security controls. Specifically, it will demonstrate how to hijack and impersonate Lambda functions, gain persistent remote access to the AWS cloud environment, and reverse engineer the Lambda runtime environment itself.


Speakers
BM

Bryan McAninch

Founder & Executive Director, Prevade Cybersecurity



Friday October 26, 2018 10:00am - 11:00am CDT
Qualys Room

10:00am CDT

The Road Less Travelled: Use-cases, Challenges, and Solutions of Homomorphic Encryption

In this hyper-connected and data-driven world, information can be highly valuable.  User data can be collected and analyzed using machine learning techniques to create a superior customer experience. There is a tension between the benefits of digital freedom and privacy. Striking a careful and unique balance between privacy and security of user data can be challenging.  In this asymmetric battle, are there techniques that help to protect the privacy of user data while benefiting from the results of collected data analysis?  The answer is Yes. Homomorphic encryption may be an effective mechanism to protect both privacy and confidentiality of the data at the same time by enabling computation on encrypted data.

The concept of homomorphic encryption has been around in theory since the RSA algorithm was published in 1978. Recent research shows promising applications of this mathematical invention. The presentation provides an overview of homomorphic encryption and how it can be used to perform computations while helping to preserve privacy. The speaker will also discuss a few use-cases of differential privacy, homomorphic encryption and security implications associated with them.

The target audience for this talk is security engineers, privacy advocates, software development engineers and managers, technical program managers and anyone who is involved in protecting privacy. The attendees will walk away with a general understanding of this topic and its usage and a framework to mitigate challenges.


Speakers
avatar for Trupti Shiralkar

Trupti Shiralkar

Principal Application Security Engineer, Illumio
Trupti Shiralkar is a Principal Application Security Engineer at the world’s most customer-centric security company Illumio. She has a strong passion for security and privacy and believes in influencing security by creating a mutual win for all involved parties. She enjoys diving... Read More →



Friday October 26, 2018 10:00am - 11:00am CDT
Under Armour Room

11:00am CDT

Cryptography may or may not protect you - how it is used matters
In today’s inter-connected IT environment, Internet applications, services, and devices are heavily dependent on cryptography, either through direct use or indirect reliance on components that use cryptographic modules. In both cases cryptography is a fundamental building block for security protections.

Given its importance, cryptography is always under attack from adversaries who want to exploit vulnerabilities for their own nefarious ends, and under scrutiny from researchers or benign hackers who, perhaps out of curiosity, discover the weaknesses. The problem can be in the algorithms, the protocols built around them, specific software implementations of these algorithms or protocols, or the applications that use them. Regardless of the motive, the mode of attack, or where they occurred, cryptographic vulnerabilities, once exposed or exploited, can have a lasting impact on vendors and their customers (financial loss, reputation damage, compliance or legal violations, and so on). It is therefore extremely important to follow sound design and implementation techniques when building applications and solutions that rely on cryptography.

This talk provides practical advice on proper use of cryptography in software and systems. The information is based on our research and years of experience in building security solutions. Audiences can walk away with concrete ideas about what they should do and should not do when using cryptographic algorithms.
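An added example written for this page (not material from the talk) of the abstract's central point, that the same sound primitive protects or fails purely according to how it is used. The cipher below is a constructed counter-mode stream cipher keyed with HMAC-SHA256, chosen so the example runs with the standard library; it is not a standard construction and is here only to show two classic misuses (nonce reuse and unauthenticated encryption) next to the correct pattern (fresh nonce, encrypt-then-MAC with a separate key, constant-time tag check). The key, nonce and messages are constructed demo values.

```python
import hmac, hashlib, os

def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter mode over HMAC-SHA256: block i = HMAC(key, nonce || i).
    The PRF is sound; everything below depends on how it is used."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def stream_encrypt(key, nonce, data):
    """Encrypt or decrypt (XOR is its own inverse).  Confidential only while
    (key, nonce) is never reused; provides no integrity at all."""
    return xor(data, keystream(key, nonce, len(data)))

# Misuse 1: nonce reuse.  c1 ^ c2 == p1 ^ p2, so one known plaintext exposes the other.
def nonce_reuse_leak(c1, c2, known_p1):
    return xor(xor(c1, c2), known_p1)

# Misuse 2: no authentication.  Knowing `old` sits at `offset`, an attacker rewrites
# it to `new` by XORing the difference into the ciphertext; decryption cannot tell.
def malleate(ciphertext, offset, old, new):
    c = bytearray(ciphertext)
    for i, (o, n) in enumerate(zip(old, new)):
        c[offset + i] ^= o ^ n
    return bytes(c)

# Correct use: fresh random nonce per message, encrypt-then-MAC under a separate key,
# constant-time comparison of the tag before anything is decrypted.
def encrypt_then_mac(enc_key, mac_key, plaintext):
    nonce = os.urandom(12)
    ct = stream_encrypt(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def decrypt_and_verify(enc_key, mac_key, blob):
    nonce, ct, tag = blob[:12], blob[12:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # not `==`, which leaks timing
        raise ValueError("authentication failed")
    return stream_encrypt(enc_key, nonce, ct)

def tamper_detected(enc_key, mac_key, plaintext, offset, mask):
    """Flip bits in an authenticated ciphertext; True if verification rejects it."""
    blob = bytearray(encrypt_then_mac(enc_key, mac_key, plaintext))
    blob[12 + offset] ^= mask
    try:
        decrypt_and_verify(enc_key, mac_key, bytes(blob))
        return False
    except ValueError:
        return True

# Constructed demo material.  A fixed nonce appears here precisely because
# reusing it is the bug being demonstrated.
KEY, MAC_KEY, NONCE = b"\x11" * 32, b"\x22" * 32, b"\x00" * 12
P1, P2 = b"amount=0010;to=alice", b"amount=5000;to=carol"

if __name__ == "__main__":
    c1, c2 = stream_encrypt(KEY, NONCE, P1), stream_encrypt(KEY, NONCE, P2)
    print(nonce_reuse_leak(c1, c2, P1))                                   # recovers P2 without the key
    print(stream_encrypt(KEY, NONCE, malleate(c1, 7, b"0010", b"9990")))  # amount silently changed
    print(tamper_detected(KEY, MAC_KEY, P1, 7, 0x01))                     # True
```

Nothing in the two failures involves breaking HMAC or SHA-256; the nonce discipline and the missing MAC are application decisions, which is why the abstract puts the emphasis on use rather than on algorithms.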

Speakers
KL

Karen Lu

Dr. Karen Lu is a principal security architect at Gemalto, a digital security company. She has over 10 years of experience in security, risk assessment, identity and access management, and privacy protection. Karen holds 23 patents with many pending, and has 50+ publications over... Read More →


Friday October 26, 2018 11:00am - 12:00pm CDT
Presidio Room

11:00am CDT

Eisenhower and the Internet
The speaker researches the history of one large, government-funded infrastructure and compares it to another. Specifically, the Eisenhower Interstate System and the Internet. "Connections: Eisenhower and the Internet" explores what the logistical challenges of moving vehicles across the Country can teach us about cybersecurity. Although these two topics seem unrelated, the speaker will take the audience on a journey that begins with early 20th century road-building projects, travels through ARPANET and the commercialization of the Internet, and arrives at current-day cyberspace. These two massive infrastructures have changed the world, and there are important lessons that the former can teach about the latter. The presentation concludes with predictions about the future of the Information Superhighway and how information security professionals can prepare.

Speakers


Friday October 26, 2018 11:00am - 12:00pm CDT
Duo Security Ballroom

11:00am CDT

Poking Holes in the Cloud: Auditing AWS Security
This talk covers the tools and techniques I have learned over the past year conducting penetration tests against AWS-hosted systems and applications.


Speakers
DL

David Lister

Research, Cisco
Crosswind landings.


Friday October 26, 2018 11:00am - 12:00pm CDT
Under Armour Room

11:00am CDT

The Mitre ATT&CK Framework is for all of us, and it is time to pay attention to it
Mitre has created the "Adversarial Tactics, Techniques & Common Knowledge" (ATT&CK) knowledge base to help security practitioners understand the actual tactics and techniques that adversaries use against us. The advantage of the ATT&CK knowledge base is that it lets us build a framework for understanding how we might detect, respond to, and prevent many of those tactics. ATT&CK provides a way to map the technologies and procedures we have, and then map the gaps we have so they can be addressed. Applying ATT&CK to existing systems and applications, or as you design new ones, benefits us in the long run. Whether you are a security generalist, application security specialist, blue team defender, or even on the red team, the ATT&CK framework helps us understand where we should focus. Whether your role is to detect and respond to attacks, or to design a new system or application, the goal in the end is to improve prevention and/or shore up our defenses.
The mappings of tactics help us understand how, and with what, attackers actually attack our systems: whether through our web applications, what happens once they exploit a flaw, and the tactics they then use to move further within our environments. They also help us detect and respond, or identify and build the process and procedures needed to respond to an attack. ATT&CK is something information security has needed for a long time: it gives us valuable insight to identify our gaps and know our weaknesses, but more importantly it maps them to something that is not compliance-driven but based on the actual tactics and techniques of our adversaries.
This talk will go over the ATT&CK matrix and how we might use it to measure ourselves and our gaps, something all of us need, or must, do. ATT&CK exceeds what compliance has been trying to do for decades, because ATT&CK reflects what attackers actually do, not what compliance says to do.


Speakers
avatar for Michael Gough

Michael Gough

Founder, Malware Archaeology
Michael is a Malware Archaeologist, Blue Team defender, Incident Responder and logoholic. Michael developed several Windows logging cheat sheets to help the security industry understand Windows logging, where to start and what to look for. Michael is co-developer of LOG-MD, a free... Read More →


Friday October 26, 2018 11:00am - 12:00pm CDT
Qualys Room

11:30am CDT

Lunch - Day 2
Friday October 26, 2018 11:30am - 12:30pm CDT
(take your lunch to the session you wish to attend)

12:00pm CDT

Evolving Your Security Mindset to Embrace DevSecOps
 What is DevSecOps? It is not one thing, but multiple journeys integrally embedded together - DevOps, Security, Agile*, Cloud, Containers, CI/CD, and many more. So aligning to DevSecOps IS daunting, and IS many changes all at once - a scary journey with so many unknowns.
How can security approaches & paradigms scale to match the velocity of software development & cloud-based operations? the adaptability & flexibility of agile and containerization? the automation of CI/CD and API-driven configuration? How will updating your security mindset to integrate with DevOps help your business win?
Evolving your security mindset will help you embrace and succeed with DevSecOps


Speakers
BT

Bankim Tejani

Sr. Manager, Product Security, Under Armour
Bankim Tejani has conducted security research, assessments, training, and consulting for over 15 years. His recent focus is on helping product engineering teams integrate security into their software development life cycles (SDLC) in scalable, agile, DevOps centric ways. Bankim is... Read More →


Friday October 26, 2018 12:00pm - 1:00pm CDT
Presidio Room

12:00pm CDT

It takes a village to get security right: Building collaborative IAM solutions
We have seen two evolutionary trends in the Identity and Access Management (IAM) industry. The first is a universal realization that passwords are not enough and must be combined with additional factors to properly authenticate users. The second, more recent trend is that even this stronger authentication should not stop at the perimeter, but instead should be done, or re-done, as close as possible to the actual interactions that matter. These interactions can be starting an application, accessing a data block, or performing a transaction. In response to these trends, players in the IAM space have been developing targeted solutions that address a specific aspect of the overall need. For example, there are products that specialize in single sign-on (SSO), multi-factor authentication (MFA or 2FA), access management (AM) and privileged access management (PAM). Although these products may rely on standards such as SAML and OpenID Connect (OIDC), they are generally not interchangeable across vendor boundaries. As a result, customers have to get a bundled solution from a single vendor, not an ideal situation to say the least.
Instead of being forced to select all of these individual products from a single source, customers prefer to have the flexibility to pick products from different vendors. Multiple vendors in the IAM space have recognized this need and have created an industry consortium, Identity Defined Security Alliance (IDSA, https://www.idsalliance.org/) to promote interoperability among member products so customers can have this flexibility.
In this talk, we will explain why MFA, SSO, AM, and PAM are specialized areas and how they have evolved independently in response to the two aforementioned trends. We will also explain why it is difficult for a single vendor to deliver robust solutions in all four of these specialized areas, and why it is important to build solutions that inter-operate. The complexity of building a robust security solution in today's ever-changing environment demands this industry collaboration and confluence of expertise. We will then show an example of how an SSO-AM-MFA-PAM chain of services can be built using products from different vendors.
This talk will cover the following topics:
  1. Evolutionary trends in IAM space
  2. Difference between SSO, MFA, AM, PAM
  3. Why it is difficult for a single vendor to deliver products in all four of these areas
  4. How IDSA can help build identity centric security strategies
  5. A demo of an example integration that produces a chain of SSO-AM-MFA-PAM services

Friday October 26, 2018 12:00pm - 1:00pm CDT
Qualys Room

12:00pm CDT

Microservices Security Landscape
The microservices architecture expands the attack surface, with multiple microservices communicating with each other remotely. It’s a common principle in security that a given system is only as strong as its weakest link. Unlike in any other system design, the repercussions will be extremely high if we do not get security right in a microservices design.

The key driving force behind microservices architecture is the speed to production (or the time to market). One should be able to introduce a change to a service, test it and instantly deploy it into production. A proper secure development lifecycle and test automation strategy needs to be there to make sure that we do not introduce security vulnerabilities at the code level. We need to have a proper plan for static code analysis and dynamic testing — and most importantly those tests should be part of the continuous delivery (CD) process. Any vulnerability should be identified early in the development lifecycle and should have shorter feedback cycles.

There are multiple microservices deployment patterns, but the most commonly used one is the service-per-host model. The host does not necessarily mean a physical machine; most probably it would be a container (Docker). DevOps security needs to address container-level security: how do we isolate a container from other containers, and what level of isolation do we have between the container and the host operating system?

How do we authenticate users to microservices and control their access, and how do we secure the communication channels between microservices? These questions all fall under application-level security.

This talk addresses multiple perspectives in securing microservices: SDLC, DevOps, and application-level security.

Speakers

Prabath Siriwardena

Engineer, WSO2
Prabath Siriwardena (@prabath) is an identity evangelist, author, blogger and the VP of Identity Management and Security at WSO2, with more than 11 years of industry experience in designing and building critical Identity and Access Management (IAM) infrastructure for global enterprises...


Friday October 26, 2018 12:00pm - 1:00pm CDT
Under Armour Room

1:00pm CDT

Building An AppSec Program From The Ground Up: An Honest Retrospective
This talk will cover the lessons learned from a 2-year journey starting an appsec program at a small-to-medium-sized company that previously had no security program. This will be an honest look at what worked and what didn't work, as well as a follow-up analysis. There will be plenty of stories, common-sense perspective, and discussion around goal-setting and execution. This will be the talk I wish I had two years ago when I was starting this adventure.


Speakers

John Melton

Principal Security Researcher, WhiteHat Security
John Melton: I'm the lead developer for OWASP AppSensor, which I discovered after building a nearly identical tool and looking for prior art. For my day job, I am currently a principal security researcher at WhiteHat Security, where I do R&D work, particularly in the static analysis...



Friday October 26, 2018 1:00pm - 2:00pm CDT
Qualys Room

1:00pm CDT

Data Protection at Scale
In the era when everybody, including “well established” companies, has decided that Agile is a way of life, nobody has the luxury to execute in an old waterfall-style manner. It doesn’t matter that you have a mandate for something as important and fundamental as data protection, and that a single data breach incident can completely erode hard-earned consumer trust and be lethal for your company’s business.
What it takes to implement those fundamental tools and processes in an agile manner and at scale is the topic of our presentation. Automation is critical to this journey, but as we’ve stated in this paper (https://blog.sonatype.com/author/oleg-gryb), automation alone is not going to cut it, because security is everyone’s business. It means that if you want to make it agile, the boundaries of your data protection program will expand well beyond the security team, and it'll require a village. Come to our presentation to learn:
  1. How to optimize your security processes to make them fast
  2. How to automate your data protection tools in such a manner that changes in core cryptographic services do not affect performance and operational resilience
  3. How to innovate in the area that is considered very difficult to change; this elephant can dance!
  4. How to hire people with the right skills to achieve your current goals and move to the next generation of data protection tools in the future

Speakers

Naga Vinod Duggirala

Chief Security Architect, Visa Inc.
Vinod is a Chief Security Architect at Visa, driving the enterprise data protection strategies and solutions across Visa's global locations. Vinod has 20 years of international experience in Security Product Architecture and Development and also has great experience with Security Operations...

Oleg Gryb

Chief Security Architect, Visa Inc
Oleg Gryb is Chief Security Architect at Visa Inc. working in security architecture and security engineering domains. He was previously Sr. Manager and de-facto CISO of Samsung’s IoT platform called Artik Cloud. Before that he worked as Security Architect at Intuit, where he was...

Subra Kumaraswamy

VP Cybersecurity Architecture & Engineering, Visa Inc.
Subra Kumaraswamy is the VP of Security Architecture and Engineering and has over 25 years of industry experience in product engineering and cybersecurity. He joined Visa in 2015 and leads key initiatives including data protection, shift-left, and artificial intelligence for threat management...


Friday October 26, 2018 1:00pm - 2:00pm CDT
Presidio Room

1:00pm CDT

How To Kick Butt in InfoSec Blogging!
Blogging in InfoSec is a great way to improve your visibility and reinforce your personal brand, and/or your company's brand. It's easy to do, but hard to do exceptionally well. I've been editor of a corporate blog for the past 4 years and blogging in InfoSec for 6 years, and I'd like to share what I've learned. Topics will include insights on:
  • Why blog?
  • Technical blogs beat "thought leadership" in general
  • SEO is tedious but oh so necessary. I'll share some easy tips and tricks.
  • Include screen caps, graphics, and pictures in your blogs or risk boring your audience :(
  • Avoid clickbait on social to get traffic to your blog, but you should be clever and interesting!
  • Always include pics.
  • Metrics are "king" - you need to measure the success of each blog in order to improve.
  • Measure traffic by source.
  • Examples of great InfoSec blogs
  • How to pick a topic
  • How to socialize your blog
  • Site reputation, how to place your blog
  • Uh-ohs! Pitfalls to avoid
  • Demo of how to measure blog success
  • Ah Blogspot, how to do that well

Speakers

Kate Brew

Editor of blog, AlienVault
InfoSec blogs.



Friday October 26, 2018 1:00pm - 2:00pm CDT
Under Armour Room

1:00pm CDT

Invited Speaker - James Wickett
TBA

Friday October 26, 2018 1:00pm - 2:00pm CDT
Duo Security Ballroom

1:45pm CDT

Snack Break
Friday October 26, 2018 1:45pm - 2:15pm CDT
Expo Hall (Live Oak Room)

2:00pm CDT

Empathy & Vulnerability in SecOps
Security Operations can be challenging work, but it’s often made more so by a lack of communication skills, empathy, and emotional vulnerability. Empathy and vulnerability are catalysts to improving engagement with other teams, becoming more receptive to feedback, and building more capable and resilient SecOps programs. Teams who challenge each other and collaborate with respect are better positioned to tackle difficult Incident Response events and provide engaging Security Awareness programs.

Speakers

Joe Parker

Infosec Analyst II, Duo Security
Joe Parker is an Information Security Analyst at Duo Security in Austin, TX. Before joining Duo he founded a managed service provider, a SaaS business, and a security department and consultancy. Joe is passionate about helping people, digital privacy, and security education. When...


Friday October 26, 2018 2:00pm - 3:00pm CDT
Presidio Room

2:00pm CDT

Red Team/Pen Testing Panel Discussion
Speakers

David Hughes

I am a Red Team lead at General Motors and large scale password analysis is one of my side projects. I’ve been in the IT industry for over 20 years, most of which has involved penetration testing and Red Teaming. I am heavily involved in the local Austin security community, OWASP...


Friday October 26, 2018 2:00pm - 3:00pm CDT
Duo Security Ballroom

2:00pm CDT

Securing the Future of TLS - What's new in TLS 1.3
TLS has had many changes and updates throughout the past two decades, and TLS 1.3 is a major milestone in the series of TLS protocols. This talk covers what has changed between prior versions of TLS and TLS 1.3, as well as how the protocol was designed with security and speed front of mind.

Speakers

Carl Mehner

Carl Mehner is an Information Security professional at a Fortune 100 company and independent security researcher who has been working with PKI and TLS since 2008. Carl created a series of educational posters about certificates, keys, and other PKI topics on his website which were...



Friday October 26, 2018 2:00pm - 3:00pm CDT
Qualys Room

3:00pm CDT

Securing Legacy Applications
It’s common to hear people preach “plan in security from the start,” and in an ideal world, you can. Here in the real world, though, we have legacy code that’s gathered over time and comes with a host of problems, (in)security included. What do you do when you’ve been commissioned with securing an application that’s showing its age? Follow along with me as I step you through a list of tips and tricks you can use to discover security issues in your application, fix them effectively, and secure your application.
Topics will include some of the most common vulnerability types and key places to look for potential issues, and the talk will arm you with the tools and knowledge you’ll need to refactor that legacy application into something secure.


Speakers

Chris Cornutt

Chris has worked in web development and security in a wide range of industries over his career including public utilities, customer management, API management and server hosting. He is currently an Application Security Engineer for Duo Security and an active member of the PHP community. He...


Friday October 26, 2018 3:00pm - 4:00pm CDT
Qualys Room

3:00pm CDT

Adapting Your AppSec
In the ever-evolving, fast-paced development world, application security has not scaled well. Incorporating application security and testing into the current development process is difficult, leading to incomplete tooling or unorthodox stoppages due to the required manual security assessments. Development teams are working with a backlog of stories, stories that are typically focused on features and functionality instead of security. Traditionally, security was viewed as a prevention of progress, but there are ways to incorporate security activities without hindering development. There are many types of security activities you can bake into your current development lifecycles—tooling, assessments, stories, scrums, iterative reviews, repo and bug tracking integrations—every organization has a unique solution and there are positives and negatives to each of them. David will talk through the various solutions using his experiences to help build security into the development process.

Speakers

Brian Glas

Director of Strategic Services, nVisium
Brian Glas has worked in IT for over 17 years and information/application security for the last decade. He started as an enterprise Java developer, then transitioned to helping build an application security program as both tech lead and manager. He later played the role of enterprise...



Friday October 26, 2018 3:00pm - 4:00pm CDT
Under Armour Room

3:00pm CDT

Threat Modeling for IoT Systems
The Internet of Things (IoT) is an exciting and emerging area of technology allowing individuals and businesses to make radical changes to how they live their lives and conduct commerce. The challenge with this trend is that IoT devices are just computers with sensors running applications. Because IoT devices interact with our personal lives, the proliferation of these devices exposes an unprecedented amount of personal sensitive data to significant risk. In addition, IoT security is not only about the code running on the device. These IoT devices are connected to systems that include supporting web services as well as other client applications that allow for management and reporting.

A critical step to understanding the security of any system is building a threat model. This helps to enumerate the components of the system as well as the paths that data takes as it flows through the system. Combining this information with an understanding of trust boundaries helps provide system designers with critical information to mitigate systemic risks to the technology and architecture. This presentation looks at how Threat Modeling can be applied to IoT systems to help build more secure systems during the design process, as well as how to use Threat Modeling when testing the security of IoT systems.

Speakers

Dan Cornell

Vice President, Product Strategy, COALFIRE
A globally recognized software security expert, Dan Cornell has over 20 years of experience architecting, developing and securing software systems. As Vice President of Product Strategy at Coalfire, Dan works with customers and industry partners to help drive the direction of their...



Friday October 26, 2018 3:00pm - 4:00pm CDT
Duo Security Ballroom

3:00pm CDT

Expo Hall Closes
Expo Hall closes at 3:00 PM on Friday.  Thanks to all our wonderful Sponsors!

Friday October 26, 2018 3:00pm - 5:00pm CDT
Expo Hall (Live Oak Room)

4:00pm CDT

Closing, Giveaways and Drawings!
Friday October 26, 2018 4:00pm - 5:00pm CDT
Duo Security Ballroom