Join us at AppSec California 2014!


AppSec California is the first of what we hope will be many annual conferences hosted by all of the California chapters. Join us on the beaches of Santa Monica, closest to our Los Angeles Chapter. Space is limited to around 200 attendees, so be sure to get your ticket before we sell out!

Come a little early or stay the rest of the week; however you enjoy it, the weather is likely going to be warmer than where you are. Enjoy the Santa Monica pier and downtown area, or explore the surrounding cities. You probably have a client or 10 nearby as well, so say hello to them too.

Stay tuned as activities around the event are updated and more speakers are added to the lineup. A schedule will come at some point.


Register today! 

Monday, January 27
 

8:45am

Welcome Address
Speakers

richard.greenberg

Chapter Leader, OWASP Los Angeles
Hi everyone! I am the Chair for AppSec California, the Chapter Leader for OWASP Los Angeles, on the ISSA Int'l Honor Roll, am an ISSA Fellow, and the President of ISSA Los Angeles. I love our community.

Neil Matatall

Information Security Engineer, Twitter
Twitter security engineer, football fan, hiker. I like writing code. I like breaking code. I like protecting code.


Monday January 27, 2014 8:45am - 9:00am
Track 1

9:00am

Opening Remarks
Speakers

Monday January 27, 2014 9:00am - 9:30am
Track 1

9:30am

Keynote (Robert Hansen)
Speakers
Robert Hansen

Director of Product Management & Technical Evangelist, WhiteHat Security
Robert Hansen (CISSP) is the Director of Product Management at WhiteHat Security. He's the former Chief Executive of SecTheory and Falling Rock Networks, which focused on building a hardened OS. Mr. Hansen began his career in banner click fraud detection at ValueClick. Mr. Hansen has worked for Cable & Wireless doing managed security services, and eBay as a Sr. Global Product Manager of Trust and Safety. Mr. Hansen contributes to and sits on the...


Monday January 27, 2014 9:30am - 10:30am
Track 1

10:30am

Break
Monday January 27, 2014 10:30am - 10:45am
Track 3

10:30am

Break
Monday January 27, 2014 10:30am - 10:45am
Track 2

10:30am

Break
Monday January 27, 2014 10:30am - 10:45am
Track 1

10:45am

AppSec at DevOps Speed and Portfolio Scale
Software development is moving much faster than application security, with new platforms, languages, frameworks, paradigms, and methodologies like Agile and DevOps. Unfortunately, software assurance hasn't kept up with the times. For the most part, our security techniques were built to work with the way software was built in 2002.

Here are some of the technologies and practices that today's best software assurance techniques *can't* handle: JavaScript, Ajax, inversion of control, aspect-oriented programming, frameworks, libraries, SOAP, REST, web services, XML, JSON, raw sockets, HTML5, Agile, DevOps, WebSocket, Cloud, and more. All of these rest pretty much at the core of modern software development.

Although we're making progress in application security, the gains are much slower than the stunning advances in software development. After 10 years of getting further behind every day, software *assurance* is now largely incompatible with modern software *development*. It's not just security tools – application security processes are largely incompatible as well. And the result is that security has very little influence on the software trajectory at all.

Unless the application security community figures out how to be a relevant part of software development, we will continue to lag behind and effect minimal change. In this talk, I will explore a radically different approach based on instrumenting an entire IT organization with passive sensors to collect real-time data that can be used to identify vulnerabilities, enhance security architecture, and (most importantly) enable application security to generate value. The goal is unprecedented real-time visibility into application security across an organization's entire application portfolio, allowing all the stakeholders in security to collaborate and finally become proactive.

Speakers
Jeff Williams

CTO, Contrast Security
Jeff Williams is a co-founder and CTO of Contrast Security, the world's fastest and most accurate application security technology. Previously, Jeff was a founder and CEO of Aspect Security. He also served as Global Chairman of the OWASP Foundation, where he created many open-source standards, tools, libraries, and guidelines – including the OWASP Top Ten, WebGoat, ESAPI, XSS CheatSheet, ASVS and more. Jeff welcomes hearing from you and...


Monday January 27, 2014 10:45am - 11:45am
Track 3

10:45am

Attack Driven Defense
Traditionally, defense has been approached without enough emphasis on countering real world attack behaviors. This presentation will cover new network defense techniques from an attack perspective, specifically focusing on building detection systems around initial compromise, persistence/C2, and lateral movement. It will discuss practical methods of alerting on both host and network level persistence, what works (and what doesn’t!) with network traffic anomaly analysis, and useful approaches for correlating weak and strong attack signals. Finally, this presentation will demonstrate effective ways to reduce organizational attack surface, simulate realistic adversaries, and increase cost for attackers.

Speakers
Zane Lackey

Director of Security Engineering, Etsy
Zane Lackey is the Director of Security Engineering at Etsy and a member of the Advisory Council to the US State Department-backed Open Technology Fund. Prior to Etsy, Zane was a Senior Security Consultant at iSEC Partners.

He has been featured in notable media outlets such as the BBC, Associated Press, Forbes, Wired, CNET, Network World, and SC Magazine. A frequent speaker at top industry conferences, he has presented at BlackHat, RSA...


Monday January 27, 2014 10:45am - 11:45am
Track 1

10:45am

Confessions of a Social Engineer: Why Developers Are My Favorite Target
Social engineers use a dangerous combination of technology and old fashioned con artistry to infiltrate organizations every day. In this talk we'll walk through the social engineering process including research, target selection, attack selection, and attack execution. Learn to see the world through the eyes of a social engineer and prevent yourself from being a victim.

Speakers
Valerie Thomas

Securicon LLC
Valerie Thomas (hacktress09) is a Senior Information Security Consultant for Securicon LLC who specializes in social engineering and physical penetration testing. After obtaining her bachelor's degree in Electronic Engineering, Valerie led information security assessments for the Defense Information Systems Agency (DISA) before joining private industry. Throughout her career, Valerie has conducted penetration tests, vulnerability assessments...


Monday January 27, 2014 10:45am - 11:45am
Track 2

11:45am

An inconvenient Zeus: The rise of SaaS-targeted malware
We at Adallom are proposing a session where we will showcase a new variant of Zeus which we have found in the wild that specifically targets Salesforce.com users. It remains dormant until the user logs in to SFDC and then discreetly piggybacks on the user session, downloads data, and uploads it to a Dropbox account. We will do a live demonstration of an attack, as well as show that Salesforce.com keeps no record of the attack, meaning it can execute very clandestinely.

Speakers

Ami Luttwak

co-founder and CTO, Adallom
Ami Luttwak is the co-founder and CTO of Adallom, a complete cloud security solution provider for SaaS applications. Prior to that, he was a senior software architect at Phonaris, where he designed the architecture and led the development of the Phonaris agents for the iPhone and Android platforms. Luttwak is an alumnus of the Israeli Defense Force's 8200 unit.


Monday January 27, 2014 11:45am - 12:15pm
Track 1

11:45am

CSO's Myopia
Before reading this article, imagine what it would be like to manage your company without your customers' data, or if that data were in your competitors' hands.
The value of data is an established fact and almost doesn't bear mentioning. The experience your customers accumulate over the years, as well as the customer database itself, is fundamental and represents a great competitive edge in this new corporate era.
Keeping this in mind, we realize the importance of implementing specific policies in order to build a base that guarantees the safety of this data.
Recently, there has been an increase in security-related incidents, to the point that IT management has become more and more complex and, as a consequence, the need for a new kind of professional has emerged: the Chief Security Officer (CSO).
The CSO has become the person responsible for all risk areas and data security, and also for the definition and implementation of the security strategies and policies that a company will adopt.
I will show how the "limited" vision of some CSOs can lead to foolish vulnerabilities that leave the company with serious security issues.

Speakers
Jordan Bonagura

Jordan M. Bonagura is a computer scientist with postgraduate degrees in Business Strategic Management, Innovation and Teaching (teaching methodology and research). He works as a teacher and course coordinator. He also works as an information security consultant with an emphasis on new breaches and the ways they are exploited (CEH). Professor in the area of information technology in various institutions, founder of Vale Security Conference, Stay Safe Podcast and...


Monday January 27, 2014 11:45am - 12:15pm
Track 2

11:45am

Mantra OS
OWASP Mantra OS was developed under the mantra of “OWASP because the world is cruel”. The reason this mantra is used as an underlying principle for the development of Mantra OS is simply that it is better for the pen tester to find the exploit than the hacker. The tool-set of Mantra OS v13 contains the same tools many hackers use to exploit web applications, such as DDoS, SQL injection, man-in-the-middle attacks, and poisoning attacks. The purpose of this presentation is to show practical testing methodologies using Mantra OS and how to run these tests in a controlled environment. In this talk we will discuss and demo:

• Demo of the tool-set of Mantra OS
• Maltego and intelligence collection
• DDoS using LOIC, Slow HTTP poisoning and ping of death with Scapy
• SQL injection with Burp and sqlmap
• Man in the Middle with SSL stripping
• ARP poisoning, ICMP poisoning and Smurf attacks
• How to deploy these attacks in a controlled environment

In addition we will discuss why and how hackers use these tools, methods of mitigating these styles of attack, and how to turn pen testing into a risk mitigation plan.

Speakers
Gregory Disney

Gregory Disney-Leugers is a security engineer at Hytrust. He attended the United States Air Force Institute of Technology and Defense Acquisition University. He is the developer of OWASP Mantra OS and The Onion Server.


Monday January 27, 2014 11:45am - 12:15pm
Track 3

12:15pm

Lunch
Monday January 27, 2014 12:15pm - 1:45pm
Track 2

12:15pm

Lunch
Monday January 27, 2014 12:15pm - 1:45pm
Track 3

12:15pm

Lunch
Delicious noms

Monday January 27, 2014 12:15pm - 1:45pm
Track 1

1:45pm

Can AppSec Training Really Make a Smarter Developer?
Most application risk managers agree that training software developers to understand security concepts can be an important part of any software security program. Couple that with the Payment Card Industry, who mandate that developers should have training in secure coding techniques as laid out in their Data Security Standard. Yet others call developer training "compliance-ware," a necessary evil and a tax on software development in the enterprise.
This presentation shares the results of a yearlong survey of nearly 1,000 software developers that captures their knowledge of application security before and after formal training. The survey queries developers from various backgrounds and industries, to better understand their exposure to secure development concepts and to capture a baseline for post-training improvements. The session also includes the results of a "retest" of a subset of respondents, to identify how much security knowledge they retained after a specific length of time. The results were surprising, and include information every application risk manager should know, particularly those who rely on training as part of an application security strategy.

Speakers
John Dickson

Principal, Denim Group
John Dickson is a Principal at Denim Group, Ltd. and a CISSP who helps CSOs manage secure software initiatives. He is a Distinguished Fellow of ISSA and one of the civilian advisers to the Air Force Space Command, which organizes, trains and equips cyberspace forces to conduct network defense, attack and exploitation. Dickson is a former U.S. Air Force officer who specialized in network defense and command and control while on active duty and Air...


Monday January 27, 2014 1:45pm - 2:45pm
Track 3

1:45pm

PRISM-AS-A-SERVICE: Not Subject to American Law
X-as-a-Service products are integral in the U.S. tech industry with their ability to take the pain out of server configuration, maintenance, provisioning, data storage and other aspects of running a server. With the recent outing of PRISM, a clandestine national security electronic surveillance program, the next desirable IT feature is "not subject to American law." How can we leverage cloud-based software while maintaining privacy?

This talk is a look at what exactly PRISM is, how PRISM affects cloud services, and how best to approach securing data and preserving privacy within the cloud.

Speakers
Lynn Root

Partner Engineer, Spotify
Software engineer for Spotify, founder of the San Francisco Chapter of PyLadies, board member of the Python Software Foundation. VM breaker, insomniac, coffee addict.


Monday January 27, 2014 1:45pm - 2:45pm
Track 2

1:45pm

Warning Ahead: Security Storms are Brewing in Your JavaScript
JavaScript controls our lives – we use it to zoom in and out of a map, to automatically schedule doctor appointments and to play online games. But have we ever properly considered the security state of this scripting language?

Before dismissing the (in)security posture of JavaScript on the grounds of a client-side problem, consider the impact of JavaScript vulnerability exploitation to the enterprise: from stealing server-side data to infecting users with malware. Hackers are beginning to recognize this new playground and are quickly adding JavaScript exploitation tools to their Web attack arsenal.

In this talk we explore the vulnerabilities behind JavaScript, including:

• A new class of vulnerabilities unique to JavaScript
• Vulnerabilities in 3rd-party platforms which are exploited through JavaScript code
• HTML5, which is considered the NG-JavaScript and in turn introduces a new set of vulnerabilities

Speakers
Maty Siman


Monday January 27, 2014 1:45pm - 2:45pm
Track 1

2:45pm

HTTP Time Bandit
While web applications have become richer to provide a higher level user experience, they run increasingly large amounts of code on both the server and client sides. A few of the pages on the web server may be performance bottlenecks. Identifying those pages gives both application owners as well as potential attackers the chance to be more efficient in performance or attack.

Speakers
Tigran Gevorgyan

Born in Yerevan, Armenia. Graduated from Yerevan State University with honors in 1996. Immigrated to the USA in 1999. Worked in various companies in the network security field, such as Network Associates, Imperito Networks and Qualys.

Vaagn Toukharian

Qualys
Principal Engineer for Qualys's Web Application Scanner. Has been involved with the security industry since 1999. Experience includes work on Certification Authority systems, encryption devices, large CAD systems, and Web scanners. Outside-of-work interests include photography and Ironman triathlons.


Monday January 27, 2014 2:45pm - 3:45pm
Track 2

2:45pm

Million Browser Botnet
Online advertising networks can be a web hacker's best friend. For mere pennies per thousand impressions (that means browsers) there are service providers who allow you to broadly distribute arbitrary JavaScript -- even malicious JavaScript! You are SUPPOSED to use this "feature" to show ads, to track users, and get clicks, but that doesn't mean you have to abide. Absolutely nothing prevents spending $10, $100, or more to create a massive JavaScript-driven browser botnet instantly. The real-world power is spooky cool. We know, because we tested it… in-the-wild. Besides attacking ourselves we've also tested against a well known target with lots of DDoS protection… Akamai.

With a few lines of HTML5 and JavaScript code we'll demonstrate just how you can easily commandeer browsers to perform DDoS attacks, participate in email spam campaigns, crack hashes and even help brute-force passwords. Put simply, instruct browsers to make HTTP requests they didn't intend, even something as well-known as Cross-Site Request Forgery. With CSRF, no zero-days or malware is required. Oh, and there is no patch. The Web is supposed to work this way. Also nice, when the user leaves the page, our code vanishes. No traces. No tracks.

Before leveraging advertising networks, the reason this attack scenario didn't worry many people is because it has always been difficult to scale up, which is to say, simultaneously control enough browsers (aka botnets) to reach critical mass. Previously, web hackers tried poisoning search engine results, phishing users via email, link spamming Facebook, Twitter and instant messages, Cross-Site Scripting attacks, publishing rigged open proxies, and malicious browser plugins. While all useful methods in certain scenarios, they lack simplicity, invisibility, and most importantly -- scale. That's what we want! At a moment's notice, we will show how it is possible to run JavaScript on an impressively large number of browsers all at once and no one will be the wiser. Today this is possible, and practical.

Speakers
Jeremiah Grossman

Chief Technology Officer, WhiteHat Security
Jeremiah Grossman founded WhiteHat Security in August 2001 and currently serves as Chief Technology Officer, where he is responsible for Web security R&D and industry outreach. Over the last decade, Mr. Grossman has written dozens of articles, white papers, and is a published author. His work has been featured in the Wall Street Journal, Forbes, NY Times and hundreds of other media outlets around the world.

As a well-known...

Matt Johansen

Manager, Threat Research Center, WhiteHat Security
Matt Johansen is the Manager of the Threat Research Center at WhiteHat Security, where he manages a team of Application Security Specialists, Engineers and Supervisors to prevent website security attacks and protect companies and their customer data. Before managing the team he was an Application Security Engineer where he oversaw and assessed more than 20,000 web applications that WhiteHat has under contract for many Fortune 500...


Monday January 27, 2014 2:45pm - 3:45pm
Track 1

2:45pm

Whiz, Bang, ZAP! An introduction to OWASP's Zed Attack Proxy
The OWASP Zed Attack Proxy (ZAP) is "an easy to use integrated penetration testing tool for finding vulnerabilities in web applications." The technology is comparable to IBM AppScan and HP WebInspect - but free, open source and maintained by OWASP volunteers. The project has seen a tremendous amount of development lately. Learn about the tool, what it can do for you, and optionally bring your laptop to follow along as we use it to test some (purposefully insecure) web applications.

Speakers
Ben Walther

Security Engineer
Ben Walther is a security engineer with a background in consulting and teaching for Symantec, Cigital, and within higher education. He is the co-author of the Web Security Testing Cookbook and an active contributor to OWASP projects.


Monday January 27, 2014 2:45pm - 3:45pm
Track 3

3:45pm

Break
Monday January 27, 2014 3:45pm - 4:15pm
Track 3

3:45pm

Break
Monday January 27, 2014 3:45pm - 4:15pm
Track 1

3:45pm

Break
Monday January 27, 2014 3:45pm - 4:15pm
Track 2

4:15pm

New Frameworks, Old Problems
The web development community has seen a rise in new web frameworks that provide small to large organizations with the opportunity to decrease development time and increase productivity. Frameworks such as Play! and Node.js as well as their supporting API(s) allow development staff to quickly and efficiently create and ship a product. But with these new frameworks come the same security issues that have plagued the web for years.

This talk will show how frameworks such as Spring and Django have solved these issues in the past, gaps in the newer frameworks, and provide code examples as well as offer helpful solutions to address these concerns within the frameworks discussed during this talk.


Monday January 27, 2014 4:15pm - 5:15pm
Track 2

4:15pm

OWASP Top 10 Mobile Risks: 2014 Reboot
The OWASP Top 10 Mobile Risks were first created in 2011. However, a lot has changed over the past three years. The mobile platforms themselves have evolved, mobile threats have evolved, and app developers have experimented with crazy new things. As a result, the OWASP Mobile Security Project decided it was the time to take another look at the threat landscape.

In this presentation, we will present the 2014 version of the OWASP Top 10 Mobile Risks for the first time. We will highlight the differences between the 2011 and 2014 versions and we will explain why some risks were added to the list, dropped altogether, elevated in criticality, or bumped down a few notches. As we present each risk that made the list, we will provide supporting data and explain the reasoning behind each entry in detail.

But what would an OWASP presentation be without also providing solutions to the problems we’re pointing out? For each of the risks identified, recommended fixes will be provided for the most commonly used mobile platforms (which pretty much means iOS, Android, and if we’re feeling adventurous, Windows Phone).

Speakers
Jason Haddix

Jason is also the Director of Penetration Testing at Fortify Software. Jason performs (and trains internal candidates for) mobile penetration testing, black box web application auditing, network/infrastructural security assessments, cursory mainframe security analysis, cloud architecture reviews, wireless network assessment, binary reverse engineering, and static analysis. He is also a semi-regular player on the capture the flag team...

Jack Mannino

Jack Mannino is a Partner at nVisium, a DC area firm specializing in application security. At nVisium, he helps to ensure that large corporations, government agencies, and software startups have the tools they need to build and maintain successful security initiatives. He is an active Android security researcher/tinkerer, and has a keen interest in identifying security issues and trends on a large scale. Jack is a leader and founder of the...


Monday January 27, 2014 4:15pm - 5:15pm
Track 1

4:15pm

Securing the Software Supply Chain
In today’s digitally connected world, organizations must work with multiple partners across their lines of businesses. As these partners are allowed to connect into the parent networks, the risk of propagating a vulnerability from a partner into parent networks increases. Cybercriminals are looking to exploit the holes in the partner and supply chain networks to steal corporate information and valuable data from parent networks. As these targeted attacks can be a substantial risk to organizations along the breadth of the supply chain, software security experts have been working to find a more permanent way to ensure the integrity of the software supply chain.

In this presentation, Cenzic’s CEO John Weinschenk will discuss the software supply chain domain, and the potential checks and balances that could enable companies to ensure the “chain of custody” as the applications connect across multiple networks. John will discuss methods for securing code as it is passed between organizations, and methods for improving the software development process so that vulnerabilities are less likely to be introduced.

Speakers
John Weinschenk

CEO and President, Cenzic
John Weinschenk is a technology executive who has led several companies to unprecedented success. John's career is marked by an unusually broad background in both engineering and business. John has led technical groups in key security and enterprise software firms, and has brought his in-depth understanding of the latest technologies, market dynamics, and business models to leadership roles in business-strategy and marketing divisions at...


Monday January 27, 2014 4:15pm - 5:15pm
Track 3

5:15pm

Adventures in Reviewing Mountains of Code
I recently found myself at a client site, faced with 2.6 million lines of code; none of which could leave the building. I started climbing this small mountain. This talk discusses my approach to this problem, experiments run during this assessment, and some unexpected encounters along the way.

Speakers
Jon Boyd

Jon Boyd is a Sr. Security Engineer at Security Innovation, where he conducts penetration testing and security assessments on hardened targets. When not looking for vulnerabilities in code, Jon enjoys picking locks and hiking in the Cascades.


Monday January 27, 2014 5:15pm - 6:15pm
Track 3

5:15pm

DIY Command & Control For Fun And *No* Profit
This talk is called "DIY Command & Control For Fun And *No* Profit" because many security professionals have heard about Command & Control botnets, and even more have been infected by them. Very few have had the opportunity to actually look inside the server control panel of a C&C. This mainly hands-on presentation will walk you through a very dark corner of the Internet and provide a glimpse of the daily life of a cybercriminal. Live malware will be used during this presentation, so make sure you turn off your Wi-Fi.

Speakers
David Schwartzberg

Senior Security Engineer, Barracuda Networks
David Schwartzberg is a Senior Security Engineer at Barracuda Networks, specializing in malware, web threats, endpoint and data protection, mobile security, cloud and network security. David has presented at GrrCON, THOTCON, DerbyCon, BSides and several other conferences. David is currently blogging independently, but previously wrote for Dark Reading, and was a guest blogger for the award-winning Naked Security blog. He also published...


Monday January 27, 2014 5:15pm - 6:15pm
Track 2

5:15pm

The Cavalry Is Us: Protecting the public good
In the Internet of Things, security issues have grown well beyond our day jobs. Our dependence on software is growing faster than our ability to secure it. In our efforts to find the grown-ups who are paying attention to these risks, one painful truth has become clear: The Cavalry Isn't Coming. Our fate falls to us or to no one. At BSidesLV and DEF CON 21, a call was made and many of you have answered. At DerbyCon, we begin the work of shaping our futures. Here at AppSec, we have the opportunity to level up and reframe our role in all of this. As the initiated, we face a clear and present danger in the criminalization of research, to our liberties, and (with our increased dependence on indefensible IT) even to human safety and human life. What was once our hobby became our profession and (when we weren't looking) now permeates every aspect of our personal lives, our families, our safety. Now that security issues are mainstream, security illiteracy has led to very dangerous precedents as many of us are watching our own demise. It is time for some uncomfortable experimentation.
This session will both frame the plans to engage in Legislative, Judicial, Professional, and Media (hearts & minds) channels and organize and initiate our constitutional congress working sessions. The time is now. It will not be easy, but it is necessary, and we are up for the challenge.
It's high time we make our dent in the universe. For background, please watch the video of the launch of @iamthecavalry: http://bit.ly/16YbpC1 Join the conversations also at the Google group: https://groups.google.com/d/forum/iamthecavalry

Speakers
Beau Woods

Founder/CEO, Stratigos Security
Beau Woods is Founder/CEO of Stratigos Security, with over a decade in the IT and Information Security industries. Beau is an active participant in the security community and has contributed to several publications and articles, participating in OWASP and HIMSS mobile security groups. Beau has been involved in The Cavalry movement from early on and is helping drive its future.


Monday January 27, 2014 5:15pm - 6:15pm
Track 1

6:15pm

Reception
Light appetizers and snacks with an open (beer and wine) bar!

Sponsored in part by Shape Security. 

Monday January 27, 2014 6:15pm - 10:00pm
Track 1
 
Tuesday, January 28
 

9:20am

Day 2 Opening Remarks
Speakers

richard.greenberg

Chapter Leader, OWASP Los Angeles
Hi everyone! I am the Chair for AppSec California, the Chapter Leader for OWASP Los Angeles, on the ISSA Int'l Honor Roll, am an ISSA Fellow, and the President of ISSA Los Angeles. I love our community.

Neil Matatall

Information Security Engineer, Twitter
Twitter security engineer, football fan, hiker. I like writing code. I like breaking code. I like protecting code.


Tuesday January 28, 2014 9:20am - 9:30am
Track 1

9:30am

Application Sandboxes: Know thy limits
As we secure applications leveraging sandboxes, it is important to understand the attack surface as it presents opportunities for attackers. In this talk we’ll decompose application sandboxes from the lens of a pen-tester. We look at various popular sandboxes such as Google Chrome, Adobe ReaderX, and Sandboxie, amongst others, and discuss the limitations of each technology and its implementation details. Further, we discuss in depth with live exploits how to break out of each category of sandbox by leveraging various kernel and user mode exploits – something that future malware could leverage. Some of these exploit vectors have not been discussed widely and awareness is important.

Speakers
Rahul Kashyap

Chief Security Architect, Head of Research, Bromium
Rahul Kashyap is Chief Security Architect, Head of Security Research at Bromium. Before joining Bromium, he led the worldwide Threat Research teams at McAfee Labs, a wholly owned subsidiary of Intel. Rahul has created and worked on several security technologies that are deployed in highly sensitive military, government, banking and healthcare institutions around the world. He has led cyber defense strategies for several initiatives such as...


Tuesday January 28, 2014 9:30am - 10:30am
Track 1

9:30am

CSRF: not all defenses are created equal
CSRF is an often misunderstood vulnerability. In this talk I will introduce CSRF and the basic defenses against it. Then I will go through all of the various major solutions and describe how they implement the general solution and the positives and negatives of each implementation.
The general solution is to implement the synchronizer token pattern. This is usually done in the framework and not by the individual developer. For example, .NET applications can use the AntiForgeryToken (for MVC applications) or ViewStateUserKey. Tomcat web server and F5 load balancers also now include CSRF prevention filters. OWASP of course has CSRFGuard. All of these solutions, though, are slightly different and can lead to different side effects, some of which are little understood and poorly documented. Some side effects can impact usability, or cause worse security problems while trying to defend against CSRF.

Speakers
Ari Elias-Bachrach

Defensium
Ari has been in infosec for about 10 years. A former penetration tester, he has since migrated over to the defensive side, and spends most of his time working with developers trying to address application security concerns, and trying to bridge the gap between development and security. He can be found at www.defensium.com


Tuesday January 28, 2014 9:30am - 10:30am
Track 2

9:30am

Running At 99%: Surviving An Application DoS
Application-Level Denial of Service (DoS) attacks are a threat to nearly everyone hosting content on the Internet. DoS attacks are simple to launch, but can be difficult to defend against. Modern websites are a diverse set of moving parts, and a malicious actor only needs to find the point at which any one of these systems is overwhelmed to bring your website to a halt.

Organizations may approach this problem by increasing capacity, perhaps leveraging the cloud to expand horizontally. This can be a successful short-term mitigation strategy, but a combined historic and real-time view of who is accessing your website (and why) gives you the chance to actively defend as opposed to simply absorbing the traffic. Trending this data over time allows your response time to decrease while keeping your front door open. In this talk I will present a new open source project, written primarily in Node.js, that can be used as a defense framework for mitigating these attacks.

Speakers
Ryan Huber

Engineer, Risk I/O
Ryan is an engineer at Risk I/O, a security Software-as-a-Service company. Prior to Risk I/O he spent the majority of his career at Orbitz.com, where his varied roles included: management of the flight search farm, leader of EU information security at sister site eBookers.com, and finally architect on the security team where he explored the defensive side of security.


Tuesday January 28, 2014 9:30am - 10:30am
Track 3

10:30am

Anatomy of a Webshell
WebShells are an often misunderstood and overlooked form of malware, yet they continue to be a popular and powerful attacker tool. WebShells can range from extremely simple to elegant and complex, and they are often a favorite tool used by intruders to establish a long-term, stealthy presence in a compromised network. WebShells fall into a few distinct categories, and most follow the same common concepts in their design and purpose.
This talk will outline the common parts of a WebShell, why they are designed the way they are, and their typical usage. After covering the internal workings of WebShells, we will cover ways to detect them, even when they are dormant and not being actively used by the intruder.

Speakers
D0n Quixote

D0n Quix0te is the author and creator of OMENS: A Windows Web Server intrusion detection and monitoring system. He has more than 25 years of experience in architecting, installing, maintaining, and defending high value targets. And he has been involved in the response and analysis of a number of major security incidents.


Tuesday January 28, 2014 10:30am - 11:00am
Track 3

10:30am

Android / iPhone Mobile Risks and Solutions
Android security is quite multifaceted, not surprisingly given the depth and complexity of the Android OS. In this talk, you will learn what makes up the various layers of security and how they work together. By the end of this talk, you’ll have a solid un

Speakers
Jonathan Carter

Technical Director, Arxan Technologies
Jonathan Carter is an application security professional with over 15 years of security expertise within Canada, United States, Australia, and England. As a Software Engineer, Jonathan produced software for online gaming systems, payment gateways, SMS messaging gateways, and other solutions requiring a high degree of application security. Jonathan’s technical background in artificial intelligence and static code analysis... Read More →


Tuesday January 28, 2014 10:30am - 11:00am
Track 2

10:30am

Detecting and Defending Against State-Actor Surveillance
Recently released secret documents are leaving a trail of details on how state actors with out-of-control budgets take on technological spying. This talk is the result of thinking critically about how these alleged bugs would work, and of compiling the defences and detection methods.

Don your tin-foil hats and join me in this discussion over what to do if you're targeted by state sponsored spy agencies.

Speakers
Robert Rowley

Robert has been an active member of the Southern California hacking scene for over the last 10 years, co-founding Irvine Underground and recently presenting on many topics including Juice Jacking, Web Application Security and more… I am presenting on a personal passion this time: Privacy.


Tuesday January 28, 2014 10:30am - 11:00am
Track 1

11:00am

Break
Tuesday January 28, 2014 11:00am - 11:30am
Track 3

11:00am

Break
Tuesday January 28, 2014 11:00am - 11:30am
Track 1

11:00am

Break
Tuesday January 28, 2014 11:00am - 11:30am
Track 2

11:30am

libinjection: from SQLi to XSS
libinjection was introduced at Black Hat USA 2012 to quickly and accurately detect SQLi attacks in user inputs. Two years later the algorithm has been used by a number of open-source and proprietary WAFs and honeypots. This talk will introduce a new algorithm for detecting XSS attacks. Like the SQLi libinjection algorithm, it does not use regular expressions, is very fast, and has a low false positive rate. Also like the original libinjection algorithm, it is available on GitHub under a free license. We’ll discuss the current state of libinjection SQLi, how SQLi and XSS differ semantically from a defender's point of view, how the libinjection algorithm works, the current results, and availability.

Speakers
Nick Galbreath

Owner, Client9
Nick Galbreath is Vice President of Engineering at IPONWEB, a world leader in the development of online advertising exchanges. Prior to IPONWEB, his role was Director of Engineering at Etsy, overseeing groups handling security, fraud, authentication and other enterprise features. Prior to Etsy, Nick held leadership positions in a number of social and e-commerce companies, including Right Media, UPromise, Friendster, and Open... Read More →


Tuesday January 28, 2014 11:30am - 12:30pm
Track 1

11:30am

OWASP Top Ten Proactive Controls
You cannot hack your way secure! 
The OWASP Proactive Controls is a "Top 10 like document" aimed at helping developers build secure applications. This project is phrased and built in a positive, testable manner that describes the Top 10 software control categories that architects and developers should absolutely, positively include 100% of the time in every software project.
This talk will cover the fundamental controls in critical software categories such as Authentication, Access Control, Validation, Encoding, Query Parameterization, Data Protection, Secure Requirements, Secure Architecture and Secure Design.

Speakers
Jim Manico

Consultant, Independent
Jim is a global board member for the OWASP foundation where he helps drive the strategic vision for the organization. He manages and participates in several OWASP projects, including the OWASP cheat sheet series and several secure coding projects.


Tuesday January 28, 2014 11:30am - 12:30pm
Track 2

11:30am

What is CSP and why haven't you applied it yet?
It’s 2013, and cross-site scripting is still on the OWASP Top 10, ten years after it was in the number four slot on the same list. Cross-site scripting, although seemingly easy to remediate, continues to be problematic for developers, as edge cases crop up where the typical mitigation strategies are confusing. However, advances in modern browser security give developers the opportunity to become far more proactive in addressing this vulnerability class using a technology known as Content Security Policy (CSP).

When configured and implemented correctly, CSP can severely cripple cross-site scripting attacks. Big technology companies such as Twitter, Facebook, Etsy, and Github are using this to transparently protect their end users from this common vulnerability class.

This session is a combination of short micro talks and a panel discussion geared at getting you the tools needed to understand and implement CSP.

The first microtalk will be a primer on CSP. We will break down what CSP is and provide you the tools to get started with it. The next microtalk is centered around how to sell CSP to management, and techniques to increase adoption in your organization. The final microtalk is around what the web may look like in 5 years, and how Content Security Policy will play a key role in mitigating increasingly potent client-side attacks.

Speakers
CSP Peeps

Ian Melven - New Relic | Joel Weinberger - Google - Google engineer on Chrome Security, working on CSP and other security features, and former UC Berkeley grad student and security researcher. | Caleb Queern - Cyveillance | Kenneth Lee - Etsy | Scott Behrens - Netflix - Scott Behrens is a senior application security engineer at Netflix, security researcher, open source developer and a heavy metal drummer. | Patrick Thomas - Neohapsis... Read More →


Tuesday January 28, 2014 11:30am - 12:30pm
Track 3

12:30pm

Lunch
Tuesday January 28, 2014 12:30pm - 2:00pm
Track 1

12:30pm

Lunch
Tuesday January 28, 2014 12:30pm - 2:00pm
Track 3

12:30pm

Lunch
Tuesday January 28, 2014 12:30pm - 2:00pm
Track 2

2:00pm

7 Deadly Sins: Unlock the Gates of Mobile Hacking Heaven
Speakers
Dan Kuykendall

co-CEO and CTO, NT Objectives
Dan is a founder of NT OBJECTives and has been with the company for more than 10 years. He is responsible for the strategic direction and development of products and services and works closely with technology partners to make sure integrations are both deep and valuable. As a result of Dan’s dedication to security, technology innovation and software development, NTO application security scanning software is often recognized as the most... Read More →


Tuesday January 28, 2014 2:00pm - 2:45pm
Track 1

2:00pm

HTML 5 Security
• What is HTML 5.0?
    ◦ New features
• HTML & Security
    ◦ Cross Origin Resource Sharing (CORS)
    ◦ Local Client Storage
    ◦ Local Storage
    ◦ WebSQL
    ◦ New tags and attributes
    ◦ Web Workers
    ◦ Sandboxing iframes
    ◦ GeoLocation
    ◦ Optional content – would be included in a training session
• Cross Document Messaging
• WebGL
• Desktop Notifications
• SVG and new formats
• Speech input mechanisms
• Web Sockets

Speakers
Joe Basirico

Vice President, Security Services, Security Innovation
Joe is responsible for managing the professional services business at Security Innovation. He leverages his unique experience as a development lead, trainer, researcher, and test engineer to direct the security consulting team in the delivery of high-quality, impactful risk assessment and remediation solutions to the company’s customers. His ability to blend deep technical skills with risk-based business and... Read More →


Tuesday January 28, 2014 2:00pm - 2:45pm
Track 2

2:00pm

Next Generation Red Teaming
Too often, organizations conduct assessments within a single vacuum: physical, network, social, or application-layer. Attackers do not confine themselves this way and avail themselves of whatever combination of techniques most effectively achieves their desired impact. Red team assessments aim to simulate these attacks more realistically and identify risk through composite, cross-domain attack vectors. This talk will cover several shortcomings of the current "model" of red teaming across the industry and how we can more effectively incorporate the application-specific attack surface into a red team effort. War stories will be shared to show the effectiveness of application-centric composite attacks in this new approach.

Speakers

Tuesday January 28, 2014 2:00pm - 2:45pm
Track 3

2:45pm

Break
Tuesday January 28, 2014 2:45pm - 3:00pm
Track 2

2:45pm

Break
Tuesday January 28, 2014 2:45pm - 3:00pm
Track 3

2:45pm

Break
Tuesday January 28, 2014 2:45pm - 3:00pm
Track 1

3:00pm

Keynote (Gene Kim) Why Infosec Needs Rugged DevOps Now: A Fifteen Year Study Of High Performing IT Organizations
The velocity of modern IT is breathtaking: while most IT organizations struggle with monthly releases, agile organizations like Netflix, LinkedIn, Twitter, Github, Etsy and others are doing tens, hundreds, or even thousands of code deploys per day. They have shown the competitive advantage that the combination of commoditized cloud infrastructure, DevOps processes and hypothesis-driven development can create.
They are quickly releasing features that matter to customers, saving the business money, while helping the business win. This agility and cost-savings delights the business. And, with good reason, it can terrify information security and audit. If security was easily marginalized in a conventional IT organization, DevOps can completely bypass security.
DevOps aligns the former adversaries of Dev and Ops. Security needs to enable ludicrous speed or be left behind. Where security has failed, we believe Rugged DevOps can succeed, by integrating into DevOps, helping develop applications that are scalable, available, survivable, securable, and supportable.
In this talk, I’ll present key findings of my 15 years of research into high performing IT organizations, and prescriptive patterns for how infosec can best integrate into the daily work of Dev and Ops.

Speakers
Gene Kim

Founder, Tripwire
Gene Kim is a multiple award winning CTO, researcher and author. He was founder and CTO of Tripwire for 13 years. He has written three books, including “The Phoenix Project: A Novel About IT, DevOps, and Helping Your Business Win" and “The Visible Ops Handbook.” Gene is a huge fan of IT operations, and how it can enable developers to maximize throughput of features from “code complete” to “in production... Read More →


Tuesday January 28, 2014 3:00pm - 4:00pm
Track 1

4:00pm

Closing Remarks (and prizes!)
Speakers
richard.greenberg

Chapter Leader, OWASP Los Angeles
Hi everyone! I am the Chair for AppSec California, the Chapter Leader for OWASP Los Angeles, on the ISSA Int'l Honor Roll, am an ISSA Fellow, and the President of ISSA Los Angeles. I love our community.
Neil Matatall

Information Security Engineer, Twitter
Twitter security engineer, football fan, hiker. I like writing code. I like breaking code. I like protecting code.


Tuesday January 28, 2014 4:00pm - 5:00pm
Track 1