Join us at AppSec California 2014!

AppSec California is the first of hopefully many annual conferences hosted by all of the California chapters. Join us on the beaches of Santa Monica which is closest to our Los Angeles Chapter. Space is limited to around 200 attendees so be sure to get your ticket before we sell out!

Come a little early or stay the rest of the week; however you enjoy it, the weather is likely going to be warmer than where you are. Enjoy the Santa Monica pier and downtown area or explore the surrounding cities. You probably have a client or 10 near by too so say hello to them too.

Stay tuned as activities around the event are updated and more speakers are added to the lineup. A schedule will come at some point.

Register today! 


Turbo Talk
Monday, January 27

11:45am PST

An inconvenient Zeus: The rise of SaaS-targeted malware
We at Adallom are proposing a session where we will showcase a new variant of Zeus which we have found in the wild that specifically targets Salesforce.com users. It remains dormant until the user logs in to SFDC and then discreetly piggybacks on the user session, downloads data, and uploads it to a Dropbox account. We will do a live demonstration of an attack as well as show that Salesforce.com shows no record of the attack, meaning it can execute very clandestinely.


Ami Luttwak

co-founder and CTO, Adallom
Ami Luttwak is the co-founder and CTO of Adallom, a complete cloud security solution provider for SaaS applications. Prior to that, he was a senior software architect at Phonaris, where he designed the architecture and led the development of the Phonaris agents for the iPhone and... Read More →

Monday January 27, 2014 11:45am - 12:15pm PST
Track 1

11:45am PST

CSO's Myopia
Before reading this article, imagine what it would be like to manage your company without your customers' data, or if that data were in your competitors' hands.
The value of data is an established fact and almost doesn't bear mentioning. The experience your customers acquire over the years, as well as their database, is fundamental and represents a great competitive edge in this new corporate era.
Keeping this in mind, we realize the importance of implementing specific policies in order to build a base that guarantees the safety of this data.
Recently, there has been an increase in security-related incidents, to the point that IT management has become more and more complex and, automatically, the need for a new kind of professional has emerged: the Chief Security Officer (CSO).
The CSO has become the person responsible for all risk areas, data security and, also, for the definition and implementation of the security strategies and policies that a company will implement.
I will show how the "limited" vision of some CSOs can lead to foolish vulnerabilities, leaving the company with serious security issues.


Jordan Bonagura

Jordan M. Bonagura is a computer scientist, post-graduated in Business Strategic Management, Innovation and Teaching (teaching methodology and research). He works as a teacher and course coordinator. He also works as an information security consultant with an emphasis on new breaches and their... Read More →

Monday January 27, 2014 11:45am - 12:15pm PST
Track 2

11:45am PST

Mantra OS
OWASP Mantra OS was developed under the mantra of "OWASP because the world is cruel". The reason this mantra is used as an underlying principle for the development of Mantra OS is simply that it is better for the pen tester to find the exploit than the hacker. The tool-set of Mantra OS v13 contains the same tools many hackers use to exploit web applications, such as DDoS, SQL injection, man-in-the-middle attacks, and poisoning attacks. The purpose of this presentation is to show practical testing methodologies using Mantra OS and how to run these tests in a controlled environment. In this talk we will discuss and demo:

• Demo of the tool-set of Mantra OS
• Maltego and intelligence collection.
• DDoS using LOIC, slow HTTP poisoning and ping of death with Scapy.
• SQL injection with Burp and sqlmap.
• Man-in-the-middle with SSL stripping.
• ARP poisoning, ICMP poisoning and Smurf attacks.
• How to deploy these attacks in a controlled environment.

In addition, we will discuss why and how hackers use these tools, methods of mitigating these styles of attack by hackers, and how to turn pen testing into a risk mitigation plan.


Gregory Disney

Gregory Disney-Leugers is a security engineer at HyTrust. He attended the United States Air Force Institute of Technology and Defense Acquisition University. He is the developer of OWASP Mantra OS and The Onion Server.

Monday January 27, 2014 11:45am - 12:15pm PST
Track 3
Tuesday, January 28

10:30am PST

Anatomy of a Webshell
WebShells are an often misunderstood and overlooked form of malware, yet they continue to be a popular and powerful attacker tool. WebShells can range from extremely simple to elegant and complex, and they are often a favorite tool used by intruders to establish a long-term, stealthy presence in a compromised network. WebShells fall into a few distinct categories, and most follow the same common concepts in their design and purpose.
This talk will outline the common parts of a WebShell, why they are designed the way they are, and their typical usage. After covering the internal workings of WebShells, we will cover ways to detect them, even when they are dormant and not being actively used by the intruder.


D0n Quixote

D0n Quix0te is the author and creator of OMENS: A Windows Web Server intrusion detection and monitoring system. He has more than 25 years of experience in architecting, installing, maintaining, and defending high value targets. And he has been involved in the response and analysis... Read More →

Tuesday January 28, 2014 10:30am - 11:00am PST
Track 3

10:30am PST

Android / iPhone Mobile Risks and Solutions
Android Security is quite multifaceted not surprisingly given the depth and complexity of the Android OS. In this talk, you will learn what makes up the various layers of security and how they work together. By the end of this talk, you’ll have a solid un


Jonathan Carter

Technical Director, Arxan Technologies
Jonathan Carter is an application security professional with over 15 years of security expertise within Canada, United States, Australia, and England. As a Software Engineer, Jonathan produced software for online gaming systems, payment gateways, SMS messaging gateways, and other... Read More →

Tuesday January 28, 2014 10:30am - 11:00am PST
Track 2

10:30am PST

Detecting and Defending Against State-Actor Surveillance
Recently released secret documents are leaving a trail of details on how state actors with out-of-control budgets take on technological spying. This talk is the result of critically thinking about how these alleged bugs would work, and compiling the defences and detection methods.

Don your tin-foil hats and join me in this discussion over what to do if you're targeted by state sponsored spy agencies.


Robert Rowley

Robert has been an active member of the Southern California hacking scene for over the last 10 years, co-founding Irvine Underground and recently presenting on many topics including Juice Jacking, Web Application Security and more… I am presenting on a personal passion this time... Read More →

Tuesday January 28, 2014 10:30am - 11:00am PST
Track 1