
The Open Web Application Security Project (OWASP) Los Angeles Chapter is teaming up with the Orange County, San Diego, SF Bay Area, and Inland Empire chapters to bring you the FIFTH Annual AppSec California. The event is a one-of-a-kind experience for information security professionals, developers, and QA and testing professionals, who gather at the beach from around the world to learn and share knowledge and experience about secure systems and secure development methodologies.

One- and two-day training sessions on various subjects by expert trainers kick off the conference on January 28th. World-renowned speakers follow on days three and four.

There will be four concurrent tracks throughout the day on both January 30 and 31, addressing a variety of topics to enhance knowledge.


Sunday, January 28
 

8:00am

Registration and Breakfast
Sunday January 28, 2018 8:00am - 9:00am
Annenberg Community Beach House 415 Pacific Coast Hwy, Santa Monica, CA 90402

9:00am

Advanced Web Hacking and Secure Coding
Please note: Training Sessions are not included in the Conference price.  Sign up now! Check for availability and pricing on Eventbrite.


Abstract:
Tired of alert('xss')? If you want to learn advanced web hacking techniques, go beyond automated scanners and perform manual testing to bypass filters and Web Application Firewalls (WAFs), or want to defend web applications, then this training is for you. It covers and goes beyond the OWASP Top 10, and also covers the secure coding practices recommended by OWASP.
This hands-on training covers both offensive and defensive approaches to web applications. You'll learn how to identify vulnerabilities in web applications, how to exploit them, how the attacks work, and how to prevent them in the future. The training closes the gap between web application attack and defense, because, as they say, if you want to stop an attacker from stealing your data you must think like one.
The training starts with basic web app hacking and then moves into more advanced material such as bypassing filters, bypassing Web Application Firewalls (WAFs), HTML5 attacks, and recent vulnerabilities such as Shellshock, Heartbleed, POODLE, serialization and SSL Strip. You'll learn how to get a shell on the box using web application vulnerabilities, as well as how to write secure code so you can avoid that attack.
For each topic, the training first shows how an attack is carried out against the web application and then how the attack happened: where the developer went wrong, and how to write secure code so that the attack would not have been possible. It covers the various mistakes developers make that result in vulnerable code, and how to write secure code in multiple languages such as PHP, Java and C#. The lab contains multiple CMSs (WordPress, Drupal, Joomla) and multiple databases (MySQL, SQL Server, MongoDB). The training also covers client-side and server-side attacks such as XSS, CSRF and SQL injection.
After this training, attendees will be able to identify and avoid insecure code and test their web applications for vulnerabilities. Attendees will get to know the difference between vulnerable code and secure code.
This training contains over 50 labs and 30+ challenges inspired by real-world vulnerabilities and case studies.
Training Outline: 
  • Introduction
  • User Enumeration
  • Bypassing Password Verification 
  • Information Leakage 
  • HTTP Verb Tampering  
  • Injection - iFrame Injection, LDAP Injection, CSS Injection, JSON Injection
  • Cross Site Scripting (XSS) 
  • Cross Site Request Forgery (CSRF)
  • Clickjacking
  • Insecure direct object reference (IDOR) 
  • Open Redirects
  • Server Side Request Forgery (SSRF)
  • Server Side Includes Injection (SSI Injection)
  • JavaScript Validation Bypass
  • SQL Injection
  • JSON Hijacking 
  • Session Management and Cookie Stealing 
  • HTML5 
  • XML 
  • Insecure System Configuration
  • Database Security - MySQL, SQL Server, etc.
  • Remote Command or OS Command Injection
  • Path traversal 
  • Local File Inclusion (LFI) 
  • Remote File Inclusion (RFI) 
  • Serialization Attacks 
  • HTTP Response Splitting 
  • MongoDB 
  • CMS Attacks and Defenses - WordPress, Drupal, Joomla
  • Recent Vulnerabilities Case Study - Shellshock, Heartbleed, POODLE, Struts, PHPMailer RCE, SSL Strip attack
  • Logical Flaws
  • Filter Evasion and Bypassing Web Application Firewalls (WAF)
  • OWASP Top 10 Attacks
  • OWASP Secure Coding Practices
  • and more ...
Upon completion of this training, attendees will:
  • Have been introduced to the world of web hacking and secure coding
  • Know how to identify vulnerabilities in web applications, how to exploit them, how the attacks work, and how to prevent them in the future
  • Be able to test different CMSs such as WordPress, Drupal and Joomla, as well as recent vulnerabilities
  • Be able to do secure code review and write secure code in multiple languages such as PHP, Java and C#
  • Know the common but dangerous coding mistakes made by developers
  • Be able to think like a developer as well as a penetration tester
Attendees will be provided with:
  • Multiple vulnerable applications
  • Hosted VMs for testing and training labs.
  • Over 50 labs and 30+ challenges to solve
  • Training materials – presentation materials and lab examples
  • Custom tools and scripts 
  • Additional reading materials
Attendee requirements for this training:
  • A modern 64-bit laptop with wireless networking and admin/root access
  • Minimum 4 GB RAM installed
  • At least 60 GB of free disk space
  • VMware Workstation / Fusion installed
Prerequisites:
This course requires the following prerequisites:
  • Web application development skills
  • Basic knowledge of HTTP, HTML and scripting
  • Ability to read and understand PHP, Java or C# server-side code (optional)
Who should attend this training?
  • Penetration Testers
  • Security Consultants 
  • Web Developers
  • QA testers
  • Web application testers
  • System administrators
  • IT Security professionals with a technical background
  • IT managers
  • System architects 
  • Bug Bounty Hunters

Speakers

Vikram Salunke

Information Security Researcher, Consultant and Founder, Vmaskers
Vikram is an Information Security Researcher, Consultant and Founder at Vmaskers. Vmaskers provides network, wireless, web, Android and iOS application penetration testing services and training for corporates. His main responsibilities are to look after application security, lea...


Sunday January 28, 2018 9:00am - 5:00pm
Garden Terrace Room

9:00am

Extended Web Application Hacking [Day 1 of 2]
Please note: Training Sessions are not included in the Conference price.  Sign up now! Check for availability and pricing on Eventbrite.


Course Abstract:
In this training class, you'll attack a custom Bitcoin exchange containing common and even advanced vulnerabilities. This isn't your average web app course! We built the labs around what we are seeing as penetration testers and bug bounty hunters.
Who's This Class For: 
- Those that might have had a little experience or those that want to get into Web Penetration Testing. 
- Those that have played with Web Proxies manipulating traffic and want more 
- Those that want to get into Bug Bounties and make $$$ 
Real World Web Application Penetration Testing Course: 
- Two Day Course on Real World Web Penetration Test and Bug Hunting 
- Recon/Spidering 
- Attacking XSS, Polyglots, and Blind XSS
- Cross-Site Request Forgery 
- Integer Underflows 
- Insecure Direct Object Reference 
- Local File Inclusions and Server Side Request Forgery 
- Manual SQL Injections 
- Remote Code Execution with Images
- Advanced Attacks: XML eXternal Entities (XXE) 
- Advanced Attacks: Deserialization Attacks 
- Advanced Attacks: NodeJS vulnerabilities
- Cloud Issues 

Speakers

Peter Kim

Director of Vulnerability Research, Blizzard Entertainment
Peter Kim has been in the information security industry for the last 13 years and has been running red teams/penetration testing for the past 9 years. He has worked for multiple utility companies, Fortune 1000 entertainment companies, government agencies, and financial organizations. He is the author of the best-selling computer hacking book, 'The Hacker Playbook: Practical Guide to Penetration Testing' series...


Sunday January 28, 2018 9:00am - 5:00pm
Club Room

9:00am

Intro To Web Hacking Using ZAP/Hacking APIs And The MEAN Stack
Please note: Training Sessions are not included in the Conference price.  Sign up now! Check for availability and pricing on Eventbrite.


One Day Session
Presenters: Nicole Becher and Tanya Janca
Introduction to Hacking Web applications, APIs and Web Services with OWASP DevSlop
The OWASP DevSlop team are back! This full-day workshop will have two parts: an introduction to application security and web app scanning with OWASP ZAP in the morning, and manual testing of web services and APIs in the afternoon using Postman. The DevSlop team will use the first phase of their open source project, a MEAN stack app called Pixi, for API and web service testing and demonstrations, and a Ruby on Rails application called Cyclone Transfers for the vulnerable web application scanning.
Both parts of this workshop are appropriate for application developers or security practitioners, even with no prior knowledge of hacking.
Morning:
The "How to Hack Your Own Apps" workshop will start with a lesson that includes a hands-on demo of how to find security flaws, how they happen in the first place, and, most importantly, how to fix them. If you've written a fast, beautiful application that meets all your requirements but isn't secure, then it's not the best. This lesson will focus on helping developers find and fix their own security issues.
Once the lesson is over participants will set up their own machines to scan intentionally vulnerable applications, with support from Tanya and Nicole, to ensure everyone is finding security bugs before lunch.
Afternoon:
Modern applications often use APIs and other microservices to deliver faster and better products and services. However, there are currently few training grounds for security testing in such areas. In comes DevSlop, OWASP's newest project: a collection of DevOps security disasters built as a vulnerable testing and proving ground for developers and security testers alike. DevSlop's Pixi, the first of many entries to come for this OWASP project, will be demonstrated and presented for participants' hacking and learning pleasure. Pixi consists of vulnerable web services, and participants will be walked through how to exploit several of its vulnerabilities so they can learn how to do better when they create their own web services and other types of APIs from now on.
What will be discussed?
  • Web app, API and web service hacking & OWASP Project DevSlop
What will attendees learn from attending this session?
  • How to scan a basic web app and how to hack APIs and web services manually
Items attendees are required to bring with them
  • A laptop with a web proxy and a modern web browser (Chrome or Firefox are great), admin privileges on your machine, and the ability to install software. If possible, install VirtualBox or VMware, Docker, GitHub and OWASP ZAP on your machine in advance. If you don't have them, we will get them for you, don't worry. Windows and Mac OS are supported for this workshop; if you have Linux you'll probably be fine, but we make no guarantees.

Speakers

Nikki Becher

Application security, red teaming, penetration testing, malware analysis and computer forensics. OWASP Brooklyn Chapter Leader, OWASP DevSlop Project Leader, Adjunct Instructor at NYU, political junkie, marathoner, martial artist and animal lover. OWASP WASPY 2017 winner...

Tanya Janca

AppSec Trainer and PenTester
Tanya Janca is an application security evangelist, technical advisor, web application penetration tester and vulnerability assessor, international public speaker and trainer, ethical hacker, OWASP DevSlop Project Leader, OWASP Ottawa Chapter Leader, Effective Altruist and has been developing software since the late...


Sunday January 28, 2018 9:00am - 5:00pm
Sand and Sea Room

9:00am

New OWASP Top 10 - Exploitation and Effective Safeguards [Day 1 of 2]
Please note: Training Sessions are not included in the Conference price.  Sign up now! Check for availability and pricing on Eventbrite.


Course Abstract:
The OWASP Top 10 is a powerful awareness document for web application security. It represents a broad consensus about the most critical security risks to web applications. Project members include a variety of security experts from around the world who have shared their expertise to produce this list. This course provides web developers deep hands-on knowledge about the OWASP Top 10 most critical web application security risks. 
Participants will first learn the technical details about each vulnerability. Demos, attack examples, threat modeling discussions, code review as well as other methods will be used to describe and discuss each risk.
Participants taking the class will practice security assessment techniques through several hands-on exercises using the free version of Burp Proxy and a safe online hacking environment. We focus on the manual assessment techniques of this popular tool.
The majority of the course will focus on defensive theory. Hacking a web application, as we will find out, is not a difficult task for an experienced web developer armed with the right knowledge. However, defending a web application is difficult and complex work. Mastering web defense is the primary thrust of this course.
Course Objectives:
- Understand how hackers attack web applications in order to better defend them
- Learn how to test your own web application
- Learn which security safeguards are truly effective (and which ones are not)
- Understand secure coding best practices
Training Outline:
1. OWASP Top 10 web app vulnerabilities:
    A1 - Injection (Command Injection, SQL Injection)
    A2 - Broken Authentication
    A3 - Sensitive Data Exposure
    A4 - XML External Entities (XXE)
    A5 - Broken Access Control
    A6 - Security Misconfiguration
    A7 - Cross-Site Scripting (XSS)
    A8 - Insecure Deserialization
    A9 - Using Components with Known Vulnerabilities
    A10 - Insufficient Logging and Monitoring
2. Password Management
3. Secure Coding Best Practices
4. HTTPS Best Practices
5. Using a Vulnerability Proxy
… and much more!
Hands-on Exercises:
1. Input Validation
2. Cross Site Scripting Filter Bypass
3. Online Password Guessing Attack
4. Account Harvesting
5. Injection Attacks
6. Using a Web Application Vulnerability Proxy
… and much more!
Upon the completion of this training, attendees will know:
- Most critical web application vulnerabilities
- Secure coding best practices
- How to use common security assessment tools
Attendees will be provided with (by trainer):
- The slides in raw PPT format
- Access to the online lab environment during and after class
- A "cheat mode" that reveals all answers, enabled after class
Attendees should bring:
Participants are required to bring a laptop (Windows, Mac or Linux) with at least 4 GB of RAM, 30 GB of free disk space and either VMware Workstation Player (free 30-day trial), VMware Workstation Pro, VMware Fusion or Oracle VirtualBox pre-installed. At the beginning of the course, participants will receive a USB thumb drive containing a pre-configured virtual machine.
Prerequisites for attendees:
This course is designed to help intermediate and expert web developers and web architects understand how to secure web applications. Candidates are expected to have basic knowledge of web technologies, but no experience in security is required prior to taking this course. However, security professionals who want to learn more about web security will also benefit from this class.          

Speakers

Jim Manico

Owner/Trainer, Manicode Security
Jim Manico is the founder of Manicode Security, where he trains software developers on secure coding and security engineering. He is also the founder of Brakeman Security, Inc. and an investor/advisor for Signal Sciences. Jim is also a frequent speaker on secure software practic...


Sunday January 28, 2018 9:00am - 5:00pm
Terrace Lounge
 
Monday, January 29
 

7:30am

Registration and Breakfast
Monday January 29, 2018 7:30am - 8:30am
Annenberg Community Beach House 415 Pacific Coast Hwy, Santa Monica, CA 90402

8:30am

Extended Web Application Hacking [Day 2 of 2]
Please note: Training Sessions are not included in the Conference price.  Sign up now! Check for availability and pricing on Eventbrite.


Course Abstract: see the Day 1 listing (Sunday, January 28).

Speakers

Peter Kim

Director of Vulnerability Research, Blizzard Entertainment


Monday January 29, 2018 8:30am - 4:30pm
Club Room

8:30am

New OWASP Top 10 - Exploitation and Effective Safeguards [Day 2 of 2]
Please note: Training Sessions are not included in the Conference price.  Sign up now! Check for availability and pricing on Eventbrite.


Course Abstract: see the Day 1 listing (Sunday, January 28).

Speakers

Jim Manico

Owner/Trainer, Manicode Security


Monday January 29, 2018 8:30am - 4:30pm
Terrace Lounge

8:30am

So You Want to Run a Secure Service on AWS?
Please note: Training Sessions are not included in the Conference price.  Sign up now! Check for availability and pricing on Eventbrite.


Abstract:
Learn how to secure your AWS environment while building a Tor hidden service.

Areas within AWS that will be covered:
1. The 3 Layers in AWS
2. Security Constructs in AWS
3. What does an ideal architecture look like
4. How do I build it
5. How do I maintain/monitor it
6. How do I break it

The first part of each topic brings the students up to speed, followed by hands-on exercises to put their knowledge to the test. Each area covered focuses on core resources within AWS that need to be understood in order to successfully secure your AWS cloud environment. In the end, students will build a multi-account AWS environment with restricted access and network routes and operate a Tor hidden service.

Speakers

William Bengtson

Senior Security Engineer, Netflix
Will Bengtson is a senior security engineer at Netflix focused on security operations and tooling. Prior to Netflix, Bengtson led security at a healthcare data analytics startup, consulted across various industries in the private sector, and spent many years in the Department of Defense...

Nag Medida

Cloud Security Engineer, Netflix
Nag Medida is a Senior Security Engineer at Netflix working in the SecOps team, where he loves to spend his time on AWS, building tools and automating things with a passion for cloud security. Nag's expertise lies in security automation for the cloud in the big data world, penetration t...


Monday January 29, 2018 8:30am - 4:30pm
Garden Terrace Room

6:00pm

Netflix Happy Hour
There will be drinks. And snacks, lots of snacks.
Let's kick off AppSecCali the right way... with a happy hour courtesy of Netflix! Let's all get together to network, enjoy some food & drinks and talk shop. It will be located about 1.5 miles from the conference venue, with free Lyft codes to make travel easy (details to come). RSVP below!
RSVP Link

Monday January 29, 2018 6:00pm - 9:00pm
Viceroy Hotel Santa Monica, 1819 Ocean Avenue, Santa Monica, CA 90401, United States
 
Tuesday, January 30
 

7:30am

Registration, Breakfast, and Vendor Expo
Tuesday January 30, 2018 7:30am - 9:00am
Annenberg Community Beach House 415 Pacific Coast Hwy, Santa Monica, CA 90402

9:00am

Welcome Address
Speakers

Richard Greenberg

Chapter Leader, OWASP Los Angeles
Hi everyone! I am the Chair for AppSec California and the Chapter Leader for OWASP Los Angeles. I am a Fellow and have been appointed to the Honor Roll of ISSA Int'l. I am the President of ISSA Los Angeles, and Chair of the Annual Security Summit. My day job is Information Secur...


Tuesday January 30, 2018 9:00am - 9:10am
Sand and Sea Room

9:10am

Diamond Sponsor Greetings
Tuesday January 30, 2018 9:10am - 9:25am
Sand and Sea Room

9:25am

Opening Keynote - Flipping the script: Fighting Advanced Threats at their Software Roots
Abstract
For almost two decades, software security practitioners have successfully defined advanced techniques and tools that can effectively be applied to develop secure software. Yet all recent major security breaches can be linked to a software vulnerability (either left unpatched or a zero day) that made the attacker's job easier. Today, with tens of millions of developers creating code for all kinds of software-enabled devices, mobile apps and cloud services, it is time to expand the fight against advanced threats and focus on how to scale software security.
Scaling software security will require expanding the security conversation beyond developers. This talk will challenge the entire software ecosystem to play their part in building more secure software and deliver software security at scale. Learning from the collected real-world experience of SAFECode's members, we will review short term strategies for development organizations to adopt a secure software development process. For the longer term, we will discuss the drastic changes required in how we teach, develop, test, govern and purchase software-based products to permanently change the software culture and deliver software security at scale.

Speakers

Eric Baize

Chairman, SAFECode
Eric Baize is Chairman of SAFECode and Vice President, Product Security, Dell EMC. Throughout his career, Eric Baize has been passionate about building security and privacy into systems and technology from design to deployment. He currently leads Dell EMC's Product Security Of...


Tuesday January 30, 2018 9:25am - 10:15am
Sand and Sea Room

10:15am

Break and Vendor Expo
Tuesday January 30, 2018 10:15am - 10:45am
Annenberg Community Beach House 415 Pacific Coast Hwy, Santa Monica, CA 90402

10:15am

CTF / Challenge Room
Tuesday January 30, 2018 10:15am - 5:10pm
Marion Davies Guest House

10:45am

The Best Flaw Didn't Make Into Production
Abstract
Security practitioners: the Sisyphus of information technology. We stand before a huge mass of developers creating new content every day, and we trust in the training we offer them, in our own abilities as subject matter experts, in the tools we create and in the methods we suggest. And still the application security debt keeps growing, and flaws we thought were already well understood keep reappearing. This talk proposes yet another way of working with developers, testers and architects to address the gaps between training and coding, design and implementation, and security testing, and to make sure the security practitioner has enough timely information to influence development rather than chase fixes in the next version. These proposals are supported by observation of and interaction with many distinct development teams, feedback from peer practitioners, and pilot tests.

Speakers

Izar Tarandach

Lead Product Security Architect, Autodesk Inc.
Izar Tarandach is Lead Product Security Architect at Autodesk Inc. Prior to that he was the Security Architect for Enterprise Hybrid Cloud at Dell EMC, and long before that a Security Consultant at the EMC Product Security Office. With more years than he's willing to admit to in the informa...


Tuesday January 30, 2018 10:45am - 11:35am
Garden Terrace Room

10:45am

The Only Reason Security Really Matters for DevOps
Abstract :
This talk begins by exploring the answer to the question: why does DevOps matter? Businesses do what they need to do to survive and succeed. If their customers need agility, then they will evolve to accommodate that.

Next, key differences between the pre-DevOps world and the post-DevOps world are discussed. Before, it was about on-premise, protecting the perimeter, and enforcing gates in the SDLC. Now, supply chain is king. Applications and APIs matter more and more. And everything is mobile.

A detailed look at 10 companies "killing it at DevOps" reveals that for agile companies, security is a strategic business driver. It prevents unplanned work and re-work, and security requirements are explicitly specified during the sales process as part of vendor security assessments.

Additional drivers also include avoiding bad press and compliance reasons - both of which, if you look under the covers, are ultimately about getting more sales. This presentation analyzes the actual language in Bill Gates' Trustworthy Computing memo to see that in fact even Microsoft's "noble" initiative was "all about the money."

That being said, what's a security professional to do? BSIMM has 113 controls, ISO27017 has 121, and CCM has 133. It's enough to make a person's brain explode.

This session concludes with expert recommendations on how to think about security for DevOps in a way that aligns with a modified version of the NIST Cybersecurity Framework. The 5 points (Identify, Prevent, Detect, Respond, and Recover) are simplified down to just 3 (Identify, Prevent, and React), and the end of the session covers detailed recommendations on how to incorporate practical security concepts into a DevOps environment using this uncomplicated framework.

Speakers

Caroline Wong

Vice President of Security Strategy, Cobalt
Caroline's close and practical information security knowledge stems from broad experience as a Cigital consultant, a Symantec product manager, and day-to-day leadership roles at eBay and Zynga. She is a well-known thought leader on the topic of security metrics and has been fea...


Tuesday January 30, 2018 10:45am - 11:35am
Terrace Lounge

10:45am

Authentication without Authentication
Abstract :
Authentication is important, but how do you authenticate when user interaction is not an option? For example, an IoT app without a user interface. We need to authenticate the app without any predefined credentials. But how? Join this session to find out, including a demo of the solution on a Raspberry Pi!

Speakers
Omer Levi Hevroni

Security Champion, Soluto
Writing code for the last 10 years. Currently working at Soluto as a Security Champion and Software Developer for the last 3 years. Actively involved in open source projects, including OWASP's projects like Zap and Glue.


Tuesday January 30, 2018 10:45am - 11:35am
Sand and Sea Room

10:45am

DevOps Is Automation, DevSecOps Is People
Abstract
A lot of appsec boils down to DevOps ideals like feedback loops, automation, and flexibility to respond to situations quickly. DevOps has the principles to support security; it should have the knowledge and tools to apply it. Real-world appsec deals with constraints like time, budget, and resources. Navigating these trade-offs requires building skills in collaboration and informed decision-making. On the technology side, we have containers, top 10 lists, and tools. Whether we are focused on more efficient meetings or trying to drive change across an organization, we need equal attention on techniques that make the social aspects of security successful. We build automation with apps. We build relationships with people. This presentation explores methods for establishing incentives, encouraging participation, providing constructive feedback, and reaching goals as a team. It shows different ways to use metrics and communication to drive positive behaviors. These are important skills not only for managing teams, but for influencing appsec among peers and growing a career. Security is an integral part of DevOps. And, yes, it's made of people.

Speakers
Mike Shema

VP of SecOps and Research, Cobalt.io
Mike Shema is VP of SecOps and Research at Cobalt.io. Mike's experience with information security includes managing product security teams, building web application scanners, and consulting across a range of infosec topics. He's put this experience into books like Anti-Hacker...


Tuesday January 30, 2018 10:45am - 11:35am
Club Room

11:45am

ReproNow - Save time Reproducing and Triaging Security bugs
Abstract :
Crowdsourcing security, aka Bug Bounty Programs, has been adopted by almost all companies today: big, small, and mid-size. While companies reap a lot of benefits, the challenge is to have a security engineer (or engineers) reproduce each bug, understand the replication method, and spend time recreating the security bug that the researcher reported. And sometimes (read: all the time) it may also require a lot of going back and forth with the researcher to reproduce the vulnerability. As security engineers we felt the pain as well, so we created a tool that solves this challenge and helps organizations focus their resources on resolving these vulnerabilities and strengthening their security posture.

Our tool is open source software and an easy-to-install browser extension. A researcher can install this extension in their browser and record the entire walkthrough of the vulnerability. Our tool captures not only the screen but also the network requests. So, a researcher can capture the entire session and submit this video to the organization. Then, the security engineers who validate it can play the video in the tool and see the exploit in action. They don’t have to spin up Burp Suite or a bazillion other tools and again spend time reproducing the entire thing. The tool also lets you search for a string, so you can jump to a specific payload to see the exploit. This makes triaging much easier, saving engineers valuable time.

Speakers
Vinayendra Nataraja

Senior Product Security Engineer, Salesforce
Vinayendra Nataraja is a Senior Product Security Engineer at Salesforce and an independent security researcher. He has been in the security industry for 5 years now and holds a Masters degree in Information Security from Northeastern University. He leads the bug bounty efforts fo...

Lakshmi Sudheer

Security Researcher, Adobe
Lakshmi Sudheer is a Security Researcher at Adobe. She holds a Master of Science in Information Security from Northeastern University and has been in the security industry for about 4 years now. At Adobe, she works on solving challenging security issues across products and the or...


Tuesday January 30, 2018 11:45am - 12:35pm
Club Room

11:45am

Robots with Pentest Recipes - Democratizing Security Testing Pipelines for DevOps Wins
Abstract :
Application Security (AppSec) Teams are usually short-staffed. While this is no surprise in itself, there is now the added impetus of continuous delivery of security solutions for the continuous delivery pipelines of myriad engineering teams within an organization. While some teams have leveraged SAST, DAST and IAST as part of the continuous delivery pipeline, AppSec teams could definitely use a helping hand from other teams including QA, Engineering and Infrastructure (Security) Teams. However, this presents a problem, largely because the tools used by AppSec Teams (and security teams in general) are not easily understood or known by Engineering and QA teams. In addition, there is a diverse set of tools ranging from Application Vulnerability Scanners to Recon Tools, etc., that are used by Security Teams, Pentest Teams and so on, and that are typically not meshed together in a common fabric. What if there were a way where we could create security testing recipes and run a battery of security tests right from baseline application security testing, to pre-deployment infrastructure vulnerability assessments, across various environments, and what’s better, UNDER A COMMON FABRIC!! For one, security testing would become much easier to create and execute, with various teams being able to author security testing pipelines themselves with limited involvement from an already-stretched appsec team. That’s what this talk is all about….

Over the last few months, my team and I have leveraged the all-powerful Robot Framework to integrate various security testing tools, including OWASP ZAP, Nmap and Nessus. Robot Framework is a generic test automation framework for acceptance testing and acceptance test-driven development (ATDD). It provides a very extensible test-driven syntax that extends test libraries implemented in Python or Java. We have developed Open Source libraries for popular tools like OWASP ZAP, Nmap, Nessus and some recon tools, which can be invoked together with existing libraries like Selenium, etc., to perform completely automated, parameterized security tests across the continuous delivery pipeline with easy-to-write, almost trivial test syntax like

`run nmap scan` OR `start zap active scan`

thereby making it easier for engineering teams to create “recipes” of the security tests that they want to run, and to integrate them with functional test automation to run anything from a baseline scan to a complete parameterized security test of the application on various environments. In fact, we have used these libraries to run a “mostly automated pentest as a recipe”, replete with recon, mapping, and vulnerability discovery phases, with evidence and reporting built in.

I'll be making most of the code available on GitHub for the community to use.



Speakers
Abhay Bhargav

CTO, we45 an AppSec company
Abhay Bhargav is the CTO of we45, a focused Application Security company. Abhay is the author of two international publications, “Secure Java for Web Application Development” and “PCI Compliance: A Definitive Guide”. Abhay is a builder and breaker of applications, and has...


Tuesday January 30, 2018 11:45am - 12:35pm
Terrace Lounge

11:45am

Threat Modeling Toolkit
Abstract
Threat Modeling is a great way to analyze security early in software development by structuring possible attacks, bad actors and countermeasures over a broad view of the targeted system. This talk will describe basic components of a threat model and how to use them effectively. Modeling concepts will be demonstrated using a cryptocurrency ecosystem as example.


Speakers
Jonathan Marcil

Application Security Engineer, Twitch
Jonathan Marcil is the former chapter leader of OWASP Montreal and is now based in beautiful Irvine, California. Jonathan has been involved with OWASP for many years and is behind the official OWASP YouTube channel. He was also part of NorthSec CTF as a challenge designer special...


Tuesday January 30, 2018 11:45am - 12:35pm
Garden Terrace Room

11:45am

Leveraging Cloud SDNs to Solve OWASP Top Ten
Abstract :
Historically, implementing network security controls within a virtualized cloud environment has been difficult, requiring tricky networking and hypervisor integration. Advancements in software-defined networking (SDN) now allow virtualized security controls to be implemented within the virtual layer 2 (data link) network, reducing the complexity. Through the use of SDN-defined service chains, network traffic can be required to flow through security controls, allowing policy to be implemented within the virtual network itself. This presentation illustrates how common security functions (such as Snort) can be virtualized and injected at layer 2 of a virtual network without requiring any layer 3 (IP) networking changes.

This presentation elaborates on the open-source technologies available to make virtualized network web security a reality. The presentation culminates in a walk-through of a full workshop available via GitHub for those who are interested in trying out the full implementation. This work has been completed using open-source software including Linux (CentOS), Snort, nginx, and OpenStack.



Speakers
John Studarus

Technical Risk, Compliance, and Security Advisor, JHL Consulting
John Studarus is a technical risk, compliance, and security advisor at JHL Consulting. He has over 20 years of software product development across the finance, high tech, government and healthcare industries, including working with internal and external technical teams, business...



Tuesday January 30, 2018 11:45am - 12:35pm
Sand and Sea Room

12:35pm

Lunch and Vendor Expo
Tuesday January 30, 2018 12:35pm - 2:00pm
Annenberg Community Beach House 415 Pacific Coast Hwy, Santa Monica, CA 90402

2:00pm

Breaking Fraud & Bot Detection Solutions
Abstract
Browser fingerprinting and user behavior tracking are powerful techniques used by most fraud and bot detection solutions. These are implemented as JavaScript snippets running in the user's browser. In this presentation, we’ll demystify what kind of signals these snippets collect. We'll then describe why these signals are unreliable, propose attacks against defenses relying on them, and finally show demos of POC attacks.

Speakers
Mayank Dhiman

Principal Security Researcher, Stealth Security
Mayank Dhiman serves as Stealth Security’s Principal Security Researcher. His primary interests include solving problems related to online fraud and internet abuse. His current focus lies in detecting and mitigating malicious automation attacks. Previously, he had worked on fra...


Tuesday January 30, 2018 2:00pm - 2:50pm
Garden Terrace Room

2:00pm

The Path Of DevOps Enlightenment For InfoSec
Abstract
Security as we have known it has completely changed. Through challenges from the outside and from within there is a wholesale conversion happening across the industry where DevOps and Security are joining forces. This talk is a hybrid of inspiration and pragmatism for dealing with the new landscape.

Speakers
James Wickett

Signal Sciences


Tuesday January 30, 2018 2:00pm - 2:50pm
Terrace Lounge

2:00pm

Threat Modeling Panel

Moderated by: Haral Tsitsivas, Software Sr Principal Engineer, Dell EMC


Speakers
Jonathan Marcil

Application Security Engineer, Twitch
Jonathan Marcil is the former chapter leader of OWASP Montreal and is now based in beautiful Irvine, California. Jonathan has been involved with OWASP for many years and is behind the official OWASP YouTube channel. He was also part of NorthSec CTF as a challenge designer special...

Brook Schoenfield

Principal Architect Product Security, McAfee
Brook S.E. Schoenfield is the Author of Securing Systems: Applied Security Architecture and Threat Models (CRC Press, 2015). He is the Principal Architect for product security at Intel Security Group. He provides strategic technical leadership, training and mentoring for 75 secur...

Adam Shostack

Consultant
Adam is a consultant, entrepreneur, technologist, author and game designer. He's a member of the BlackHat Review Board, and helped found the CVE and many other things. He's currently helping a variety of organizations improve their security, and advising and mentoring startup...

Izar Tarandach

Lead Product Security Architect, Autodesk Inc.
Izar Tarandach is Lead Product Security Architect at Autodesk Inc. Prior to that, he was the Security Architect for Enterprise Hybrid Cloud at Dell EMC, and long before that a Security Consultant at the EMC Product Security Office. With more years than he's willing to admit to in the informa...


Tuesday January 30, 2018 2:00pm - 2:50pm
Sand and Sea Room

2:00pm

Decrease Your Stress and Increase Your Reach with Appsec Champions
Abstract
Being the only person in the entire company who works the appsec program gets old. You're getting no help from anyone and no one cares about what you're doing. Are you the ONLY PERSON who actually cares about security? Are you even making a difference, or are you just counting the days until a breach? 
If this is your appsec story, job after job, I'll cover things you can do immediately to start a culture change at your company and recruit appsec champions in this fight. Let's change your story.

Speakers
Coleen Coolidge

Head of Security, Segment, San Francisco.
Coleen Coolidge is Head of Security at Segment in San Francisco. Previously, she was at Twilio (pre-to-post IPO) as Sr Director of Trust and Security. She's also served in security-leadership positions at more traditional, enterprise companies like First American Title and CoreLo...


Tuesday January 30, 2018 2:00pm - 2:50pm
Club Room

3:00pm

MarkDoom: How I Hacked Every Major IDE in 2 Weeks.
Abstract
JavaScript (and HTML) has completely conquered the Web, and now it’s taking over the Desktop. In order to provide more user-friendly graphical interfaces, today's software applications are being built with embedded browsers. Companies such as GitHub, Apple, Microsoft, Facebook, and Slack all build complex, desktop-like web applications completely in JavaScript. Many other organizations embed entire browsers into their products for rendering content. We call all of this the “Desktop Web,” and it’s full of security problems that have more devastating consequences than your typical JavaScript injection. 
I will walk through examples of arbitrary code execution that I discovered in Visual Studio Code, GitHub Atom Editor, Sublime Text, Adobe Brackets Editor, all JetBrains Products (IntelliJ IDEA, PhpStorm, WebStorm, PyCharm, RubyMine, AppCode, CLion, ...) and more. This research resulted in 5 CVEs and $(TBD)k in bounties. 
Welcome to the unholy marriage of web application and desktop security. Let’s explore how each editor was implemented, what went wrong, and the controls that can be used to do this more safely.

Speakers
Matt Austin

Director of Security Research, Contrast Security


Tuesday January 30, 2018 3:00pm - 3:50pm
Garden Terrace Room

3:00pm

OWASP Top 10
Speakers
Andrew van der Stock

Director, OWASP Foundation
Andrew is an in-demand speaker and trainer, with past speaking engagements at AusCERT, linux.conf.au, Black Hat, OWASP AppSec EU and AppSec USA, and has trained many thousands of developers and information security professionals through public and private training offerings. Andrew van der Stock is an acknowledged leader of the application security field, with nearly 20 years of application security experience in Australia and the USA, and over 20 years' experience in the IT and System Administration fields. Andrew joined OWASP in...


Tuesday January 30, 2018 3:00pm - 3:50pm
Terrace Lounge

3:00pm

SecDevOps: Current Research and Best Practices
Abstract:
The last decade has seen widespread changes in how organizations develop and release software. It's not uncommon now for companies to dynamically provision huge numbers of servers using cloud providers based on need, automatically configure the servers with change management systems like Puppet or Chef, and push new code into production tens to hundreds of times per day. In most companies, developers outnumber security engineers by 50:1 or more. How do you keep up?

Speakers
Clint Gibler

Research Director, NCC Group
Clint Gibler is a senior security consultant and research director at NCC Group, a global information assurance specialist providing organizations with security consulting services. Clint has spoken at a number of security conferences, including Black Hat USA, Virus Bulletin...


Tuesday January 30, 2018 3:00pm - 3:50pm
Club Room

3:00pm

Seeing Through the Fog - Navigating the Security Landscape of a Cloud-First World
Abstract :
The prospect of the cloud is extremely attractive to many enterprises, so it’s no surprise that several industries are in an all-out sprint to get there. Cloud has become so popular that many CIOs have simply been given the directive “get to the cloud,” and thus are moving forward at a staggering rate with little regard for cost or security. This is putting security teams on their heels, in large part because many haven’t had the chance to truly grasp the shared responsibility model that most cloud providers operate under.

There is a common misconception in the industry that, when you buy space with a cloud provider, the cloud provider is also responsible for securing your data. This simply isn’t the case. The agreement is much more like leasing an apartment - the landlord maintains the roof, walls and windows, but if you leave the door unlocked that’s on you. That said, determining who has responsibility for the protection of applications, services, and data once cloud has become part of an enterprise stack is a lot harder than locking a door. If it weren’t, we wouldn’t be constantly reading about huge troves of sensitive data stored on unsecured AWS servers. So, figuring out this shared model has become one of the major challenges of navigating this new and only vaguely-defined landscape.

The first thing we all need to understand is that cloud providers are not managing data so much as providing a platform or infrastructure, so the protection of the data is still up to the enterprises. While the cloud offers more availability and uptime, it can also make data more vulnerable to attack. Every copy of data is a potential liability, so while availability is convenient it comes with elevated risk. Cloud providers can certainly make it easier for enterprises to set up their servers correctly, but enterprises need to own the responsibility of securing their data and make sure they are maintaining access control lists properly, performing quality-assurance on configurations and policies, and auditing who has access to what.
 
In this session we will explore how security professionals can own security for their organization as they migrate to the cloud, and detail the steps they can take to make sure the cloud stays secure for their enterprise, thus ensuring that they don’t end up making headlines for all the wrong reasons.



Speakers
Ben Johnson

CTO, Obsidian Security
Ben Johnson is a prominent voice in cybersecurity, having co-founded and been CTO of both Obsidian Security and Carbon Black. Additionally, Ben sits on several cyber start-up boards and spent 7 years at the NSA. Ben has spoken to over 600 organizations and given thought-leadershi...


Tuesday January 30, 2018 3:00pm - 3:50pm
Sand and Sea Room

3:50pm

Break and Vendor Expo
Tuesday January 30, 2018 3:50pm - 4:20pm
Annenberg Community Beach House 415 Pacific Coast Hwy, Santa Monica, CA 90402

4:20pm

The Bug Hunters Methodology 2.0
Abstract
Building on the Bug Hunter's Methodology 1.0 given at Defcon 23, 2.0 brings the newest testing techniques, tools, and vulnerability data to penetration testers and security folk. Dive into new-school advances in discovery, XSS, server-side template injection, server-side request forgery, code injection (SQLi, PHP, ++), XXE, robbing misconfigured infrastructure, CI, code repositories, and more!

Speakers
Jason Haddix

Head of Trust and Security, Bugcrowd
Jason is the Director of Technical Operations at Bugcrowd. Jason trains and works with internal analysts to triage and validate hardcore vulnerabilities in mobile, web, and IoT applications/devices. He also works with Bugcrowd to improve the security industry's relations with the...


Tuesday January 30, 2018 4:20pm - 5:10pm
Sand and Sea Room

4:20pm

Costs of Coding to Compliance
Abstract
The problem with most compliance, such as PCI, is that when you manage a project, design, or code only to the line of compliance, there are going to be security gaps. When you have gaps, your risk gets higher, and it becomes more costly to fill those gaps later. 
This talk will describe the requirements of some compliance frameworks and the gaps that can occur when you’re following the bare minimum secure coding practices that they require. The presenters will also give suggestions on how to address these gaps and how to plan for future risk as your applications and dependencies grow and requirements change. 
The approach will look at prioritizing security initiatives to better manage risk as they pertain to application security and create more efficient processes as they relate to software development. Together, these will increase the ability to prevent, detect, and respond to security events that threaten your apps while supporting compliance initiatives. 
At the end of the presentation attendees will have a good understanding of how a more mature security posture and implementing a framework that also allows you to follow secure coding practices can help harden even your more robust applications, as well as address compliance requirements for application security.

Speakers
Joel Cardella

Consultant, CBI
Joel Cardella has over 25 years of experience in information security, having run the gamut from CISO to field operations. He currently is a consultant with CBI, helping C-suite executives better understand and interact with information security topics spanning building and runni...

Magen Wu

Senior Consultant, Rapid7
Magen Wu has over 10 years of specialized IT experience and is a Sr. Consultant with Rapid7's Strategic Advisory Service group. In her career, she has consulted with organizations in multiple industries including: state and local government, education, retail, technology, and health...


Tuesday January 30, 2018 4:20pm - 5:10pm
Terrace Lounge

4:20pm

Edgeguard: Client-side DOM Security - detecting malice - AN Open Framework
Abstract :
“Project edgeguard” is an open framework that allows you to detect when malicious content (planted in your browser via hacking or client-side malware attacks) results in sensitive user data being stolen and transmitted to third parties (hackers, cybercrime etc.), similar to many banking Trojans.

Injection and tampering attacks:
Malicious content can be placed within a user’s browser whilst using your web application by virtue of a client-side security weakness/vulnerability or certain types of browser malware (e.g. Man in the Browser attacks).

edgeguard is a “Zero-footprint” library that aims to detect exfiltration of sensitive user data from the browser.




Speakers
Rahim Jina

Chief Operating Officer, edgescan.com
Rahim is the Chief Operating Officer of edgescan™, a Security Consultancy firm and Fullstack Vulnerability Management SaaS based in Dublin, Ireland. Rahim is responsible for operational excellence and has extensive experience delivering penetration testing services to a wide range of organizations globally across many industry verticals. Prior to this, Rahim was Head of Product...

Eoin Keary

Founder/CEO, edgescan.com
Eoin Keary CISSP, Founder/CEO edgescan.com. Eoin is the CEO and founder of edgescan.com, a managed web vulnerability intelligence and threat detection service which is a listed “Sample Vendor” and “Notable Vendor” in the Gartner Application Security Hype Cycle and MQ for Managed Security Services. Eoin previously was an international board member of OWASP (2009-2015), The Open Web Application Security Project. During his time in OWASP he led the OWASP Testing Guide, founded the Security Code Review Guide, contributed to OWASP SAMM, was the original author of the CISO Survey and a contributor to the OWASP Cheat Sheet Series. Eoin is a well-known technical leader in industry in the area of software security and penetration testing, and has led global security engagements for some of the world's largest financial services and consumer products companies. Eoin was voted “OWASP Security Person of the year 2015...


Tuesday January 30, 2018 4:20pm - 5:10pm
Garden Terrace Room

4:20pm

How Privacy Violations, Fines and Economic Sanctions Create Darker Opportunities.
Abstract
Welcome to 2018. Although there’s no flying car in every garage yet, we do have malicious code capable of crashing governments and markets easily available via Google. A world where data seems leaked more often than secured. New laws and fines appear to be an opportunity to reverse the current, rather depressing trend of our private data seemingly spilled everywhere, breach after breach. Leaked data and compromised and vulnerable systems have become a new type of currency in the underground cyber crime economy. Some economically sanctioned countries, seeing the high returns possible from digital crime, have invested heavily. The European Union’s new data protection regulation, EU GDPR, comes into force in May 2018 with wide-ranging implications and worldwide income-fining teeth. Unfortunately, with progress come new cyber crime opportunities, for some regimes with nuclear weapons. Learn key points and the effect the EU GDPR can have on your organization: serious pitfalls, loopholes and takeaways. Unravel the way some sanctioned countries actively utilize breaches and digital crime to fund “interesting” regimes and a new type of cyber crime built on privacy.

Speakers
Christina Kubecka

CEO, HypaSec
Chris Kubecka, Security Researcher and CEO of HypaSec. Formerly, setting up several security groups for Saudi Aramco’s affiliates after the Shamoon 1 attacks. Implementing and leading the Security Operations Centre, Network Operation Centre, Joint International Intelligence Group and EU/UK Privacy Group for Aramco Overseas Company. With...


Tuesday January 30, 2018 4:20pm - 5:10pm
Club Room

5:20pm

Closing Keynote - Digital Disease: How Healthcare Cybersecurity Challenges Can Claim -or Save- Lives
Abstract
Old “data security first” and HIPAA compliance paradigms in healthcare can’t address the patient safety concerns of a hyper-connected healthcare future built (currently) on the back of insecure software. Healthcare devices and infrastructure are generally poorly secured and are rapidly advancing towards the potential to harm or kill patients if compromised (if they haven't already). New healthcare security paradigms must include diverse and novel team members including clinicians working closely with software developers to identify risks to patient privacy and safety.

Speakers
Christian Dameff

Doctor, Hacker, Researcher, UC San Diego
Dr. Christian Dameff is an Emergency Medicine physician and researcher. He is currently a Clinical Informatics fellow at the University of California San Diego. Published clinical works include post cardiac arrest care including hypothermia, novel drug targets for acute myocardia...


Tuesday January 30, 2018 5:20pm - 6:10pm
Sand and Sea Room

6:10pm

Opening Reception
Tuesday January 30, 2018 6:10pm - 9:00pm
Pool
Wednesday, January 31

7:30am

Registration, Breakfast, and Vendor Expo
Wednesday January 31, 2018 7:30am - 9:00am
Annenberg Community Beach House 415 Pacific Coast Hwy, Santa Monica, CA 90402

9:00am

Opening Remarks
Speakers
Richard Greenberg

Chapter Leader, OWASP Los Angeles
Hi everyone! I am the Chair for AppSec California and the Chapter Leader for OWASP Los Angeles. I am a Fellow and have been appointed to the Honor Roll of ISSA Int'l. I am the President of ISSA Los Angeles, and Chair of the Annual Security Summit. My day job is Information Secur...


Wednesday January 31, 2018 9:00am - 9:05am
Sand and Sea Room

9:05am

OWASP Executive Director Greeting
Speakers
Karen Staley

Executive Director, OWASP



Wednesday January 31, 2018 9:05am - 9:10am
Sand and Sea Room

9:10am

Keynote - Prove It! Quantitatively Confronting Security With Data
Abstract:
What would you see occurring that would let you know that your security capabilities are improving while the business scales? Scale meaning more staff, more systems, more software, more cloud platforms/apis, more third parties and more regions/markets all growing with more speed. This talk will focus on methods of measurement, with code, that will help you answer these questions.

Speakers
Richard Seiersen

SVP/CISO, Lending Club
Richard is a security executive with ~20 years experience ranging from start-ups to global organizations. He currently is the SVP/CISO of Lending Club. Previously he was the CISO and VP of Trust for Twilio as well as the VP & GM Cybersecurity & Privacy for GE Healthcare. His current focus is developing quantitatively informed strategies, building agile teams that scale and making digital risk measurable. Likewise, he recently co-authored a decision analysis book...


Wednesday January 31, 2018 9:10am - 10:00am
Sand and Sea Room

10:00am

Break and Vendor Expo
Wednesday January 31, 2018 10:00am - 10:30am
Annenberg Community Beach House 415 Pacific Coast Hwy, Santa Monica, CA 90402

10:00am

CTF / Challenge Room
Wednesday January 31, 2018 10:00am - 4:10pm
Marion Davies Guest House

10:30am

Pack your Android: Everything you need to know about Android Boxing
Abstract
Android malware authors may apply one or a combination of protection techniques like obfuscators, packers and protectors. This additional step just before publishing the app adds complexity for Android Bouncers and various static and dynamic code analysis tools. Combined with features such as emulation detection, anti-debugging, root detection, tampering detection and anti-runtime-injection, these protection techniques practically make malicious apps go undetected. As a result we have seen a steady increase in the malicious apps published in various Android app stores. ZDNet reported that around 1000 spyware mobile apps were published in the official Google Play Store this year alone. These apps may have the capability to monitor almost every action on an infected device, such as taking photos, recording calls, monitoring information about the Wi-Fi access point and inspecting the user’s web traffic.
We will focus on all three commonly used APK protection techniques and how they operate under the hood. For obfuscation, we will demo a tool designed to remove switch-case injection, dead code injection and string encryption to get readable code. In the case of packers, the talk will showcase avenues to unpack them by first finding the algorithm, hooking into libc before the packer opens the DEX file, and dumping the DEX from memory. Protectors such as DexProtector mangle code by modifying the entry point to a loader stub and performing anti-emulation, anti-debug and anti-tampering checks. Protectors are easy to patch: one can attach to a cloned process or dump the odex and get readable code. By applying these techniques an ethical hacker or Android bouncer can identify many malicious applications published in app stores.

Speakers
Swapnil Deshmukh

Swapnil Deshmukh has over a decade of information technology and information security experience, including technical expertise, leadership, strategy, operational and risk management. Charged with incubating and evangelizing security-driven, context-driven risk management strateg...


Wednesday January 31, 2018 10:30am - 11:20am
Club Room

10:30am

Architecting for Security in the Cloud
Abstract
The best part about creating new products and services in the cloud is the agility that it provides. Your company literally can scale at the click of a button. But if you take the simplicity of the cloud for granted, you wind up with brittle security that even a novice adversary can overcome. This talk will focus on identifying the holes in your cloud application before the attackers do, closing those gaps, and building architectures that can withstand the barrage of attacks that the Internet will throw at it.

Speakers
Josh Sokol

Information Security Program Owner, National Instruments.
Josh Sokol, CISSP, graduated from the University of Texas at Austin with a BS in Computer Science in 2002. Since that time, he has worked for several large companies, including AMD and BearingPoint, spent some time as a military contractor, and is currently employed as the Inform...


Wednesday January 31, 2018 10:30am - 11:20am
Sand and Sea Room

10:30am

Taking on the King: Killing Injection Vulnerabilities
Abstract:
How do we dismantle the reign of dangerous and prevalent vulnerabilities? "Injection" has crowned the OWASP Top 10 since 2010, while cross-site scripting (a type of injection) has maintained placement in the top four since 2003. If these two vulnerabilities are well-understood, well-documented, and have "clear" solutions, why have they remained on the OWASP Top 10 for nearly 15 years? Let's take a step back to examine what causes injection (and XSS) vulnerabilities and potential plans for their dethronement.

Speakers
Justin Collins

CEO, Brakeman, Inc.
Justin has been an application security engineer at SurveyMonkey, Twitter, and AT&T Interactive, and is the primary author of Brakeman, an open source static analysis security tool for Ruby on Rails.


Wednesday January 31, 2018 10:30am - 11:20am
Terrace Lounge

10:30am

Prevention as a Business Strategy
Abstract
The world of cybersecurity has changed. Cybercriminals target organizations and unleash a torrent of malicious files and attacks that flood an enterprise until a breach occurs. Many businesses, whether small or large, have been infiltrated and employing traditional detect and respond solutions exposes these businesses to high risks and long-term costs. Risk management leaders need agile defenses that quickly adapt to the rapidly changing environment. Organizations can successfully use advances in automation, including artificial intelligence, machine learning, and big data to secure like never before, protecting against both known and unknown attacks. This shift to prevent and protect brings the strategic benefits of cybersecurity to every aspect of the organization.

Speakers
Corey White

Vice President of Worldwide Consulting, ThreatZERO Services at Cylance
Corey White serves as the Vice President of Worldwide Consulting and ThreatZERO Services at Cylance. He leads the strategic growth of prevention-based consulting services for both private and public sector organizations across the company's international locations. Cylance Consulting drives business outcomes for customers and partners through six practice areas led by distinguished experts in Industrial Control Systems, Red Team Services, Incident Containment and Forensics, IoT and Embedded Systems Security, ThreatZERO Services, and...


Wednesday January 31, 2018 10:30am - 11:20am
Garden Terrace Room

11:30am

Hunter – Optimize your Pentesters' time
Abstract: Is your pentest report filled with low-risk items? Are the projects you pentest too short for a full-fledged secure SDLC process, or are they third-party systems over which you have little control? We at eBay had a similar problem, wherein more than 25% of our pentesting resources used to get bogged down by these low-risk items. We understand that it takes time to find, document and report these items (some of which get entangled in a never-ending remediation cycle).
So we built Hunter to help us get ahead of some of these time sinks. Hunter is a simple open source tool that grades any website or REST endpoint. It quickly checks for certain low-risk items and provides the requester with a grade (A – F). You can use Hunter as a precursor to your pentest. Non-security product development managers don't understand security jargon, but they love to see a grade A on their product. Hunter sits in between doing nothing before a pentest and a full-fledged secure SDLC process that might be overkill.
This talk is about our journey of why we built Hunter and how we saved about 10 – 15% of our pentesting budget. It is aimed at managers and pentesters who want to optimize their team's resources, and attendees will walk away with the knowledge of how they can leverage this open source tool.

Speakers
Kiran Shirali

Senior Security Engineer, eBay
Kiran Shirali is a Senior Security Engineer in eBay's blue team. Prior to joining the blue team, Kiran worked on the Security Assessments Team (Red Team and Pentesting) and the Application Security team at eBay. When he is not at work, he is at home scouring the web finding secu...


Wednesday January 31, 2018 11:30am - 12:20pm
Terrace Lounge

11:30am

Lessons From The Threat Modeling Trenches
Abstract
What wisdom percolates from building threat modeling practices across 4 organizations? This presentation is drawn from hundreds of students, years of coaching, 100 formal trainings, and thousands of threat models. It draws upon experience gained in the trenches of the battle to reduce design errors, a battle that is often fought through threat modeling. Conclusions may overturn cherished beliefs.

Speakers
Brook Schoenfield

Principal Architect Product Security, McAfee
Brook S.E. Schoenfield is the author of Securing Systems: Applied Security Architecture and Threat Models (CRC Press, 2015). He is the Principal Architect for product security at Intel Security Group. He provides strategic technical leadership, training and mentoring for 75 secur...


Wednesday January 31, 2018 11:30am - 12:20pm
Sand and Sea Room

11:30am

Security After Death -- Not your problem, or is it?
Abstract:
The talk covers practical solutions for storing passwords and secure ways to share those passwords. The solutions range from commercial to open source and even some roll-your-own.

It will also cover solutions that answer the question: "How do I allow others to access all my passwords after I am unavailable, incapacitated or dead?"

I will review the current state of password key rings, password managers and vault systems available in commercial and open source forms. I will also talk about why you should be using password managers in your personal life and at your businesses to help manage the security of your passwords, share passwords safely, and recover from the unexpected.
Finally I will cover Shamir's Secret Sharing https://en.wikipedia.org/wiki/Shamir%27s_Secret_Sharing (SSS) as a solution that can be used to safely share passwords following a dual-control rule: no single share can be used to recover the password on its own, but any t of n trusted persons can combine their shares to recover the password(s) and use SSS to access encrypted data.

Speakers
Ty Shipman

Ty Shipman has 30+ years in the computer industry. He started writing games in the 1980's and now focuses on security and compliance. He co-founded Kagi, an online store that ran for 20+ years. Most recently he was the V.P. of Security and Compliance at LoopPay, which was acq...


Wednesday January 31, 2018 11:30am - 12:20pm
Garden Terrace Room

11:30am

What's new in TLS 1.3
Abstract:
TLS 1.3 is just about here! This talk will cover the more notable attacks against prior versions of TLS and examine their applicability to TLS 1.3. In doing so, the important security-related design decisions of TLS 1.3 which thwart these attacks will be highlighted. We will also highlight the new protocol handshakes and how they give rise to 0-RTT resumption. Finally, potential pitfalls of deploying TLS 1.3 and ways to avoid them will be discussed.



Speakers
Alex Balducci

Principal Security Consultant, NCC Group
Alex Balducci is a Principal Security Consultant at NCC Group's Cryptography Services. His experience includes security research, source code auditing, application security assessments, and software development - but his expertise is in cryptographic security including analysis a...


Wednesday January 31, 2018 11:30am - 12:20pm
Club Room

12:20pm

Lunch and Vendor Expo
Wednesday January 31, 2018 12:20pm - 2:00pm
Annenberg Community Beach House 415 Pacific Coast Hwy, Santa Monica, CA 90402

2:00pm

Predicting Random Numbers in Ethereum Smart Contracts
Abstract:
Smart contracts are not only about ICOs: various lotteries, roulettes and card games are implemented in Solidity and can be played by anyone on the Ethereum blockchain. The autonomy of the blockchain limits the sources of entropy available to random number generators, and there is no common library that could help developers create secure RNGs either. That is why it is very easy to mess things up when implementing your own random number generator.

The talk features an analysis of the gambling smart contracts on the blockchain. As you will see, many of them failed to implement a secure RNG, which allows an attacker to predict the outcome and steal significant sums of money. Examples of incorrect RNG implementations found in the wild will be demonstrated. Attendees will also learn how to spot problems in RNGs and how to build a secure random number generator under blockchain limitations.

Speakers
Arseny Reutov

Head of Application Security Research, Positive Technologies Ltd
Arseny Reutov is a web application security researcher from Moscow, Russia. Arseny is the Head of Application Security Research at Positive Technologies Ltd, where he specializes in penetration testing, the analysis of web applications, and, more recently, smart contract audits. H...


Wednesday January 31, 2018 2:00pm - 2:50pm
Garden Terrace Room

2:00pm

Panel: Women in Security
Speakers
Coleen Coolidge

Head of Security, Segment, San Francisco.
Coleen Coolidge is Head of Security at Segment in San Francisco. Previously, she was at Twilio (pre-to-post IPO) as Sr Director of Trust and Security. She's also served in security-leadership positions at more traditional, enterprise companies like First American Title and CoreLo...

Christina Kubecka

CEO, HypaSec
Chris Kubecka is a Security Researcher and the CEO of HypaSec. She formerly set up several security groups for Saudi Aramco's affiliates after the Shamoon 1 attacks, implementing and leading the Security Operations Centre, Network Operation Centre, Joint International Intelligence Group and EU/UK Privacy Group for Aramco Overseas Company. With...

Kavya Pearlman

Information Security Director, Linden Lab
Kavya Pearlman is the Information Security Director at Linden Lab, protector of two virtual world economies: Second Life and the latest social VR platform, Sansar. Prior to Linden Lab, Kavya advised the Facebook Information Security Team on mitigating third-party security risks. Kavya graduated from DePaul University, Chicago with a Masters in Network Security and holds a CISM (Certified Information Security Manager) certificate from ISACA. Kavya is also a certified PCI-DSS ISA (Internal Security Assessor). Kavya grew up in India and came to the United States in 2007. She proudly uses the freedom this country offers, being a Hindu-born Jewish woman who converted to Islam. Besides security, Kavya's other passions are...

Caroline Wong

Vice President of Security Strategy, Cobalt
Caroline's close and practical information security knowledge stems from broad experience as a Cigital consultant, a Symantec product manager, and day-to-day leadership roles at eBay and Zynga. She is a well known thought leader on the topic of security metrics and has been fea...

Magen Wu

Senior Consultant, Rapid7
Magen Wu has over 10 years of specialized IT experience and is a Sr. Consultant with Rapid7's Strategic Advisory Service group. In her career, she has consulted with organizations in multiple industries including state and local government, education, retail, technology, and health...


Wednesday January 31, 2018 2:00pm - 2:50pm
Sand and Sea Room

2:00pm

A Tour of API Underprotection
Abstract:
Effective API protection is a growing concern, reflecting the popularity of RESTful Web APIs and richer front-end clients which stress current security and access authorization approaches. You’ll learn about potential threats resulting from undersecured Web APIs and techniques to strengthen your API security posture. You'll gain a clear understanding of user authorization via OAuth2, software authorization via static API keys and the critical interplay between them. Of particular concern are mobile API consumers whose code is statically published with secrets which are often poorly concealed. Practical advice with code examples will show how to improve mobile API security. TLS is necessary but insufficient to fully secure client-server communications. Certificate pinning is explained with code examples to show how to strengthen channel communications. Some advanced techniques will be discussed such as app hardening, white box cryptography and mobile app attestation. You should gain a good understanding of the underprotected API problem, with some immediately practical tips to improve your API security posture and a sense of emerging tools and technologies that enable a significant step change in API security.

Speakers
Skip Hovsmith

Principal Engineer and VP Americas, CriticalBlue
Skip Hovsmith is a Principal Engineer and VP Americas for CriticalBlue, working on securing API usage between mobile apps and backend services. Previously, Skip consulted with CriticalBlue customers on accelerating mobile and embedded software running on multicore and custom copr...


Wednesday January 31, 2018 2:00pm - 2:50pm
Club Room

2:00pm

Where, how, and why is SSL traffic on mobile getting intercepted? A look at ten million real-world SSL incidents
Abstract:
Over the last two years, we've received and analyzed more than ten million SSL validation failure reports from more than a thousand iOS and Android apps available on the Stores and used all around the world. From mobile banking to music apps, each report was triggered because an unknown or unexpected certificate was being served to the app, preventing it from establishing a secure connection to its server via SSL/TLS.

We've analyzed each of these reports to understand what caused the SSL connection to fail, and then grouped similar failures into various classes of SSL incidents. Throughout this presentation, we will describe the analysis we've made and present our findings.

First, we will provide a high-level overview of where, how, and why SSL incidents are occurring across the world for iOS and Android users, and describe the various classes of incidents we've detected. Some of these types of incidents, such as corporate devices performing traffic inspection, are well-known and understood, although we will provide new insights into how widespread they are.

Then, we will take a closer look at a few notable incidents we detected, which have been caused by unexpected, or even suspicious actors. We will describe our investigations and what we found.

Lastly, we will provide real-world solutions on how to protect apps against traffic interception and attacks, as a mobile developer.

Speakers
Alban Diquet

Head of Engineering, Data Theorem
Alban Diquet is Head of Engineering at Data Theorem, a cloud-enabled scanning service for mobile application security and data privacy. Alban's research focuses on security protocols, data privacy, and mobile security. Alban has released several open-source security tools includi...


Wednesday January 31, 2018 2:00pm - 2:50pm
Terrace Lounge

3:00pm

European Vacation - Leveraging GDPR for Security
Abstract:
Our friends across the pond love their privacy. Makes you wonder what they're up to, huh? While many organizations are dreading achieving and maintaining GDPR compliance, if approached properly it can be a big win for the security of your applications. This presentation will cover how GDPR can be a driver for many security initiatives and how to automate much of the work.

Speakers
Anthony Trummer

Tinder
Tony has been working in the IT industry for nearly 20 years and has been focused on application security for the last 5 years. He is currently a penetration tester for LinkedIn, running point on their mobile security initiatives. Prior to LinkedIn, he has worked for Warner Bros...


Wednesday January 31, 2018 3:00pm - 3:50pm
Garden Terrace Room

3:00pm

Applied Deception Beyond the Honeypot: Moving Past 101
Abstract
Conflict in cyberspace moves quickly, is primarily asynchronous, and can be carried out with great effectiveness by a broad range of centralized and decentralized adversaries. There are many nuanced aspects to this field that make playing defense difficult; offensive deception and the challenges of attribution are two which stand out in particular. This talk will focus on applying deception techniques in a security program beyond the honeypots that are the standard today. We will enumerate and adapt the various ways in which military and political operations employ deception in a strategic capacity, and what we can learn from these other fields.

Speakers
Robert Wood

Chief Security Officer, SourceClear
Robert Wood is a security technologist, strategic advisor, and speaker. He currently leads the Security efforts at SourceClear, helping empower the open source software community to create more secure software along with the many organizations that rely on it, daily. Previously...


Wednesday January 31, 2018 3:00pm - 3:50pm
Sand and Sea Room

3:00pm

Unpoisoned Fruit: Seeding Trust into a Growing World of Algorithmic Warfare
Abstract
Artificial Intelligence, or even just Machine Learning for those who prefer organic, is influencing nearly all aspects of modern digital life. Whether it be financial, health, education, energy, transit... the emphasis on performance gains and cost reduction has driven the delegation of human tasks to non-human agents. Yet who in infosec today can prove those agents worthy of trust? Unbridled technology advances, as we have repeatedly learned in history, bring very serious risks of accelerated and expanded humanitarian disasters. The infosec industry has been slow to address the social inequalities and conflict that escalate on the technical platforms under its watch; we must stop those who would ply vulnerabilities in big data systems, those who strive for quick political (arguably non-humanitarian) power wins. It is in this context that algorithm security increasingly becomes synonymous with security professionals working to avert, or as necessary helping win, kinetic conflicts instigated by digital exploits. This presentation therefore takes the audience through technical details of defensive concepts in algorithmic warfare based on an illuminating history of international relations. It aims to show how and why to seed security now into big data technology rather than wait to unpoison its fruit.

Speakers
Davi Ottenheimer

Flyingpenguin LLC
More than twenty years' experience managing global security operations and assessments, including a decade of leading incident response and digital forensics. Co-author of the book "Securing the Virtual Environment: How to Defend the Enterprise Against Attack," published in May 2012 by Wiley. Author of the forthcoming book "Realities of Securing Big Data...


Wednesday January 31, 2018 3:00pm - 3:50pm
Terrace Lounge

3:00pm

We Come Bearing Gifts: Enabling Product Security with Culture and Cloud
Abstract:
What would it look like if security never had to say “no”?

This talk explores that counter-intuitive premise, and shows how it is not just possible but *necessary* to discard many traditional security behaviors in order to support modern high-velocity, cloud-centric engineering teams. For the product security team at Netflix, this is the logical implication of a cultural commitment to enabling the organization.

Attendees will learn how to replace heavy-handed gating with an automation-first approach, and build powerful security capabilities on top of cloud deployment primitives. Specific examples including provable application identity, immutable and continuous deployment, and secret bootstrapping illustrate how this approach balances security impact with engineering enablement.



Speakers
Astha Singhal

Application Security Lead, Netflix
Astha Singhal currently leads the Application Security team at Netflix. Prior to this, she managed the Salesforce AppExchange Security Review as a Senior Manager on Product Security. She is a security engineer by qualification who is passionate about proactive security and develo...

Patrick Thomas

Senior Application Security Engineer, Netflix
Patrick Thomas is a professional breaker of software with a tremendous amount of love for the builders. He started as a developer, spent years as a penetration tester, and has now found a home in the middle improving appsec as a Senior Application Security Engineer at Netflix. He...


Wednesday January 31, 2018 3:00pm - 3:50pm
Club Room

3:50pm

Break and Vendor Expo
Wednesday January 31, 2018 3:50pm - 4:20pm
Annenberg Community Beach House 415 Pacific Coast Hwy, Santa Monica, CA 90402

4:20pm

Closing Keynote - A free, fair and open internet is a process, not a product.
Abstract
We're never going to be finished with the great work of securing the internet, and we will never be finished with the great work of making sure that it is a force for freedom, privacy, human rights and human flourishing. 
These are processes, not products, and surrender is not an option. It's tempting to just say, "Not my dumpster, not my fire," and walk away, but even if you stop caring about the internet, it's not going to stop caring about you. 
There's no winning and there's no losing. There's only the fight, and you're on the front lines.

Speakers
Cory Doctorow

Science Fiction Author, Activist and Journalist
Cory Doctorow (craphound.com) is a science fiction author, activist, journalist and blogger — the co-editor of Boing Boing (boingboing.net) and the author of WALKAWAY, a novel for adults, a YA graphic novel called IN REAL LIFE, the nonfiction business book INFORMATION DOESN'T...


Wednesday January 31, 2018 4:20pm - 5:10pm
Sand and Sea Room

5:10pm

Raffle and CTF Prize Drawings
Wednesday January 31, 2018 5:10pm - 5:30pm
Sand and Sea Room