
The Open Web Application Security Project (OWASP) Los Angeles Chapter is teaming up with the Orange County, San Diego, SF Bay Area, and Inland Empire chapters to bring you the FIFTH Annual AppSec California. The event is a one-of-a-kind experience for information security professionals, developers, and QA and testing professionals, who gather at the beach from around the world to learn and share knowledge and experience about secure systems and secure development methodologies.

One- and two-day training sessions on various subjects by expert trainers kick off the conference on January 28th. World-renowned speakers follow on days three and four.

There will be four concurrent tracks throughout the day on both January 30 and 31, addressing a variety of topics to enhance knowledge.


Talk: Build It
Tuesday, January 30
 

10:45am

The Best Flaw Didn't Make Into Production
Abstract
Security practitioners - the Sisyphus of information technology. We stand with a huge mass of developers creating new content every day, and we trust in the training that we offer them, in our own abilities as subject matter experts, in the tools we create and in the methods we suggest. And still, the application security debt keeps growing, and flaws we thought were already well understood keep reappearing. This talk proposes yet another way of working with developers, testers and architects to address the gaps between training and coding, design and implementation, and security testing, and to make sure that the security practitioner has enough timely information to influence development rather than chase fixes for the next version. These proposals are supported by observation of and interaction with many distinct development teams, feedback from peer practitioners, and pilot tests.

Speakers

Izar Tarandach

Lead Product Security Architect, Autodesk Inc.
Izar Tarandach is Lead Product Security Architect at Autodesk Inc. Prior to that, he was the Security Architect for Enterprise Hybrid Cloud at Dell EMC, and before that a Security Consultant at the EMC Product Security Office. With more years than he's willing to admit to in the information...



Tuesday January 30, 2018 10:45am - 11:35am
Garden Terrace Room

10:45am

The Only Reason Security Really Matters for DevOps
Abstract
This talk begins by exploring the answer to the question: why does DevOps matter? Businesses do what they need to do to survive and succeed. If their customers need agility, then they will evolve to accommodate that.

Next, key differences between the pre-DevOps world and the post-DevOps world are discussed. Before, it was about on-premise, protecting the perimeter, and enforcing gates in the SDLC. Now, supply chain is king. Applications and APIs matter more and more. And everything is mobile.

A detailed look at 10 companies "killing it at DevOps" reveals that for agile companies, security is a strategic business driver. It prevents unplanned work and re-work, and security requirements are explicitly specified during the sales process as part of vendor security assessments.

Additional drivers also include avoiding bad press and compliance reasons - both of which, if you look under the covers, are ultimately about getting more sales. This presentation analyzes the actual language in Bill Gates' Trustworthy Computing memo to see that in fact even Microsoft's "noble" initiative was "all about the money."

That being said, what's a security professional to do? BSIMM has 113 controls, ISO27017 has 121, and CCM has 133. It's enough to make a person's brain explode.

This session concludes with expert recommendations on how to think about security for DevOps in a way that aligns with a modified version of the NIST Cybersecurity Framework. The 5 points (Identify, Prevent, Detect, Respond, and Recover) are simplified down to just 3 (Identify, Prevent, and React) and the end of the session covers detailed recommendations on how to incorporate practical security concepts into a DevOps environment using this uncomplicated framework.



Speakers

Caroline Wong

Vice President of Security Strategy, Cobalt
Caroline’s close and practical information security knowledge stems from broad experience as a Cigital consultant, a Symantec product manager, and day-to-day leadership roles at eBay and Zynga. She is a well-known thought leader on the topic of security metrics and has been featured...



Tuesday January 30, 2018 10:45am - 11:35am
Terrace Lounge

11:45am

Robots with Pentest Recipes - Democratizing Security Testing Pipelines for DevOps Wins
Abstract
Application Security (AppSec) teams are usually short-staffed. While this is no surprise in itself, there is now the added impetus of continuous delivery of security solutions for the continuous delivery pipelines of myriad engineering teams within an organization. While some teams have leveraged SAST, DAST and IAST as part of the continuous delivery pipeline, AppSec teams could definitely use a helping hand from other teams, including QA, Engineering and Infrastructure (Security) teams. However, this presents a problem, largely because the tools used by AppSec teams (and security teams in general) are not easily understood or known by Engineering and QA teams. In addition, there is a diverse set of tools, ranging from application vulnerability scanners to recon tools, used by security teams, pentest teams and so on that are typically not meshed together in a common fabric. What if there were a way where we could create security testing recipes and run a battery of security tests, from baseline application security testing to pre-deployment infrastructure vulnerability assessments, across various environments, and, what's better, UNDER A COMMON FABRIC!! For one, security testing would become much easier to create and execute, with various teams able to author security testing pipelines themselves with limited involvement from an already-stretched AppSec team. That's what this talk is all about.

Over the last few months, my team and I have leveraged the all-powerful Robot Framework to integrate various security testing tools, including OWASP ZAP, Nmap and Nessus. Robot Framework is a generic test automation framework for acceptance testing and acceptance test-driven development (ATDD). It provides a very extensible, keyword-driven syntax that is extended by test libraries implemented in Python or Java. We have developed open source libraries for popular tools like OWASP ZAP, Nmap, Nessus and some recon tools, which can be invoked alongside existing libraries like Selenium to perform completely automated, parameterized security tests across the continuous delivery pipeline with easy-to-write, almost trivial test syntax like

`run nmap scan` OR `start zap active scan`

thereby making it easier for engineering teams to create “recipes” of the security tests they want to run, and to integrate them with functional test automation to run anything from a baseline scan to a complete parameterized security test of the application in various environments. In fact, we have used these libraries to run a “mostly automated pentest as a recipe”, replete with recon, mapping and vulnerability discovery phases, with evidence collection and reporting built in.

I'll be making most of the code available on GitHub for the community to use.



Speakers

Abhay Bhargav

CTO, we45 an AppSec company
Abhay Bhargav is the CTO of we45, a focused Application Security company. Abhay is the author of two international publications, “Secure Java for Web Application Development” and “PCI Compliance: A Definitive Guide”. Abhay is a builder and breaker of applications, and has...



Tuesday January 30, 2018 11:45am - 12:35pm
Terrace Lounge

11:45am

Threat Modeling Toolkit
Abstract
Threat Modeling is a great way to analyze security early in software development by structuring possible attacks, bad actors and countermeasures over a broad view of the targeted system. This talk will describe basic components of a threat model and how to use them effectively. Modeling concepts will be demonstrated using a cryptocurrency ecosystem as example.


Speakers

Jonathan Marcil

Jonathan has created over a hundred threat models during his career and enjoys sharing his experience. He currently leads the OWASP Media Project and is a board member of the OWASP Orange County chapter located in beautiful Irvine, California. Originally from Canada, he was the Montreal...



Tuesday January 30, 2018 11:45am - 12:35pm
Garden Terrace Room

2:00pm

The Path Of DevOps Enlightenment For InfoSec
Abstract
Security as we have known it has completely changed. Through challenges from the outside and from within there is a wholesale conversion happening across the industry where DevOps and Security are joining forces. This talk is a hybrid of inspiration and pragmatism for dealing with the new landscape.

Speakers

James Wickett

Signal Sciences


Tuesday January 30, 2018 2:00pm - 2:50pm
Terrace Lounge

3:00pm

OWASP Top 10
Speakers

Andrew van der Stock

Director, OWASP Foundation
Andrew is an in-demand speaker and trainer, with past speaking engagements at AusCERT, linux.conf.au, Black Hat, OWASP AppSec EU and AppSec USA, and has trained many thousands of developers and information security professionals through public and private training offerings. Andrew van der Stock is an acknowledged leader of the application security field, with nearly 20 years application sec...


Tuesday January 30, 2018 3:00pm - 3:50pm
Terrace Lounge

3:00pm

SecDevOps: Current Research and Best Practices
Abstract
The last decade has seen widespread changes in how organizations develop and release software. It's not uncommon now for companies to dynamically provision huge numbers of servers from cloud providers based on need, automatically configure those servers with change management systems like Puppet or Chef, and push new code into production tens to hundreds of times per day. In most companies, developers outnumber security engineers by 50:1 or more. How do you keep up?

Speakers

Clint Gibler

Research Director, NCC Group
Clint Gibler is a senior security consultant and research director at NCC Group, a global information assurance specialist providing organizations with security consulting services. Clint has spoken at a number of security conferences, including Black Hat USA, Virus Bulletin, SecTor...



Tuesday January 30, 2018 3:00pm - 3:50pm
Club Room

4:20pm

Costs of Coding to Compliance
Abstract
The problem with most compliance, such as PCI, is that when you manage a project, design, or code only to the line of compliance, there are going to be security gaps. When you have gaps, your risk gets higher, and it becomes more costly to fill those gaps later. 
This talk will describe the requirements of some compliance frameworks and the gaps that can occur when you’re following the bare minimum secure coding practices that they require. The presenters will also give suggestions on how to address these gaps and how to plan for future risk as your applications and dependencies grow and requirements change. 
The approach will look at prioritizing security initiatives to better manage risk as they pertain to application security and create more efficient processes as they relate to software development. Together, these will increase the ability to prevent, detect, and respond to security events that threaten your apps while supporting compliance initiatives. 
At the end of the presentation attendees will have a good understanding of how a more mature security posture and implementing a framework that also allows you to follow secure coding practices can help harden even your more robust applications, as well as address compliance requirements for application security.

Speakers

Joel Cardella

Consultant, CBI
Joel Cardella has over 25 years of experience in information security, having run the gamut from CISO to field operations. He currently is a consultant with CBI, helping C-suite executives better understand and interact with information security topics spanning building and running...

Magen Wu

Senior Consultant, Rapid7
Magen Wu has over 10 years of specialized IT experience and is a Senior Consultant with Rapid7's Strategic Advisory Services group. In her career, she has consulted with organizations in multiple industries including state and local government, education, retail, technology, and healthcare...



Tuesday January 30, 2018 4:20pm - 5:10pm
Terrace Lounge
 
Wednesday, January 31
 

10:30am

Architecting for Security in the Cloud
Abstract
The best part about creating new products and services in the cloud is the agility that it provides. Your company literally can scale at the click of a button. But if you take the simplicity of the cloud for granted, you wind up with brittle security that even a novice adversary can overcome. This talk will focus on identifying the holes in your cloud application before the attackers do, closing those gaps, and building architectures that can withstand the barrage of attacks that the Internet will throw at it.

Speakers

Josh Sokol

Information Security Program Owner, National Instruments
Information Security has always been Josh's passion, and in early 2010 National Instruments finally gave him the opportunity to become the Information Security Program Owner. Today, he continues to run their security program, handling everything from compliance to enterprise risk...



Wednesday January 31, 2018 10:30am - 11:20am
Sand and Sea Room

10:30am

Taking on the King: Killing Injection Vulnerabilities
Abstract
How do we dismantle the reign of dangerous and prevalent vulnerabilities? "Injection" has crowned the OWASP Top 10 since 2010, while cross-site scripting (a type of injection) has maintained placement in the top four since 2003. If these two vulnerabilities are well-understood, well-documented, and have "clear" solutions, why have they remained on the OWASP Top 10 for nearly 15 years? Let's take a step back to examine what causes injection (and XSS) vulnerabilities and potential plans for their dethronement.

Speakers

Justin Collins

CEO, Brakeman, Inc.
Justin has been an application security engineer at SurveyMonkey, Twitter, and AT&T Interactive, and is the primary author of Brakeman, an open source static analysis security tool for Ruby on Rails.



Wednesday January 31, 2018 10:30am - 11:20am
Terrace Lounge

11:30am

Lessons From The Threat Modeling Trenches
Abstract
What wisdom percolates from building threat modeling practices across four organizations? This presentation is drawn from hundreds of students, years of coaching, 100 formal trainings, and thousands of threat models. It draws upon experience gained in the trenches of the battle to reduce design errors, a battle often fought through threat modeling. Conclusions may overturn cherished beliefs.

Speakers

Brook Schoenfield

Principal Architect Product Security, McAfee
Brook S.E. Schoenfield is the author of Securing Systems: Applied Security Architecture and Threat Models (CRC Press, 2015). He is the Principal Architect for product security at Intel Security Group. He provides strategic technical leadership, training and mentoring for 75 security...



Wednesday January 31, 2018 11:30am - 12:20pm
Sand and Sea Room

3:00pm

European Vacation - Leveraging GDPR for Security
Abstract
Our friends across the pond love their privacy. Makes you wonder what they're up to, huh? While many organizations are dreading achieving and maintaining GDPR compliance, if approached properly it can be a big win for the security of your applications. This presentation will cover how GDPR can be a driver for many security initiatives and how to automate much of the work.

Speakers

Anthony Trummer

Tinder
Tony has been working in the IT industry for nearly 20 years and has been focused on application security for the last 5 years. He is currently a penetration tester for LinkedIn, running point on their mobile security initiatives. Prior to LinkedIn, he worked for Warner Bros Advanced...



Wednesday January 31, 2018 3:00pm - 3:50pm
Garden Terrace Room