
The Open Web Application Security Project (OWASP) Los Angeles Chapter is teaming up with the Orange County, San Diego, SF Bay Area, and Inland Empire chapters to bring you the FIFTH Annual AppSec California. The event is a one-of-a-kind experience for information security professionals, developers, and QA and testing professionals, as they gather at the beach from around the world to learn and share knowledge and experiences about secure systems and secure development methodologies.

One- and two-day training sessions on various subjects by expert trainers kick off the conference on January 28th. World-renowned speakers follow on days three and four.

There will be four concurrent tracks throughout the day on both January 30 and 31, addressing a variety of topics to enhance knowledge.


Talk: Protect It
Tuesday, January 30
 

10:45am

Authentication without Authentication
Abstract:
Authentication is important, but how do you authenticate when user interaction is not an option? For example, an IoT app without a user interface. We need to authenticate the app - without any predefined credentials. But how? Join this session to find out - including a demo of the solution on a Raspberry Pi!

Speakers

Dirk Wetter

Dirk Wetter (Ph.D.) is an independent security consultant with more than 20 years of professional experience in information security. He has a broad technical and information security management background. He has published over 60 articles in computer magazines. His primary focus...



Tuesday January 30, 2018 10:45am - 11:35am
Sand and Sea Room

10:45am

DevOps Is Automation, DevSecOps Is People
Abstract
A lot of appsec boils down to DevOps ideals like feedback loops, automation, and flexibility to respond to situations quickly. DevOps has the principles to support security; it should have the knowledge and tools to apply it. Real-world appsec deals with constraints like time, budget, and resources. Navigating these trade-offs requires building skills in collaboration and informed decision-making. On the technology side, we have containers, top 10 lists, and tools. Whether we are focused on more efficient meetings or trying to drive change across an organization, we need equal attention on techniques that make the social aspects of security successful. We build automation with apps. We build relationships with people. This presentation explores methods for establishing incentives, encouraging participation, providing constructive feedback, and reaching goals as a team. It shows different ways to use metrics and communication to drive positive behaviors. These are important skills not only for managing teams, but for influencing appsec among peers and growing a career. Security is an integral part of DevOps. And, yes, it's made of people.

Speakers

Mike Shema

VP of SecOps and Research, Cobalt.io
Mike Shema is VP of SecOps and Research at Cobalt.io. Mike's experience with information security includes managing product security teams, building web application scanners, and consulting across a range of infosec topics. He's put this experience into books like Anti-Hacker Tool...


Tuesday January 30, 2018 10:45am - 11:35am
Club Room

11:45am

Leveraging Cloud SDNs to Solve OWASP Top Ten
Abstract:
Historically, implementing network security controls within a virtualized cloud environment has been difficult, requiring tricky networking and hypervisor integration. Advancements in software-defined networking (SDN) now allow virtualized security controls to be implemented within the virtual layer 2 (media link) network, reducing the complexity. Through the use of SDN-defined service chains, network traffic can be required to flow through security controls, allowing policy to be implemented within the virtual network itself. This presentation illustrates how common security functions (such as Snort) can be virtualized and injected within layer 2 of a virtual network without requiring any layer 3 (IP) networking changes.

This presentation elaborates on the open-source technologies available to make virtualized network-level web security a reality. The presentation culminates in a walk-through of a full workshop available via GitHub for those who are interested in trying out the full implementation. This work has been completed using open-source software including Linux (CentOS), Snort, nginx, and OpenStack.



Speakers

John Studarus

Software Architect, JHL Consulting
John merges his interests in computing infrastructure, networking, and software security. His background includes leading product teams, writing prototype code and examining distributed systems at Fortune 500s and startups alike. He brings a rare combination of technical expertise...



Tuesday January 30, 2018 11:45am - 12:35pm
Sand and Sea Room

2:00pm

Decrease Your Stress and Increase Your Reach with Appsec Champions
Abstract
Being the only person in the entire company who works on the appsec program gets old. You're getting no help from anyone, and no one cares about what you're doing. Are you the ONLY PERSON who actually cares about security? Are you even making a difference, or are you just counting the days until a breach?
If this is your appsec story, job after job, I'll cover things you can do immediately to start a culture change at your company and recruit appsec champions in this fight. Let's change your story.

Speakers

Coleen Coolidge

Head of Security, Segment, San Francisco.
Coleen Coolidge is Head of Security at Segment in San Francisco. Previously, she was at Twilio (pre-to-post IPO) as Sr Director of Trust and Security. She's also served in security-leadership positions at more traditional, enterprise companies like First American Title and CoreLogic...



Tuesday January 30, 2018 2:00pm - 2:50pm
Club Room

3:00pm

Seeing Through the Fog - Navigating the Security Landscape of a Cloud-First World
Abstract:
The prospect of the cloud is extremely attractive to many enterprises, so it’s no surprise that several industries are in an all-out sprint to get there. Cloud has become so popular that many CIOs have simply been given the directive “get to the cloud,” and thus are moving forward at a staggering rate with little regard for cost or security. This is putting security teams on their heels, in large part because many haven’t had the chance to truly grasp the shared responsibility model that most cloud providers operate under.

There is a common misconception in the industry that, when you buy space with a cloud provider, the cloud provider is also responsible for securing your data. This simply isn’t the case. The agreement is much more like leasing an apartment - the landlord maintains the roof, walls and windows, but if you leave the door unlocked that’s on you. That said, determining who has responsibility for the protection of applications, services, and data once cloud has become part of an enterprise stack is a lot harder than locking a door. If it weren’t, we wouldn’t be constantly reading about huge troves of sensitive data stored on unsecured AWS servers. So, figuring out this shared model has become one of the major challenges of navigating this new and only vaguely-defined landscape.

The first thing we all need to understand is that cloud providers are not managing data so much as providing a platform or infrastructure, so the protection of the data is still up to the enterprises. While the cloud offers more availability and uptime, it can also make data more vulnerable to attack. Every copy of data is a potential liability, so while availability is convenient it comes with elevated risk. Cloud providers can certainly make it easier for enterprises to set up their servers correctly, but enterprises need to own the responsibility of securing their data and make sure they are maintaining access control lists properly, performing quality-assurance on configurations and policies, and auditing who has access to what.
 
In this session we will explore how security professionals can own security for their organization as they migrate to the cloud, and detail the steps they can take to make sure the cloud stays secure for their enterprise, thus ensuring that they don’t end up making headlines for all the wrong reasons.



Speakers

Ben Johnson

CTO, Obsidian Security
Ben Johnson is a prominent voice in cybersecurity, having co-founded and been CTO of both Obsidian Security and Carbon Black. Additionally, Ben sits on several cyber start-up boards and spent 7 years at the NSA. Ben has spoken to over 600 organizations and given thought-leadership...



Tuesday January 30, 2018 3:00pm - 3:50pm
Sand and Sea Room

4:20pm

Edgeguard: Client-side DOM Security - detecting malice - AN Open Framework
Abstract:
“Project edgeguard” is an open framework that allows you to detect when malicious content (planted in your browser via hacking or client-side malware attacks) results in sensitive user data being stolen and transmitted to third parties (hackers, cybercrime, etc.), similar to many banking Trojans.

Injection and tampering attacks:
Malicious content can be placed within a user’s browser whilst using your web application by virtue of a client-side security weakness/vulnerability or certain types of browser malware (e.g. Man in the Browser attacks).

edgeguard is a “Zero-footprint” library that aims to detect exfiltration of sensitive user data from the browser.




Speakers

Rahim Jina

Chief Operating Officer, edgescan.com
Rahim is the Chief Operating Officer of edgescan™, a Security Consultancy firm and Fullstack Vulnerability Management SaaS based in Dublin, Ireland. Rahim is responsible for operational excellence and has extensive experience delivering penetration testing services to a wide range...

Eoin Keary

Founder/CEO, edgescan.com
Eoin Keary, CISSP, is the CEO and founder of edgescan.com, a managed web vulnerability intelligence and threat detection service which is a listed “Sample vendor” and “Notable vendor” in the Gartner Application Security Hype Cycle and MQ for Managed...



Tuesday January 30, 2018 4:20pm - 5:10pm
Garden Terrace Room

4:20pm

How Privacy Violations, Fines and Economic Sanctions Create Darker Opportunities.
Abstract
Welcome to 2018. Although there’s no flying car in every garage yet, we do have malicious code capable of crashing governments and markets easily available via Google. A world where data seems leaked more often than secured. New laws and fines appear to be an opportunity to reverse the current, rather depressing trend of our private data seemingly spilled everywhere, breach after breach. Leaked data and compromised and vulnerable systems have become a new type of currency in the underground cyber crime economy. Some economically sanctioned countries, seeing the high returns possible from digital crime, have invested heavily. The European Union’s new data protection regulations, the EU GDPR, come into force in May 2018 with wide-ranging implications and fining teeth that reach worldwide income. Unfortunately, with progress come new cyber crime opportunities, for some regimes with nuclear weapons. Learn key points and the effect the EU GDPR can have on your organization: serious pitfalls, loopholes and takeaways. Unravel the way some sanctioned countries actively utilize breaches and digital crime to fund “interesting” regimes and a new type of cyber crime built on privacy.

Speakers

Chris Kubecka

CEO, Hypasec
Chris Kubecka is an experienced, committed, energetic and certified digital security expert who is passionate about solutions. Author of multiple books including the 2019 release of Hack the World with OSINT. Over 20 years of professional experience ranging from military, government...



Tuesday January 30, 2018 4:20pm - 5:10pm
Club Room
 
Wednesday, January 31
 

10:30am

Prevention as a Business Strategy
Abstract
The world of cybersecurity has changed. Cybercriminals target organizations and unleash a torrent of malicious files and attacks that flood an enterprise until a breach occurs. Many businesses, whether small or large, have been infiltrated, and employing traditional detect-and-respond solutions exposes these businesses to high risks and long-term costs. Risk management leaders need agile defenses that quickly adapt to the rapidly changing environment. Organizations can successfully use advances in automation, including artificial intelligence, machine learning, and big data, to secure like never before, protecting against both known and unknown attacks. This shift to prevent and protect brings the strategic benefits of cybersecurity to every aspect of the organization.

Speakers

Corey White

Vice President of Worldwide Consulting, ThreatZERO Services at Cylance
Corey White serves as the Vice President of Worldwide Consulting and ThreatZERO Services at Cylance. He leads the strategic growth of prevention-based consulting services for both private and public sector organizations across the company’s international locations. Cylance Consulting...


Wednesday January 31, 2018 10:30am - 11:20am
Garden Terrace Room

11:30am

Security After Death -- Not your problem, or is it?
Abstract:
The talk covers practical solutions for storing passwords and secure ways to share those passwords. The solutions range from commercial to open source and even some roll-your-own.

It will also cover solutions that answer the question: “How do I allow others to access all my passwords after I am unavailable, incapacitated or dead?”

I will review the current state of password key rings, password managers and vault systems available in commercial and open source forms. I will also talk about why you should be using password managers in your personal life and at your businesses to help manage the security of your passwords, share passwords safely, and how to recover from the unexpected.
Finally, I will cover Shamir’s Secret Sharing (SSS, https://en.wikipedia.org/wiki/Shamir%27s_Secret_Sharing) as a solution that can be used to safely share passwords following a dual-control rule: a single share on its own cannot be used to recover the password, but any t of n trusted persons can combine their shares to recover the password(s) and use SSS to access encrypted data.

Speakers

Ty Shipman

Ty Shipman has 30+ years in the computer industry. He started writing games in the 1980s and now focuses on security and compliance. He co-founded Kagi, an online store that ran for 20+ years. Most recently he was the V.P. of Security and Compliance at LoopPay, which was acquired...



Wednesday January 31, 2018 11:30am - 12:20pm
Garden Terrace Room

11:30am

What's new in TLS 1.3
Abstract:
TLS 1.3 is just about here! This talk will cover the more notable attacks against prior versions of TLS and examine their applicability to TLS 1.3. In doing so, important security-related design decisions of TLS 1.3, which thwart these attacks, will be highlighted. We will also highlight the new protocol handshakes and how they can give rise to 0-RTT resumption. Finally, potential pitfalls of deploying TLS 1.3 and ways to avoid them will be discussed.



Speakers

Alex Balducci

Principal Security Consultant, NCC Group
Alex Balducci is a Principal Security Consultant at NCC Group's Cryptography Services. His experience includes security research, source code auditing, application security assessments, and software development - but his expertise is in cryptographic security including analysis and...



Wednesday January 31, 2018 11:30am - 12:20pm
Club Room

2:00pm

A Tour of API Underprotection
Abstract:
Effective API protection is a growing concern, reflecting the popularity of RESTful Web APIs and richer front-end clients, which stress current security and access authorization approaches. You’ll learn about potential threats resulting from undersecured Web APIs and techniques to strengthen your API security posture. You'll gain a clear understanding of user authorization via OAuth2, software authorization via static API keys, and the critical interplay between them. Of particular concern are mobile API consumers whose code is statically published with secrets which are often poorly concealed. Practical advice with code examples will show how to improve mobile API security. TLS is necessary but insufficient to fully secure client-server communications. Certificate pinning is explained with code examples to show how to strengthen channel communications. Some advanced techniques will be discussed, such as app hardening, white-box cryptography and mobile app attestation. You should gain a good understanding of the underprotected API problem, with some immediately practical tips to improve your API security posture and a sense of emerging tools and technologies that enable a significant step change in API security.

Speakers

Skip Hovsmith

Principal Engineer and VP Americas, CriticalBlue
Skip Hovsmith is a Principal Engineer and VP Americas for CriticalBlue, working on securing API usage between mobile apps and backend services. Previously, Skip consulted with CriticalBlue customers on accelerating mobile and embedded software running on multicore and custom coprocessor...



Wednesday January 31, 2018 2:00pm - 2:50pm
Club Room

2:00pm

Where, how, and why is SSL traffic on mobile getting intercepted? A look at ten million real-world SSL incidents
Abstract:
Over the last two years, we've received and analyzed more than ten million SSL validation failure reports from more than a thousand iOS and Android apps available on the app stores and used all around the world. From mobile banking to music apps, each report was triggered because an unknown or unexpected certificate was being served to the app, preventing it from establishing a secure connection to its server via SSL/TLS.

We've analyzed each of these reports to understand what caused the SSL connection to fail, and then grouped similar failures into various classes of SSL incidents. Throughout this presentation, we will describe the analysis we've made and present our findings.

First, we will provide a high-level overview of where, how, and why SSL incidents are occurring across the world for iOS and Android users, and describe the various classes of incidents we've detected. Some of these types of incidents, such as corporate devices performing traffic inspection, are well-known and understood, although we will provide new insights into how widespread they are.

Then, we will take a closer look at a few notable incidents we detected, which have been caused by unexpected, or even suspicious actors. We will describe our investigations and what we found.

Lastly, we will provide real-world solutions on how to protect apps against traffic interception and attacks, as a mobile developer.

Speakers

Alban Diquet

Head of Engineering, Data Theorem
Alban Diquet is Head of Engineering at Data Theorem, a cloud-enabled scanning service for mobile application security and data privacy. Alban's research focuses on security protocols, data privacy, and mobile security. Alban has released several open-source security tools including...



Wednesday January 31, 2018 2:00pm - 2:50pm
Terrace Lounge

3:00pm

Applied Deception Beyond the Honeypot: Moving Past 101
Abstract
Conflict in cyberspace moves quickly, is primarily asynchronous, and can be carried out by a broad range of centralized and decentralized adversaries with great effectiveness. There are many nuanced aspects to this field that make playing defense difficult; offensive deception and challenges in attribution are two which stand out in particular. This talk will focus on applying deception techniques in a security program beyond the standard of honeypots that exists today. We will enumerate and adapt the various means by which military and political operations employ deception in a strategic capacity and what we can learn from these other fields.

Speakers

Robert Wood

Chief Security Officer, Simon Data
Robert Wood is a security technologist, strategic advisor, and speaker. He currently leads the security efforts at Simon Data where he is responsible for security, privacy, compliance, and overall risk management. After working as a consultant for many years, Robert made the switch...



Wednesday January 31, 2018 3:00pm - 3:50pm
Sand and Sea Room

3:00pm

Unpoisoned Fruit: Seeding Trust into a Growing World of Algorithmic Warfare
Abstract
Artificial Intelligence, or even just Machine Learning for those who prefer organic, is influencing nearly all aspects of modern digital life. Whether it be financial, health, education, energy, transit... emphasis on performance gains and cost reduction has driven the delegation of human tasks to non-human agents. Yet who in infosec today can prove agents worthy of trust? Unbridled technology advances, as we have repeatedly learned in history, bring very serious risks of accelerated and expanded humanitarian disasters. The infosec industry has been slow to address social inequalities and conflict that escalates on the technical platforms under their watch; we must stop those who would ply vulnerabilities in big data systems, those who strive for quick political (arguably non-humanitarian) power wins. It is in this context that algorithm security increasingly becomes synonymous with security professionals working to avert, or as necessary helping win, kinetic conflicts instigated by digital exploits. This presentation therefore takes the audience through technical details of defensive concepts in algorithmic warfare based on an illuminating history of international relations. It aims to show how and why to seed security now into big data technology rather than wait to unpoison its fruit.

Speakers

Davi Ottenheimer

Flyingpenguin LLC
More than twenty years' experience managing global security operations and assessments, including a decade of leading incident response and digital forensics. Co-author of the book “Securing the Virtual Environment: How to Defend the Enterprise Against Attack,” published in May...



Wednesday January 31, 2018 3:00pm - 3:50pm
Terrace Lounge

3:00pm

We Come Bearing Gifts: Enabling Product Security with Culture and Cloud
Abstract:
What would it look like if security never had to say “no”?

This talk explores that counter-intuitive premise, and shows how it is not just possible but *necessary* to discard many traditional security behaviors in order to support modern high-velocity, cloud-centric engineering teams. For the product security team at Netflix, this is the logical implication of a cultural commitment to enabling the organization.

Attendees will learn how to replace heavy-handed gating with an automation-first approach, and build powerful security capabilities on top of cloud deployment primitives. Specific examples, including provable application identity, immutable and continuous deployment, and secret bootstrapping, illustrate how this approach balances security impact with engineering enablement.



Speakers

Astha Singhal

Application Security Lead, Netflix
Astha Singhal currently leads the Application Security team at Netflix. Prior to this, she managed the Salesforce AppExchange Security Review as a Senior Manager on Product Security. She is a security engineer by qualification who is passionate about proactive security and developer...

Patrick Thomas

Senior Application Security Engineer, Netflix
Patrick Thomas is a professional breaker of software with a tremendous amount of love for the builders. He started as a developer, spent years as a penetration tester, and has now found a home in the middle improving appsec as a Senior Application Security Engineer at Netflix. He...



Wednesday January 31, 2018 3:00pm - 3:50pm
Club Room