LASCON 2017

Tuesday, October 24
 

9:00am

Automating your own AppSec Pipeline with Docker and Serverless Computing w/ Matt Tesauro (Day 1)
Limited Capacity seats available

Paid Training Ticket Required

Any optimization outside the critical constraint is an illusion. In application security, the size of the security team is always the scarcest resource. The best way to optimize the security team is automation. This training will provide an overview of key application security automation principles and provide hands-on experience with creating an Application Security Pipeline augmented with automation. Over the course of two days, the students will cover the crucial aspects of where and when to add automation to their application security practices and gain experience with integrating APIs, using serverless functions (Lambda), ChatOps integration (Slack), automating security scanning, consolidating and de-duplicating security issues, automating submission of issues to defect trackers and generating reports/metrics in an automated fashion. Students should leave with a firm understanding of how to apply DevOps and Agile concepts to optimize their security programs using local and cloud infrastructure.

The labs consist of a series of exercises which build upon each other to construct an AppSec Pipeline specifically geared towards Cloud and Serverless automation. After discussing each fundamental part of the pipeline, the student will be provided a lab to construct that portion of their own AppSec Pipeline. While these will be somewhat scripted labs, they will provide working examples of all the key concepts needed in adding automation to an AppSec program allowing the student to have seen the concepts in action before returning to work and applying them to their particular situation.
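The consolidation and de-duplication step that the abstract lists, shown as an added example that is not part of the training material or of the original page: two hypothetical scanner outputs, constructed here with assumed field names (`rule`/`check_id`, `path`/`file`, and so on), are normalized to one schema and merged by a location-based fingerprint so that the defect tracker receives each issue once, tagged with every tool that found it.

```python
"""Added example (not Matt Tesauro's training material): normalize findings from
two hypothetical scanners into one schema and de-duplicate them by a stable
fingerprint, the step an AppSec pipeline runs before filing defects."""
import hashlib
import json
from typing import Dict, List

# Constructed sample output from two scanners; the tool names and field names
# are assumptions, not the output format of any real product.
SCANNER_A_OUTPUT = json.dumps([
    {"tool": "sast-a", "rule": "sql-injection", "path": "app/db.py", "line": 42,
     "severity": "HIGH", "message": "Unsanitized input in SQL query"},
    {"tool": "sast-a", "rule": "sql-injection", "path": "app/db.py", "line": 42,
     "severity": "HIGH", "message": "Unsanitized input in SQL query"},  # repeated by the tool
    {"tool": "sast-a", "rule": "xss", "path": "app/views.py", "line": 7,
     "severity": "MEDIUM", "message": "Reflected user input"},
])
SCANNER_B_OUTPUT = json.dumps([
    {"tool": "sast-b", "check_id": "SQLI-001", "file": "app/db.py", "start_line": 42,
     "level": "high", "text": "Possible SQL injection"},
    {"tool": "sast-b", "check_id": "HARDCODED-SECRET", "file": "app/settings.py",
     "start_line": 3, "level": "critical", "text": "API key committed to source"},
])

# Map each scanner's vocabulary onto one set of rule ids and severities.
RULE_ALIASES = {"sql-injection": "SQLI", "SQLI-001": "SQLI", "xss": "XSS",
                "HARDCODED-SECRET": "SECRET"}
SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


def normalize(raw: dict) -> Dict[str, object]:
    """Convert one raw finding into the common schema."""
    if raw["tool"] == "sast-a":
        rule, path, line = raw["rule"], raw["path"], raw["line"]
        sev, msg = raw["severity"], raw["message"]
    else:  # sast-b
        rule, path, line = raw["check_id"], raw["file"], raw["start_line"]
        sev, msg = raw["level"], raw["text"]
    return {"rule": RULE_ALIASES.get(rule, rule), "path": path, "line": int(line),
            "severity": sev.upper(), "message": msg, "sources": [raw["tool"]]}


def fingerprint(f: Dict[str, object]) -> str:
    """Stable id: the same rule at the same location is the same issue, whichever tool found it.
    The message text and tool name are deliberately left out of the key."""
    key = f"{f['rule']}|{f['path']}|{f['line']}"
    return hashlib.sha256(key.encode()).hexdigest()[:16]


def consolidate(*scanner_outputs: str) -> List[Dict[str, object]]:
    """Merge raw JSON outputs; keep one record per fingerprint with the highest
    severity seen and the union of the tools that reported it."""
    merged: Dict[str, Dict[str, object]] = {}
    for blob in scanner_outputs:
        for raw in json.loads(blob):
            f = normalize(raw)
            fp = fingerprint(f)
            if fp not in merged:
                f["id"] = fp
                merged[fp] = f
                continue
            existing = merged[fp]
            if SEVERITY_RANK[f["severity"]] > SEVERITY_RANK[existing["severity"]]:
                existing["severity"] = f["severity"]
            for tool in f["sources"]:
                if tool not in existing["sources"]:
                    existing["sources"].append(tool)
    # Highest severity first, then by location, so the defect tracker gets a stable order.
    return sorted(merged.values(),
                  key=lambda f: (-SEVERITY_RANK[f["severity"]], f["path"], f["line"]))


if __name__ == "__main__":
    for f in consolidate(SCANNER_A_OUTPUT, SCANNER_B_OUTPUT):
        print(f["id"], f["severity"], f["rule"], f"{f['path']}:{f['line']}", ",".join(f["sources"]))
```

Four raw findings collapse to three tickets: the SQL injection reported twice by one scanner and once by the other becomes a single record that lists both tools. Line numbers move as code changes, so a pipeline that runs on every commit would key the fingerprint on a hash of the flagged line's content rather than on the raw line number.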


Tuesday October 24, 2017 9:00am - 5:00pm
TBA

9:00am

Web Application Hacking w/ Brandon Perry (Day 1)
Limited Capacity seats available

Paid Training Ticket Required

The first day of this class focuses on teaching how to start finding and exploiting common web application vulnerabilities (Cross-Site Scripting, SQL Injection, Remote Command/Code Execution), first by hand, and then with common tools.

Real world web applications are used to demonstrate each vulnerability, after learning the basics in an intentionally vulnerable web application called BadStore.

Students end the day having covered the basics of the most prevalent types of web application vulnerabilities, as well as seeing how these can impact applications in the real world.

The second day of training takes the real-world vulnerabilities from the previous day to the next level. We quickly rehash them by exploiting them by hand using Burp Suite or other common tools, then weaponize the vulnerabilities while learning the ropes of writing Metasploit exploit and auxiliary modules.

By the end of the day, we will have written two exploit modules and one auxiliary module.  

Trainers
Brandon Perry

Brandon Perry has been writing C# applications since the advent of the open source .NET implementation Mono. In his free time, he enjoys writing modules for the Metasploit framework, parsing binary files, and fuzzing things. He is the co-author of Wicked Cool Shell Scripts, 2nd...


Tuesday October 24, 2017 9:00am - 5:00pm
TBA

9:00am

Modern Crypto Attacks for Pen Testers who Hate Math w/ Daniel Crowley (Day 1)
Limited Capacity seats available

Paid Training Ticket Required

In the same way that applications are difficult to design, code and deploy securely, cryptographic systems are difficult to design, code and deploy securely. So why is it that people who jump at the chance to learn new ways to break application security balk at learning crypto? One reason seems pretty consistent: the math is too hard! But surprisingly, most application security professionals ALREADY understand and have performed some crypto attacks. Ever cracked a password hash? Ever performed an NTLM relay attack? Then you, too, have successfully attacked cryptosystems!

While math and number theory are involved in attacking crypto, it's only a part of what makes cryptosystems break. This training will focus on crypto basics and practical crypto attacks you can use against real-world applications as explained using the language of logic, not math, as well as tools that can help you launch the attacks which involve more complicated math. Attendees will learn how to exploit common crypto flaws through instruction and hands-on exercises.

Student requirements:  An installed copy of FeatherDuster

Trainers
Daniel Crowley

Austin Research Director, NCC Group
Daniel Crowley is a Senior Security Engineer and Research Director for NCC Group, tasked with finding and exploiting flaws in everything from Web applications and cryptosystems to ATMs, smart homes, and industrial control systems. He denies all allegations of unicorn smuggling and...


Tuesday October 24, 2017 9:00am - 6:15pm
TBA
 
Wednesday, October 25
 

9:00am

Automating your own AppSec Pipeline with Docker and Serverless Computing w/ Matt Tesauro (Day 2)
Limited Capacity seats available

Paid Training Ticket Required

Day 2 of the two-day training; see the Tuesday listing for the description.

Wednesday October 25, 2017 9:00am - 5:00pm
TBA

9:00am

Web Application Hacking w/ Brandon Perry (Day 2)
Limited Capacity seats available

Paid Training Ticket Required

Day 2 of the two-day class; the description and trainer bio under the Tuesday listing cover both days.


Wednesday October 25, 2017 9:00am - 5:00pm
TBA

9:00am

Modern Crypto Attacks for Pen Testers who Hate Math w/ Daniel Crowley (Day 2)
Limited Capacity seats available

Paid Training Ticket Required

Day 2 of the two-day training; see the Tuesday listing for the description, student requirements and trainer bio.


Wednesday October 25, 2017 9:00am - 6:15pm
TBA
 
Thursday, October 26
 

7:30am

Breakfast Tacos (Sponsored by AlienVault)
Thursday Breakfast, serving breakfast tacos, is being sponsored by AlienVault.


Thursday October 26, 2017 7:30am - 8:45am
Expo Hall (Live Oak Room)

8:00am

Expo Hall Opens
Thursday October 26, 2017 8:00am - 5:00pm
Expo Hall (Live Oak Room)

8:30am

Incident Response (IR) CTF
CSIRTS (Cyber Security Incident Response Team Simulation)

Participants can be either teams or individuals. A limited number of laptops will be provided, but participants are encouraged to bring their own. There will be wired and wireless access to the environment. Upon logging into the environment, participants will act as “blue team” incident responders seeking to identify a network breach that is actively in progress. The range is a small but realistic mock-up of an enterprise network complete with Active Directory, Exchange, firewalls, SIEM, workstations, etc. Participants will have access to a SIEM/log aggregation tool and multiple security appliances to identify the malicious activities that are taking place on the network.

This is not an active defense challenge, as those often require a significant amount of time. This is simply an “identification” challenge, which is honestly the best starting place for most incident response training functions. The challenge is simple: can you find the hostile activities and identify key components of the threat?

There will be a scoreboard that will prompt the participant to answer Jeopardy-style questions to measure their progress through the challenge. A sample question might be, “What is the external IP address of the malicious activity detected by the perimeter firewall?” or “What protocol is the attacker using to exfiltrate data from within the network?” This will nudge the participant in the right direction for systematically tracing and identifying unauthorized activity on an enterprise network.

This CTF will be coordinated by Eric Capuano of DPS / Texas Homeland Security.

Thursday October 26, 2017 8:30am - 5:00pm
Expo Hall (Live Oak Room)

9:00am

Keynote: Chris Nickerson
Keynote

Speakers
Chris Nickerson

CEO, LARES
Chris Nickerson, CEO of LARES, is just another “Security guy” with a whole bunch of certs whose main area of expertise is focused on Real world Attack Modeling, Red Team Testing and InfoSec Testing. At Lares, Chris leads a team of security professionals who conduct Risk Assessments...


Thursday October 26, 2017 9:00am - 10:00am
Red Oak Ballroom

10:00am

Won't somebody please think of the data!
The greatest trust a client places in your company is when they make you the custodians of their data. In fact, a data breach is considerably more likely to do your client relationship lasting damage or even land you in legal proceedings with them than an incomplete feature delivery or a late bug fix. Still, in all too many technology organisations database security is an afterthought. We rely on trusted DBAs, forgetting they are humans too, with all too human traits. What happens when your greatest threat is internal to your organisation? In sashays GDPR and suddenly things get really interesting....

This talk is based on Sarah-Jane’s original practicum paper “Detecting Internal Database Fraud” and some sobering real life episodes from her work in secure data management. There is still hope as this talk will present strategies whereby engineering and operations teams can come together to protect the corporate gold - your data.

Speakers
Sarah-Jane Madden

Sarah-Jane is a Data Architect at a global Software firm headquartered in Austin, Texas. She is a seasoned technology professional with 20 years in a variety of roles across the financial, healthcare and facilities industries. Her passion for all things data marries well with her...



Thursday October 26, 2017 10:00am - 11:00am
Under Armour Room

10:00am

Security for DevOps
Believe that your application isn't being abused? Have the impression that attackers only pay attention to important sites? Don't have time for the 1% edge case? Think again. It's time to understand the adversary and know more about how to hunt down bad actor activity to make your applications safer to use. During this talk, we'll link security architecture decisions to the feedback loop so you can get ahead and stay ahead of the bad guys.

http://dso.to/talks-lascon2017

Speakers
Shannon Lietz

DevSecOps Leader, Intuit
Shannon Lietz is an award-winning innovator with over two decades of experience pursuing advanced security defenses and next generation security solutions. Ms. Lietz is currently the DevSecOps Leader for Intuit where she is responsible for setting and driving the company’s security...



Thursday October 26, 2017 10:00am - 11:00am
Red Oak Ballroom

10:00am

IoT and the Security of That Mobile App
Using research from multiple projects involving IoT and the accompanying mobile app, we'll take a look at three main areas from the perspective of a researcher: where the most common mistakes lie, where to attack, and how to pull things apart. By looking at multiple research projects, patterns begin to emerge in the types of mistakes that are made. While many IoT devices focus what little security they might have on the end device itself, when data is being moved from device to cloud there are numerous methods for attack that emerge. And most importantly, as a security researcher there are certain tools and techniques that can make quick(er) work of the research. We will use at least two real world examples to show how all of this is done (more depending on vendor responses before the talk), including evaluations of research tools used.

Speakers
Mark Loveless

Researcher, Duo Security
Aka Simple Nomad, Mark is a senior security researcher at Duo Security working in Duo Labs. He has spoken at numerous security and hacker conferences including ShmooCon, Defcon, Blackhat, CanSecWest, SANS, Usenix, and others. He has also been interviewed on security matters by television...



Thursday October 26, 2017 10:00am - 11:00am
Pecan

10:00am

It Was Broken When It Got Here! Security in your Software Procurement Process
In 2017, Software Security is reasonably well understood. Thanks to the hard work of organizations like MITRE, OWASP, BSIMM, Microsoft, OpenSAMM and others, we have moved to a much better software security landscape when compared to 10+ years ago. Of course vulnerabilities still exist, and are found with regularity, but these are typically addressed quickly and competently by the big software vendors. For example, a new critical vulnerability in Windows will be fixed by Microsoft and patched efficiently in most enterprises in a matter of days to weeks. Most recently, Google managed to fix an OAuth vuln being exploited in a mass-phishing exercise in a matter of hours! But what about everything else you install in your company or use as a service? Not all product vendors have the same level of understanding or approach to security, and not all software is under the constant scrutiny of an operating system or widespread authentication mechanism.

As organizations we buy and install lots of third party software, ranging from desktop applications through to entire platforms or appliances. Who is checking that software is free of simple vulnerabilities? This issue of security for Commercial Off-The-Shelf (COTS) software, or Free and Open Source Software (FOSS), is often a complicated one. In this talk, we'll look at some case-studies of vulnerabilities found during penetration tests that were then used to forge compromises of companies. In each case, the flaws discovered and exploited had been within the products for a significant amount of time, providing a potential back-door into the company's internal network or data.

The session will culminate in advice and guidance for how to ensure that security is not an after-thought when purchasing new enterprise products for your company.

Speakers
Kevin Dunn

Senior Vice President for Consultancy, NCC Group
Kevin Dunn is Senior Vice President for Consultancy for NCC Group. Kevin has been a professional security consultant for over 15 years, working on diverse projects and challenging technologies for the world’s largest and most demanding companies. His current responsibilities include...



Thursday October 26, 2017 10:00am - 11:00am
Security Innovation Room

11:00am

Startup Security: Making Everyone Happy

There is no doubt that security is a must for every company but for startups shipping is above all. For small teams focused on shipping their MVP, security would only slow progress. There's no time or budget for expensive slow moving tools to impede progress. At XFIL we've built tools and processes to automate security using open source tools to provide dependency, code and infrastructure security. This talk is about how we approached security without slowing down shipping or increasing work for developers and how you can add security to your project without cost and friction. We'll discuss how we built security into our pipeline, approached new technologies and used proactive controls to make us more secure.


Speakers
Brian Henderson

Director of Engineering, Stratum Security
Application security, development, dev ops

Michael McCabe

Security Architect, Stratum Security
Michael McCabe is a security consultant and developer. He works on making XFIL more secure and enjoys automating away the boring stuff, and RCE.



Thursday October 26, 2017 11:00am - 12:00pm
Red Oak Ballroom

11:00am

OAuth vs. SAML vs. OpenID Connect

OAuth, SAML and OpenID Connect are the most important identity federation protocols in use today. Yet many security architects struggle to express the differences between them. Front-channel, back-channel, assertion, JWT, claims, attributes, IDP, SP, OP, RP--there is a lot of jargon, and some of it seems to overlap. This compare / contrast session will help you understand the differences!

Many application security experts are making important decisions about which identity federation protocol to use for single sign-on for their next-generation application platform. There has been a lot of innovation in the area of identity federation in the last few years, and it's hard to keep up. It's really helpful if security architects can be presented with a summary of what's the same (or just re-named), what's different, and what's new. No assumptions will be made about previous expertise. Each protocol will be given a summary introduction, with references to the parts of the standard that are most commonly used, and which parts are esoteric. The security level of an application is impacted based on the protocol and features used. SAML, OpenID Connect and OAuth offer several profiles, enabling the implementation of both high and low assurance trust frameworks. This topic will also be addressed to help clarify which solutions are best suited for which requirements.


Speakers
Michael Schwartz

CEO, Gluu
Mike has been an entrepreneur and identity specialist for over 18 years. He is the technical and business visionary behind Gluu, whose open source access management platform, called the Gluu Server, enables domains to centralize authentication and authorization using open standards...



Thursday October 26, 2017 11:00am - 12:00pm
Under Armour Room

11:00am

The Rest of the Story: Securing a Raspberry Pi Home Monitoring System

I love to tinker! I have been playing around with the Raspberry Pi for a couple of years. It is really easy to create home automation projects with these little computers, but most projects do not talk much about how to secure them. I started with an Adafruit project called Adafruit – Monitor Your Home with the Raspberry Pi B+.

My talk will explore steps I took to secure my home monitoring project.


Speakers
Laurel Marotta

Security Strategist, IntentionalPrivacy.com
I have worked in Information Technology for over twenty years, including positions at the State of Michigan, the University of Michigan, and Advanced Micro Devices. I have concentrated on information security during the last ten years, although every IT job I have had included some...



Thursday October 26, 2017 11:00am - 12:00pm
Pecan

11:00am

Where we’re going… we won’t need passwords…
This session will cover a real-world approach to enterprise-wide multi-factor authentication deployment at a Fortune 150 company.

Authentication is a critical component of Identity and Access Management, especially as the security perimeter extends beyond the traditional firewall. Employees are demanding the ability to work from anywhere, at anytime, with any device - that's all predicated on strong identity and authentication controls.

In addition to discussing the technical challenges of adapting passwordless authentication to a wide range of computing devices and work scenarios (anytime, anyplace, any device), we’ll also discuss the critical user experience decisions and lessons learned during the implementation.

Speakers
Matt Hajda

Security Architect, USAA
Matthew Hajda is a Security Architect at USAA, focusing on oversight and roadmap of Identity and Access Management technologies. His background includes roles as an Active Directory Security Analyst, Penetration Tester, SOC Analyst, IT Systems Engineer, and Security Architect...



Thursday October 26, 2017 11:00am - 12:00pm
Security Innovation Room

11:30am

Lunch - Day 1
Thursday October 26, 2017 11:30am - 12:30pm
Red Oak Ballroom

12:00pm

Abusing Normality: Data Exfiltration in Plain Site

As a defender, you can recognize a potential compromise when a new WMI class appears on an endpoint that constantly connects to mflzwsyimbwkrlnvhrp.xyz. But how likely are you to notice a regular-looking Symantec virus definition file, placed in its designated folder, on a machine that’s communicating with a Wikipedia-based C&C, about once a week and only after previous, legitimate visits to the site? Or a malware saving keystrokes to a Word dictionary file, reading it five days later using Outlook, embedding the captured data in an email header to a legitimate-looking recipient?

This talk will cover common and uncommon channels attackers can use to communicate and hide information. From prefetch files and Search Index to event logs and Recent Documents, free disk space, Excel templates, and many otherwise inconspicuous objects, the goal of this talk is to show that a clever attacker can hide anywhere that is considered too normal and noisy to monitor.


Speakers
Aelon Porat

Aelon Porat is an information security manager at Cision. He has extensive experience attacking and defending corporate environments. Aelon likes to jump inside networks and out of planes, and in his spare time, he enjoys demoing, speaking, and providing training at different events...


Thursday October 26, 2017 12:00pm - 1:00pm
Under Armour Room

12:00pm

Demystifying the Ransomware and IoT Threat

We have seen a rise in ransomware attacks in the past year. While we were recovering from these attacks, a new wave of DDoS attacks using IoT devices was suddenly thrust into the limelight. In this talk, I will discuss all the stages of a ransomware attack: how it works and how a researcher can handle each of the stages with tried and true analysis techniques. I will then shed light on how IoT devices are used in DDoS attacks by discussing how the malware used in the latest IoT DDoS attack works and how it can be manipulated for future attacks. Then I will discuss how a combination of ransomware and IoT attacks can be a bigger threat in years to come.

Outline:

  • Ransomware deployment technology and how to analyze it
  • Ransomware installation and how the payload retrieved from the malware server is decrypted
  • Ransomware encryption methodology and how to verify it
  • Ransomware payment method
  • Ransomware decryption
  • The IoT DDoS attack
  • Breakdown of IoT malware
  • How ransomware and IoT can combine to become one of the biggest threats we might face in the future

Speakers
Christopher Elisan

Principal Malware Scientist, RSA
Christopher Elisan, Principal Malware Scientist at RSA, is a seasoned reverse engineer and malware researcher. His long history of digital threat and malware expertise, reversing, research and product development started at Trend Micro as one of the pioneers of TrendLabs where he...



Thursday October 26, 2017 12:00pm - 1:00pm
Pecan

1:00pm

Realizing Software Security Maturity: The Growing Pains & Gains
Software security maturity is often diluted down to the OWASP Top 10, leaving organizations with a simplistic view of their real risk. If your organization plans to formalize an application security program, or just don't know where to start, come to this talk to find out the pitfalls and opportunities of using Software Assurance Maturity Model (SAMM) to guide a successful AppSec program.

Speakers
Kelby Ludwig

AppSec Engineer, Duo Security
Kelby Ludwig is a senior AppSec Engineer at Duo Security. Kelby specializes in secure code review, web application testing, cryptography, and low-friction methods of shipping secure software. Prior to Duo, Kelby was an AppSec Engineer at Praetorian finding vulnerabilities within software...

Mark Stanislav

Director of Application Security, Duo Security
Mark Stanislav is the Director of Application Security for Duo Security. Mark has spoken internationally at over 100 events, including RSA, DEF CON, SOURCE Boston, Codegate, SecTor, and THOTCON. Mark’s security research and initiatives have been featured by news outlets such as...



Thursday October 26, 2017 1:00pm - 2:00pm
Security Innovation Room

1:00pm

Tangled Web: Defense in Deception
"All warfare is based on deception. Hence when able to attack, we must seem unable; when using our force, we must seem inactive..." Sun Tzu

Our adversaries are skilled in deception -- we as defenders must become skilled as well. This talk will provide information to defenders on the importance of deception as part of our defense in depth strategy.

Why should the Red Team have all the fun? Let's explore the tools, techniques, and processes that Blue Team can utilize to detect, deceive, detour, confound, confuse, and corral our attackers.

Topics we will discuss will include the goals of deception from the perspective of both the attacker and defender. Defenders will learn the elements, and processes needed to plan, prepare, execute, and monitor effective deception. We will discuss the types of deception techniques that are effective and how they translate into actual web application capabilities. You will learn how to identify and respond to various types of attackers. Finally, we will walk through an example of a deceptive web application that will detect our attacker and sideline them in defense of our web application.

Speakers
Herb Todd

Security Analyst
Electronic warfare veteran of the US Navy, I have been in IT for over 30 years -- 20 years as a developer and 10 in application security. I work for a Fortune 50 company on the Security Architecture team focused on Emerging Technology and Innovation. Previous security roles include...



Thursday October 26, 2017 1:00pm - 2:00pm
Pecan

2:00pm

Equifax shows hackers have the first mover advantage. Let's close that gap.
Bad hygiene is a bigger problem than you think -- Equifax is not alone

46,557 organizations downloaded vulnerable versions of Struts in the past 12 months.  These components were downloaded 912,359 times.  1000 organizations downloaded vulnerable Struts versions more than 100 times.

The most critical vulnerability announcements with Struts2 were discovered in 2013 and 2017.  In the past 12 months, over 3,053 organizations downloaded the CVE-2017-xxxx vulnerable Struts components; over 100,000 downloads were recorded.  These are the same vulnerable components used to break into Equifax.

The only way to counter the inevitable bugs and vulnerabilities is to ensure you are able to respond and remediate quickly. Come find out how to do that.
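The capability the abstract asks for, being able to answer quickly which of your applications carry an affected component, shown as an added example that is not from the talk or from Sonatype's tooling. The inventory, coordinates and versions below are constructed for the demo: org.example:legacy-core stands in for a real coordinate such as org.apache.struts:struts2-core, and the 2.3.20 floor is invented, not a statement about any real release. The point is the numeric version comparison (a string compare sorts 2.3.9 above 2.3.20) and the search through transitive dependencies, where the copy you did not declare yourself usually hides.

```python
"""Added example (not Sonatype's tooling): answer "which of our applications ship
a given component below the fixed version?" from a constructed dependency
inventory, including transitive dependencies. Coordinates and versions are
invented for the demo; the same query runs against a real coordinate with the
fixed version taken from the vendor advisory."""
import re
from typing import Dict, List, Tuple

# Constructed inventory: app name -> `group:artifact:version` lines, indented by
# two spaces per level of transitive depth, as a build tool's dependency tree prints them.
INVENTORY: Dict[str, str] = {
    "billing-api": """
org.example:legacy-core:2.3.20
  org.example:legacy-util:1.0.5
org.example:json-lib:4.1.0
""",
    "portal": """
org.example:json-lib:4.2.1
org.example:portal-kit:1.8.0
  org.example:legacy-core:2.5.10
""",
    "reports": """
org.example:charts:3.0.0
  org.example:plot-util:3.0.0
    org.example:legacy-core:2.3.9
""",
}

COORD = re.compile(r"^(\s*)([\w.\-]+):([\w.\-]+):([\w.\-]+)$")


def parse_version(v: str) -> Tuple[int, ...]:
    """Numeric-segment comparison: 2.3.20 > 2.3.9, which a plain string compare gets wrong."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def find_component(tree: str, group_artifact: str) -> List[Tuple[str, int]]:
    """All (version, depth) occurrences of a component in one dependency tree;
    depth 0 is a direct dependency, anything deeper came in transitively."""
    hits = []
    for line in tree.splitlines():
        m = COORD.match(line)
        if m and f"{m.group(2)}:{m.group(3)}" == group_artifact:
            hits.append((m.group(4), len(m.group(1)) // 2))
    return hits


def affected_apps(inventory: Dict[str, str], group_artifact: str,
                  fixed_version: str) -> Dict[str, List[str]]:
    """Apps whose copy of the component is older than fixed_version, with the offending versions."""
    floor = parse_version(fixed_version)
    result: Dict[str, List[str]] = {}
    for app, tree in inventory.items():
        bad = [v for v, _depth in find_component(tree, group_artifact)
               if parse_version(v) < floor]
        if bad:
            result[app] = bad
    return result


if __name__ == "__main__":
    # 2.3.20 is an invented floor for the demo, not a real fixed version.
    for app, versions in affected_apps(INVENTORY, "org.example:legacy-core", "2.3.20").items():
        print(f"{app}: {', '.join(versions)}")
```

With the invented floor only `reports` is flagged, and only because the search descends into the dependency tree: the affected copy sits two levels below a charting library the team never chose directly. The inventory has to be built continuously from every build, not reconstructed on the day an advisory lands, or the hours the abstract talks about become weeks.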

Speakers
Brian Fox

Co-Founder and CTO, Sonatype
Co-founder and CTO, Brian Fox is a member of the Apache Software Foundation and former Chair of the Apache Maven project. As a direct contributor to the Maven ecosystem, including the maven-dependency-plugin and maven-enforcer-plugin, he has over 20 years of experience driving the...


Thursday October 26, 2017 2:00pm - 3:00pm
Red Oak Ballroom

2:00pm

Improving dynamic vulnerability scanners with static code analysis
Finding potential vulnerabilities in your source code is vital, but the two traditional methods for achieving this goal each have drawbacks. In this talk, we’ll discuss how Indeed combined the two methods to create a more robust solution, and how you can benefit from our work.

The first traditional method, static source analysis, examines the code itself. This technique can be successful at finding vulnerabilities, but it can also generate excessive false positives. Working through these results can take a substantial amount of time if you have a large code base.

The second traditional method, dynamic scanning, finds problems by fuzzing a running instance of an application. To dynamically scan web applications, you must define vectors -- the endpoints, parameters, methods, headers, and cookies that will be tested or fuzzed -- and your results are only as good as the vectors you supply. Whether you discover your vectors by crawling site links or by recording user interactions, you always run the risk of overlooking something. For example, you’ll miss endpoints not explicitly linked or exposed to the user, such as deprecated features.

At Indeed, we combined the two approaches and use static code analysis to enrich dynamic vulnerability scanners. We developed WES: a tool that replaces the need for crawlers by analyzing source code and pulling endpoints right out of where they are defined. In this talk, you’ll not only learn how WES works, but also how to use it to continually improve your application security pipeline.

Speakers

Caleb Coffie

Information Security Engineer, Indeed.com
Information Security Engineer at Indeed | Rochester Institute of Technology Graduate



Thursday October 26, 2017 2:00pm - 3:00pm
Under Armour Room

2:00pm

Serverless security: A pragmatic primer for builders and defenders
Serverless is the design pattern for writing applications at scale without the necessity of managing infrastructure. This is done across the continuum of cloud—from storage as a service to database as a service, but the center of serverless is functions as a service (FaaS). (Current FaaS offerings include AWS Lambda, Azure Functions, and Google Cloud Functions.) Now processes run for milliseconds before being destroyed and then get instantiated for subsequent requests.

Serverless adds simplicity and a new economic model to cloud computing, but it creates some unique security challenges. In serverless architectures, technologies like antivirus and intrusion detection become meaningless. James Wickett explores practical security approaches for serverless in four key areas—the software supply chain, the delivery pipeline, data flow, and attack detection—and examines how traditional approaches need to be adapted to serverless.

Even if you don’t have any experience with serverless, don’t worry; this session starts with the basics. You’ll learn what serverless is (hint: it’s still being defined) and practical patterns for serverless adoption.

Speakers
James Wickett

Head of Research, Signal Sciences
James spends a lot of time at the intersection of the DevOps and Security communities. He works as Head of Research at Signal Sciences and is a supporter of the Rugged Software and DevSecOps movements. Seeing the gap in software testing, James founded an open source project, Gauntlt...



Thursday October 26, 2017 2:00pm - 3:00pm
Security Innovation Room

2:00pm

Your Security Tools are Just a Stop-Gap to Secure DevOps
Many organizations are taking a tools-first approach to verifying the security of applications in their CI/CD pipelines. Usually, after the build, [functional] test, and deploy pipelines are finished, security teams are asked to get involved to decide which security tools should be integrated into those pipelines to detect vulnerabilities. Unfortunately, while integrating SAST (or DAST) into a CI pipeline might result in a quick win, the security posture of applications in the pipeline is still largely unknown. Additionally, integrating SAST often leads to manual triage activities which can slow the pipeline tremendously, or results are aggressively filtered to combat false-positives, which leads to real vulnerabilities being untracked.

To truly gain insight into the security of your applications, start by thinking about your greatest risks. Consider the business risks of a successful attack (i.e. what you need to protect) and the threat models of your applications (i.e. how you might be attacked). Use that information to decide how your applications should be built to reduce those risks (i.e. required security controls). Now, think about how to test that the necessary controls exist and are used properly. Last, choose a tool to perform those tests. You may be able to leverage an existing commercial or open source tool, or you may be better off writing custom scripts or plugins for existing tools.

Sound familiar? The above is not just how to secure your DevOps pipeline – for nearly a decade, it's been standard guidance for building an application security program. The required pace of security activities has increased dramatically with the move to CI/CD, but the overall goal has not.

This talk will explain more deeply:
  • why a tools-first approach to securing a CD pipeline will end in a headache;
  • the security components/activities necessary for securing applications in a CD pipeline; and
  • where to start and how to build momentum within your organization.
I'll provide case studies from industry experience to illustrate common challenges and how they can be overcome. This talk will also introduce a high-level maturity model for setting goals and tracking progress while building an application security program that operates at hyper-speed.

Speakers
Kevin Fealey

Director, ASPECT SECURITY INC
Kevin Fealey is the Director of Aspect Security's Automation & Integration Services Division. He specializes in building security into CI/CD pipelines by automating commercial, open source, and custom tools; and developing streamlined processes to provide faster security feedback to...



Thursday October 26, 2017 2:00pm - 3:00pm
Pecan

2:45pm

Snack Break (sponsored by Denim Group)
Thursday Snack Break is being sponsored by Denim Group.


Thursday October 26, 2017 2:45pm - 3:15pm
Expo Hall (Live Oak Room)

3:00pm

Are you ready for my call? Responsible Disclosure Preparedness
I came across a flaw in an IoT device I have connected to my house and set in motion a series of events that add up to the standard "Responsible Disclosure." Garage doors are a mundane topic. I'll take them from innocuous elements to dangerous portals controlling our safety, back out of the light and into the mundane again. I'll cover my research motivation, techniques and how they fixed it.

Speakers
Jason Kent

CTO, AsTech
Jason Kent is a well-respected leader in the security industry with more than 20 years of experience in Information Technology and Information Security. Jason has worked with hundreds of organizations across the globe, addressing a wide array of technology, security and program...



Thursday October 26, 2017 3:00pm - 4:00pm
Pecan

3:00pm

Information Security Risk Assessment (ISRA): Lessons from the Front Lines

Information Security Risk Assessment (ISRA) should be one of the most important ingredients in a software product life cycle, especially if the product deals with sensitive data.  ISRA is also one of those things that are less understood and more difficult to do.  As such, it is more likely to be postponed or, worse, skipped.  This could leave products with unknown risks that adversaries could exploit.  This talk presents the information security risk assessment from a practitioner's perspective.  We will discuss methods for performing ISRA for software products, give practical tips, and share lessons learned.  The audience will gain knowledge on ISRA, which can be applied to their work.


Speakers
Karen Lu

Dr. Karen Lu is a principal security architect at Gemalto, a digital security company. She has over 10 years of experience in security, risk assessment, identity and access management, and privacy protection. Karen holds 23 patents with many pending, and has 50+ publications over...


Thursday October 26, 2017 3:00pm - 4:00pm
Red Oak Ballroom

4:00pm

IoT Assimilation: Resistance is Futile.
Technology allows society to accelerate exponentially. People are connecting Things to the Internet but the benefits aren’t realized without tradeoffs. Companies are embracing IoT to enhance their business plans. Due to many difficult challenges, some IoT Security Alliances have begun to form. At the federal government level, FTC, FCC, DHS and NIST have become involved. Finally, security companies are now proposing IoT security architectures to complement Enterprise solutions. We will review and discuss all these topics with the very latest information...get ready for a paradigm shift in society! Your Security, Privacy and Safety are all at stake...

Speakers
Mark Szewczul

IoT Security Architect, Zimperium
Mark is an IoT Security Architect at Zimperium with over 20 years of experience from Semiconductor, Telecom/Datacom, and Computing sectors. He currently is Director of Marketing at the Dallas/Fort Worth Cisco Users Group, has led the IEEE-Electromagnetic Compatibility Society and...



Thursday October 26, 2017 4:00pm - 5:00pm
Security Innovation Room

4:00pm

Speed Debates
Moderators

Bankim Tejani

Sr. Manager, Product Security, Under Armour

Thursday October 26, 2017 4:00pm - 5:00pm
Red Oak Ballroom

4:00pm

From Zero to Zero-Trust: Lessons Learned Building a BeyondCorp SSH Proxy
The BeyondCorp model introduced by Google does away with placing trust in the network perimeter. Instead, users and devices are authenticated and authorized before access to a service is granted. In this talk we'll cover what we learned building a BeyondCorp-inspired SSH proxy, so that users can access internal resources without a VPN. Spoiler alert: we can do more than just SSH.

Speakers
James Barclay

Senior R&D Engineer, Duo Labs
James Barclay is a Senior R&D Engineer at Duo Labs, the security research and analysis team at Duo Security. Prior to joining Duo, James was a Tools Engineer at Pinterest, and an IT consultant before that. He's contributed to a handful of open-source projects, and has been called an Apple nerd once or twice...



Thursday October 26, 2017 4:00pm - 5:00pm
Pecan

5:00pm

Happy Hour (Sponsored by Prevoty)
Thursday October 26, 2017 5:00pm - 7:00pm
Lobby

5:00pm

Ride The Bull
RIDE THE BULL - TASTE THE BEAST

Thursday October 26, 2017 5:00pm - 7:00pm
Under Armour Room

Friday, October 27

7:30am

Continental Breakfast
Friday October 27, 2017 7:30am - 8:45am
Expo Hall (Live Oak Room)

8:00am

Expo Hall Opens
Friday October 27, 2017 8:00am - 3:00pm
Expo Hall (Live Oak Room)

8:30am

Incident Response (IR) CTF
CSIRTS (Cyber Security Incident Response Team Simulation)

Participants can be either teams or individuals and will be able to use a limited number of laptops provided by us, OR bring their own which we encourage. There will be wired & wireless access to the environment. Upon logging into the environment, participants will act as “blue team” incident responders seeking to identify a network breach that is actively in progress. The range is a small, but realistic mock-up of an enterprise network complete with Active Directory, Exchange, firewalls, SIEM, workstations, etc. Participants will have access to a SIEM/log aggregation tool, and multiple security appliances to try and identify the malicious activities that are taking place on the network.

This is not an active defense challenge, as those often require a significant amount of time. This is simply an “identification” challenge, which is honestly the best starting place for most incident response training functions. The challenge is simple: can you find the hostile activities and identify key components of the threat?

There will be a scoreboard that will prompt the participant to answer Jeopardy-style questions to measure their progress through the challenge. A sample question might be, “What is the external IP address of the malicious activity detected by the perimeter firewall?” or “What protocol is the attacker using to exfiltrate data from within the network?” This will nudge the participant in the right direction for systematically tracing and identifying unauthorized activity on an enterprise network.

This CTF will be coordinated by Eric Capuano of DPS / Texas Homeland Security.

Friday October 27, 2017 8:30am - 3:00pm
Expo Hall (Live Oak Room)

9:00am

Keynote: Georgia Weidman
keynote

Speakers
Georgia Weidman

Founder and CTO, Shevirah Inc.
Shevirah founder and CTO Georgia Weidman is a serial entrepreneur, penetration tester, security researcher, speaker, trainer, and author. She holds an MS in computer science as well as CISSP, CEH, and OSCP certifications. Her work in the field of smartphone exploitation has...


Friday October 27, 2017 9:00am - 10:00am
Red Oak Ballroom

10:00am

Invited Speaker: Kevin Paige
Speakers
Kevin Paige

Head of Information Security & Compliance at MuleSoft, MuleSoft
Seasoned Information Technology & Security Leader with over 15 years of results, delivering solutions that optimize performance, security, and efficiency for both the private and public sectors. Proven ability to drive large-scale initiatives that streamline business processes, mitigate...


Friday October 27, 2017 10:00am - 11:00am
Security Innovation Room

10:00am

AppSec Pipelines and Event-based Security: Moving beyond a traditional security test.

Is software development outpacing your ability to secure your company’s portfolio of apps? You don’t have to buy into Agile, DevOps or CI/CD to realize the business wants to move faster. And it's not like you didn’t already have more than enough to do. This talk will cover how to take the lessons learned from forward-thinking software development and show you how they have been applied across several businesses. This isn’t a theoretical talk. It covers the results of successfully applying these strategies to AppSec across multiple companies ranging from 4,000 to 40,000+ employees. Yes, real stats on improvements seen will be provided.

By changing focus from point-in-time security testing and assessments to automation, continual health checks and event-based security, your AppSec program can start to keep pace with the increasing speed of delivery your business is trying to obtain. By embracing the same methodologies, you can turn Docker from a problem into the way you horizontally scale your security work. Don't swim against the current of DevOps, Agile software development and Continuous Delivery. Instead, use those movements to speed your AppSec program to new levels.


Speakers

Friday October 27, 2017 10:00am - 11:00am
Red Oak Ballroom

10:00am

Architecting for Security in the Cloud
The best part about creating new products and services in the cloud is the agility that it provides. Your company literally can scale at the click of a button. But if you take the simplicity of the cloud for granted, you wind up with brittle security that even a novice adversary can overcome. This talk will focus on identifying the holes in your cloud application before the attackers do, closing those gaps, and building architectures that can withstand the barrage of attacks that the Internet will throw at it.

Speakers
Josh Sokol

National Instruments
Josh Sokol, CISSP, graduated from the University of Texas at Austin with a BS in Computer Science in 2002. Since that time, he has worked for several large companies, including AMD and BearingPoint, spent some time as a military contractor, and is currently employed as the Information...



Friday October 27, 2017 10:00am - 11:00am
Pecan

10:00am

Threat Modeling For Secure Software Design

Threat modeling is a way of thinking about what could go wrong and how to prevent it. Instinctively, we all think this way in regards to our own personal security and safety. When it comes to building software, some software shops either skip the important step of threat modeling in secure software design or, they have tried threat modeling before but haven't quite figured out how to connect the threat models to real world software development and its priorities. In this session, you will learn practical strategies in using threat modeling in secure software design and how to apply risk management in dealing with the threats.


Speakers
Robert Hurlbut

Threat Modeling Architect / Lead, Bank of America
Robert Hurlbut is a Threat Modeling Architect with 30 years of industry experience in secure coding, software architecture, and software development. He speaks at user groups, national and international conferences, and provides training for many clients. You can find Robert on Twitter...



Friday October 27, 2017 10:00am - 11:00am
Under Armour Room

11:00am

Breaking into Security

Are you ready to follow your passion as a Pentester but are unsure of how to switch careers? There are multiple ways to get where you want to go. My colleagues and I want to share our experiences of how we became pentesters even though we all come from different backgrounds. We will touch on the topics of certifications, courses and hobbies that can help you land the job you have always dreamed of!



Speakers

Tommy Dew

Tommy Dew's background includes incident response, digital forensics and security operations. Tommy worked at Texas A&M University as a security analyst for over two years. Tommy currently holds the Network+ and GCIH certifications.
Gisela Hinojosa

Security Analyst, Rapid7
Gisela recently decided to follow her passion and made the jump from Software Test Engineer to Security Analyst. Gisela did software testing for 6 years for multiple companies including Dell, NOV and Bracket. Gisela joined Rapid7's Penetration Testing team as a Security Analyst...



Friday October 27, 2017 11:00am - 12:00pm
Pecan

11:00am

A Wake-Up Call - Information Security for Non-Profits, Foundations, and Charities

The last time you gave money or time to your favorite charity, did you think about their information security? Did you wonder what measures they were taking to protect you or the people they serve? Like any business, today’s digital landscape and the influx of technology walking around is forcing non-profits of all sizes to take a new look at protecting the organization from surveillance, intrusion, and cyber attack. However, they are often overlooked by vendors, researchers, and the security industry for a variety of reasons. This talk will walk through the unique challenges facing non-profits, foundations, and charities and will present an approach to truly helping them improve their security for themselves, their donors, and the people they serve. Brought from the unique view of a survivor of cyberstalking turned Ph.D., Dr. Misata will spotlight her research and strategies for helping non-profits stay safer online.


Speakers
Kelley Misata, Ph.D.

Executive Director, The Open Information Security Foundation
Dr. Kelley Misata is a strategic leader, speaker, and innovator who combines over 15 years in business leadership roles with a passion for facilitating critical conversations around responsible digital citizenship, digital safety, and privacy. Her work with The Open Information Security...


Friday October 27, 2017 11:00am - 12:00pm
Under Armour Room

11:00am

Climbing the PacketFence

Implementing 802.1x port authentication in a corporate environment is hard enough, but to attempt it with free open source software is even more of a challenge.  PacketFence, developed by Inverse Inc., has positioned itself as a comprehensive open source network access control (NAC) solution.

At Indeed, we embrace the open source ideology of bottom up versus top down decision making, as well as the concept of open source software.  We will describe the challenges and pitfalls we experienced in deploying a geographically dispersed, multi-office NAC service.  Some of the challenges and pitfalls included centralized logging, synchronizing user and node data between offices, software configuration management, multi-department involvement and coordination, and networking architectural challenges.  PacketFence is also a quickly evolving product, so keeping up with updates and new features in a key infrastructure component is also a paramount concern.

PacketFence has delivered on its promise of being a comprehensive NAC solution.  We now have username to IP address to MAC address correlation.  We have iplogs, locationlogs, device discovery, inventory management, and user auditability.  We have successfully implemented 802.1x port authentication on our wired, wireless, and even VPN network devices.  Join us as we help you successfully climb over the PacketFence!

Speaker:  Robert Bogart


Speakers

Robert Bogart

Security Engineer, Indeed.com
Security, Computers, Home Labs, Media Servers and anything else interesting.



Friday October 27, 2017 11:00am - 12:00pm
Security Innovation Room

11:00am

Phishing: It's Not Just for Pentesters - Using Phishing to Build a Successful Awareness Program
Social engineering attacks remain the most effective way to gain a foothold in a targeted organization. When technology holds up to the test of attack, the human element is often exploited for entry into an organization. The frequency and level of training an employee receives can thwart an attack or amplify it. An example is the Google Docs attack that occurred recently. This attack propagated to a status near that of a worm in part because people were not trained to spot the issues. This talk will discuss the dynamics of creating an effective awareness program and teach practitioners how to create and run a successful internal phishing program to measure the efficiency of the training and help keep users on their toes.

Speakers
Joe Gray

Senior Security Architect, IBM
Joe Gray joined the U.S. Navy directly out of High School and served for 7 years as a Submarine Navigation Electronics Technician. Joe is a Senior Security Architect. Joe also maintains his own blog and podcast called Advanced Persistent Security. In his spare time, Joe enjoys attending...


Friday October 27, 2017 11:00am - 12:00pm
Red Oak Ballroom

11:30am

Lunch - Day 2
Friday October 27, 2017 11:30am - 12:30pm
Red Oak Ballroom

12:00pm

Leveraging Social Engineering in physical security assessment
Going past the wire Leveraging Social Engineering in physical security assessment
Many organizations have started understanding the value they can get with a physical security assessment. However, after having one performed, they are left with a network penetration test report. Unfortunately, many consulting firms don’t know how to go past the wire and evaluate the physical security of an organization including their employees. During this talk, Stephanie will discuss the methodology she utilizes when performing a physical security assessment. This methodology will cover everything from OSINT and on-site reconnaissance, crafting pretexts, multiple attack vectors, and tips and tricks.

Speakers

Snow

Social Engineer Practice Lead, MindPoint Group



Friday October 27, 2017 12:00pm - 1:00pm
Pecan

12:00pm

The Role of Empathy in Vulnerability Disclosure Practices for Software Vendors

There are guides and templates for how to write a security advisory and handle inbound vulnerability reports, but the act of disclosing that a vulnerability existed in your software is much more than filling in the blanks and working through a process map. Vulnerability disclosure also involves many stakeholders beyond one's security team. Decisions around how to share information, an understanding of your intended audience, and the support provided to impacted customers are critical components that can be represented in process but are also driven by an expression of what that team values. The word “empathy” does not appear in ISO 29147 - but it plays a key role in this process, and the right response can preserve or build trust while a tone-deaf disclosure can destroy it.

In this talk, we’ll walk through a product security advisory and detail how we brought together a cross-functional team and why we made various decisions based on process and an understanding of the needs of customers. We’ll share what went well, what we learned, and suggestions for future consideration related to security advisories and response practices.


Speakers
Adam Goodman

Principal Security Architect, Duo Security
Adam is Principal Security Architect at Duo Security, and has been responsible for leading various aspects of Duo's security engineering practice since 2010. He has spent well over a decade building secure systems, protocols, and culture (and occasionally veering into security research...



Friday October 27, 2017 12:00pm - 1:00pm
Security Innovation Room

1:00pm

Core Rule Set for the Masses: Lessons from taming ModSecurity rules at massive scale

Everyone who has used, or attempted to use, the OWASP ModSecurity Web Application Firewall knows something about fine-tuning rules. The ModSecurity Core Rule Set (CRS) was designed to catch more, show more and let you decide what to do with security alerts. It is a time-consuming, and often frustrating, exercise to analyze alerts, separate the wheat from the chaff, and determine which are candidates for blocking.

With thousands of servers at more than 100 locations, Verizon Edgecast CDN is one of the world’s largest deployments of the OWASP Core Rule Set. We will share our experience in fine-tuning the CRS for a large number of customers, adjusting to their taste in risk and attitude toward false positives. We will discuss lesser-used features of ModSecurity to cut down noise levels in alerts, sometimes by as much as 90%. We will also discuss our experience in moving from CRS 2.2.9 to 3.0, which was released in late 2016.

We hope that the audience will walk away with an understanding of the benefits of using the venerable web application firewall with the latest enhancements, and of the issues to consider to get the most out of it. Ultimately, we hope that our experience will make your task of fine-tuning the CRS a little easier.


Speakers
Tin Zaw

Director, Security Solutions, Verizon
Tin Zaw has served as Verizon Digital Media Services’ director of global security solutions since 2015. He and his team provide managed and professional security services protecting their clients' web properties from exterior threats from the internet. He launched the services during...


Friday October 27, 2017 1:00pm - 2:00pm
Red Oak Ballroom

1:00pm

Layer 8 and Why People are the Most Important Security Tool

People are the cause of many security problems, but people are also the most effective resource for combating them. Technology is critical, but without trained professionals, it is ineffective. In the context of two case studies, the presenter will describe specific instances where human creativity and skill overcame technical deficiencies. The presenter believes this topic to be particularly relevant for the Packet Hacking Village, as many techniques used are the same that are pertinent for Capture the Packet and Packet Detective.

Technical details will include the specific tools used, screenshots of captured data, and analysis of the malware and the malicious user’s activity. The goal of the presentation is to show the importance of technical ability and critical thinking, and to demonstrate that skilled people are the most important tool in an information security program.


Speakers


Friday October 27, 2017 1:00pm - 2:00pm
Under Armour Room

1:00pm

Malware Clustering

Malware clustering is an unsupervised similarity search technique in which similar malware samples are grouped together. We provide a novel approach to clustering malware based on their static and dynamic behavior. Apart from clustering, several stages of preprocessing go through classic machine learning approaches. Our experiments on sufficiently large datasets have shown that this approach is not only robust, but also scalable and repeatable.


Speakers
Srivathsan Srinivasagopalan

R&D engineer, AlienVault
Srivathsan Srinivasagopalan is an R&D engineer at AlienVault Inc in Austin, TX. He has a Ph.D. in theoretical Computer Science and has been developing algorithms for breach detection, correlation and more using machine learning and AI techniques for about six years. Previously, he...



Friday October 27, 2017 1:00pm - 2:00pm
Pecan

1:00pm

No one left behind : Security Defense through Gamification including CTFs

Do you think that the Information Security training at your company gives an employee a fighting chance against a sophisticated attacker? With data behind breaches continually showing that employees are a root cause of incidents, we need to provide solutions to help them defend themselves. We all know the old school measures of videos, lectures and policy tomes are ineffective, so why not try something new?

I present a new approach: Security Gamification meets CTF (Capture the Flag). CTFs have been a training ground for security professionals and enthusiasts, but in this presentation I will show how to apply similar concepts of CTFs to non-technical employees. The end result is engaging, employs the ‘learning by doing’ methodology and has friendly competition built in. Who doesn’t love solving puzzles over watching another boring video with a quiz at the end! The training emphasizes a ‘No one left behind’ principle in which all the employees at a company get trained in CyberSecurity defense.

The presentation will include issues with current Security training methods and how Gamification and CTFs address these. I will recount some war stories of how I rolled this out at some of my previous employers and the lessons learnt from those experiences. The presentation will also delve into the difference that this training made and metrics that can be used to quantify the differences at the attendees’ companies. Then, it will go on to talk about how to present this to the management team in order to get buy-in. The attendees will have some chances to do some exercise with their arms as the presentation is interactive.

Some other pros of this training are that it is highly scalable, helps employees get into the attacker mindset, can effectively track increases in employees’ awareness levels etc. Also, the Security puzzles created are customized as per job function and level of the employee. We don’t give the same Sales training to a developer as a Sales guy, so why give everyone the same Security training? Finally, the presentation will demo some Security puzzles for both technical as well as non-technical employees.


Speakers
Kashish Mittal

Security Engineer
Kashish Mittal is a Security Researcher and Engineer. He has worked for companies such as Duo Security, Bank of America, Deutsche Bank etc. By choice, he is an ethical hacker and an addicted CTF player. He is a member of PPP (CMU's elite CTF group). Prior to joining Duo, he did Security...



Friday October 27, 2017 1:00pm - 2:00pm
Security Innovation Room

1:45pm

Snack Break
Friday October 27, 2017 1:45pm - 2:15pm
Expo Hall (Live Oak Room)

2:00pm

How to Put the Sec in DevOps

Automation and DevOps have changed the way organizations deliver products. The shift towards DevOps made it pretty clear that companies are adopting this organizational model in order to facilitate a practice of automated software deployment. While the traditional idea of a “software release” dissolves away into a continuous cycle of service and delivery improvements, organizations find that their traditional application security solutions have a hard time adapting to the new process, and security becomes an inhibitor to the complete process.

In this session, you’ll learn how different organizations adopted security into their DevOps processes. What obstacles need to be addressed when introducing AppSec to DevOps, and when should Sec be added to DevOps?

Join us to:

  • Discover which obstacles should be expected and how to overcome them
  • Understand what functionality is key to enable real automation of your AppSec program
  • Explore the benefits of having security as part of your DevOps automation (what’s in it for me)?

Speakers

Friday October 27, 2017 2:00pm - 3:00pm
Security Innovation Room

2:00pm

Invited Speaker: Chris Roberts
Speakers

Chris Roberts

Chief Security Architect, Acalvio
Chris Roberts is considered one of the world's foremost experts on counter threat intelligence within the Information security industry. At Acalvio, Roberts helps drive Technology Innovation and Product Leadership. In addition, Roberts directs a portfolio of services within Acalvio...


Friday October 27, 2017 2:00pm - 3:00pm
Under Armour Room

2:00pm

Cloud Ops MasterClass: Lessons learned from a multi-year implementation of cloud automation at scale

How can you effectively manage cloud operations for over 80 different agile DevOps teams? Automated Guardrails. What are guardrails, how do you implement them at scale, and how do they work across the entire cloud stack: Networking, Security, IAM, Service Whitelisting, OS Hardening, and Patching?

In this talk you will learn about the challenges of running Cloud Operations at scale, what problems moving to a multi-account model for application and service isolation solves, and the typical issues that arise from that approach for a Cloud Operations team.

The talk will walk you through the real-life benefits, challenges, and approaches to using automation to maintain security and compliance and to manage the day-to-day drudgery of Cloud Operations, enabling the cloud operations team to focus on higher-value activities. Additionally, we will explore how to get the most out of automation tooling like [Turbot](https://turbot.com), [Terraform](https://www.terraform.io/) & [Ansible](https://www.ansible.com), and discuss how to collaborate with these vendors to address your unique technical challenges.


Speakers

Michael Osburn

SecDevOps
High volumes of AWS/azure accounts, python, brewing beer.

Nathan Wallace

Founder and CEO, Turbot HQ, Inc.
Nathan Wallace is the Founder and CEO of Turbot HQ, Inc. Nathan is recognized as a transformational leader that has enabled some of the World's largest enterprise organizations to make the transition to public cloud. Nathan has recently been profiled by CIO Applications and was a...



Friday October 27, 2017 2:00pm - 3:00pm
Pecan

3:00pm

Attack Vectors in Biometric Recognition Systems
Attack Vectors in Biometric Recognition Systems: Mobile Authentication Use Case, Blockchain, and More.

Biometrics can be used to recognize individuals based on biological or behavioral characteristics. The subversion of biometric recognition systems by determined adversaries played out in headlines for Touch ID, Samsung Galaxy S8 face, and Samsung Galaxy S8 iris. It is only a matter of time until Face ID is spoofed.

  • What does it mean to subvert a biometric recognition system?
  • Is it possible to reverse-engineer a biometric template?
  • Is it possible to deceive machine learning in a biometrics recognition system?
  • What is anti-spoofing, otherwise known as Presentation Attack Detection (PAD)? 
  • Why is it so difficult for a biometric recognition system to tell the difference between you and an imposter?

Topics include:

  • Vulnerabilities
  • Attack Diagram
  • Spoofing
  • Presentation Attack Detection (PAD)
  • Mobile Device Vulnerabilities
  • TABULA RASA, ISO, NIST
  • Template Security and Evolution
  • Biometrics and Blockchain
  • The Future


Speakers

Clare Nelson

CEO, Founder, ClearMark Consulting
Clare lives at the nexus of security, privacy, and identity. Her middle name is MFA, and she loves all things identity. She forges identity solution roadmaps and tracks emerging technologies, especially in light of GDPR and PSD2. She recently evaluated 200+ MFA vendors, resulting...



Friday October 27, 2017 3:00pm - 4:00pm
Security Innovation Room

3:00pm

Security Evaluation of Libraries

The target audience for this talk is security engineers, software development engineers, software development managers, technical program managers and anyone who uses libraries as part of the software development process. The attendees will walk away with a methodology for reviewing libraries and for scaling secure usage of libraries through secure-by-default implementation.

Software services are built on top of service frameworks such as .NET, Java web services, Apache Axis, etc. These frameworks consist of a set of libraries and other components like support programs, compilers, tool sets, etc. Applications interact with libraries through well-defined API calls either during the build (static) or at run-time (dynamic). Generally speaking, Application Security programs implement an application-centric review process. They do not cover the criteria for doing security evaluations of libraries. The attack surface, threats and data flow for a library are different from those of an application. This talk discusses the primary differences between applications and libraries and provides a mechanism for evaluating libraries. Specifically, it covers how to scope the assessment of a library and special considerations during the architecture review and threat modeling phases. Validation of the secure and correct implementation of the security controls offered by the library is the main goal of the evaluation. By evaluating libraries, we make sure that all the fundamental building blocks of the development framework are secure. By offering guidance on secure-by-default configurations to developers, we can strengthen the secure software development process.


Speakers

Trupti Shiralkar

Sr Security Technical Program Manager
Trupti Shiralkar is a Senior Security Technical Program Manager at the world's most disruptive tech company. She manages the Cryptography and Application Security Program to build the next-generation security-by-default foundational technology platform. Trupti has a strong passion...



Friday October 27, 2017 3:00pm - 4:00pm
Under Armour Room

3:00pm

How to Create and Cultivate Community within the Cybersecurity Industry
Coming soon. 

Speakers

Jessica Patterson

As a rising leader in the cybersecurity industry, Jessica began sharing her story and inspiring others to stand for diversity and inclusion in the workplace in 2016. As a yoga teacher and cybersecurity professional, Jessica launched a global movement, "Own I.T.", to allow organizations...


Friday October 27, 2017 3:00pm - 4:00pm
Pecan

3:00pm

Local Austin Security Groups

This talk will present a summary of the local information security groups in Austin. This will be identical to the presentation at the BSides conference in May.

Tentative groups include: OWASP Austin, Hackformers (ISC)2, ACP, EFF, AHA, Cloud Security Alliance, ISACA and ISSA. Other groups may be added at a later time.


Speakers

Andrew Donoho

Electronic Frontier Foundation (EFF)

Bart Lauwers

Chief Technology Officer, SignaCert

Mauvehed

AHA!
Information Security, Vulnerability Management, Austin Hackers Anonymous (AHA!), Shenanigans

Larry Moore

Larry Moore has over twenty years of Information Security experience as part of his thirty-two year IT career and currently works as the Security, Risk & Compliance manager at Tangoe. He has worked in many other capacities such as critical infrastructure protection, mobile platform...



Friday October 27, 2017 3:00pm - 4:00pm
Red Oak Ballroom

3:00pm

Expo Hall Closes
Friday October 27, 2017 3:00pm - 5:00pm
Expo Hall (Live Oak Room)

4:00pm

Closing, Giveaways and Drawings!
Friday October 27, 2017 4:00pm - 5:00pm
Red Oak Ballroom